A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3457  by Quads
 Fri Nov 12, 2010 9:38 pm
A Trojan that has variations appearing with different company names, descriptions etc., like Niceware, iNiceware, iNWare.inc; reminds me of the ernel.dll on the TDL thread.

http://www.virustotal.com/file-scan/rep ... 1289431542

Attached is one group of files from testing in the real world one of the variants (from a guy).

SOFTWARE / CURRENT VERSION / RUN : [Random] C:\Documents and Settings\[username]\Local Settings\Temp\[random 3 characters].exe
C:\WINDOWS\[random 6 characters].exe
C:\WINDOWS\System32\sshnas21.dll
C:\Documents and Settings\[username]\Local Settings\Temp\[random 3 characters].exe or C:\WINDOWS\temp\[random 3 characters].exe (can be multiple files)
Scheduler change: Tasks: C:\windows\tasks\[random characters].job (may be more than one for the infection)

On My PC

Processes

C:\WINDOWS\system32\rundll32.exe (this file is legit, but it is being used by sshnas21.dll)
C:\WINDOWS\Tvehoa.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe

Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http= [address]
HKCU\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe
HKUS\S-1-5-21-484763869-1275210071-1644491937-1003\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe (User '?')

Files

C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
(Opera Software) -- C:\WINDOWS\Tvehoa.exe
(Opera Software) -- C:\WINDOWS\System32\sshnas21.dll
C:\Documents and Settings\John\Local Settings\Temp\Tch.exe
C:\Documents and Settings\John\Local Settings\Temp\Tcg.exe
C:\Documents and Settings\John\Local Settings\Temp\Tcf.exe
C:\Documents and Settings\John\Local Settings\Temp\a.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS


If you keep just stopping the processes and deleting the files in the temp folder(s), after a while the task(s) restart the .exe's that may still be there and the temp files get recreated.
Attachments
pass = infected
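The listing in the post above is effectively a set of hunting patterns: 3-character .exe droppers in a Temp folder, a 6-character .exe directly under %WINDIR%, {GUID}.job tasks that relaunch them, sshnas21.dll hosted by rundll32 plus its SSHNAS service key, and a ProxyServer override. The following Python script is an added example, not code from Quads' post or from the attachment; it runs those patterns over a constructed HijackThis-style listing. The rundll32 export name (`Startup`), the proxy address, and the explorer/ctfmon/GoogleUpdate control lines in the sample are made up to exercise the rules, and the rule names are my own.

```python
"""Offline triage of a HijackThis-style listing for the artefacts described above.

Rules (all derived from the post; names are this example's own):
  temp_dropper    - a 3-character .exe in a Temp directory (also when launched from a Run value)
  windir_dropper  - a 6-character .exe directly under %WINDIR%
  guid_task       - a {GUID}.job under %WINDIR%\tasks that can resurrect the droppers
  sshnas          - sshnas<digits>.dll (the rundll32 payload) or the SSHNAS service key
  proxy_override  - a ProxyServer value set under HKCU Internet Settings
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# "HKCU\..\Run: [U36VRSFLG6] C:\...\Tch.exe", optionally followed by "(User '?')"
RUN_ENTRY = re.compile(
    r"^(?:HKCU|HKLM|HKUS\\[^\\]+)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*"
    r"(?P<path>.+?)\s*(?:\(User [^)]*\))?$",
    re.I,
)
TEMP_EXE = re.compile(r"\\temp\\[a-z0-9]{3}\.exe$", re.I)
WINDIR_EXE = re.compile(r"^[a-z]:\\windows\\[a-z0-9]{6}\.exe$", re.I)
GUID_JOB = re.compile(
    r"\\tasks\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.job$", re.I
)
SSHNAS = re.compile(r"(?:\\sshnas\d*\.dll\b|\\Services\\SSHNAS$)", re.I)
PROXY = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<value>\S+)", re.I)


def scan(listing: str) -> list[Finding]:
    """Return one Finding per (rule, line) hit; a line can trigger several rules."""
    findings: list[Finding] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        # For Run values, test the launched path rather than the whole registry line.
        run = RUN_ENTRY.match(line)
        target = run.group("path").strip('"') if run else line
        if TEMP_EXE.search(target):
            findings.append(Finding("temp_dropper", line))
        if WINDIR_EXE.match(target):
            findings.append(Finding("windir_dropper", line))
        if GUID_JOB.search(line):
            findings.append(Finding("guid_task", line))
        if SSHNAS.search(line):
            findings.append(Finding("sshnas", line))
        proxy = PROXY.search(line)
        if proxy and proxy.group("value"):
            findings.append(Finding("proxy_override", line))
    return findings


def rule_counts(listing: str) -> dict[str, int]:
    """How many lines each rule fired on."""
    return dict(Counter(f.rule for f in scan(listing)))


def persistence_intact(listing: str) -> bool:
    """True while a {GUID}.job that can relaunch the droppers is still present: as the post
    notes, killing processes and wiping Temp is not enough as long as this returns True."""
    return any(f.rule == "guid_task" for f in scan(listing))


# Constructed sample in the post's layout. The rundll32 argument, the proxy address and the
# explorer/ctfmon/GoogleUpdate lines are made up as dirty/clean controls for the rules.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\System32\sshnas21.dll,Startup
C:\WINDOWS\Tvehoa.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe
C:\WINDOWS\explorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
HKCU\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe
HKUS\S-1-5-21-484763869-1275210071-1644491937-1003\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe (User '?')
HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\System32\sshnas21.dll
C:\Documents and Settings\John\Local Settings\Temp\Tcg.exe
C:\Documents and Settings\John\Local Settings\Temp\a.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:15} {f.line}")
    print("task persistence still present:", persistence_intact(SAMPLE_LOG))
```

On the sample, `persistence_intact` stays True until the {GUID}.job lines are gone, which is the practical check behind the post's remark that the tasks keep recreating the Temp files; the clean control lines (explorer.exe, ctfmon.exe, the GoogleUpdate task, a.dat) fire no rule.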
 #3460  by Evilcry
 Sat Nov 13, 2010 7:33 am
Hi,
NiceWare samples belong to the Arto botnet (executables delivered are identified as Renos), a pretty active botnet
that in the past months registered 300k unique IPs per day.

Here you can find a large sample set of NiceWare http://amada.abuse.ch/?search=megadataonline.net

Regards,
Evilcry
 #3468  by markusg
 Sat Nov 13, 2010 10:59 am
Yes, at German forums we have seen this often in the last few days.
 #3482  by fatdcuk
 Sun Nov 14, 2010 7:48 pm
A.k.a. Fraudpack, and they have been with us for quite some time, Quads (Renos a-b-c .exe's downloader, until they started using random 3-letter series names for the droppers).

Must be over a year old, or at least coming up to its first birthday...