A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4644  by EP_X0FF
 Sat Jan 22, 2011 7:14 pm
78P8t3QI.exe is the same as hki121.exe

According to unpacked sample internals (see the attachment for unpacked hki121.exe):
83.133.119.139 f2.twothousands.cm cc.twothousands.cm 188.72.230.30 pfif.twothousands.cm ProductId Software\Microsoft\Windows\CurrentVersion %02x %u C:\ %d.%d.%d.%d exe !! 1http:// i %d %d n C %d G %d C %d Feed %d: Width: %d Height: %d Type: %d Weight; %d String Len:%d - "%s" - init size: %d "%s" ConfigInterpret: Config contains %d feeds ConfigInterpret - sanity error 2: %d %d %p %p %d %d c:\debug feedme http://%s/f.php?a=%s&b=%d&c=%d dat kernel32 %d error code %s.%d.%d.%s %d.%d.%s %d %d %d %s.f%s %s.%s Added feed at ptr %p %d %d %d %d %d-%s
%d %d %d %d %s Feed_Next fptr after sort %p Feed_Next fptr %p after coutn check count %d aptr->feeds is null, returning null %dx%d PopupMgr Software\Microsoft\Internet Explorer\New Windows GetLastInputInfo user32 8DA OK "%s" error %d %s %s ndatasize %d thedatasize %d %d error %d %s %s htm HTTP/1.1 200 OK
Content-Type: text/html
X-Powered-By: PHP/5.2.12
Content-Length: %d
~U:%s </body></html <html><head><title></title></head><body> <html><head><title></title></head><body></body></html> beforeEnd Referer: http://www.google.com
about:blank JavaScript <script src="%s"></script> = SWF? OBJECT EASClick= ;ct0= http:// <A href=" javascript mailto href A http click SCRIPT no-name %S FJiofjs FHifsoSDks HfhfioSjs JfsiJSS jIOFjejioAD HFudfjifejife FJIfjoi3r3 gjigojfd3HJ Referer: %s
%s\%s \*ad*txt %s\* %s\%s\Application Data\Macromedia\Flash Player\ Button #32770 &Yes Adobe Flash Player 9 a ShellExecuteA GetModuleHandleA GetModuleFileNameA shell32 RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351 UrlUnescapeA shlwapi CoInitialize ole32 LRC SOFTWARE\Microsoft\Direct3D Error Dlg Displayed On Every Error no DisableScriptDebuggerIE yes SOFTWARE\Microsoft\Internet Explorer\Main <IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH="%d" HEIGHT="%d" SRC="%s" tagged=YES></IFRAME> <script language="javascript" src="%s"></script> %d %d %d %d found %d wanted %d
%s NULL mimic_imp() end %d loop mimic_imp() enter
it is Troj/Agent-PZD (Sophos detection).

vnfuz.exe is autorunner
Attachments
pass: malware
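The strings dump quoted in the post mixes C2 hosts, a beacon URL format string, registry keys, a canned HTTP/1.1 response, HTML injection templates and IE-settings tampering. Below is an added example (not EP_X0FF's tooling, and not part of the sample) of a small Python triage script that sorts such a dump into indicator classes, so the network IoCs and the host-side artefacts can be pulled out for blocking and detection. The input is a constructed excerpt containing only strings that appear in the post; the category names and the file-extension exclusion list are the example's own assumptions.

```python
"""Triage a strings(1)-style dump of an unpacked sample into indicator classes.

Added example for the post above; it is not the poster's tool. The input is a
constructed excerpt made up only of strings quoted in the post.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the strings listed in the post, one per line.
SAMPLE_STRINGS = r"""
83.133.119.139
f2.twothousands.cm
cc.twothousands.cm
188.72.230.30
pfif.twothousands.cm
ProductId
Software\Microsoft\Windows\CurrentVersion
%d.%d.%d.%d
http://%s/f.php?a=%s&b=%d&c=%d
Software\Microsoft\Internet Explorer\New Windows
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.12
Referer: http://www.google.com
RunDll32.exe
InetCpl.cpl,ClearMyTracksByProcess
DisableScriptDebuggerIE
SOFTWARE\Microsoft\Internet Explorer\Main
<script language="javascript" src="%s"></script>
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Dotted name ending in an alphabetic TLD; "RunDll32.exe" also matches the
# shape, so file extensions are excluded separately (assumed list).
HOSTNAME = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
FILE_EXTENSIONS = {"exe", "dll", "cpl", "php", "htm", "html", "txt", "dat"}
HTTP_HEADER = re.compile(r"^[A-Za-z-]+: ")


def classify(s):
    """Return an indicator class for one dumped string, or None if unremarkable."""
    s = s.strip()
    if not s:
        return None
    m = IPV4.match(s)
    if m and all(0 <= int(octet) <= 255 for octet in m.groups()):
        return "c2_ip"
    if HOSTNAME.match(s) and s.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
        return "c2_host"
    # Beacon URL with printf-style placeholders, e.g. http://%s/f.php?a=%s&b=%d&c=%d
    if "http://" in s.lower() and "%" in s:
        return "url_template"
    if s.lower().startswith("software\\"):
        return "registry_key"
    # Canned server response / headers the sample emits or fakes
    if s.startswith("HTTP/1.") or HTTP_HEADER.match(s):
        return "http_template"
    if "<iframe" in s.lower() or "<script" in s.lower():
        return "html_injection"
    # IE history wipe (InetCpl.cpl,ClearMyTracksByProcess) and debugger-dialog suppression
    if "ClearMyTracksByProcess" in s or "DisableScriptDebuggerIE" in s:
        return "ie_tampering"
    return None


def triage(dump):
    """Group every classified line of the dump by indicator class, in dump order."""
    buckets = defaultdict(list)
    for line in dump.splitlines():
        label = classify(line)
        if label:
            buckets[label].append(line.strip())
    return dict(buckets)


def network_iocs(dump):
    """Sorted list of IPs and hostnames suitable for a blocklist or DNS/proxy hunt."""
    b = triage(dump)
    return sorted(b.get("c2_ip", []) + b.get("c2_host", []))


if __name__ == "__main__":
    for label, items in triage(SAMPLE_STRINGS).items():
        print(f"[{label}]")
        for item in items:
            print("   ", item)
    print("network IoCs:", network_iocs(SAMPLE_STRINGS))
```

Feeding the full dump from the post through `triage()` gives the same buckets; the `%d.%d.%d.%d` string is deliberately left unclassified because it is an IP format string, not an indicator, and `RunDll32.exe` is dropped from the host bucket by the extension check.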