[markusg]

Hi,
is Trojan.Kordeef a new one, could not find any infos.
removed 2 patched system files winlogon and explorer.exe from infected machine.
files attached.
http://www.virustotal.com/file-scan/rep ... 1292072505
http://www.virustotal.com/file-scan/rep ... 1292072830

[4everyone]

Bamital used to patch WInlogon.exe & Explorer.exe. Trojan.Kordeef looks new for me.. Lemme check whether i can find any difference between Bamital & Kordeef :)

BTB,

Bamital posts can be found here..

http://www.kernelmode.info/forum/viewto ... ital#p2095

[EP_X0FF]

Is the any kb.dll available? :)
I see it loads it on overwritten entry point (explorer.exe)

[markusg]

sorry yes

[EP_X0FF]

Sorry, but there seems to be also another file named C:\WINDOWS\system32\dll
Can you please upload it? :)

Code: Select all

BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
  void *pCode; 
  if ( fdwReason == 1 )
  {
    pCode = ReadExecutableCode("C:\\WINDOWS\\system32\\dll");
    if ( pCode )
      ((void (__thiscall *)(_DWORD))pCode)(pCode);
  }
  return 0;
}

[markusg]

ok there is an other one

[EP_X0FF]

Maybe I should be more clear regarding this http://www.kernelmode.info/forum/viewto ... 3943#p3943 :)

The code above is what exactly doing this kb.dll loaded by patched explorer.exe

kb.dll reads file named C:\WINDOWS\System32\dll and then executes it.

That's why I'm asking about this file because it can help to understand how does all this puzzle work :)

[markusg]

ok sorry. i have understand it wrong, i have at first to search this file. its not removed yet. give me a bit time

[markusg]

i found on an other pc perhaps an dropper.
it creates same dll files.

[EP_X0FF]

Yes you right, this is dropper.

Dropper VT result
http://www.virustotal.com/file-scan/rep ... 1292176900

C:'\Windows\System32\dll is payload code, encrypted by xor.

Once infected explorer.exe starts in loads kb.dll which reads C:\windows\system32\dll and then kb.dll executes it.

Infected Explorer.exe/Winlogon.exe --> C:\Windows\system32\kb.dll --> Read/Execute --> C:\Windows\System32\dll --> Decrypt/Execute --> Profit :)

New code decrypts itself in simple loop



and then executes all the rest.

String data from decrypted "dll"

15 X_if _if c h r o m e . e x e f i r e f o x . e x e o p e r a . e x e i e x p l o r e . e x e GET HTTP/1.1
Host: &version= Run Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry Flag GetUserGeoID SYSTEM\CurrentControlSet\Services\sr\Parameters
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore FirstRun DisableSR \user32.dll kb.dll k b . d l l
\updhlp.dat open -new-window <script src="http:// " type="text/javascript"></script> Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
19792079 [%subid] <d> </d> <m> </m> <e> </e> <f> </f> <j> </j> <c> </c> <u> </u> <t> </t> <p> </p> <k> </k> <b> </b> <p> </p> <k> </k> [%key] [%subid] </ul>
google.com/ Date: X55 Fut 2999 </title> <r> </r> **http%3a// User-Agent: Accept-Encoding: Content-Type: text/html GET /search GET /s? google. search.yahoo.com
bing.com ?subid= &id= .info/message.php \temp.ini \user32.dll TimeGetWork Uses32 ExitTime Ver Decode Domen Flags \admin.txt .gif .jp .png .js .ico .css .aspx /
iexplore.exe .upd & q= p= text= "> % <d> </d> <s> </s> <i> </i> &HTTP_REFERER= \ PROCESSOR_IDENTIFIER &os= &br= IE Op FF Ch &flg= &ad= &ver= \server.dat \Windows
\winhelp.exe Exists555 Explorer555 Global\EventHlpFile Global\EventHlpFile2 HlpMap555
<title> - porno yschttl spt" href="http:// <div><a href="http://rds.yahoo.com <em> </em> <a href="http:// sb_tlst"><h3><a href="http://
class="sb_ads <a href="http:// " <em> </em> 19091979 \Server HTTP/1.1 302 Moved Temporarily
Location: Connection: keep-alive
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
<html><head><script language="JavaScript">function f(){var form = document.forms["rr"];form.submit();}if(document.cookie=="")
{if (history.length!=0) document.cookie="k=1";window.onload=f;}else{document.cookie="k=1;expires=Mon, 01-Jan-2001 00:00:00 GMT";history.back();}</script></head><body><form action="http:// " method="post" name="rr"></form></body></html> 8 / <html><head></head><body><script type="text/javascript">location.href="http:// ";
</script></body></html> N0
<title> </title> <meta keyword > </head> Content-Length: Accept-Encoding: </body> </html> Host: Referer: http:// gzip sdch none HTTP/1. 200 OK _
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

decrypted stuff attached