[p4r4n0id]

Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id

[dcmorton]

Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id

Well here's the best I can do with an incredibly vague request IMO. Might be what you're looking for, might not be

Google is your friend btw.. I went from vague name "Andromeda bot" to actual name "Worm:Win32/Gamarue.A/B" to VirusTotal result with MD5 to finding a sample of the MD5 using nothing but Google.

Thanks to Kobayashi from vxheavens for the sample as well

Edit:
The sample in the attach is Gamarue.B. MD5 for a Gamarue.A sample is 4a64dd57fbfe0acdf700709b38bd8e69

[p4r4n0id]

Hi dcmorton,

First thx for your fast replay and sorry for the vague request.

I will try to explain my self better :)

Andromeda is a bot (AFAIK it is similar to Zeus and Spyeye, also a modularized program which can be functionally developed and supported using plug-ins.) that one of his final payloads is the sample you have sent me.

http://www.maikmorgenstern.de/wordpress/?tag=botnets

Check the attached SC - the bot webpanel.

1.JPG (20.69 KiB) Viewed 2448 times

BTW, I think I have heard about google somewhere :) - he returned nothing interesting regarding this sample.

Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id

Well here's the best I can do with an incredibly vague request IMO. Might be what you're looking for, might not be

Google is your friend btw.. I went from vague name "Andromeda bot" to actual name "Worm:Win32/Gamarue.A/B" to VirusTotal result with MD5 to finding a sample of the MD5 using nothing but Google.

Thanks to Kobayashi from vxheavens for the sample as well

Edit:
The sample in the attach is Gamarue.B. MD5 for a Gamarue.A sample is 4a64dd57fbfe0acdf700709b38bd8e69

[leeno]

Request for sample

Andromeda bot
for details : http://cyb3rsleuth.blogspot.in/2012/02/ ... a-bot.html

[Xylitol]

https://www.virustotal.com/file/a28a819 ... 338038745/

[hx1997]

Hi,

is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22

[thisisu]

Pretty sure this is another one.
MD5: 1592ea251ea1a81244f4487276506f8f
https://www.virustotal.com/file/3f57a21 ... /analysis/
Some notes I was able to gather:

Creates a bad value under this key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Value = SunJavaUpdateSched
File path = c:\documents and settings\all users\svchost.exe (same MD5)
Opens this port: 53382
Interesting string from process (no clue what it means)

Code: Select all

hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst

[rkhunter]

Gamarue/Andromeda from my collection.

Worm:Win32/Gamarue.B
MD5: b2a537545dafd9d32c92c38d6091afb4

Worm:Win32/Gamarue.F
MD5: 3eb121fa5647244a8ee15870348aa782
MD5: b07f32cf40a39272d5e0bd597ee11be8
MD5: e13578369bc48a3fbda95335a337cd20
MD5: 6482dfa77d942a2506bb72f2b0edf2d4
MD5: bad248a697c9530b26062ab7ecbfa2ec
MD5: d54c067b972f9ba284bd52d659911b3c
MD5: e0c057d0973841cbbbb739426f2ea572

[EP_X0FF]

Hi,

is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22

Yes, Gamarue.F variant, written on assembler.

hxxp://smoxserv10.in/smox3/image.php
hxxp://smoxserv20.in/smox5/image.php
hxxp://smoxserv30.in/smox7/image.php
hxxp://smoxserv40.in/smox9/image.php
hxxp://smoxserv50.in/smox9/image.php
hxxp://smoxserv60.in/smox11/image.php

%ALLUSERSPROFILE%\svchost.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Run SunJavaUpdateSched

Payload injected into zombified wuauclt.exe process.

[rkhunter]

Worm:Win32/Gamarue.F
MD5: 3eb121fa5647244a8ee15870348aa782

Copies itself to

Code: Select all

C:\Documents and Settings\All Users\Local Settings\Temp\msdubmn.bat

Runs from

Code: Select all

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\XXXX

Starts wuauclt.exe and patches it in memory, after it, died.
Sets special permissions for Run key for complicates deletion. After permissions was changed, it deletes fine.