A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #521  by EP_X0FF
 Fri Apr 02, 2010 5:10 am
Malware analyzed by me in the beginning of this year. Contains specific code against Rootkit Unhooker <= 3.8 (last available version is unaffected) and IceSword, see dump for more info.
Primitive trojan using AppInit_Dll's key for WINMM.dll loading (because it's loading codecs) and setting itself as multimedia codec in registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
value: midi9 c:\auxspy.dll

to be loaded into address space of newly created processes.
Contains only one interesting thing inside - blacklist of security software. Because user32.dll initializes a lot of crap (including AppInit) trojan code executed before application entry point and able to kill application if it matches built-in signature.

Below is dump of blacklist.
wininet.dll ws2_32.dll\ntdll.dll //fHqq Referer:
SS: Host: TSYSCHECK RKHDRV software\microsoft\windows nt\currentversion\ AppInit_DLLs winmm.dll windows drivers32 midi9 BINRES Antirootkit guardxup. .pif
location: custom http://www.google. http://www.bing.com search.yahoo. search rds.yahoo yimg acl .bat .reg cmd reged /windows nt/ HTTP/1.0 302 Found
Content-Length: 0
Location: AntiMcHTNOD3LIVEPand<UA COMOESS CAUpLiveNortSpySEnigAVPUTMUFAdobSUPEMpCo IceSword Malwarebytes format=rss c.atdmt.com .googlehosted.com mcafee clamav prevx pandasecurity avir kaspersky bitdefender drweb .eset. sophos symantec onecare
When injected trojan dll rebased at specific (auto-calculated?) address, worker thread created.
You do not have the required permissions to view the files attached to this post.
 #522  by gjf
 Fri Apr 02, 2010 9:23 am
Oh, midi9! I believe there is a famoly of malware using this specific name :)

As I understand
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
value: midi9 c:\auxspy.dll
the path can be different as well as the name (which can be as "auxspyXXX.dll")?
 #525  by EP_X0FF
 Fri Apr 02, 2010 12:34 pm
Sure :) I placed it to C:\ and named auxspy.dll for easy loading from my own malware loader :)
ITW this sample drops into X:\Documents and Settings\<UserName>\Temp directory with random name and extension or to %systemroot\system32%, I saw both variants.