A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6965  by EP_X0FF
 Tue Jun 28, 2011 7:43 am
That's funny malware. Driver internally named 'Dog'.
User mode payload kills some Explorer settings (via CLSID) - for example folders settings no longer available.
Payload set on autorun via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key as C:\Alg.exe (this is hardcoded).

In attach extracted rootkit driver (pretty simple, looks like copy-past), decrypted dropper and infected MBR.

IDK if this is common behavior but after MBR infection system is no longer accessible - for me it stucks on Welcome screen.

edit: even after restoring mbr system does not log in.

Too much things hardcoded and this skiddie trash assembled seems to be from different sources.
Attachments
pass: malware
(63.1 KiB) Downloaded 138 times
 #6967  by nullptr
 Tue Jun 28, 2011 3:16 pm
Just a listing of differences from user mode payload. It looks like trashing of the operating system
is more likely due to programming ineptitude than anything else.
Attachments
(2.08 KiB) Downloaded 98 times
 #6971  by wealllbe20
 Tue Jun 28, 2011 10:14 pm
rootkit is crap!

it had trouble loading mbr code, finally did.

detected as unknown bootcode in esage bootkit remover.

restarted machine did not fix mbr code.

system restart=no

ran dos version of tesdisk off of bootable cd ran fix mbr portion of testdisk.

system restart=yes

always says windows finished installing new devices...?

retested with esage bootkit remover

unknown boot code comes up:

ran remover fix \\.\PhysicalDrive0

restart all is good.

no malicious mbr code after reboot.

windows still says finished installing new devices...?

restarted again...

mbr boot code is fine

no finished installing new devices window this time.
testdisk appears to wipe this mbr rootkit with no problem
if you want your esage bootkit remover to appear clean choose fix after fixing with testdisk.

mbr code appears fine. but I would like somebody to test this theory out.
 #6973  by EP_X0FF
 Wed Jun 29, 2011 2:42 am
A simple fixmbr command removes it completely. Anyway Windows registry will be trashed by user mode payload (see nullptr post).
Too much attention for such mediocre and buggy malware. I guess soon will be published some sort of yet another crappy 'articles' about this "powerful" and "stealth" bootkit.
 #6982  by CodeAddiction
 Wed Jun 29, 2011 7:08 pm
XP Pro SP3 Test Box:
FIXMBR (offline with RC)
ERUNT restore (offline BartPE)
Manual deletion of malware files (offline BartPE)
 #7028  by WawaSeb
 Sat Jul 02, 2011 9:40 am
alg.exe file dropped by hello_tt.sys driver.
It causes a lot of damage, even if MBR is clean before execution.

Seems not to be packed.
Pass : infected

http://www.threatexpert.com/report.aspx ... 7c7808b5c0
http://www.virustotal.com/file-scan/rep ... 1309533302
http://virusscan.jotti.org/fr/scanresul ... d0a34a87a2

Best regards,
Attachments
(56.65 KiB) Downloaded 116 times