Trojan downloader with blacklist and VM detection on board.
http://www.virustotal.com/file-scan/rep ... 1288786972
Drops itself to %systemroot%\system32\config as svchost.exe.
Sets itself to autorun as a service via the Windows Service Manager.
Creates a special mutex, svchost32_2.
During installation it executes STOP and DISABLE commands for the ALG service (Application-Level Gateway) and the Windows Firewall service.
The malware contains a security software blacklist:
klpf FSDFWD UmxCfg Detector de OfficeScanNT klpid F-Secure Filter kmxfile F-Secure HIPS kmxids FSFW UmxAgent ISWKL fsbts F-Secure Recognizer Panda Antivirus
lnsfw1 McAfee Framework Service kmxsbx sharedaccess OutpostFirewall kmxfw kmxcfg FSMA kmxagent FSORSPClient sfilter WinDefend klif kmxbig Norton Antivirus Service
vsdatant kl1 F-Secure Gatekeeper Handler Starter BFE IswSvc vsmon ZoneAlarm UmxPol kmxndis SmcService MpsSvc UmxLU F-Secure Gatekeeper Kaspersky Anti-Hacker.lnk
ZoneAlarm Client ISW Zone Labs Client AMonitor Look 'n' Stop

Bot trying to establish connection with:
hxxp://adpool-3.net/cgi-bin/npr/web/t_vtc.cgi
d45parog.net/cgi/no.cgi

Drops configuration file %systemroot%\system32\config\svchost.jxe:
[M]
S1=e54q`snf/odu.bfh.on/bfh
S2=e54q`snf/odu.bfh.on/bfh
S3=e54q`snf/odu.bfh.on/bfh
[C]
Version=36060186

Looks like it contains hardcoded VMware detection (sample wasn't tried on VMware):
vmware svga cntxcorp vmware pointing
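Added example, not code from the original post: comparing the stored S1 value with the d45parog.net URL listed above shows that every byte of the stored string is the URL byte XORed with 0x01 (this is an inference from the two values on the page, not a confirmed fact about the binary). The script recovers that single-byte key from the known URL and decodes the config file as quoted.

```python
# Added example (not from the original post). The config text below is copied
# from the post; the XOR-0x01 relationship is inferred by comparing S1 with the
# observed URL, so the key is recovered from that pair rather than assumed.

KNOWN_URL = "d45parog.net/cgi/no.cgi"   # C2 path listed in the post
CONFIG_TEXT = """[M]
S1=e54q`snf/odu.bfh.on/bfh
S2=e54q`snf/odu.bfh.on/bfh
S3=e54q`snf/odu.bfh.on/bfh
[C]
Version=36060186
"""


def recover_xor_key(encoded: str, known: str):
    """Return the single-byte key k with encoded[i] ^ k == known[i] for all i, else None."""
    if not encoded or len(encoded) != len(known):
        return None
    keys = {ord(c) ^ ord(p) for c, p in zip(encoded, known)}
    return keys.pop() if len(keys) == 1 else None


def xor_decode(encoded: str, key: int) -> str:
    """Apply the single-byte XOR; the transform is its own inverse."""
    return "".join(chr(ord(c) ^ key) for c in encoded)


def parse_config(text: str, key: int) -> dict:
    """Parse the INI-like sections; values in [M] (server list) are decoded,
    everything else is kept verbatim."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][name] = xor_decode(value, key) if current == "M" else value
    return sections


if __name__ == "__main__":
    key = recover_xor_key("e54q`snf/odu.bfh.on/bfh", KNOWN_URL)
    print(f"key=0x{key:02x}", parse_config(CONFIG_TEXT, key))
```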
pass: malware