A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11347  by R136a1
 Mon Jan 30, 2012 3:05 pm
Hey there,

if you read the subsequent blogpost you will learn about the current MIDI exploit used by some chinese malware writers:

Malware Leveraging MIDI Remote Code Execution Vulnerability Found:
http://blog.trendmicro.com/malware-leve ... ity-found/

Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability:
http://www.securityfocus.com/bid/51292/info

Site with MIDI exploit (be careful!):
hxxp://images.c2bshop.com/mp.html

Loads the following file if exploit successful:
hxxp://images.c2bshop.com/tdc.exe

This in turn loads two other components:
hxxp://file.tellmegirl.com/20120113.exe -> rootkit component
hxxp://file.tellmegirl.com/20120113.jpg -> configuration file
Attachments
MIDI file + downloader + components
pw: infected

(170.71 KiB) Downloaded 47 times
 #11351  by EP_X0FF
 Mon Jan 30, 2012 3:47 pm
Hello,

links to malware sites must be obfuscated without exception, your post has been edited.
hxxp://file.tellmegirl.com/20120113.exe -> rootkit component
What it exactly doing?
Can you attach both drivers mentioned in article?

for all who interested decryption xor key for dropper is 0xa2 (ignoring nulls of course)

Thanks.
 #11353  by kmd
 Mon Jan 30, 2012 5:39 pm
how did it survives reboot? system infected for sure after dropper start for example rku gives alert about remote thread
i cant find any traces in registry, no hooks found
 #11354  by EP_X0FF
 Mon Jan 30, 2012 5:44 pm
kmd wrote:how did it survives reboot? system infected for sure after dropper start for example rku gives alert about remote thread
i cant find any traces in registry, no hooks found
It patches imm32.dll entry point to load malicious code copy saved on disk as d3dx9_09.dll (25 Mb to avoid uploading to online scanners)
 #11355  by R136a1
 Mon Jan 30, 2012 5:47 pm
I did a mistake:
20120113.exe doesn't contain any rootkit capabilities as you probably already noticed. This is the credentials stealer "related to certain Korean online game sites."

The dropper (tdc.exe) contains the rootkit. Unfortunately I am not able to decrypt this file. As you already mentioned the XOR key is "0xA2", but the file does contain another state of obfuscation (to many 0-bytes, so it seems to be crippled).

Anyway the decrypted dropper can be found here:
https://www.virustotal.com/file/cab7cd4 ... /analysis/

And com32.sys driver here:
https://www.virustotal.com/file/90142be ... /analysis/

Maybe someone has access to virustotal files.
 #11356  by EP_X0FF
 Mon Jan 30, 2012 6:06 pm
Seems this piece of crap is not really impressive
Probably this rootkit part is simple driver agent.

hxxp://hummingbird.tistory.com/3544