WinNT/Wowliks (Alureon)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

WinNT/Wowliks (Alureon)

Post by EP_X0FF » Thu May 30, 2013 6:27 am

Another Alureon of the new generation (the 7th, if you count).

Trojan downloader; it works from explorer.exe as the first stage and then from a zombified svchost.exe.

Contains a small x64 loader whose only purpose is to launch the file specified on the command line using syswow64\rundll32.exe.

The dropper uses NTFS encryption for its own directory; autorun is via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad as "wow.dll".

Calls home in the following format:
hello/2.6/101/4434dd11-6b41-4414-8a6d-a9ca7a8e9164/5.1.2600_3.0_32/1/00000000._..o.S.

List of servers:
newagelimp.com:80;
newfogfrom.com:80;
95.211.203.99:80;

All strings from the dropper:
% s % \ s % s IsWow64Process kernel32 shell32.dll \ b a s e n a m e d o b j e c t s \ { % 0 8 x - % 0 4 x - % 0 4 x - % 0 4 x - % 0 4 x % 0 8 x } newagelimp.com:80;newfogfrom.com:80;95.211.203.99:80; j f l s d k j f 0 0 1 . d a t %[^:]:%[^;] 101 2.6 hello %s/%s/%s/%s/%s/%d/%08x google.com %d % S t m p . " % s " 7 " % s " % S W i n S t a 0 \ D e f a u l t GetNativeSystemInfo %d.%d.%d_%d.%d_%d SOFTWARE\Microsoft\Cryptography MachineGuid % s : d e l s o f t w a r e \ c l a s s e s \ c l s i d \ { f b e b 8 a 0 5 - b e e e - 4 4 4 2 - 8 0 4 e - 4 0 9 d 6 c 4 5 1 5 e 9 } \ i n p r o c s e r v e r 3 2 s o f t w a r e \ c l a s s e s \ c l s i d \ { f b e b 8 a 0 5 - b e e e - 4 4 4 2 - 8 0 4 e - 4 0 9 d 6 c 4 5 1 5 e 9 } \ i n p r o c s e r v e r 3 2 s v c h o s t . e x e - k n e t s v c s 6 4 . d l l % w i n d i r % \ s y s t e m 3 2 \ s v c h o s t . e x e - k n e t s v c s s v c h o s t . e x e SHEmptyRecycleBinW r u n d l l 3 2 . e x e % w i n d i r % \ s y s w o w 6 4 \ s v c h o s t . e x e - k n e t s v c s SHQueryRecycleBinW % t e m p % % s \ w o w . d l l r u n d l l 3 2 % s , 0 e x p l o r e r . e x e
VT

SHA256: 130cdda63e85e616e6f7116dfa73356b9ae02c3e18256165b69a67eec3e036a9
SHA1: 7dc4e3f885797f1e4cd3e0947ecdf34b04533668
MD5: 2d63009761960169773bd1f4c5082a36

https://www.virustotal.com/en/file/130c ... /analysis/
Ring0 - the source of inspiration
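The call-home format and the hardcoded server list above give a defender two concrete things to key on. The following is an added example, not code from the post: it splits the dropper's "host:port;" list the way its "%[^:]:%[^;]" loop does and matches the "%s/%s/%s/%s/%s/%d/%08x" beacon path in constructed proxy log lines. The meaning of the OS field ("%d.%d.%d_%d.%d_%d", presumably major.minor.build_SPmajor.SPminor_bitness) is my reading, not stated in the post.

```python
import re

# Hardcoded C2 list in the dropper's own "host:port;" format (from the strings
# dump above); the dropper splits it with the scanf pattern "%[^:]:%[^;]".
DROPPER_SERVERS = "newagelimp.com:80;newfogfrom.com:80;95.211.203.99:80;"

# Beacon path built with "%s/%s/%s/%s/%s/%d/%08x":
#   hello/<ver>/<aid>/<MachineGuid>/<os>/<n>/<8 hex digits>...
# <os> is "%d.%d.%d_%d.%d_%d" (assumed: major.minor.build_SP_bitness, e.g. XP SP3 x86).
BEACON_RE = re.compile(
    r"(?:^|/)hello/(?P<ver>\d+\.\d+)/(?P<aid>\d+)/"
    r"(?P<guid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/"
    r"(?P<os>\d+\.\d+\.\d+_\d+\.\d+_\d+)/(?P<n>\d+)/(?P<hex>[0-9a-f]{8})",
    re.IGNORECASE,
)

def parse_server_list(s):
    """Split the 'host:port;' list the same way the dropper's scanf loop does."""
    servers = []
    for entry in filter(None, s.split(";")):
        host, _, port = entry.partition(":")
        servers.append((host, int(port) if port else 80))
    return servers

def find_beacons(log_lines, servers):
    """Scan 'client host path' log lines; return one dict per beacon-shaped request."""
    known_hosts = {host for host, _ in servers}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host, path = parts[1], parts[2]
        m = BEACON_RE.search(path)
        if m:
            hits.append({
                "host": host,
                "version": m["ver"],           # "2.6" in the thread's sample
                "aid": m["aid"],               # "101" in the thread's sample
                "machine_guid": m["guid"].lower(),
                "os_version": m["os"],
                "known_c2": host in known_hosts,  # host is on the hardcoded list
            })
    return hits

# Constructed sample log lines (not captured traffic): one beacon to a listed C2,
# one with the same path shape to an unlisted host, and benign noise.
SAMPLE_LOG = [
    "10.0.0.5 newagelimp.com /hello/2.6/101/4434dd11-6b41-4414-8a6d-a9ca7a8e9164/5.1.2600_3.0_32/1/00000000._..o.S.",
    "10.0.0.7 example.net /hello/2.6/101/0b1c2d3e-4f50-6172-8394-a5b6c7d8e9f0/6.1.7601_1.0_64/3/0000002a.x",
    "10.0.0.9 google.com /search?q=hello",
]
```

The path shape alone catches beacons to hosts that are not yet on a blocklist; the MachineGuid field also lets you tie hits back to a specific host across log sources.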

r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Backdoor.Tranwos

Post by r3shl4k1sh » Sun Jun 09, 2013 6:38 pm

I am looking for Backdoor.Tranwos (Symantec); here is the article about it:
http://www.symantec.com/connect/blogs/b ... c-analysis

In short, this file protects itself by encrypting the location it is in using EFS.

The detail page has the following info:

When the Trojan is executed, it creates the following files:
%CurrentFolder%\jflsdkjf001.dat
%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII CHARACTERS]\wow.dll
%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII CHARACTERS]\wow64.dll

The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Classes\CLSID\{fbef8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\"Default" = "%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII CHARACTERS]\wow.dll"

Next, the Trojan may connect to one or more of the following remote locations to open a back door on the compromised computer:
[http://]typerttsx.com
[http://]typicalsx.com
[http://]85.17.26.220

*************************************************************************

I don't have a hash for this file; hope you can find it based on the information above.

Thanks.

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Backdoor.Tranwos

Post by Xylitol » Sun Jun 09, 2013 8:42 pm

You do not have the required permissions to view the files attached to this post.

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Backdoor.Tranwos

Post by EP_X0FF » Tue Jul 23, 2013 12:37 pm

I am looking for Backdoor.Tranwos (Symantec), here is the article about it:
http://www.symantec.com/connect/blogs/b ... c-analysis
A bit too late, but this is Alureon.

New Alureon-generation based malware moved to a separate topic.
Ring0 - the source of inspiration

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: Rootkit TDL 4 (alias TDSS, Alureon.DX, Olmarik)

Post by thisisu » Sat Jun 21, 2014 9:39 pm

wow.dll

MD5 7d0463045f947477919491d2a0d025d8
SHA1 a34041f7a80bd165943673e887197807753be784
SHA256 a00d64fa5ff2a92f5d58cf06b0c0df67014c7ed19a1b34ec8c509fdda6e4f3da
https://www.virustotal.com/en/file/a00d ... 403386063/

wow.ini

[main]
servers=f5f5dc.com;ffeed5.com;31.184.192.215;194.28.174.45
logs=1
aid=453

Kimberly
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm

Re: WinNT/Alureon (7gen)

Post by Kimberly » Thu Jun 26, 2014 8:35 am

Seen on March 2, 2014 as part of a triple click fraud:
http://stopmalvertising.com/rootkits/an ... hreat.html

MD5: cc108b012ed2e9ed687d1406ffef92b0

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: WinNT/Alureon (7gen)

Post by EP_X0FF » Thu Jun 26, 2014 11:27 am

ZeroAccess has nothing to do with Alureon; these are completely different malware families. Also, this Alureon branch has nothing to do with the old rootkits.
Ring0 - the source of inspiration

Kimberly
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm

Re: WinNT/Alureon (7gen)

Post by Kimberly » Sun Jun 29, 2014 7:24 am

Whoops, you're right. The wow.dll part is what got me confused, sorry for that. Thanks for setting it straight :)

Kimberly
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm

Re: WinNT/Alureon (7gen)

Post by Kimberly » Sun Jun 29, 2014 7:52 am

Disregard the last post, fixed Za reference, thanks for pointing it out :)
