Re: Trojan.Win32.Tdss.beea
Posted: Wed Jun 09, 2010 10:25 am
Thanks for checking EP_X0FF :)
A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/
hxxp://scanner-programming.com:81/download.php?q=8a5352b31d85a47aff904528c976af86&affid=402&subid=landingFakeAV - Mal/TDSSPack-Q - Result: 9/41 (21.96%)
FILE ADDED! C:\Documents and Settings\All Users\Favorites\_favdata.dat
FILE ADDED! C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Desktop\Protection Center Support.lnk
FILE ADDED! C:\Documents and Settings\Username\Desktop\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\4otjesjty.mof
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\8017.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\ac2b.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd2.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd3.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\asd3.tmp.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\b657.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\bc3f.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\c0bf.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\cnt.dat
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\cntr.dat
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\dhdhtrdhdrtr5y
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\kernel64xp.dll
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\mscdexnt.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\PRAGMA152e.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\PRAGMA1ca7.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\TMP1967.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\tmp5220.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\tmp7E40.tmp
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\topwesitjh
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temp\wscsvc32.exe
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5\8DM3QHO7\402-direct[1].ex
FILE ADDED! C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5\8DM3QHO7\readdatagateway[1].htm
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center <- dir
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\About.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Activate.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Buy.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Protection Center Support.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Protection Center.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Scan.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Settings.lnk
FILE ADDED! C:\Documents and Settings\Username\Start Menu\Programs\Protection Center\Update.lnk
FILE ADDED! C:\Program Files\Protection Center <- dir
FILE ADDED! C:\Program Files\Protection Center\about.ico
FILE ADDED! C:\Program Files\Protection Center\activate.ico
FILE ADDED! C:\Program Files\Protection Center\buy.ico
FILE ADDED! C:\Program Files\Protection Center\cnt.db
FILE ADDED! C:\Program Files\Protection Center\cntext.dll
FILE ADDED! C:\Program Files\Protection Center\cnthook.dll
FILE ADDED! C:\Program Files\Protection Center\cntprot.exe
FILE ADDED! C:\Program Files\Protection Center\help.ico
FILE ADDED! C:\Program Files\Protection Center\scan.ico
FILE ADDED! C:\Program Files\Protection Center\settings.ico
FILE ADDED! C:\Program Files\Protection Center\splash.mp3
FILE ADDED! C:\Program Files\Protection Center\Uninstall.exe
FILE ADDED! C:\Program Files\Protection Center\update.ico
FILE ADDED! C:\Documents and Settings\username\Desktop\Sysinternals Antivirus.lnk
FILE ADDED! C:\Documents and Settings\username\Local Settings\Temp\Perflib_Perfdata_5e8.dat
FILE ADDED! C:\Documents and Settings\username\Local Settings\Temp\win1.tmp
FILE ADDED! C:\Documents and Settings\username\Start Menu\Programs\Sysinternals Antivirus <- dir
FILE ADDED! C:\Documents and Settings\username\Start Menu\Programs\Sysinternals Antivirus\Sysinternals Antivirus.lnk
FILE ADDED! C:\Program Files\adc_w32.dll
FILE ADDED! C:\Program Files\alggui.exe
FILE ADDED! C:\Program Files\skynet.dat
FILE ADDED! C:\Program Files\svchost.exe
FILE ADDED! C:\Program Files\Sysinternals Antivirus <- dir
FILE ADDED! C:\Program Files\Sysinternals Antivirus\Sysinternals Antivirus.exe
FILE ADDED! C:\Program Files\wp3.dat
FILE ADDED! C:\Program Files\wp4.dat
FILE ADDED! C:\WINDOWS\Prefetch\PC_PROTECT.EXE-07A7C79B.pf
FILE ADDED! C:\WINDOWS\Prefetch\SVCHOST.EXE-30F98231.pf
FILE ADDED! C:\WINDOWS\Prefetch\SYSINTERNALS ANTIVIRUS.EXE-25B10B06.pf
93.190.139.212GUI
91.207.192.25
93.190.139.215
217.23.5.57
74.55.47.101
[Info]Contains
Count=23
[Data]
SignName0=Trojan-IM.Win32.Faker.a
SignName1=Virus.Win32.Faker.a
SignName2=Trojan-PSW.BAT.Cunter
SignName3=Trojan-PSW.VBS.Half
SignName4=Trojan-PSW.Win32.Antigen.a
SignName5=Trojan-PSW.Win32.Delf.d
SignName6=Trojan-PSW.Win32.Dripper
SignName7=Trojan-PSW.Win32.Fantast
SignName8=Trojan-PSW.Win32.Hooker
SignName9=Trojan-SMS.J2ME.RedBrowser.a
SignName10=Trojan-Spy.Win32.WMPatch
SignName11=Trojan.BAT.AnitV.a
SignName12=Trojan-Spy.HTML.Bankfraud.ix
SignName13=Trojan-Spy.HTML.Bankfraud.ra
SignName14=Trojan-Spy.HTML.Bayfraud.hn
SignName15=Trojan-Spy.HTML.Citifraud
SignName16=Trojan-Spy.HTML.Sunfraud.a
SignName17=Trojan-Spy.HTML.Paypal.hn
SignName18=BAT.Looper
SignName19=Virus.BAT.Gray.705
SignName20=Virus.BAT.IBBM.ClsV
SignName21=Packed.Win32.PolyCrypt
SignName22=SpamTool.Win32.Delf.h
and more interesting strings.
