More malware from ircer.pl
The guys running the Virut botnet are dealing out new malware again. The new file being downloaded is about 30k in size, and it’s packed with UPX. There is some kind of obscuring layer on top of UPX, but it’s pretty trivial to bypass.
It deploys a lot of bogus code, and has some anti-debug features, mainly an obscured version of debugger detection through the timestamp counter (rdtsc). Once the protective layer is bypassed, we come to the original UPX stub. After unpacking the UPX we land on yet another useless obscuring layer.
After the obscuring is passed, the file extracts a DLL it carries in its resource section. The DLL is also packed with UPX, and has the same protection on top of UPX as its “mother” had. The DLL is injected into winlogon.exe as well as registered as a BHO (Browser Helper Object). The DLL registers itself with its creators by sending a message to http://65.243.103.80/80
AS     | IP              | CC | AS Name
15146  | 65.243.103.80   | US | CABLEBAHAMAS - Cable Bahamas Ltd.
According to virustotal.com, AV detection was a bit scarce on these, but I reckon they’ll improve in a few days.
April 19th, 2007 at 10:12 pm
I just found a cookie on my machine referencing 65.243.103.80
Any names available yet as to the files it drops?
April 21st, 2007 at 8:49 am
The files are dropped into the sysdir (C:\windows\system32 for most systems) under a 5 digit random character filename ending in .dll
April 24th, 2007 at 12:18 am
the file can contain more than 5 random digits… this is bullshit, has some stupid modifications… for example, in my system it was ddcdaay.dll … I removed it under system self mode, after disallowing permissions to write for anybody to this registry path (like dll name) — HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcdaay
April 30th, 2007 at 3:33 pm
Thanks. This IP address just flashed up on my firewall. AVG & Windows Defender don’t pick up the dll as anything bad, but I found the offending dll (mine was called ssqromk.dll) and entries in the registry (winlogon notify) and clsid {4FFADED8-CE19-4FC5-9547-7881FDB5D120}. Registered as a Browser Helper Object, quickly picked up in Ace Utilities.
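The two persistence locations named in the post and the comments above, the Winlogon\Notify package and the Browser Helper Object CLSID, can be triaged offline from a registry export. The script below is an added example, not code from the post or its commenters: it parses a constructed .reg excerpt (sample data, not a real infected host) containing one legitimate notify package, the ssqromk.dll notify entry and the {4FFADED8-CE19-4FC5-9547-7881FDB5D120} BHO reported above. The heuristics are my assumptions: a random-looking all-lowercase DLL name, generic "Logon"/"Logoff" export names in the notify key, and one DLL registered both as a notify package and as a BHO server.

```python
import re

# Registry locations named in the post and its comments (Winlogon notify
# package, BHO registration, CLSID in-process server path).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Assumed heuristic: random-looking basenames such as ddcdaay.dll / ssqromk.dll
# are 5-8 lowercase letters with no digits.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")

# Constructed .reg export excerpt (sample data): one legitimate notify package
# (crypt32chain) plus the two entries a commenter reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqromk]
"DllName"="C:\\WINDOWS\\system32\\ssqromk.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FFADED8-CE19-4FC5-9547-7881FDB5D120}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4FFADED8-CE19-4FC5-9547-7881FDB5D120}\InprocServer32]
@="C:\\WINDOWS\\system32\\ssqromk.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string and dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][name] = data
    return keys


def value_ci(values, name):
    """Case-insensitive value lookup: exports carry both DllName and DLLName spellings."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(keys):
    """Return (key_path, reason) findings for suspicious notify packages and BHOs."""
    findings, notify_dlls = [], {}
    lower = {k.lower(): v for k, v in keys.items()}
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        dll = value_ci(values, "DllName") or ""
        notify_dlls[basename(dll)] = path
        reasons = []
        if RANDOM_DLL.match(basename(dll)):
            reasons.append("random-looking DLL name")
        if (value_ci(values, "Logon"), value_ci(values, "Logoff")) == ("Logon", "Logoff"):
            reasons.append("generic Logon/Logoff export names")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    for path in keys:
        if not path.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = path.rsplit("\\", 1)[-1]
        server = lower.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32".lower(), {})
        dll = value_ci(server, "(Default)") or ""
        reasons = []
        if RANDOM_DLL.match(basename(dll)):
            reasons.append("random-looking DLL name")
        if basename(dll) in notify_dlls:
            reasons.append("same DLL also installed as a Winlogon notify package")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, why in triage(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    -> {why}")
```

On a live host the same check is usually typed into PowerShell; working from an exported .reg file lets it run on a snapshot taken from a machine you do not trust. The cross-reference (one DLL in both the notify list and a BHO CLSID) is the strongest signal here, since the random name by itself will occasionally collide with oddly named but legitimate components.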
April 30th, 2007 at 4:35 pm
Glad the entry was of help. I’m not aware of all the ways they can push that malware to victims. You might want to check for any suspicious connections on your computer. Some of the DNS names they’ve used are:
zief.pl
proxima.ircgalaxy.pl
The botnet C&C has usually been at port 65520.
May 26th, 2007 at 5:39 am
A new release, 8 May 2007 GMT+1; the dropper file is downloaded via a website, and the files are now packed with PEC2.
Source: http://secubox.aldria.com/topic-post1867.html
______________________________________________________________
.text >> 0000a228 ( 1000a228 ) >> SeDebugPrivilege
.text >> 0000a23c ( 1000a23c ) >> explorer.exe
.text >> 0000a24c ( 1000a24c ) >> WINLOGON.EXE
.text >> 0000a25c ( 1000a25c ) >> rundll32.exe
.text >> 0000a270 ( 1000a270 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
.text >> 0000a2b4 ( 1000a2b4 ) >> Time
.text >> 0000a2bc ( 1000a2bc ) >> g_InstallPath
.text >> 0000a2cc ( 1000a2cc ) >> g_InstallDLL
.text >> 0000a2dc ( 1000a2dc ) >> xWovqdo
.text >> 0000a2e4 ( 1000a2e4 ) >> Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
.text >> 0000a324 ( 1000a324 ) >> Logon
.text >> 0000a32c ( 1000a32c ) >> Logoff
.text >> 0000a338 ( 1000a338 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
.text >> 0000a380 ( 1000a380 ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
.text >> 0000a3cc ( 1000a3cc ) >> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
.text >> 0000a3fc ( 1000a3fc ) >> MSServer
.text >> 0000a408 ( 1000a408 ) >> CLSID\
.text >> 0000a410 ( 1000a410 ) >> Asynchronous
.text >> 0000a420 ( 1000a420 ) >> DllName
.text >> 0000a428 ( 1000a428 ) >> Impersonate
.text >> 0000a434 ( 1000a434 ) >> Logon
.text >> 0000a43c ( 1000a43c ) >> Logoff
.text >> 0000a448 ( 1000a448 ) >> awx_mutant
.text >> 0000a454 ( 1000a454 ) >> AD-AWARE.EXE
.text >> 0000a464 ( 1000a464 ) >> %08x
.text >> 0000a470 ( 1000a470 ) >> Kernel32
.text >> 0000a47c ( 1000a47c ) >> LoadLibraryA
.text >> 0000a48c ( 1000a48c ) >> PSAPI.dll
.text >> 0000a498 ( 1000a498 ) >> EnumProcessModules
.text >> 0000a4ac ( 1000a4ac ) >> GetModuleFileNameExA
.text >> 0000a4c4 ( 1000a4c4 ) >> psapi.dll
.text >> 0000a4d0 ( 1000a4d0 ) >> %s\tmp%08x
.text >> 0000a4dc ( 1000a4dc ) >> rundll32.exe %s,Activate
.text >> 0000a4f8 ( 1000a4f8 ) >> HookProc
.text >> 0000a504 ( 1000a504 ) >> %s\%s
.text >> 0000b620 ( 1000b620 ) >> http://65.243.103.80/80
.text >> 0000b638 ( 1000b638 ) >> SOFTWARE\Microsoft\Installer
.text >> 0000b65c ( 1000b65c ) >> Identities
.text >> 0000b668 ( 1000b668 ) >> URLDownloadToFileA
.text >> 0000b67c ( 1000b67c ) >> urlmon.dll
.text >> 0000b690 ( 1000b690 ) >> uid=
.text >> 0000b698 ( 1000b698 ) >> %s/%s
.text >> 0000b6a8 ( 1000b6a8 ) >> SOFTWARE\Microsoft\zxc5
.text >> 0000b6c0 ( 1000b6c0 ) >> 0123456789ABCDEFopen
.text >> 0000b6dc ( 1000b6dc ) >> ShellExecuteA
.text >> 0000b6ec ( 1000b6ec ) >> shell32.dll
.text >> 0000b700 ( 1000b700 ) >> %s/%s?i=%s&v=%x_%x_%x_%x_%s&g=%s&t=%04i_%02i_%02i_%02i_%02i&d=%i%s&a=%i
.text >> 0000b748 ( 1000b748 ) >> &s=1
.text >> 0000b750 ( 1000b750 ) >> &m=1
.text >> 0000b758 ( 1000b758 ) >> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
______________________________________________________________
Regards,
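The strings dump above gives the check-in URL skeleton (%s/%s?i=%s&v=%x_%x_%x_%x_%s&g=%s&t=%04i_%02i_%02i_%02i_%02i&d=%i%s&a=%i, with an optional &s=1 or &m=1), the hard-coded user agent, and the host http://65.243.103.80/80. As an added example, not code from the post or the commenter, the script below turns that into a proxy-log detection: it scores each request on the known host, on the presence of the i/v/g/t/d/a parameter set, on whether the values fit the format string's shapes, and on the spoofed IE6/XP user agent. The log lines and every query value in them are constructed to fit the format string and are not captured traffic; the scoring weights and threshold are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post and the strings dump.
C2_HOST = "65.243.103.80"
C2_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Parameter set and value shapes implied by the check-in format string:
#   %s/%s?i=%s&v=%x_%x_%x_%x_%s&g=%s&t=%04i_%02i_%02i_%02i_%02i&d=%i%s&a=%i
REQUIRED_PARAMS = {"i", "v", "g", "t", "d", "a"}
VALUE_SHAPES = {
    "v": re.compile(r"^[0-9a-f]+_[0-9a-f]+_[0-9a-f]+_[0-9a-f]+_"),  # %x_%x_%x_%x_%s
    "t": re.compile(r"^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}$"),           # %04i_%02i_%02i_%02i_%02i
    "d": re.compile(r"^-?\d+"),                                    # %i%s
    "a": re.compile(r"^-?\d+$"),                                   # %i
}

# Constructed proxy log (tab separated: time, client, method, url, status, user agent).
# Line 2 beacons to the known host, line 3 is a beacon-shaped request to an assumed
# new drop host, lines 1 and 4 are benign browsing (line 4 with the same IE6 UA string).
SAMPLE_LOG = "\n".join([
    "2007-04-19 22:01:03\t10.0.0.5\tGET\thttp://www.example.com/index.html\t200\t"
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0.0.3",
    "2007-04-19 22:01:07\t10.0.0.5\tGET\thttp://65.243.103.80/80/?i=0a1b2c3d"
    "&v=5_1_a28_2_Service%20Pack%202&g=a1b2c3d4&t=2007_04_19_22_01&d=1&a=2&s=1\t200\t"
    + C2_USER_AGENT,
    "2007-04-19 22:05:42\t10.0.0.9\tGET\thttp://203.0.113.7/80/?i=9f8e7d6c"
    "&v=5_1_a28_2_Service%20Pack%202&g=deadbeef&t=2007_04_19_22_05&d=0&a=1&m=1\t200\t"
    + C2_USER_AGENT,
    "2007-04-19 22:06:10\t10.0.0.9\tGET\thttp://www.example.com/news\t200\t" + C2_USER_AGENT,
])


def classify_request(url, user_agent):
    """Score one request; returns (score, reasons). A score of 4 or more is a beacon candidate."""
    score, reasons = 0, []
    parts = urlsplit(url)
    if parts.hostname == C2_HOST:
        score += 3
        reasons.append("known C&C host")
    params = parse_qs(parts.query, keep_blank_values=True)
    if REQUIRED_PARAMS <= set(params):
        score += 2
        reasons.append("beacon parameter set i/v/g/t/d/a")
        # Only score the shapes when the full set is present, so a stray t= or d=
        # on an unrelated site does not count.
        if all(rx.match(params[p][0]) for p, rx in VALUE_SHAPES.items()):
            score += 2
            reasons.append("values match the format string shapes")
    if user_agent == C2_USER_AGENT:
        score += 1
        reasons.append("hard-coded IE6/XP user agent")
    return score, reasons


def scan_log(text, threshold=4):
    """Return the log entries whose score reaches the threshold."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ua = line.split("\t")
        score, reasons = classify_request(url, ua)
        if score >= threshold:
            hits.append({"time": ts, "client": client, "url": url,
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} score={hit['score']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['url']}")
```

Matching on the parameter structure rather than only on the IP is what keeps the rule useful after the operators move the dropper to a new site, as the comment above reports they did; the host match alone remains the high-confidence indicator for the address in the post.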