Interesting Stuff

[cyb3rl0rd1867]

Here are some interesting samples I came across while disinfecting someone's machine. Let me know if you come across something interesting!

Kaspersky Names: Trojan.win32.scar.bzuz

Password:tuts4you

syre32.rar

Edited April 29, 2010 by cyb3rl0rd1867

[JMC31337]

any info on what the machine symptoms were after infection or is it a file you just picked up? Did ya try to run it under ollydbg with Linux or Immunity debugger??

I'll look at it 4 ya

Edited May 14, 2010 by JMC31337

[JMC31337]

FILE:

NDLL.EXE

6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 4C 00

6F 00 61 00 64 00 2E 00 65 00 78 00 65 . . . . . .

O r i g i n a l F i l e n a m e L o a d . e x e

Botnets use Load.exe exploits with kits to load up php(MZ) injection

=================================================

4D 53 56 42 56 4D 36 30 2E 44 4C 4C 00 00 00 00

4D 65 74 68 43 61 6C 6C 45 6E 67 69 6E . . . . . .

MSVBVM60.DLL __vbaExceptHandle

BotNets use VB

Starting at address 250 we see a long buffer of (00's) that's prob. why our ollydbg crashes for ver < 2.0

I'm not sure about olly 1b version

Ollydbg 2.0 crashes under linux environment upon loadng of exe (code has IsDebuggerPresent/Anti Debug)

Its encrypted/obfuscated code, but we knew that from our virus scanners right away

Prob base64 but dont hold me to that either

(GOOGLE SEARCH SHOWS Rootkit injects userland bot code on load. Userland code is simply XORed....)

Addres D240: Product Name : Projekt1 ?? interesting name (GERMAN)

Head over to sunbelt software since i dont feel like running this trojan on my cpu, its been added to the sandbox database, how nice for us...

some reg entries keyboard layouts etc...

so it sounds shady to me...

Edited May 14, 2010 by JMC31337

[cyb3rl0rd1867]

any info on what the machine symptoms were after infection or is it a file you just picked up? Did ya try to run it under ollydbg with Linux or Immunity debugger??

I'll look at it 4 ya

umdmgr added itself to the startup registry but crashed when windows started. The other .exe in there just kept making copies of itself in memory, slowing the system down to a crawl. I thought they were malfunctioning but I'm not really sure. I took a look at in a vb decompiler but it was incomprehensible so it kind of slipped to they wayside, but thanks for taking a look at it. If you find out any more info please post!

[JMC31337]

analyzed under wine: heres the output

FILE:

ndll.exe

fixme:shdocvw:navigate_url Unsupported arguments

fixme:mshtml:HlinkTarget_SetBrowseContext (0x136f18)->((nil))

fixme:shdocvw:ClOleCommandTarget_QueryStatus (0x1221dc)->((null) 1 0x34ddd4 (nil))

fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 25 2 0x34dde8 (nil))

fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 26 2 0x34dde8 (nil))

fixme:mshtml:on_change_dlcontrol unsupported dlcontrol 0034dda0

fixme:mshtml:OleControl_OnAmbientPropertyChange not supported AMBIENT_USERAGENT

fixme:mshtml:OleControl_OnAmbientPropertyChange not supported AMBIENT_PALETTE

fixme:shdocvw:ClientSite_GetContainer (0x1221dc)->(0x34de24)

fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->({000214d1-0000-0000-c000-000000000046} 37 0 0x34df18 (nil))

fixme:win:WIN_CreateWindowEx Parent is HWND_MESSAGE

fixme:mshtml:BSCServiceProvider_QueryService (0x13a398)->({79eac9e4-baf9-11ce-8c82-00aa004ba90b} {79eac9e4-baf9-11ce-8c82-00aa004ba90b} 0x13b540)

fixme:mshtml:InternetBindInfo_GetBindString (0x13a398)->(10 0x34ca34 1 0x34ca48)

fixme:urlmon:ObtainUserAgentString (0, 0x34ca53, 0x34ca4c): stub

fixme:urlmon:ObtainUserAgentString (0, 0x13da18, 0x34ca4c): stub

fixme:shdocvw:ClOleCommandTarget_Exec (0x1221dc)->((null) 29 2 0x34dc08 (nil))

