A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #247  by EP_X0FF
 Tue Mar 16, 2010 6:51 pm
Dropper packed with UPX.

Installs rootkit driver aec<random chars>.sys into system3\drivers folder (some social engineering to fool users because of legitimate aec.sys present in Windows installation).
In my case rootkit driver was named aecq.sys.

Inside driver contains payload dll to be injected into address space from kernel mode.
Set's CreateProcess notification callback (see MSDN PsSetCreateProcessNotifyRoutine)

Registry and file is not hidden. Again to fool users rootkit driver has Version Info block (InternalName: "Kernel Driver").
Rootkit does not survived after regedit attack.

According to rootkit driver internals payload code injected into services.exe and explorer.exe

below is dump of readable strings from user mode part
vip888.eu hronomail.com DnsQuery_A DnsRecordListFree ntdll.dll NtDelayExecution GetVolumeInformationA VirtualFree VirtualAlloc
Sleep CloseHandle ExitThread CreateThread WSAIoctl select htons gethostbyname WSAStartup shutdown connect closesocket socket send
recv dnsapi.dll kernel32.dll ws2_32.dll GetProcAddress LoadLibraryExA D:\ C:\ yahoo.com gmail.com
Proxy-Connection: :// HTTP/1.0 500 Internal Server Error
Content-Length: 25
500 Internal Server Error HTTP/1.0 502 Bad Gateway
Content-Length: 15
502 Bad Gateway HTTP/1.0 400 Bad Request
Content-Length: 15
400 Bad Request HTTP/1.1 200 OK
http://www.virustotal.com/analisis/4c74 ... 1268764475


pass: malware
(32.14 KiB) Downloaded 97 times