Posted June 14, 2009
Hey, found this on my USB, so I am guessing it's not a very dangerous virus. I haven't sent it to any online AV checkers simply because I can't be bothered. If anyone wants to practise, I have zipped the unedited binaries.
password: infected
usb_malware_sample.rar
Edited June 14, 2009 by GEEK
September 6, 2009
Another one, but basically a script; the autorun.inf is interesting.
pass : donttouch
September 21, 2009
@hackerbit: Here you go:
Process injected! PID: 3328
PID: 3328, All hooks are now in place!
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x004A2095: GetKeyboardState()
PID: 3328, -- Keylogging attempt detected!
PID: 3328, 0x004A20E6: OpenSCManagerA(machName: (null), dbName: (null), access: 000F003F) -> h:0025BB28
PID: 3328, 0x004A1E57: CreateFileA(file: C:\WINDOWS\system32\drivers\ntfs.sys, OPEN_EXISTING)
PID: 3328, -- CreateFileA result - fHandle: 00000730
PID: 3328, 0x4F444E49: ReadFile(file: C:\WINDOWS\system32\drivers\ntfs.sys, tHandle: 00000730, numBytes: 0x0008C600)
PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL
PID: 3328, 0x77E84B92: CreateFileW(file: \\.\PIPE\lsarpc, OPEN_EXISTING)
PID: 3328, -- CreateFileW result - fHandle: 0000071C
PID: 3328, 0x004A12E0: AdjustTokenPrivileges()
PID: 3328, 0x004A19F6: CreateFileA(file: C:\WINDOWS\system32\drivers\klif.sys, CREATE_ALWAYS)
PID: 3328, -- CreateFileA result - fHandle: 0000071C
PID: 3328, 0x004A1A13: WriteFile(tHandle: 0000071C)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ntdll.dll, flags: 00000000)
PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A13E9: RegSetValueExA(keyHandle: 0000071C, valueName: Type, data: ) -> SUCCESS
PID: 3328, 0x004A13FD: RegSetValueExA(keyHandle: 0000071C, valueName: ErrorControl, data: ) -> SUCCESS
PID: 3328, 0x004A1411: RegSetValueExA(keyHandle: 0000071C, valueName: Start, data: ) -> SUCCESS
PID: 3328, 0x004A1456: RegSetValueExA(keyHandle: 0000071C, valueName: ImagePath, data: \??\C:\WINDOWS\system32\drivers\klif.sys) -> SUCCESS
PID: 3328, 0x004A14C7: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Enum) -> SUCCESS
PID: 3328, 0x004A14EC: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys\Security) -> FAIL
PID: 3328, 0x004A1511: RegDeleteKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004A1A3D: DeleteFileA(file: C:\WINDOWS\system32\drivers\klif.sys)
PID: 3328, 0x004A1BAC: RegOpenKeyExA(key: HKEY_LOCAL_MACHINE, subkey: SOFTWARE\KasperskyLab\protected\AVP7\profiles\Updater) -> FAIL
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: KERNEL32.DLL, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: USER32.dll, flags: 00000000)
PID: 3328, 0x7C801DA8: LoadLibraryA/ExA(file: ADVAPI32.dll, flags: 00000000)
PID: 3328, 0x004014CB: CreateFileA(file: C:\WINDOWS\explorer.exe, OPEN_EXISTING)
PID: 3328, -- CreateFileA result - fHandle: 0000071C
PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\Documents and Settings\SunBeam\Desktop\1.exe)
PID: 3328, 0x7C81F2C6: GetFileAttributesW(C:\WINDOWS\system32\)
PID: 3328, 0x004016BE: DeleteFileA(file: C:\WINDOWS\system32\ckvo.exe)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000080)
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000080)
PID: 3328, 0x004017D2: DeleteFileA(file: C:\WINDOWS\system32\ckvo0.dll)
PID: 3328, 0x004017EA: CreateFileA(file: C:\WINDOWS\system32\ckvo0.dll, CREATE_ALWAYS)
PID: 3328, -- CreateFileA result - fHandle: 00000718
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo0.dll, attrs: 00000007)
PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401DB4, flags: 00000000)
PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)
PID: 3328, 0x7C8106F5: CreateRemoteThread(tHandle: FFFFFFFF, nHandle: 00000718, startAddr: 00401D17, flags: 00000000)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, --- handle: 00000718
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, --- handle 0000071C
PID: 3328, 0x00401984: VirtualAllocEx(tHandle: 0000071C, startAddr: 0, size: 00001000)
PID: 3328, 0x0040199D: WriteProcessMemory(tHandle: 0000071C, bytes: 0x00000457, buffer(dll?): è)
PID: 3328, 0x00401EB9: PostMessageA(tHandle: 00000000, Msg: WM_CLOSE)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
PID: 3328, 0x00401A62: ExitProcess(exitcode: 0)
[Termination] PID 3328 has terminated!
Get these:
- Process Explorer - kill the new thread the process made in explorer.exe (you'll find it's assigned to ckvo.exe) ;-)
- kOuD3LkA Restrictions Remover v1.0 - will: enable folder options, task manager, registry tools, fix "show hidden files" and "show protected operating system files";
Then open up regedit and delete that "kamsoft" key the program put in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Once that is done, just delete ckvo.exe and ckvo0.dll from system32. Delete autorun.inf and rs.cmd from all your partitions (mind they are hidden, and set to the 'system files' attribute) ;-)
Cheers,
Sun
P.S.: Note that the .dll file will fail to be deleted since it's injected in most processes running on your OS. Either unload it from every .exe by searching for its module, or just reboot and then delete it afterward.
Edited September 21, 2009 by SunBeam
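A responder reads a trace like the one above for exactly the things SunBeam's removal steps target: the Run-key entry, the dropped service key, the self-copy into system32, the hidden/system attributes and the remote thread into another process. As an added example (not SunBeam's code, nor anything MalTrap ships), this Python script parses a constructed subset of that trace format and pulls those findings out; the "one open registry key at a time" bookkeeping is an assumption that holds for this trace but not for every tool's output.

```python
import re

# Constructed sample: a subset of the MalTrap-style trace quoted in SunBeam's post.
TRACE = r"""
PID: 3328, 0x004A2095: GetKeyboardState()
PID: 3328, -- Keylogging attempt detected!
PID: 3328, 0x004A13BB: RegCreateKeyA(key: HKEY_LOCAL_MACHINE, subkey: System\CurrentControlSet\Services\KAVsys) -> SUCCESS
PID: 3328, 0x004016E0: CopyFileA(existing: C:\DOCUME~1\SunBeam\Desktop\1.exe, new: C:\WINDOWS\system32\ckvo.exe, overwrite: 00000000)
PID: 3328, 0x00401A7A: SetFileAttributesA(file: C:\WINDOWS\system32\ckvo.exe, attrs: 00000007)
PID: 3328, 0x00401AA0: RegOpenKeyExA(key: HKEY_CURRENT_USER, subkey: SoftWare\Microsoft\Windows\CurrentVersion\Run) -> SUCCESS
PID: 3328, --- handle: 00000718
PID: 3328, 0x00401ABB: RegSetValueExA(keyHandle: 00000718, valueName: kamsoft, data: C:\WINDOWS\system32\ckvo.exe) -> SUCCESS
PID: 3328, 0x0040196D: OpenProcess(procID: 1792, access: 001F0FFF)
PID: 3328, 0x00401A27: CreateRemoteThread(tHandle: 0000071C, nHandle: 00000718, startAddr: 049B0000, flags: 00000000)
"""

# One hooked call: "PID: <pid>, 0x<caller>: <Api>(<args>)[ -> <result>]".
CALL_RE = re.compile(r"^PID: (\d+), 0x[0-9A-F]{8}: (\w+)\((.*)\)(?: -> (.+))?$")

def parse_args(raw):
    """'key: A, subkey: B' -> {'key': 'A', 'subkey': 'B'} (values in this format hold no ', ')."""
    return dict(a.split(": ", 1) for a in raw.split(", ") if ": " in a)

def triage(trace):
    """Return (category, detail) findings a responder would pull from the trace."""
    findings, last_key = [], None   # assumption: only one registry key open at a time
    for line in trace.strip().splitlines():
        if "Keylogging attempt detected" in line:     # the tracer's own heuristic marker
            findings.append(("keylogging", line.split(", ", 1)[1]))
            continue
        m = CALL_RE.match(line)
        if not m:
            continue                                   # "--- handle" lines, terminations, etc.
        api, args, result = m.group(2), parse_args(m.group(3)), m.group(4)
        if api in ("RegOpenKeyExA", "RegCreateKeyA") and result == "SUCCESS":
            last_key = args["key"] + "\\" + args["subkey"]
            if "\\Services\\" in args["subkey"]:       # new service / driver entry
                findings.append(("service_install", last_key))
        elif api == "RegSetValueExA" and last_key and "currentversion\\run" in last_key.lower():
            findings.append(("run_key_persistence", f"{args['valueName']} = {args['data']}"))
        elif api == "CopyFileA" and "\\system32\\" in args["new"].lower():
            findings.append(("self_copy", args["new"]))
        elif api == "SetFileAttributesA" and (int(args["attrs"], 16) & 0x6) == 0x6:  # HIDDEN|SYSTEM
            findings.append(("hidden_system_file", args["file"]))
        elif api == "OpenProcess":
            findings.append(("opens_foreign_process", "pid " + args["procID"]))
        elif api == "CreateRemoteThread" and args["tHandle"] != "FFFFFFFF":  # not the process itself
            findings.append(("remote_thread_injection", "handle " + args["tHandle"]))
    return findings
```

Running `triage(TRACE)` on the sample yields seven findings, in trace order; the same run-key, service and injection rules apply unchanged to the full trace in the post.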
March 15, 2010
Hi SunBeam,
I am wondering what tool you used to do the analysis, so that it automatically created a list of all the APIs called (with results, too) by the malware above?
Thanks,
N
March 16, 2010
> Looks like MAtrap? Either that or try APISpy or WinAPIOverride
Could you please tell me where to get MAtrap and APISpy? I googled, but it either returned useless results (MAtrap) or too much unrelated information (APISpy).
Thanks,
N
March 16, 2010
Sorry, that should have been MalTrap... both are available on this forum via the search button (in the tools forum).
June 8, 2010
> Looks like MAtrap? Either that or try APISpy or WinAPIOverride
Hey, sorry, I can't find MalTrap in this forum... can you link me please?
August 16, 2010
Yeah, MalTrap doesn't seem bad... saw the educational video on its injecting... anyone know how it works? Is it using the SetWindowsHookEx API??