A forum for reverse engineering, OS internals and malware analysis 

 #2558  by Jaxryley
 Tue Aug 31, 2010 8:45 am
Ran all three samples and grabbed what droppers I could, many of which are the same from each exploit.

Very similar to a microjoin exploit, with my Win 7 VM (32-bit) going into a reboot loop after executing converter7.
(2.73 MiB) Downloaded 52 times
 #2559  by Alex
 Tue Aug 31, 2010 8:58 am
Besides the attached files, they drop classical TDL3, Bubnix and who knows what else.
Code:
[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda that wouldn't screw to save it's species. I wanted to open the dump valves on oil tankers and smother all those french beaches I'd never see. I wanted to breathe smoke
affid=30018
subid=1
installdate=31.8.2010 7:28:3
builddate=30.8.2010 21:53:49
rnd=1935655697
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia/;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
popupservers=http://cri71ki813ck.com/
version=3.941
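The dumped configuration above is a plain INI-style file whose [tdlcmd] section carries the rootkit's command, "wsp" and popup server lists as semicolon-separated URLs. The following is an added example (not code from the thread or from any of the posters) showing how a defender can parse that config and pull the hosts out into a deduplicated blocklist, splitting IP literals from domains. The config text is embedded from the post above (the quote line is shortened); the parser and the field names it returns (`roles`, `ips`, `domains`) are this example's own.

```python
import re
from urllib.parse import urlparse

# TDL3/TDLCmd config as posted above, embedded for offline use.
# The "quote" line is shortened; everything else is verbatim.
TDL_CFG = """[main]
version=3.273
quote=I felt like putting a bullet between the eyes of every panda...
affid=30018
subid=1
installdate=31.8.2010 7:28:3
builddate=30.8.2010 21:53:49
rnd=1935655697
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://68b6b6b6.com/;https://61.61.20.132/;https://34jh7alm94.asia/;https://61.61.20.135/;https://nyewrika.in/;https://rukkieanno.in/
wspservers=http://lk01ha71gg1.cc/;http://zl091kha644.com/;http://a74232357.cn/;http://a76956922.cn/;http://91jjak4555j.com/
popupservers=http://cri71ki813ck.com/
version=3.941
"""

# The three keys the malware uses for its server lists (taken from the dump).
SERVER_KEYS = ('servers', 'wspservers', 'popupservers')
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def parse_ini(text):
    """Minimal INI parser -> {section: {key: value}}.
    Splits on the first '=' only, because values (the quote line, URLs with
    query strings) may themselves contain '='. Keys such as '*' are kept as-is."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.split('=', 1)
        sections[current][key.strip()] = value.strip()
    return sections


def extract_hosts(cfg):
    """Return {role: [hostname, ...]} for each server list in [tdlcmd].
    urlparse() is used so that scheme, path and port are dropped cleanly."""
    tdlcmd = cfg.get('tdlcmd', {})
    by_role = {}
    for key in SERVER_KEYS:
        hosts = []
        for url in filter(None, tdlcmd.get(key, '').split(';')):
            host = urlparse(url).hostname
            if host:
                hosts.append(host)
        by_role[key] = hosts
    return by_role


def summarize(text=TDL_CFG):
    """Build a small indicator summary: campaign ids, versions, injected
    module, hosts per role, and a deduplicated IP / domain blocklist."""
    cfg = parse_ini(text)
    roles = extract_hosts(cfg)
    all_hosts = sorted({h for hs in roles.values() for h in hs})
    return {
        'affid': cfg['main'].get('affid'),
        'subid': cfg['main'].get('subid'),
        'main_version': cfg['main'].get('version'),
        'tdlcmd_version': cfg['tdlcmd'].get('version'),
        'injected_module': cfg.get('injector', {}).get('*'),
        'roles': roles,
        'ips': [h for h in all_hosts if IPV4_RE.match(h)],
        'domains': [h for h in all_hosts if not IPV4_RE.match(h)],
    }


if __name__ == '__main__':
    s = summarize()
    print('affid/subid:', s['affid'], s['subid'])
    print('versions:', s['main_version'], s['tdlcmd_version'])
    for role, hosts in s['roles'].items():
        print(f'{role}: {len(hosts)} host(s)')
    print('IPs:', ', '.join(s['ips']))
    print('domains:', ', '.join(s['domains']))
```

The affid/subid pair is what the affiliate (pay-per-install) accounting keys on, so it is worth recording alongside the hosts when comparing samples from different droppers in the same bundle.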
 #2560  by Jaxryley
 Tue Aug 31, 2010 9:53 am
Thanks for checking Alex.

Ran npwsmswaj.exe which dropped an ndis.sys and also started some sound files.

The sound files are interesting, as I have heard of people getting hit with what sounds like radio ads, which may relate to a bootkit?

npwsmswaj.exe - 6/43 - MS TrojanDownloader:Win32/Cutwail.BC
http://www.virustotal.com/file-scan/rep ... 1283244807

ndis.sys - 34/43 - MS VirTool:WinNT/Cutwail.L
http://www.virustotal.com/file-scan/rep ... 1283247821

Sound file included.
(194.64 KiB) Downloaded 57 times
 #2562  by nullptr
 Tue Aug 31, 2010 12:48 pm
HKCU:Run Qcosuruli rundll32.exe "C:\WINDOWS\majseaz.dll",Startup
HKCU:Run ewfkiphm C:\Documents and Settings\nullptr\ewfkiphm.exe
HKCU:RunOnce 236782 "C:\DOCUME~1\nullptr\LOCALS~1\APPLIC~1\236782.exe" 0 26
HKCU:RunOnce 35372425 "C:\DOCUME~1\nullptr\LOCALS~1\APPLIC~1\35372425.exe" 0 37
HKLM:Run lsdefrag C:\DOCUME~1\nullptr\LOCALS~1\Temp\dp.exe
HKLM:Run ewrgetuj C:\DOCUME~1\nullptr\LOCALS~1\Temp\geurge.exe

_tbp.exe - Hiloti - http://www.virustotal.com/file-scan/rep ... 1283251370
236782.exe - Win32.SecurityTool - http://www.virustotal.com/file-scan/rep ... 1283251767
682085.exe - http://www.virustotal.com/file-scan/rep ... 1283251892
dp.exe - http://www.virustotal.com/file-scan/rep ... 1282818493
geurge.exe - http://www.virustotal.com/file-scan/rep ... 1283252278
majseaz.dll - http://www.virustotal.com/file-scan/rep ... 1283252529
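The autorun entries listed above share the traits analysts usually key on when triaging a Run/RunOnce dump: executables launched from Temp or Local Settings\Application Data, a binary sitting directly in the profile root, rundll32 loading a DLL from outside system32, and purely numeric value names. The following is an added example (not code from the thread or from nullptr) that parses a listing in that `HIVE:Key Name Command` form and applies those heuristics. The six entries are taken from the post above; the ctfmon line is a constructed benign entry so the rules have something they must not flag. The rule set and its thresholds are this example's own assumptions, not a published detection standard.

```python
import re

# Autorun listing as posted above, plus one constructed benign entry
# (HKLM:Run ctfmon.exe ...) that a sane rule set must leave unflagged.
AUTORUNS = r"""
HKCU:Run Qcosuruli rundll32.exe "C:\WINDOWS\majseaz.dll",Startup
HKCU:Run ewfkiphm C:\Documents and Settings\nullptr\ewfkiphm.exe
HKCU:RunOnce 236782 "C:\DOCUME~1\nullptr\LOCALS~1\APPLIC~1\236782.exe" 0 26
HKCU:RunOnce 35372425 "C:\DOCUME~1\nullptr\LOCALS~1\APPLIC~1\35372425.exe" 0 37
HKLM:Run lsdefrag C:\DOCUME~1\nullptr\LOCALS~1\Temp\dp.exe
HKLM:Run ewrgetuj C:\DOCUME~1\nullptr\LOCALS~1\Temp\geurge.exe
HKLM:Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
""".strip()

# Either a quoted path, or an unquoted path up to the first executable
# extension (unquoted paths with spaces are common in these dumps).
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|scr|com))(?=\s|$)', re.I)
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)
# Directory markers, long and 8.3 short forms, that an unprivileged user can write to.
USER_WRITABLE = ('\\temp\\', '\\locals~1\\', '\\local settings\\',
                 '\\applic~1\\', '\\application data\\')
# A file directly inside C:\Documents and Settings\<user>\ (or the 8.3 form).
PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\(documents and settings|docume~1)\\[^\\]+\\[^\\]+$')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\winnt\\system32\\')


def parse_entry(line):
    """'HKCU:Run Name command...' -> dict with hive, key, name, command."""
    hive_key, name, command = line.split(None, 2)
    hive, key = hive_key.split(':', 1)
    return {'hive': hive, 'key': key, 'name': name, 'command': command}


def image_path(command):
    """Path of the program the entry launches."""
    m = EXE_RE.match(command)
    if not m:
        return command.split()[0]
    return m.group(1) or m.group(2)


def triage(entry):
    """Return the list of reasons this entry looks suspicious (empty = clean)."""
    reasons = []
    path = image_path(entry['command']).lower()
    if entry['name'].isdigit():
        reasons.append('numeric-only value name')
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append('launches from temp/application-data directory')
    if PROFILE_ROOT_RE.match(path):
        reasons.append('launches from user profile root')
    if path.rsplit('\\', 1)[-1] == 'rundll32.exe':
        m = DLL_RE.search(entry['command'])
        if m:
            dll = (m.group(1) or m.group(2)).lower()
            if not any(d in dll for d in SYSTEM_DIRS):
                reasons.append('rundll32 loads DLL outside system32: ' + dll)
    return reasons


def run_triage(listing=AUTORUNS):
    """Return [(entry, reasons)] for every non-empty line of the listing."""
    results = []
    for line in listing.splitlines():
        if line.strip():
            entry = parse_entry(line)
            results.append((entry, triage(entry)))
    return results


def flagged_names(listing=AUTORUNS):
    """Value names of the entries that tripped at least one rule."""
    return [e['name'] for e, reasons in run_triage(listing) if reasons]


if __name__ == '__main__':
    for entry, reasons in run_triage():
        status = 'FLAG ' if reasons else 'ok   '
        print(f"{status}{entry['hive']}\\{entry['key']}\\{entry['name']}: "
              f"{'; '.join(reasons) or 'no rule hit'}")
```

The rules deliberately stay path-based so they survive renamed binaries; a hash lookup (as in the VirusTotal links above) is the natural second stage once the entries are flagged.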
 #2563  by NOP
 Tue Aug 31, 2010 1:09 pm
This is a huge bundle of PPI samples. EuroPays, InstallConvertor and Earning4U to name just a few. Bad luck to whoever executes this lot. :cry: