Tuts 4 You

Posted (edited)

hey

Found this on my USB, so I am guessing it's not a very dangerous virus.

I have sent it to any online AV checkers simply because I am not bothered.

If anyone wants to practise, I have zipped the unedited binaries.

Password: infected

usb_malware_sample.rar

Edited by GEEK
  • 2 weeks later...
Posted

Has anyone analyzed this malware?

  • 3 weeks later...
Posted

Working on it -- just started reverse engineering, so I'm a bit new.

Posted

Yeah, I'd suggest running it in a VM. It's pretty heavy.

Posted

recycler.exe

autorun.exe

These two look like the same old "new folder.exe".

  • Like 1
  • 1 month later...
Posted

Another one, but it's basically a script; the autorun.inf is interesting, though.

pass: donttouch

  • 3 weeks later...
Posted (edited)

@hackerbit: Here you go:

Process injected! PID: 3328

PID: 3328, All hooks are now in place!

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x004A2095: GetKeyboardState()

PID: 3328, -- Keylogging attempt detected!

PID: 3328, 0x004A20E6: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025BB28

PID: 3328, 0x004A1E57: CreateFileA(file: C:\WINDOWS\system32\drivers\ntfs.sys, OPEN_EXISTING)

PID: 3328, -- CreateFileA result - fHandle: 00000730

PID: 3328, 0x4F444E49: ReadFile(file: C:\WINDOWS\system32\drivers\ntfs.sys, tHandle: 00000730, numBytes: 0x0008C600)

PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL

PID: 3328, 0x77E84B92: CreateFileW(file: \\.\PIPE\lsarpc, OPEN_EXISTING)

PID: 3328, -- CreateFileW result - fHandle: 0000071C

PID: 3328, 0x004A12E0: AdjustTokenPrivileges()

PID: 3328, 0x004A19F6: CreateFileA(file: C:\WINDOWS\system32\drivers\klif.sys, CREATE_ALWAYS)

PID: 3328, -- CreateFileA result - fHandle: 0000071C

PID: 3328, 0x004A1A13: WriteFile(tHandle: 0000071C)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ntdll.dll, flags: 00000000)

PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS

PID: 3328, 0x004A13E9: RegSetValueExA(keyHandle: 0000071C, valueName: Type, data: ) -> SUCCESS

PID: 3328, 0x004A13FD: RegSetValueExA(keyHandle: 0000071C, valueName: ErrorControl, data: ) -> SUCCESS

PID: 3328, 0x004A1411: RegSetValueExA(keyHandle: 0000071C, valueName: Start, data: ) -> SUCCESS

PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS

PID: 3328, 0x004A14C7: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Enum) -> SUCCESS

PID: 3328, 0x004A14EC: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Security) -> FAIL

PID: 3328, 0x004A1511: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS

PID: 3328, 0x004A1A3D: DeleteFileA(file: C:\WINDOWS\system32\drivers\klif.sys)

PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)

PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)

PID: 3328, 0x004014CB: CreateFileA(file: C:\WINDOWS\explorer.exe, OPEN_EXISTING)

PID: 3328, -- CreateFileA result - fHandle: 0000071C

PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\Documents and Settings\SunBeam\Desktop\1.exe)

PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\WINDOWS\system32\)

PID: 3328, 0x004016BE: DeleteFileA(file: C:\WINDOWS\system32\ckvo.exe)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000080)

PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000080)

PID: 3328, 0x004017D2: DeleteFileA(file: C:\WINDOWS\system32\ckvo0.dll)

PID: 3328, 0x004017EA: CreateFileA(file: C:\WINDOWS\system32\ckvo0.dll, CREATE_ALWAYS)

PID: 3328, -- CreateFileA result - fHandle: 00000718

PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000007)

PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401DB4, flags: 00000000)

PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)

PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401D17, flags: 00000000)

PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS

PID: 3328, --- handle: 00000718

PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS

PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)

PID: 3328, --- handle 0000071C

PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)

PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)

PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)

PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)

PID: 3328, 0x00401A62: ExitProcess(exitcode: 0)

[Termination] PID 3328 has terminated!

Get these:

- Process Explorer - kill the new thread the process made in explorer.exe (you'll find it's assigned to ckvo.exe) ;-)

- kOuD3LkA Restrictions Remover v1.0 - will: enable folder options, task manager, registry tools, fix "show hidden files" and "show protected operating system files";

Then open up regedit and delete that "kamsoft" key the program put in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Once that is done, just delete ckvo.exe and ckvo0.dll from system32.

Delete autorun.inf and rs.cmd from all your partitions (mind they are hidden and have the 'system file' attribute set) ;-)

Cheers,

Sun

P.S.: Note that the .dll file will fail to be deleted since it's injected in most processes running on your OS. Either unload it from every .exe by searching for its module, or just reboot and then delete it afterward.

Edited by SunBeam
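As an added defensive example, not part of SunBeam's post and not code from the MalTrap tool: a Python script that parses the API trace format shown above (assumed to be `PID: n, address: Api(key: value, ...) -> result` for every call line, with the flag lines such as "-- Keylogging attempt detected!" in free text) and turns it into the same kind of cleanup checklist SunBeam wrote by hand. It tracks file drops and deletes in order (so klif.sys, which the sample creates and then removes, does not end up on the list), attributes RegSetValueExA calls to the last successfully opened key, records service keys under `\Services\`, and treats WriteProcessMemory/CreateRemoteThread on a handle other than `FFFFFFFF` as injection into the process last opened with OpenProcess. The embedded trace is a verbatim excerpt of the lines posted above; the attribute constants (hidden = 0x2, system = 0x4) are the standard Win32 values.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the API trace posted above, in the original order (lines copied verbatim
# from the post), embedded here so the script runs offline.
SAMPLE_TRACE = r"""
Process injected! PID: 3328
PID: 3328, 0x004A2095: GetKeyboardState()
PID: 3328, -- Keylogging attempt detected!
PID: 3328, 0x004A19F6: CreateFileA(file: C:\WINDOWS\system32\drivers\klif.sys, CREATE_ALWAYS)
PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS
PID: 3328, 0x004A1511: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A1A3D: DeleteFileA(file: C:\WINDOWS\system32\drivers\klif.sys)
PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL
PID: 3328, 0x004016BE: DeleteFileA(file: C:\WINDOWS\system32\ckvo.exe)
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x004017EA: CreateFileA(file: C:\WINDOWS\system32\ckvo0.dll, CREATE_ALWAYS)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
PID: 3328, 0x00401A62: ExitProcess(exitcode: 0)
""".strip().splitlines()

# Assumed line layout: "PID: <n>, 0x<addr>: <Api>(<args>)[ -> <result>]"; the result
# may be a word (SUCCESS/FAIL) or a handle such as "h:0025BB28", hence \S+.
CALL_RE = re.compile(
    r"^PID: (?P<pid>\d+), (?:0x[0-9A-Fa-f]{8}: )?(?P<api>\w+)\((?P<args>.*)\)(?: -> (?P<result>\S+))?$"
)

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def parse_call(line):
    """Return (api, keyword args, positional args, result) for a call line, else None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    kw, pos = {}, []
    for part in filter(None, m.group("args").split(", ")):
        key, sep, val = part.partition(": ")
        if sep:
            kw[key] = val          # "file: C:\..." style argument
        else:
            pos.append(part)       # bare flag such as CREATE_ALWAYS
    return m.group("api"), kw, pos, m.group("result")


@dataclass
class Findings:
    present_files: set = field(default_factory=set)   # written and not deleted again by the end
    hidden_files: set = field(default_factory=set)    # given hidden/system attributes
    run_values: list = field(default_factory=list)    # (key path, value name, data)
    services: dict = field(default_factory=dict)      # name -> {"image": str, "deleted": bool}
    injected_pids: set = field(default_factory=set)
    keylogging: bool = False


def analyse(lines):
    """Walk the trace in order and collect persistence, drop and injection indicators."""
    f = Findings()
    current_key = None   # last registry key opened/created successfully
    target_pid = None    # last process opened with OpenProcess
    for line in lines:
        if "Keylogging attempt" in line:
            f.keylogging = True
            continue
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, kw, pos, result = parsed
        if api == "CopyFileA":
            f.present_files.add(kw["new"])
        elif api == "CreateFileA" and "CREATE_ALWAYS" in pos:
            f.present_files.add(kw["file"])
        elif api == "DeleteFileA":
            f.present_files.discard(kw["file"])   # order matters: a later re-drop re-adds it
        elif api == "SetFileAttributesA" and int(kw["attrs"], 16) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
            f.hidden_files.add(kw["file"])
        elif api in ("RegOpenKeyExA", "RegCreateKeyA") and result == "SUCCESS":
            current_key = kw["key"] + "\\" + kw["subkey"]
            if api == "RegCreateKeyA" and "\\Services\\" in current_key:
                f.services[current_key.rsplit("\\", 1)[1]] = {"image": None, "deleted": False}
        elif api == "RegSetValueExA" and current_key:
            if current_key.lower().endswith("\\currentversion\\run"):
                f.run_values.append((current_key, kw["valueName"], kw["data"]))
            elif kw["valueName"] == "ImagePath":
                svc = f.services.get(current_key.rsplit("\\", 1)[1])
                if svc is not None:
                    svc["image"] = kw["data"]
        elif api == "RegDeleteKeyA" and result == "SUCCESS":
            name = kw["subkey"].rsplit("\\", 1)[-1]
            if name in f.services:
                f.services[name]["deleted"] = True
        elif api == "OpenProcess":
            target_pid = int(kw["procID"])
        elif api in ("WriteProcessMemory", "CreateRemoteThread") and kw["tHandle"] != "FFFFFFFF":
            if target_pid is not None:
                f.injected_pids.add(target_pid)   # FFFFFFFF would be the current process
    return f


def cleanup_plan(f):
    """Render the findings as an ordered removal checklist (threads first, files last)."""
    steps = [f"kill the injected thread in PID {pid} (Process Explorer) before touching files"
             for pid in sorted(f.injected_pids)]
    steps += [f"delete value '{name}' -> {data} under {key}" for key, name, data in f.run_values]
    steps += [f"remove service {name} (ImagePath {svc['image']})"
              for name, svc in f.services.items() if not svc["deleted"]]
    for path in sorted(f.present_files):
        note = " (hidden/system attributes set)" if path in f.hidden_files else ""
        steps.append(f"delete {path}{note}")
    return steps


if __name__ == "__main__":
    for step in cleanup_plan(analyse(SAMPLE_TRACE)):
        print("-", step)
```

Running it on the excerpt lists the thread in PID 1792, the kamsoft Run value, and the two ckvo files, and omits the KAVsys service because the trace shows the sample deleting that key itself.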
  • 5 months later...
Posted

hi SunBeam,

I am wondering what tool you used to do the analysis, so that it automatically created a list of all the APIs called (with results, too) by the malware above?

Thanks,

N

Posted

Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Posted

Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Could you please tell me where to get MAtrap and APISpy?

I googled, but it either returned useless information (MAtrap) or too much unrelated information (APISpy).

Thanks,

N

Posted

Sorry, that should have been MalTrap... both are available on this forum via the search button (in the tools forum).

  • 2 months later...
Fullmetal2
Posted

Looks like MAtrap?

Either that or try APISpy or WinAPIOverride

Hey, sorry, I can't find MAtrap in this forum... can you link me, please?

  • 2 months later...
Posted

Yeah, MalTrap doesn't seem bad... saw the educational video on its injecting... anyone know how it works?

Is it using the SetWindowsHookEx API??
