
Malwarebytes

serverr.exe ; Fly Crypter v1b -22.06.09 update.exe


1 reply to this topic

#1
B-boy/StyLe/

    Elite Member

  • Trusted Advisors
  • 658 posts
  • Gender:Male
  • Location:Bulgaria
VirusTotal (2/41)

Quote

----------------------------------
Keys added:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C70D5713-1CC8-78D4-3AC0-E91B91DD5262}

----------------------------------
Values added:28
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{C70D5713-1CC8-78D4-3AC0-E91B91DD5262}\StubPath: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 3A 77 69 6E 6C 6F 67 6F 6E 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsock.exe: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 3A 77 69 6E 6C 6F 67 6F 6E 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Q:\freiree.rkr: 02 00 00 00 06 00 00 00 60 14 EA 16 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\MinPos1024x768(1).x: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\MinPos1024x768(1).y: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\MaxPos1024x768(1).x: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\MaxPos1024x768(1).y: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\WinPos1024x768(1).left: 0x00000016
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\WinPos1024x768(1).top: 0x0000001D
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\WinPos1024x768(1).right: 0x00000336
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\WinPos1024x768(1).bottom: 0x00000275
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Rev: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\WFlags: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\ShowCmd: 0x00000001
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\FFlags: 0x00000001
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\HotKey: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Buttons: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Links: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Address: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Mode: 0x00000006
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\ScrollPos1024x768(1).x: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\ScrollPos1024x768(1).y: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Sort: 0x00000000
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\SortDir: 0x00000001
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\42\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:\serverr.exe: "serverr"

----------------------------------
Values modified:11
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 01 FD D6 12 06 52 76 A0 59 4E 2B 06 84 ED 79 D2 5C 42 33 61 AD 82 83 F8 BF C8 5A 90 31 55 00 21 D2 17 4A 11 1A FD C6 BD D5 CA 45 47 4C A7 D3 1B B4 70 53 67 7E 1B 42 2C 5E 55 09 95 D5 78 E2 31 2B 0D B1 22 ED 81 A8 CF 45 62 59 EA 8E FE AE 90
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: AC 59 DE F2 39 BB 86 C4 69 AC B2 D2 CF DF 7E 92 45 6A 04 75 51 BF 2C 1F DE A9 DA 03 88 8C 7E 2E DA 83 77 3F A8 DE 53 E3 9B 06 B2 A2 1D 3D 80 00 42 1F 62 7B B2 50 AA 31 19 23 73 D9 0E 88 E2 FF C7 80 D2 EA 41 50 54 0C B0 99 D0 93 77 DE D1 91
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\MRUListEx: 03 00 00 00 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\MRUListEx: 00 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1D 00 00 00 70 E6 3C 0F 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 1E 00 00 00 60 EB ED 13 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 27 00 00 00 F0 32 0B 10 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 29 00 00 00 60 14 EA 16 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 02 00 00 00 12 00 00 00 60 DC 64 0B 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}: 02 00 00 00 13 00 00 00 00 72 EF 13 91 F6 C9 01
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 04 00 00 00 00 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 04 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).left: 0x0000006E
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).left: 0x0000002C
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).top: 0x0000008A
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).top: 0x0000003A
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).right: 0x0000038E
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).right: 0x0000034C
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).bottom: 0x000002E2
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\2\Shell\WinPos1024x768(1).bottom: 0x00000292
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\SessionInformation\ProgramCount: 0x00000002
HKU\S-1-5-21-1202660629-842925246-1343024091-1003\SessionInformation\ProgramCount: 0x00000001

----------------------------------
Total changes:40

Some drops:

Quote

ComboFix 09-06-26.02 - B-boy-VM 06.2009 г. 22:08.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.511.422 [GMT 3:00]
Running from: D:\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Help\agt0405.hlp
c:\windows\Help\agt0408.hlp
c:\windows\Help\agt0415.hlp
c:\windows\Help\agt0419.hlp


.
((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-06-26 )))))))))))))))))))))))))))))))
.

2009-06-26 18:59 . 2009-06-26 18:59 -------- d-----w- c:\program files\Sandboxie
2009-06-26 12:52 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-26 12:52 . 2009-03-24 13:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-26 12:52 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-26 12:52 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-26 12:52 . 2009-06-26 12:52 -------- d-----w- c:\program files\Avira
2009-06-26 12:52 . 2009-06-26 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-06-26 12:46 . 2009-06-26 12:47 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-26 12:46 . 2009-06-26 12:46 -------- d-----w- c:\program files\Intel
2009-06-26 12:46 . 2009-04-09 06:47 53248 ----a-r- c:\windows\system32\CSVer.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 15:43 . 2009-05-28 15:43 12328 ----a-w- c:\documents and settings\B-boy-VM\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 15:36 . 2009-05-28 15:36 -------- d-----w- c:\program files\microsoft frontpage
2009-05-28 15:35 . 2009-05-28 15:35 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-28 15:33 . 2009-05-28 15:33 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26.6.2009 г. 15:52 108289]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [28.5.2009 г. 16:32 108032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SBIESVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C70D5713-1CC8-78D4-3AC0-E91B91DD5262}]
c:\windows\system32:winlogon.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-winsock.exe - c:\windows\system32:winlogon.exe




**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-26 22:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winsock.exe = c:\windows\system32:winlogon.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????


scanning hidden files ...


c:\windows\system32:winlogon.exe 118824 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-06-26 22:10
ComboFix-quarantined-files.txt 2009-06-26 19:10

Pre-Run: 2 103 103 488 bytes free
Post-Run: 2 094 600 192 bytes free


The file 'Fly Crypter v1b -22.06.09 update.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Crypt.CFI.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. This malware is detected by a special detection routine from the engine module.

VirusTotal (5/41)

Both + Drops (help.zip)

http://www.mediafire.com/?sharekey=6fc96c02c2ca62fdd6baebe61b361f7c6b575e06d7c60edb5621d66e282a0ee8

Not hit with => Database version: 2339 :D

#2
Raid

    Malware Researcher

  • Experts
  • 1,549 posts
  • Gender:Male
  • Location:United States

B-boy/StyLe/, on Jun 26 2009, 02:51 PM, said:


Thanks for the samples. I snagged all 3 available from the link.




