A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #510  by __Genius__
 Thu Apr 01, 2010 8:08 am
YolrotX
written in Visual Basic 6.0
MD5 Checksum : cb702c3319a27e792b84846d3d6c61ad
Size : 61493 Bytes
Extract itself to %windir%\System32 with 3 different names : update.exe, security.exe, avg.exe
it's also open the internet explorer and tends to surf golo.com website.
Seems it also uses the following library : Microsoft Base Cryptographic Provider v1.0
usename of the author is Basic, so we can name the author Basic .
Also trying to download the following files to system32 .
Code: Select all
hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe
Code: Select all
hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe
Code: Select all
hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe
when start to executing, it's also drop a driver named "drive.sys" and "drive.sys.off" to system32\Drivers, had some rootkit behavior, while scanning with RKU it reports try to hide process update.exe .
Open a Handle to Cmd.exe .
seems, there's no hooking behavior available in this sample .
set itself as startup to the following key with 3 different entries:
Code: Select all
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
Code: Select all
\System32\avg.exe
\System32\update.exe
\System32\security.exe
easy to kill, just terminate update.exe , security.exe and globo.exe, so the malware become inactive .
vt result : Result: 6/42 (14.29%)
vt perma link :
http://www.virustotal.com/analisis/ec89 ... 1270075998
sample attached ... .
Attachments
password : Infected
(37.81 KiB) Downloaded 82 times
Last edited by __Genius__ on Thu Apr 01, 2010 10:12 am, edited 3 times in total.
 #512  by EP_X0FF
 Thu Apr 01, 2010 9:10 am
Hello,

please follow forum rules while posting, especially this part:
Malware samples and links to malware are permitted, but you must obfuscate a link (ie. hxxp://, NOT http://) and clearly show that a link is malware. This is to ensure people don't accidentally infect themselves.
I've edited your post.

BTW why it is called YolrotX?
As I see, it is detected by Kaspersky as - Backdoor.Win32.Poison.apec

Regards.
 #513  by __Genius__
 Thu Apr 01, 2010 10:02 am
Hi EP, Thanks for attention, yes I knew the rules but I forgot to obfuscate them .
yes, you're right , I found yolrotX in the strings as the original name of the executable file so I choosed this name for the topic and descriptions .
 #523  by gjf
 Fri Apr 02, 2010 9:26 am
easy to kill, just terminate update.exe , security.exe and globo.exe, so the malware become inactive .
Does these processes check themselves? I mean if I will kill "update.exe" will it be restored by "security.exe" etc?
 #528  by __Genius__
 Fri Apr 02, 2010 3:25 pm
As I analysed this malware, No, I don't know what's the reason of author to made different processes with different kind of names, but there's no process checking stuff .
Also, while checking the malware behavior, check your Content.IE5 folder, you will see some evidence of this malware :)