cyb3rl0rd1867 Posted April 29, 2010 (edited)

Here are some interesting samples I came across while disinfecting someone's machine. Let me know if you come across something interesting!

Kaspersky Names: Trojan.win32.scar.bzuz
Password: tuts4you
syre32.rar

Edited April 29, 2010 by cyb3rl0rd1867
JMC31337 Posted May 14, 2010 (edited)

Any info on what the machine symptoms were after infection, or is it a file you just picked up? Did ya try to run it under OllyDbg with Linux or Immunity Debugger?? I'll look at it 4 ya.

Edited May 14, 2010 by JMC31337
JMC31337 Posted May 14, 2010 (edited)

FILE: NDLL.EXE

6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00 6F 00 61 00 64 00 2E 00 65 00 78 00 65 . . . . . . O r i g i n a l F i l e n a m e L o a d . e x e

Botnets use Load.exe exploits with kits to load up php (MZ) injection
=================================================
4D 53 56 42 56 4D 36 30 2E 44 4C 4C 00 00 00 00 4D 65 74 68 43 61 6C 6C 45 6E 67 69 6E . . . . . . MSVBVM60.DLL __vbaExceptHandle

BotNets use VB

Starting at address 250 we see a long buffer of (00's); that's prob. why our OllyDbg crashes for ver < 2.0. I'm not sure about the Olly 1b version.
OllyDbg 2.0 crashes under Linux environment upon loading of exe (code has IsDebuggerPresent/Anti Debug).
It's encrypted/obfuscated code, but we knew that from our virus scanners right away.
Prob base64 but don't hold me to that either.
(GOOGLE SEARCH SHOWS Rootkit injects userland bot code on load. Userland code is simply XORed....)
Address D240: Product Name : Projekt1 ?? interesting name (GERMAN)
Head over to Sunbelt Software since I don't feel like running this trojan on my cpu; it's been added to the sandbox database, how nice for us... some reg entries, keyboard layouts etc... so it sounds shady to me...

Edited May 14, 2010 by JMC31337
cyb3rl0rd1867 (Author) Posted May 14, 2010

> Any info on what the machine symptoms were after infection, or is it a file you just picked up? Did ya try to run it under OllyDbg with Linux or Immunity Debugger?? I'll look at it 4 ya.

umdmgr added itself to the startup registry but crashed when Windows started. The other .exe in there just kept making copies of itself in memory, slowing the system down to a crawl. I thought they were malfunctioning but I'm not really sure. I took a look at it in a VB decompiler but it was incomprehensible, so it kind of slipped to the wayside, but thanks for taking a look at it. If you find out any more info please post!
JMC31337 Posted May 15, 2010 (edited)

Analyzed under wine: here's the output.

FILE: ndll.exe
fixme:shdocvw:navigate_url Unsupported arguments
fixme:mshtml:HlinkTarget_SetBrowseContext (0x136f18)->((nil))
fixme:shdocvw:ClOleCommandTarget_QueryStatus (0x1221dc)->((null) 1 0x34ddd4 (nil))
fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 25 2 0x34dde8 (nil))
fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 26 2 0x34dde8 (nil))
fixme:mshtml:on_change_dlcontrol unsupported dlcontrol 0034dda0
fixme:mshtml:OleControl_OnAmbientPropertyChange not supported AMBIENT_USERAGENT
fixme:mshtml:OleControl_OnAmbientPropertyChange not supported AMBIENT_PALETTE
fixme:shdocvw:ClientSite_GetContainer (0x1221dc)->(0x34de24)
fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->({000214d1-0000-0000-c000-000000000046} 37 0 0x34df18 (nil))
fixme:win:WIN_CreateWindowEx Parent is HWND_MESSAGE
fixme:mshtml:BSCServiceProvider_QueryService (0x13a398)->({79eac9e4-baf9-11ce-8c82-00aa004ba90b} {79eac9e4-baf9-11ce-8c82-00aa004ba90b} 0x13b540)
fixme:mshtml:InternetBindInfo_GetBindString (0x13a398)->(10 0x34ca34 1 0x34ca48)
fixme:urlmon:ObtainUserAgentString (0, 0x34ca53, 0x34ca4c): stub
fixme:urlmon:ObtainUserAgentString (0, 0x13da18, 0x34ca4c): stub
fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 29 2 0x34dc08 (nil))
fixme:shdocvw:DocHostUIHandler_GetDropTarget (0x1221dc)
err:ole:CoGetClassObject apartment not initialised
fixme:win:WIN_CreateWindowEx Parent is HWND_MESSAGE
fixme:urlmon:ObtainUserAgentString (0, 0x7915e50b, 0x7915e504): stub
fixme:urlmon:ObtainUserAgentString (0, 0x13ee40, 0x7915e504): stub

After running I also get a message saying that it wants GECKO to download.
=====================================================
File: umdmgr.exe
wine: Unhandled page fault on write access to 0x00000000 at address 0x7efc7a36 (thread 0009), starting debugger...
fixme:shdocvw:OleControl_FreezeEvents (0x123530)->(1)
fixme:shdocvw:PersistStreamInit_Load (0x123530)->(0xa5e804)
fixme:shdocvw:ViewObject_SetAdvise (0x123530)->(1 00000000 0xa5f734)
fixme:shdocvw:WebBrowser_QueryInterface (0x123530)->({3af24292-0c96-11ce-a0cf-00aa00600ab8} 0x34f93c) interface not supported
fixme:shdocvw:WebBrowser_QueryInterface (0x123530)->({55980ba0-35aa-11cf-b671-00aa004cd6d8} 0x34f984) interface not supported
fixme:shdocvw:OleControl_FreezeEvents (0x123530)->(0)
fixme:shdocvw:WebBrowser_Stop (0x123530)
----------------
err:ole:CoGetClassObject class {0d43fe01-f093-11cf-8940-00a0c9054228} not registered
err:ole:create_server class {0d43fe01-f093-11cf-8940-00a0c9054228} not registered
err:ole:CoGetClassObject no class object {0d43fe01-f093-11cf-8940-00a0c9054228} could be created for context 0x5

After exiting under wine even my Linux kept trying to run the prog from konsole.
syre32.exe did the same exact thing: tried to copy/access something on d:\ and tried to run prog on my wine Linux konsole. Even after breaking outta the program it still was trying to GetClassObjects.

Also noticed a TEA encryption description... wiki says:

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code. TEA operates on 64-bit blocks and uses a 128-bit key. It has a Feistel structure with a suggested 64 rounds, typically implemented in pairs termed cycles. It has an extremely simple key schedule, mixing all of the key material in exactly the same way for each cycle. Different multiples of a magic constant are used to prevent simple attacks based on the symmetry of the rounds. The magic constant, 2654435769 or 9E3779B9 (hex), is chosen to be 2^32/ϕ, where ϕ is the golden ratio. TEA has a few weaknesses. Most notably, it suffers from equivalent keys—each key is equivalent to three others, which means that the effective key size is only 126 bits.

I may run this under Immunity Debugger and get back to ya.

Edited May 15, 2010 by JMC31337
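The TEA description quoted in the post above is easy to check by hand. What follows is an added reference implementation in Python, not code from the thread or from the sample being discussed: it implements the cipher exactly as described (64-bit block, 128-bit key, 32 cycles of two Feistel rounds, the 2^32/ϕ delta) and then shows the equivalent-key weakness the quote mentions by flipping the top bit of k0 and k1 together and getting the same ciphertext. The little-endian byte order in the block helpers is an assumption for the demo; a real sample may pack words either way.

```python
import struct

# Added example (not from the thread): reference TEA in pure Python, used to
# illustrate the delta constant and the equivalent-key property quoted above.

DELTA = 0x9E3779B9       # floor(2^32 / golden ratio), the "magic constant"
MASK = 0xFFFFFFFF        # keep every result in a 32-bit word, like the C original
TOP_BIT = 0x80000000


def tea_encrypt_block(v0, v1, key, cycles=32):
    """Encrypt one 64-bit block (two 32-bit words) with a 128-bit key
    (four 32-bit words). 32 cycles = the 64 Feistel rounds of the description."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(cycles):
        s = (s + DELTA) & MASK   # a different multiple of delta in every cycle
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key, cycles=32):
    """Inverse of tea_encrypt_block: same round function, reversed order."""
    k0, k1, k2, k3 = key
    s = (DELTA * cycles) & MASK  # the sum the encryptor ended on
    for _ in range(cycles):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _key_words(key_bytes):
    if len(key_bytes) != 16:
        raise ValueError("TEA key must be exactly 16 bytes")
    return struct.unpack("<4I", key_bytes)   # assumed little-endian word order


def tea_encrypt(data, key_bytes):
    """ECB over whole 8-byte blocks; padding is the caller's problem."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    key = _key_words(key_bytes)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, key))
    return bytes(out)


def tea_decrypt(data, key_bytes):
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    key = _key_words(key_bytes)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, i)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, key))
    return bytes(out)


def equivalent_keys(key):
    """The three other keys TEA treats as identical to `key`.
    Flipping bit 31 of k0 and k1 together (or k2 and k3 together) adds
    0x80000000 to both addends of one XOR, so the flips cancel and every
    round computes the same value. That is why only 126 key bits matter."""
    k0, k1, k2, k3 = key
    return [
        (k0 ^ TOP_BIT, k1 ^ TOP_BIT, k2, k3),
        (k0, k1, k2 ^ TOP_BIT, k3 ^ TOP_BIT),
        (k0 ^ TOP_BIT, k1 ^ TOP_BIT, k2 ^ TOP_BIT, k3 ^ TOP_BIT),
    ]


def demo():
    """Constructed key/plaintext; returns the ciphertext and whether all
    three equivalent keys reproduce it."""
    key = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
    pt = (0xDEADBEEF, 0x0BADF00D)
    ct = tea_encrypt_block(*pt, key)
    assert tea_decrypt_block(*ct, key) == pt
    all_same = all(tea_encrypt_block(*pt, k) == ct for k in equivalent_keys(key))
    return ct, all_same


if __name__ == "__main__":
    ct, same = demo()
    print("ciphertext: %08x %08x, equivalent keys agree: %s" % (ct[0], ct[1], same))
```

Note that the equivalent-key property is about the cipher, not about any particular sample: if a binary's unpacker turns out to use TEA, brute-forcing its key space costs 2^126, not 2^128, which is of no practical help either way. What the property does tell an analyst is that two recovered keys differing only in those top bits are the same key.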
JMC31337 Posted May 15, 2010 (edited)

File: Umdmgr.exe

It didn't really have anti debugging, SO I WAS WRONG ABOUT THAT... Most of the dll entry point calls are encrypted.

We start with USER32.DLL

Text strings referenced in USER32:.text, item 239
Text string=UNICODE "hh.exe" <---- better look for that
UNICODE "indicdll.dll" <-- not in my sys32
UNICODE "kbdjpn.dll" <-- japan keyboard layout --- I didn't have this in sys32
UNICODE "kbdkor.dll" <-- korean layout ---- nor this
UNICODE "kbdus.dll" <-- u.s. layout

USER32.DLL ENTRY POINT CALLS:
ASCII "RAZKCHKIOXXIINZQE" 17 chars
ASCII "LoadIconA" PLAINTEXT
ASCII "FindWindowA" PLAINTEXT
ASCII "GXERREIPDNCOX" 13 chars
ASCII "SSACDZMTPIYAKY" 14 chars
ASCII "WGJNIYCCCEQT" 12 chars
ASCII "PGHRGIPUFLFYMXWKBKD" 21 chars
ASCII "SetWindowTextA" PLAINTEXT
ASCII "SetWindowLongA" PLAINTEXT
ASCII "RegisterWindowMessageA" PLAINTEXT
ASCII "LoadCursorA" PLAINTEXT
ASCII "OJQVNNGGUYE" 12 chars
ASCII "BECIRYCDHTRFGWAJNI" 18 chars
ASCII "IJUIKRWHOHAOZYND" 16 chars
ASCII "AISTYDAPXGQAXSHMMLO" 19 chars
ASCII "XEVEXZMGFBLJVFSV" 16 chars
ASCII "UKTMOBVURAZKVHK" 15 chars
ASCII "UWJXCZIHSD" 10 chars
ASCII "PGHRGIPNELYYMQWKUK" 18 chars
ASCII "OGDGWCCKMNJVDZ" 14 chars
ASCII "RegisterWindowMessageA" PLAINTEXT
ASCII "LoadCursorFromFileA" PLAINTEXT
ASCII "OJQVNNGGUYE" 11 chars
ASCII "BECIRYCDHTRFGWAJNI" 18 chars
ASCII "AQSCQSZYPWIJW" 13 chars
ASCII "IJUIKRWHOHAOZYND" 16 chars
ASCII "AISTYDAPXGQAXSHMMLO" 19 chars
ASCII "XEVEXZMGFBLJVFSV" 16 chars
ASCII "PGHRGIPNELYYMQWKUK" 18 chars
ASCII "NRSXJGVWMPZD" 12 chars
ASCII "LLKNFJMVIIQLMIU" 15 chars
ASCII "ISBYTJOONPIEIXEDLNP" 19 chars
ASCII "RYEVVOIVGNUKTMOBVU" 18 chars
ASCII "WEUXHLGVTTTV" 12 chars
ASCII "MJSQCUZCAGOPZAF" 15 chars
ASCII "MTYIPJCQBAOFO" 13 chars
ASCII "WHTWUACJUVZECQ" 14 chars
ASCII "MSABMMRDTIQGJTX" 15 chars
ASCII "GetClassNameA" PLAINTEXT
ASCII "VOQDXWSCAMWJMK" 14 chars
ASCII "GetWindowTextA" PLAINTEXT
ASCII "SystemParametersInfoA" PLAINTEXT
ASCII "IEQFUMKEPKFM" 12 chars
ASCII "BZZYBTXAIWVDYA" 14 chars
ASCII "XLNUAKRKERCCQHP" 15 chars
ASCII "YXZLOSHONVXYUHOLDUV" 19 chars
ASCII "WGEQHNQOUC" 10 chars
ASCII "JSSDDIULZHX" 11 chars
ASCII "OJZwwwYRNRGTMU" 14 chars
ASCII "KAFFEHZWZOVUCEGC" 16 chars
ASCII "RHRUYSINNMPAEHXD" 16 chars
ASCII "KFSZWOFGQEHOT" 13 chars
ASCII "LoadStringA" PLAINTEXT
ASCII "RQTEILAHGPQSOAIE" 16 chars
ASCII "MZMROYPBSYB" 11 chars
ASCII "BEOSNDAAACVRVK" 14 chars
ASCII "KNCQJRSUQCRGYWQ" 15 chars
ASCII "MUIHPKMHUIYXO" 13 chars
ASCII "YLPWKUJVEREKHQITLQT" 19 chars

Now that's just for the USER32.DLL... your job is to go through user32 with DLL Export Viewer and find which ones match those encrypted strings. j/k, I'll see if I can't find the easy ones first, like the 19 chars long calls.

Also some other VB dll's are being loaded such as:
VBA6.DLL
STKIT432.DLL
neither of which I have in my sys32.

The file vba6.dll is a part of the Visual Basic for Applications Development Environment under Microsoft Corporation.
STKIT432.DLL could be a part of Visual Basic Setup Toolkit Library DLL. Check out if STKIT432.DLL is a virus or a legitimate application. This DLL was originally part of the Visual Basic 4.0 SETUP project that was distributed with VB4.

Reg entries are encrypted. I may run VMWare.... I'll keep posting as I get more.

Edited May 15, 2010 by JMC31337
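The string work in the two posts above (the UTF-16 "OriginalFilename Load.exe" hex in the first analysis, and the list of plaintext API names sitting next to opaque all-caps tokens in this one) is the kind of triage that is worth scripting so it is repeatable across samples. The following is an added example, not code from the thread: it extracts ASCII and UTF-16LE strings from a byte blob, separates known user32 export names from long all-caps tokens that match no export, and applies the length heuristic JMC31337 proposes (an encoded name that keeps its length can only correspond to exports of that length). The export list is a constructed, deliberately partial subset of real user32.dll exports, and the sample blob is constructed to echo the artefacts quoted in the thread; neither is taken from the actual sample.

```python
import re

# Added example (not from the thread): string triage over a binary blob.
# Constructed partial list of real user32.dll export names; a real run would
# load the full export table (e.g. from a DLL export viewer dump).
KNOWN_USER32_EXPORTS = {
    "LoadIconA", "FindWindowA", "SetWindowTextA", "SetWindowLongA",
    "RegisterWindowMessageA", "LoadCursorA", "LoadCursorFromFileA",
    "GetClassNameA", "GetWindowTextA", "SystemParametersInfoA", "LoadStringA",
    "SetWindowsHookExA", "GetForegroundWindow", "MessageBoxA", "GetKeyState",
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{5,}")            # 5+ printable bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")    # 5+ printable UTF-16LE units
OPAQUE_RE = re.compile(r"[A-Z]{10,}")                 # long all-caps token, no API match


def extract_strings(blob):
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found)


def classify(text, exports=KNOWN_USER32_EXPORTS):
    """Plaintext API name, opaque token in the import-name position, or other."""
    if text in exports:
        return "plaintext-api"
    if OPAQUE_RE.fullmatch(text):
        return "opaque-token"
    return "other"


def candidates_by_length(token, exports=KNOWN_USER32_EXPORTS):
    """Length heuristic from the thread: if the encoding preserves length, the
    token can only stand for exports of equal length. Narrows, never proves."""
    return sorted(name for name in exports if len(name) == len(token))


def triage(blob):
    """Bucket every extracted string by classify(); order within a bucket is file order."""
    report = {"plaintext-api": [], "opaque-token": [], "other": []}
    for _, _, text in extract_strings(blob):
        report[classify(text)].append(text)
    return report


# Constructed sample blob: UTF-16 version-info strings followed by an ASCII
# region mixing a VB runtime name, plaintext imports and opaque tokens.
SAMPLE = (
    b"\x00\x00\x00\x00"
    + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    + "Load.exe".encode("utf-16-le") + b"\x00\x00"
    + b"MSVBVM60.DLL\x00\x00\x00\x00__vbaExceptHandler\x00"
    + b"RAZKCHKIOXXIINZQE\x00LoadIconA\x00FindWindowA\x00GXERREIPDNCOX\x00"
)

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(bucket, names)
    for token in triage(SAMPLE)["opaque-token"]:
        print(token, "->", candidates_by_length(token))
```

The opaque-token bucket is the interesting one for a defender: a legitimate VB6 binary imports by plaintext name, so a block of uppercase tokens with API-name lengths sitting in the import area is a feature worth recording in a detection signature even before the encoding is understood. The length heuristic should be treated as a filter, not an answer; with a full export table most lengths map to several dozen names.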