A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2526  by fatdcuk
 Mon Aug 30, 2010 4:33 pm
Not had chance to run deeper analysis so unknown vintage/family.

Attached is recovered driver + file I believe downloaded it :)

Downloader>>>
http://www.virustotal.com/file-scan/rep ... 1283061408
.sys file>>>
http://www.virustotal.com/file-scan/rep ... 1281542208
Attachments
 #2528  by xqrzd
 Mon Aug 30, 2010 5:54 pm
I was unable to get it to load a driver. All it did was drop 1.tmp into C:\Windows\System32\Spool\prtprocs\w32x86, and then load it into spoolsv.exe, then it had spoolsv.exe add the original dropper to the registry startup list. Maybe it detected my VM?
Here is 1.tmp. It is almost exactly the same as the dropper.
Attachments
password is infected
 #2536  by Alex
 Mon Aug 30, 2010 8:20 pm
Thanks for this sample fatdcuk.

Here are a few screenshots from some tools (driver loaded under VMware 6.5):

Hidden driver with replaced ObjectType: [screenshot]

Attached device: [screenshot]

Hooked object type procedures: [screenshot]

System threads: [screenshot]

Hooked IRP handlers of the Beep driver: [screenshot]

I'm not sure that all modifications were made by this driver, because I tested other malware using this snapshot...

Alex
 #2564  by NOP
 Tue Aug 31, 2010 1:27 pm
xqrzd wrote: Maybe it detected my VM?
It can detect VMs.
Code:
VIRTUALBOX..VideoBiosVersion....HARDWARE\DESCRIPTION\System.\\.\PhysicalDrive%d.VIRTUAL.VBOX....VMWARE..QEMU
It also tries to detect Sandboxie, CWSandbox (which always loads pstorec.dll) and Wireshark.
Code:
SbieDll.dll.pstorec.dll.wireshark.exe
Attachments
Password: infected
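The environment checks that NOP's strings point to, as an added example that is not part of the original thread or of the sample: a Python emulation of the checks, run against constructed host profiles. How the binary actually combines these strings is an assumption reconstructed from the strings alone (case-insensitive substring matching of the VM markers against the VideoBiosVersion value under HARDWARE\DESCRIPTION\System and against the model string of each \\.\PhysicalDrive%d, plus name lookups for the listed modules and process). The profile values are constructed, not captured from any machine, and nothing here queries a live system.

```python
"""Emulation of the VM / sandbox checks implied by the strings in NOP's post.

Added example, not code from the sample or from the forum thread. The matching
logic (substring, case-insensitive; exact name lookup for modules/processes)
is an ASSUMPTION reconstructed from the strings alone. All profile data below
is constructed; nothing here touches the running OS.
"""
from dataclasses import dataclass

# Strings recovered from the binary (from the post), grouped by the check
# they most plausibly belong to.
VM_MARKERS = ("VIRTUALBOX", "VIRTUAL", "VBOX", "VMWARE", "QEMU")
REG_KEY = r"HARDWARE\DESCRIPTION\System"
REG_VALUE = "VideoBiosVersion"
PHYSDRIVE_FMT = r"\\.\PhysicalDrive%d"
SANDBOX_MODULES = {"sbiedll.dll": "Sandboxie", "pstorec.dll": "CWSandbox"}
ANALYSIS_PROCESSES = {"wireshark.exe": "Wireshark"}


@dataclass
class HostProfile:
    """Everything the checks read, as a sandbox operator would see it."""
    video_bios_version: str           # HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    physical_drive_models: list[str]  # model string per \\.\PhysicalDrive%d, in order
    loaded_modules: list[str]         # modules mapped into the malware's own process
    running_processes: list[str]      # process image names visible on the host


def vm_hits(profile):
    """Return (source, marker) pairs where a VM marker string was found."""
    hits = []
    sources = [(f"{REG_KEY}\\{REG_VALUE}", profile.video_bios_version)]
    sources += [(PHYSDRIVE_FMT % i, model)
                for i, model in enumerate(profile.physical_drive_models)]
    for where, text in sources:
        upper = text.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits.append((where, marker))
                break  # one marker per source is enough to trip the check
    return hits


def sandbox_hits(profile):
    """Return (kind, name, tool) triples for known analysis-tool artifacts."""
    hits = []
    for mod in profile.loaded_modules:
        name = mod.rsplit("\\", 1)[-1].lower()   # path -> bare file name
        if name in SANDBOX_MODULES:
            hits.append(("module", name, SANDBOX_MODULES[name]))
    for proc in profile.running_processes:
        name = proc.lower()
        if name in ANALYSIS_PROCESSES:
            hits.append(("process", name, ANALYSIS_PROCESSES[name]))
    return hits


def would_bail(profile):
    """True if any check fires, i.e. the sample would likely refuse to run."""
    return bool(vm_hits(profile) or sandbox_hits(profile))


# Constructed profiles (assumed values, not captured from real machines).
STOCK_VMWARE = HostProfile(
    video_bios_version="VMware SVGA II",
    physical_drive_models=["VMware Virtual disk"],
    loaded_modules=[r"C:\Windows\System32\kernel32.dll"],
    running_processes=["explorer.exe", "wireshark.exe"],
)
SANDBOXIE_BOX = HostProfile(
    video_bios_version="Phoenix BIOS 4.0",
    physical_drive_models=["ST500DM002-1BD142"],
    loaded_modules=[r"C:\Windows\System32\ntdll.dll",
                    r"C:\Program Files\Sandboxie\SbieDll.dll"],
    running_processes=["explorer.exe"],
)
HARDENED = HostProfile(
    video_bios_version="Phoenix BIOS 4.0",
    physical_drive_models=["ST500DM002-1BD142"],
    loaded_modules=[r"C:\Windows\System32\ntdll.dll"],
    running_processes=["explorer.exe"],
)

if __name__ == "__main__":
    for label, prof in (("stock VMware", STOCK_VMWARE),
                        ("Sandboxie", SANDBOXIE_BOX),
                        ("hardened", HARDENED)):
        print(label, "-> bails:", would_bail(prof),
              vm_hits(prof), sandbox_hits(prof))
```

Feeding a sandbox's real VideoBiosVersion, disk model strings, module list and process list into `would_bail` shows which artifact would trip this sample; the `HARDENED` profile illustrates the minimum that has to change (video BIOS string, disk model, no SbieDll.dll/pstorec.dll mapped, no wireshark.exe visible). Because the real binary may only compare some markers against some sources, treat the emulation as a checklist derived from the strings, not as a faithful reimplementation of its control flow.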