fixme:shdocvw:DocHostUIHandler_GetDropTarget (0x1221dc)

err:ole:CoGetClassObject apartment not initialised

fixme:win:WIN_CreateWindowEx Parent is HWND_MESSAGE

fixme:urlmon:ObtainUserAgentString (0, 0x7915e50b, 0x7915e504): stub

fixme:urlmon:ObtainUserAgentString (0, 0x13ee40, 0x7915e504): stub

after running i also get a message saying that it wants GECKO to download

=====================================================

File:

umdmgr.exe

wine: Unhandled page fault on write access to 0x00000000 at address 0x7efc7a36 (thread 0009), starting debugger...

fixme:shdocvw:OleControl_FreezeEvents (0x123530)->(1)

fixme:shdocvw:PersistStreamInit_Load (0x123530)->(0xa5e804)

fixme:shdocvw:ViewObject_SetAdvise (0x123530)->(1 00000000 0xa5f734)

fixme:shdocvw:WebBrowser_QueryInterface (0x123530)->({3af24292-0c96-11ce-a0cf-00aa00600ab8} 0x34f93c) interface not supported

fixme:shdocvw:WebBrowser_QueryInterface (0x123530)->({55980ba0-35aa-11cf-b671-00aa004cd6d8} 0x34f984) interface not supported

fixme:shdocvw:OleControl_FreezeEvents (0x123530)->(0)

fixme:shdocvw:WebBrowser_Stop (0x123530)

----------------

err:ole:CoGetClassObject class {0d43fe01-f093-11cf-8940-00a0c9054228} not registered

err:ole:create_server class {0d43fe01-f093-11cf-8940-00a0c9054228} not registered

err:ole:CoGetClassObject no class object {0d43fe01-f093-11cf-8940-00a0c9054228} could be created for context 0x5

after exiting under wine even my linux kept trying to run the prog from konsole

syre32.exe did the same exact thing tried to copy/access something on d:\ and tried to run prog on my wine linux konsole. Even after breaking outta the program it still was trying to GetClassObjects

also noticed a TEA encryption description... wiki says

In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher notable for its simplicity of description and implementation, typically a few lines of code

TEA operates on 64-bit blocks and uses a 128-bit key. It has a Feistel structure with a suggested 64 rounds, typically implemented in pairs termed cycles. It has an extremely simple key schedule, mixing all of the key material in exactly the same way for each cycle. Different multiples of a magic constant are used to prevent simple attacks based on the symmetry of the rounds. The magic constant, 2654435769 or 9E3779B916 is chosen to be 232/ϕ, where ϕ is the golden ratio. TEA has a few weaknesses. Most notably, it suffers from equivalent keys—each key is equivalent to three others, which means that the effective key size is only 126 bits

I may run this under immunity debugger and get back to ya

Edited May 15, 2010 by JMC31337

[JMC31337]

File:

Umdmgr.exe

It didnt really have anti debugging, SO I WAS WRONG ABOUT THAT...

Most of the dll entry point calls are encrypted

We start with USER32.DLL

Text strings referenced in USER32:.text, item 239

Text string=UNICODE "hh.exe" <----better look for that

UNICODE "indicdll.dll" <-- not in my sys32

UNICODE "kbdjpn.dll" <-- japan keyboard layout ---i didnt have this in sys32

UNICODE "kbdkor.dll" <-- korean layout ---- nor this

UNICODE "kbdus.dll" <-- u.s. layout

USER32.DLL ENTRY POINT CALLS:

