A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3271  by EP_X0FF
 Sun Oct 31, 2010 5:56 am
Info stealer.

Drops a dll named podzce.dll and configuration files to a specially created folder inside %AppData% named Bitrix Security

Sets itself to autorun through HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components as service

Runs through podzce.dll export fn DllUnrer

dropper
http://www.virustotal.com/file-scan/rep ... 1288503327

payload dll
http://www.virustotal.com/file-scan/rep ... 1288503472

Bot tries to establish a connection with:
hxxp://www.teten.net/mu.php
hxxp://www.teten.net/mc.php
hxxp://www.teten.net/mi.php
hxxp://www.teten.net/mn.php
hxxp://www.teten.net/ml.php
unpacked dll strings
.xml .css .gif .png .swf .jpeg .jpg \signons.sqlite \formhistory.sqlite \cookies.sqlite-journal \cookies.sqlite .. . *.* \Mozilla\Firefox\Profiles\ user32.dll GetClipboardData PR_Write 0 w \ffcd[CLIPBOARD]:% Firefox [->] [<-] [bck] [del] [sht_down] [sht_up]
[%s]KEYLOGGED:%s -- ]
[ post http/ POST http:// https:// host: & referer: https content-length: content-type: application/x-www-form-urlencoded
log nolog pm cl ] %s& text _a -уP0µ˜П»‚ Є ЅО%26 lf password %c --9e8976aa1b089a D3 D2 D1 .txt rb / wb wt --
D nspr4 open rundll32.exe "%s", InstllH __ourevent_ | \mxd1.txt kernel32.dll nspr4.dll __myieevent_ InstllH DllUnrer firefox iexplore rundll32 - \uurn __ev1_ __ev2_ ____jnccs_ ____grtgr_ , : %s %ws %x ab /mi.php /mu.php /mc.php /mn.php /ml.php pr command _ %02d%02d%02d_%04d %02d%02d%d \ @ MZ miu rt \nienlg * .zip %02d-%02d-%d_ // %02d-%02d-%02d .sol .* \* _scs %s\sst .pfx _g sss.pfx gp.txt bs pfx p a s s msav Software\Microsoft\Windows\CurrentVersion\Run %s%s {CB92D056-5802-4D2E-A0FE-59E3F5EF3598} Version EN rundll32.exe "%s", DllUnrer \te.txt rundll32.exe "%s", InstllH DisableSecuritySettingsCheck DisableFixSecuritySettings Software\Microsoft\Internet Explorer\Security NoProtectedModeBanner ShownVerifyBalloon 1809 2500 1405 1200 1400 ___someevent_ _shrd [domain] t offset al
-------------
' " &nbsp; &#64; ) value=" </ > %d sentc qual h ss i m a g e / j p e g %s\%s_%u.bmp % S \ % S _ % S _ % S % S . j p g % S \ % S _ % u . b m p %02d-%02d-%02d-%04d % s % s BUTTON strtok
*******GRABBED BALANCE*******
offset TranslateMessage GetMessageA DispatchMessageA ccsfe SOFTWARE\Microsoft\Active Setup\Installed Components\ service Locale StubPath IsInstalled 4,3,6,3 Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData \Macromedia %s\%s_skey_%s_%s.zip CertOpenSystemStoreA PFXExportCertStore CertCloseStore sss.pfx MY ReleaseDC GetDC SelectObject DeleteObject BitBlt CreateDIBSection DeleteDC CreateCompatibleDC GetObjectA CreateCompatibleBitmap GdipGetImageEncodersSize Referer: https://%s/cgi-bin/ias/A/1/bofa/ibd/IAS/presentation/GotoWelcome
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Accept: */*
https://%s/cgi-bin/ias/A/2/CustomerServiceMenuEntryPoint?custAction=75 ****BOAQUES****
https://%s/cgi-bin/ias/A/2/GotoCustomerServiceMenu
****BOAEMAIL****
mail address is: id="securityKey%dDiv" id="securityKey%dAns" ************COOKIES************ \f.exe C:\NTDETECT.COM C:\ntldr GetProcAddress LoadLibraryA \crf.txt \rjg.txt \ner.txt \mcr.txt \cet.txt \rgx.txt \mmv.txt \lrtg.txt \hty.txt \mor.txt \oitr.txt Software\Microsoft\Silverlight Software\Microsoft\Silverlight\7 Software\Microsoft\Silverlight\0 vsff ervr gttr Software\Microsoft\Internet Explorer\Main pstorec.dll PStoreCreateInstance OutlookExpress Del OE Acc IE:Password-Protected sites MSN Explorer Signup IE Auto Complete Fields AutoComplete Passwords Resource: %s
Description: %s
Username: %s
Password: %s
*******PROTECTED STORAGE*******
*******PROTECTED STORAGE*******
Content-Disposition: form-data; name="filesize" Content-Disposition: form-data; name="mes" Content-Disposition: form-data; name="filename"; filename= Content-Type: multipart/form-data; boundary=9e8976aa1b089a
Content-Type: application/x-www-form-urlencoded
LOADXML RUN GETINFO GETFILES DELETESELF DELETECOOKIES GRABCOOKIES COPYBOFAKEYS COPYCERTS DELETEBOFAKEYS KILLWIN RESETGRABLIMITS [%s]
%s=KEYLOGGED:%s KEYSREAD:%s
[%s]
%s=KEYSREAD:%s
****GETFILE PATHS****
arc OK
arc failed
****VOLUMES LIST****
%s,Name:%s
Referer: %s
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
Accept: */*
baseurl targeturl referer 5e7e8100 e161255a StringIndex :String https:// http:// POST
All in attach.

KILLWIN command seems to erase ntldr and NTDETECT.COM since both of them are found inside readable strings.
Attachments
pass: malware
(120.73 KiB) Downloaded 71 times
 #3994  by markusg
 Tue Dec 14, 2010 8:30 pm
I saw this 2 or 3 times in the last days, so perhaps interesting for some of you.
ActiveX: {58C32624-87AC-4943-AF9F-8A89E4A2AAD5} - rundll32.exe "C:\Dokumente und Einstellungen\Tobias\Anwendungsdaten\Sun\vvurpn.dll", UnregisterDll
and entry in combofix
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{58C32624-87AC-4943-AF9F-8A89E4A2AAD5}]
2010-12-12 01:57   44032   ----a-w-   c:\dokumente und einstellungen\Tobias\Anwendungsdaten\Sun\vvurpn.dll
http://www.virustotal.com/file-scan/rep ... 1292099863
Attachments
(41.04 KiB) Downloaded 43 times
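Both posts show the same persistence trick: an HKLM Active Setup "Installed Components" subkey whose StubPath runs rundll32.exe against a DLL dropped in the user's application-data folder (podzce.dll with export DllUnrer in the first sample, vvurpn.dll with export UnregisterDll in the second). The triage script below is an added example, not code from either poster: it parses a .reg export of that key and flags StubPath values with that shape. The sample export is constructed for the example; its two CLSIDs and StubPath forms are modelled on the thread, the third entry is a made-up benign-looking one, and the list of per-user directory names used as a heuristic is my own assumption.

```python
import re

# Constructed sample .reg export of the Active Setup key, modelled on the thread.
# The first two entries copy the StubPath shape from the two posts; the third is a
# constructed benign-looking entry so the scanner has something to leave alone.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CB92D056-5802-4D2E-A0FE-59E3F5EF3598}]
"StubPath"="rundll32.exe \"C:\\Documents and Settings\\user\\Application Data\\Bitrix Security\\podzce.dll\", DllUnrer"
"Version"="4,3,6,3"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{58C32624-87AC-4943-AF9F-8A89E4A2AAD5}]
"StubPath"="rundll32.exe \"C:\\Dokumente und Einstellungen\\Tobias\\Anwendungsdaten\\Sun\\vvurpn.dll\", UnregisterDll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000BEEF}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:/UserInstall C:\\WINDOWS\\system32\\themeui.dll"
"Version"="6,0,2900,2180"
"IsInstalled"=dword:00000001
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\'
    r'(\{[0-9A-Fa-f-]+\})\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')
# '<exe> "<module>", <export>' : the rundll32 command-line shape seen in both posts
STUB_RE = re.compile(r'^\s*"?(?P<exe>[^"\s]+)"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)')
# Assumed per-user data directory names (XP English/German, Vista+ AppData, %AppData%)
USER_DATA_DIRS = ('\\application data\\', '\\anwendungsdaten\\', '\\appdata\\',
                  '\\local settings\\', '\\temp\\', '%appdata%')


def _unescape_reg_string(raw):
    # REG_SZ values in a .reg file are double-quoted and escape backslash and quote
    # with a leading backslash; undo that left to right.
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return raw


def parse_reg_export(text):
    """Return {CLSID: {value_name: value}} for every Installed Components subkey."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            entries[current] = {}
            continue
        value = VALUE_RE.match(line) if current and line else None
        if value:
            entries[current][value.group('name')] = _unescape_reg_string(value.group('raw'))
    return entries


def parse_stub_path(stub):
    """Split 'rundll32.exe "<dll>", <export>' into (exe, module, export); None if not that shape."""
    m = STUB_RE.match(stub)
    if not m:
        return None
    return (m.group('exe').rsplit('\\', 1)[-1].lower(), m.group('module').strip(), m.group('export'))


def assess_stub_path(stub):
    """Reasons a StubPath matches the thread's stealer persistence; empty list if clean."""
    parsed = parse_stub_path(stub)
    if parsed is None:
        return []
    exe, module, export = parsed
    reasons = []
    if exe == 'rundll32.exe':
        # rundll32 by itself is common in legitimate Active Setup entries; what stands
        # out is a DLL under a per-user data folder being launched from an HKLM key.
        if any(marker in module.lower() for marker in USER_DATA_DIRS):
            reasons.append('rundll32 loads %s from a user-profile data directory' % module)
            reasons.append('entry point export: %s' % export)
    return reasons


def scan_reg_export(text):
    """Scan an exported Installed Components key; one finding per suspicious CLSID."""
    findings = []
    for clsid, values in parse_reg_export(text).items():
        stub = values.get('StubPath', '')
        reasons = assess_stub_path(stub)
        if reasons:
            parsed = parse_stub_path(stub)
            findings.append({'clsid': clsid, 'stub_path': stub, 'module': parsed[1],
                             'export': parsed[2], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in scan_reg_export(SAMPLE_REG_EXPORT):
        print(finding['clsid'])
        for reason in finding['reasons']:
            print('  -', reason)
```

On a live machine the same logic applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg`; the heuristic is deliberately narrow (rundll32 plus a DLL in a profile data folder) so that the many legitimate regsvr32/rundll32 Active Setup entries under %SystemRoot% are not reported, and the export name in each finding is what you would look for next in the dropped DLL.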