Full Version: Nasty?
Malwarebytes Forum > Research Center > Newest Rogue Threats
salmon
Could someone have a look at this? Thanks.
Beware: it opens a porn page.

Result: 9/39 (23.08%)
http://www.virustotal.com/analisis/21466dd...7fafc8303bd7a6d

Download link:
hxxp://rapidshare.com/files/192993106/spyware_Sharereactor.com.zip

CIMA:
http://camas.comodo.com/cgi-bin/submit?fil...114b1a06c564ce3
Maniac
I think it's dangerous! Here's what it does after being launched:

CODE
----------------------------------
Values added:8
----------------------------------
HKLM\SOFTWARE\Microsoft\DirectDraw\id: 0x0074DEEC
HKLM\SOFTWARE\Microsoft\DirectDraw\c: 0x00000000
HKLM\SOFTWARE\Microsoft\DirectDraw\s1: A8 A4 AC A9 A4 EB A8 AC A6 B7 AA B6 AA A3 B1 EB A6 AA A8
HKLM\SOFTWARE\Microsoft\DirectDraw\s2: B6 A8 B1 B5 EB A2 AA AA A2 A9 A0 EB A6 AA A8
HKLM\SOFTWARE\Microsoft\DirectDraw\h1: AD B1 B1 B5 FF EA EA F3 F3 EB F4 F4 FC EB F4 F7 F7 EB FC FC EA
HKLM\SOFTWARE\Microsoft\DirectDraw\h2: AD B1 B1 B5 FF EA EA F3 F1 EB F4 FC F4 EB F7 F7 EB F4 FD F4 EA
HKLM\SOFTWARE\Microsoft\DirectDraw\h3: AD B1 B1 B5 FF EA EA F3 F1 EB F4 FC F4 EB F7 F7 EB F4 FD F4 EA
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\Support\LOCALS~1\Temp\Temporary Directory 2 for spyware_Sharereactor.com.zip\spyware Sharereactor.com.exe: "spyware Sharereactor.com"

----------------------------------
Values modified:10
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: A9 BC 30 5B 8B 9D 99 53 29 A3 D2 72 0E 33 BB D3 F9 83 E2 86 FE 74 AC 4E 40 71 FF 3A 96 95 AF CF 9A E6 8D A2 D5 AB 67 05 02 2A FC 68 14 D8 73 59 F1 C9 C6 1B 93 BD A4 2A 75 66 5D 83 37 51 46 09 60 F5 71 CD 1F 8E 4C CA 3E E9 71 BE 51 C8 45 87
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 6B 5C 70 0B 38 15 CD 7B FC 3A 88 49 1B 4D 78 D3 F9 0C EE 99 D7 BE 1E BC C7 72 C7 40 50 59 0F 7E A9 8B F5 64 DF 7F 4D 20 76 E7 C7 40 D9 2A 61 3B AF 93 DF A1 F0 B3 9B 94 C7 8A BE 8D C8 AD F4 ED FA 17 0C 02 EB 1C 2A 8A 6C 2B 1E 62 0B 5F 2C 44
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000F
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x0000000C
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 36 30 38 42 2E 74 6D 70 00 00 00
HKLM\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 36 30 38 42 2E 74 6D 70 00 00 5C 53 79 73 74 65 6D 52 6F 6F 74 5C 73 79 73 74 65 6D 33 32 5C 63 6F 6E 66 69 67 5C 34 37 34 33 34 32 38 32 2E 45 76 74 00 5C 53 79 73 74 65 6D 52 6F 6F 74 5C 53 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 61 73 63 33 35 35 30 70 2E 73 79 73 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 53 75 70 70 6F 72 74 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 54 65 6D 70 6F 72 61 72 79 20 44 69 72 65 63 74 6F 72 79 20 32 20 66 6F 72 20 73 70 79 77 61 72 65 5F 53 68 61 72 65 72 65 61 63 74 6F 72 2E 63 6F 6D 2E 7A 69 70 5C 73 70 79 77 61 72 65 20 53 68 61 72 65 72 65 61 63 74 6F 72 2E 63 6F 6D 2E 65 78 65 00 00 00
HKLM\SYSTEM\ControlSet001\Services\srservice\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\srservice\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 36 30 38 42 2E 74 6D 70 00 00 00
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations: 5C 3F 3F 5C 63 3A 5C 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 4F 4C 44 36 30 38 42 2E 74 6D 70 00 00 5C 53 79 73 74 65 6D 52 6F 6F 74 5C 73 79 73 74 65 6D 33 32 5C 63 6F 6E 66 69 67 5C 34 37 34 33 34 32 38 32 2E 45 76 74 00 5C 53 79 73 74 65 6D 52 6F 6F 74 5C 53 79 73 74 65 6D 33 32 5C 64 72 69 76 65 72 73 5C 61 73 63 33 35 35 30 70 2E 73 79 73 00 5C 3F 3F 5C 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 53 75 70 70 6F 72 74 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 54 65 6D 70 6F 72 61 72 79 20 44 69 72 65 63 74 6F 72 79 20 32 20 66 6F 72 20 73 70 79 77 61 72 65 5F 53 68 61 72 65 72 65 61 63 74 6F 72 2E 63 6F 6D 2E 7A 69 70 5C 73 70 79 77 61 72 65 20 53 68 61 72 65 72 65 61 63 74 6F 72 2E 63 6F 6D 2E 65 78 65 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\srservice\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\srservice\Start: 0x00000003
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 AD B6 D1 ED 82 C9 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00 6F 00 6F 00 74 00 25 00 5C 00 54 00 45 00 4D 00 50 00 00 00 44 00 3B 00 2E 00 56 00 42 00 53 00 3B 00 2E 00 56 00 42 00 45 00 3B 00 2E 00 4A 00 53 00 3B 00 2E 00 4A 00 53 00 45 00 3B 00 2E 00 57 00 53 00 46 00 3B 00 2E 00 57 00 53 00 48 00 00 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 62 00 65 00 6D 00 00 00 00 00 00 00
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 AD B6 D1 ED 82 C9 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00 6F 00 6F 00 74 00 25 00 5C 00 54 00 45 00 4D 00 50 00 00 00 44 00 3B 00 2E 00 56 00 42 00 53 00 3B 00 2E 00 56 00 42 00 45 00 3B 00 2E 00 4A 00 53 00 3B 00 2E 00 4A 00 53 00 45 00 3B 00 2E 00 57 00 53 00 46 00 3B 00 2E 00 57 00 53 00 48 00 00 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 62 00 65 00 6D 00 00 00 00 00 00 00
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {10DF43C8-1DBE-11D3-8B34-006097DF5BD4} 0x401: 00 00 00 00 31 00 31 00 20 F9 42 60 6B 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {10DF43C8-1DBE-11D3-8B34-006097DF5BD4} 0x401: 00 00 00 00 31 00 31 00 00 3D 94 AB 6B 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\SessionInformation\ProgramCount: 0x00000002
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\SessionInformation\ProgramCount: 0x00000001