ASCII "RAZKCHKIOXXIINZQE" 17 chars

ASCII "LoadIconA" PLAINTEXT

ASCII "FindWindowA" PLAINTEXT

ASCII "GXERREIPDNCOX" 13 chars

ASCII "SSACDZMTPIYAKY" 14 chars

ASCII "WGJNIYCCCEQT" 12 chars

ASCII "PGHRGIPUFLFYMXWKBKD" 21 chars

ASCII "SetWindowTextA" PLAINTEXT

ASCII "SetWindowLongA" PLAINTEXT

ASCII "RegisterWindowMessageA" PLAINTEXT

ASCII "LoadCursorA" PLAINTEXT

ASCII "OJQVNNGGUYE" 12 chars

ASCII "BECIRYCDHTRFGWAJNI" 18 chars

ASCII "IJUIKRWHOHAOZYND" 16 chars

ASCII "AISTYDAPXGQAXSHMMLO" 19 chars

ASCII "XEVEXZMGFBLJVFSV" 16 chars

ASCII "UKTMOBVURAZKVHK" 15 chars

ASCII "UWJXCZIHSD" 10 chars

ASCII "PGHRGIPNELYYMQWKUK" 18 chars

ASCII "OGDGWCCKMNJVDZ" 14 chars

ASCII "RegisterWindowMessageA" PLAINTTEXT

ASCII "LoadCursorFromFileA" PLAINTEXT

ASCII "OJQVNNGGUYE" 11 chars

ASCII "BECIRYCDHTRFGWAJNI" 18 chars

ASCII "AQSCQSZYPWIJW" 13 chars

ASCII "IJUIKRWHOHAOZYND" 16 chars

ASCII "AISTYDAPXGQAXSHMMLO" 19 chars

ASCII "XEVEXZMGFBLJVFSV" 16 chars

ASCII "PGHRGIPNELYYMQWKUK" 18 chars

ASCII "NRSXJGVWMPZD" 12 chars

ASCII "LLKNFJMVIIQLMIU" 15 chars

ASCII "ISBYTJOONPIEIXEDLNP" 19 chars

ASCII "RYEVVOIVGNUKTMOBVU" 18 chars

ASCII "WEUXHLGVTTTV" 12 chars

ASCII "MJSQCUZCAGOPZAF" 15 chars

ASCII "MTYIPJCQBAOFO" 13 chars

ASCII "WHTWUACJUVZECQ" 14 chars

ASCII "MSABMMRDTIQGJTX" 15 chars

ASCII "GetClassNameA" PLAINTEXT

ASCII "VOQDXWSCAMWJMK" 14 chars

ASCII "GetWindowTextA" PLAINTEXT

ASCII "SystemParametersInfoA" PLAINTEXT

ASCII "IEQFUMKEPKFM" 12 chars

ASCII "BZZYBTXAIWVDYA" 14 chars

ASCII "XLNUAKRKERCCQHP" 15 chars

ASCII "YXZLOSHONVXYUHOLDUV" 19 chars

ASCII "WGEQHNQOUC" 10 chars

ASCII "JSSDDIULZHX" 11 chars

ASCII "OJZwwwYRNRGTMU" 14 chars

ASCII "KAFFEHZWZOVUCEGC" 16 chars

ASCII "RHRUYSINNMPAEHXD" 16 chars

ASCII "KFSZWOFGQEHOT" 13 chars

ASCII "LoadStringA" PLAINTEXT

ASCII "RQTEILAHGPQSOAIE" 16 chars

ASCII "MZMROYPBSYB" 11 chars

ASCII "BEOSNDAAACVRVK" 14 chars

ASCII "KNCQJRSUQCRGYWQ" 15 chars

ASCII "MUIHPKMHUIYXO" 13 chars

ASCII "YLPWKUJVEREKHQITLQT" 19 chars

now thats just for the USER32.DLL... your job is to go through user32 with dll export viewer and find which ones match those encrypted strings j/k

i'll see if i cant find the easy ones first like the 19 chars long calls

also some other VB dll's are being loaded

such as:

VBA6.DLL STKIT432.DLL neither of which i have in my sys32

The file vba6.dll is a part of the Visual Basic for Applications Development Environment under Microsoft Corporation

STKIT432.DLL could be a part of Visual Basic Setup Toolkit Library DLL. Check out if STKIT432.DLL is a virus or a legitimate application.

This DLL was originally part of the Visual Basic 4.0 SETUP project that was distributed with VB4

Reg entries are encrypted

I may run VMWare .... i'll keep posting as i get more

Edited May 15, 2010 by JMC31337