#pragma namespace("\\\\.\\root\\SecurityCenter")
#pragma deleteclass("AntiVirusProduct", NOFAIL)
#pragma deleteclass("FirewallProduct", NOFAIL)
Detailed report of suspicious malware actions:
Created process: (null),"C:\Program Files\Sandboxie\SandboxieRpcSs.exe",(null)
Created process: (null),C:\Program Files\AVGT\antivirusGT.exe ,(null)
Created process: C:\Windows\system32\cmd.exe,"C:\Windows\system32\cmd.exe" /c del C:\Users\ADMINI~1\Desktop\AV7WIN~1.EXE > nul,C:\Users\Administrator\Desktop
Defined file type created: C:\Program Files\AVGT\antivirusGT.exe
Defined file type created: C:\Users\Administrator\AppData\AppData\Local\Temp\MicrosoftExtensions.dll
Defined file type created: C:\Users\Administrator\AppData\Desktop\AV7win_2004_b6.exe
Defined file type modified or overwritten: C:\Program Files\Mozilla Firefox\greprefs\all.js
Defined registry AutoStart location added or modified: machine\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = \??\C:\Program Files\AVGT\..ORSF0W\??\C:\Program Files\AVGT\...6PAXFH\??\C:\Users\Administrator\AppData\Local\Temp\MicrosoftExtensions.dll.IVAGEA
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\AVGT = C:\Program Files\AVGT\antivirusGT.exe
Detected backdoor listening on port: 0
Detected keylogger functionality
Detected process privilege elevation
Enumerated running processes
Internet connection: C:\Users\Administrator\Desktop\AV7win_2004_b6.exe Connects to "62.122.75.137" on port 80 (TCP - HTTP).
Internet connection: C:\Users\Administrator\Desktop\AV7win_2004_b6.exe Connects to "83.133.120.94" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: Csc
Opened a service named: CscService
Opened a service named: rasman
Opened a service named: Sens
Query DNS: adobe.com
Query DNS: downloadcentertoday.com
Query DNS: oddfunctions.com
Query DNS: adobe.com
Risk evaluation result: High
FILE ADDED! C:\Documents and Settings\USERNAME\Local Settings\History\History.IE5\MSHist012010071520100716 <- dir
FILE ADDED! C:\Documents and Settings\USERNAME\Local Settings\History\History.IE5\MSHist012010071520100716\index.dat
REG ADDED! HKLM SOFTWARE\AVSolution
REG ADDED! HKLM SOFTWARE\AVSuitE
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSuitE
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:MKMB1caLYCvaYvwI37gmWMr69uszZMBRAj2bjdmPtE/zmo4HY8AlosH/X6ovlsh59mkyWjOtO1n8d00lKx54N4IADMPaJkrlp0IMCKvs/TM=
REG ADDED! HKLM SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum 0 "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum Count int:1
REG ADDED! HKLM SYSTEM\ControlSet001\Services\kmixer\Enum NextInstance int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum 0 "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum Count int:1
REG ADDED! HKLM SYSTEM\CurrentControlSet\Services\kmixer\Enum NextInstance int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\SessionInformation ProgramCount int:2
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution aazalirt int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution dkekkrkska int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution dkewiizkjdks int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution id "75.3"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution iddqdops int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ienotas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution iqmcnoeqz int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution irprokwks int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jikglond int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jiklagka int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jrjakdsd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution jungertab int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kitiiwhaas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kkwknrbsggeg int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution klopnidret int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution knkd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krkdkdkee int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krkmahejdk int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krtawefg int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution krujmmwlrra int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ktknamwerr int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution kuruhccdsdd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ooorjaas int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution oranerkka int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution oropbbsee int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otnnbektre int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otowjdseww int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution otpeppggq int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ready int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution rkaskssd int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution ronitfst int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution salrtybek int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution seeukluba int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution skaaanret int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution tobmygers int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution tobykke int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\AVSolution zibaglertz int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter Enabled int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU bin:OwAAADECAADAtkHfOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Ira\Qrfxgbc\kqgjhhhgffq.rkr bin:OwAAAAYAAADAtkHfOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_HVFPHG bin:OwAAAMoAAADgIj3fOiTLAQ==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable int:1
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyOverride "<local>"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http=127.0.0.1:5643"
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheLimit int:8192
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheOptions int:11
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CachePath exp:%USERPROFILE%\Local Settings\History\History.IE5\MSHist012010071520100716\
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CachePrefix ":2010071520100716: "
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012010071520100716 CacheRepair int:0
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings bin:PAAAAAMAAAADAAAAEwAAAGh0dHA9MTI3LjAuMC4xOjU2NDMHAAAAPGxvY2FsPgAAAAAEAAAAAAAAAKBqdVYVWcgBAQAAAMCoAWsAAAAAAAAAAA==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings bin:PAAAAEAAAAADAAAAEwAAAGh0dHA9MTI3LjAuMC4xOjU2NDMHAAAAPGxvY2FsPgAAAAAEAAAAAAAAAKBqdVYVWcgBAQAAAMCoAWsAAAAAAAAAAA==
REG ADDED! HKU S-1-5-21-1454471165-1935655697-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Documents and Settings\USERNAME\Desktop\xdtwuuutssd.exe "xdtwuuutssd"