----------------------------------
Files added:35
----------------------------------
C:\Documents and Settings\Support\Local Settings\Temp\Temporary Directory 2 for spyware_Sharereactor.com.zip\spyware Sharereactor.com.exe
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\aDollHouse_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cCryptStyles[1].css
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r2_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r3_c2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r3_c6[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r7_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r8_c1[2].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r8_c7[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\login[1].htm
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\signupMainSexy[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\ALittleCumster_final_anal1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\allAmericanAnal_final_anal2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\AmateurHardcore_final_amat1[2].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\cc_r1_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\cc_r3_c3[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\highDefLesbians_final_lesbi[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\mainBG[2].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\midBG[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r3_c5[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r4_c2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r8_c3[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r9_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\interracial_lust_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\ladyAssLickers19_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\signupRightColBG[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\cc_r3_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\cc_r5_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\ChasingWhiteBooty_final_int[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\eroticSensations_final_amat[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\index[1]
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\MeSoAsian_final_asian[2].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\mommyIsAMilf_final_mature[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\porkedPussiesOnParade_final_amat[1].jpg
C:\WINDOWS\system32\config\47434282.Evt

----------------------------------
Files deleted:30
----------------------------------
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\allAmericanAnal_final_anal2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r1_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r3_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r3_c5[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r4_c2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r8_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\cc_r9_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\interracial_lust_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\midBG[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\AmateurHardcore_final_amat1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\cc_r3_c2[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\cc_r3_c6[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\cc_r8_c3[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\ChasingWhiteBooty_final_int[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\mommyIsAMilf_final_mature[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\porkedPussiesOnParade_final_amat[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r3_c3[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r5_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\cc_r8_c7[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\eroticSensations_final_amat[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\highDefLesbians_final_lesbi[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\mainBG[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\QJYPOGR2\ppd13-LesbianCollegeCoeds_f[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\aDollHouse_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\ALittleCumster_final_anal1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\cCryptStyles[1].css
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\cc_r2_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\cc_r7_c1[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\ladyAssLickers19_final[1].jpg
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\MeSoAsian_final_asian[1].jpg

----------------------------------
Files[attr]modified:10
----------------------------------
C:\Documents and Settings\Support\Cookies\index.dat
C:\Documents and Settings\Support\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Support\Local Settings\History\History.IE5\MSHist012009020220090203\index.dat
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Support\NTUSER.DAT.LOG
C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
C:\WINDOWS\system32\CatRoot2\edb.chk
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG

----------------------------------
Folders added:2
----------------------------------
C:\Documents and Settings\Support\Local Settings\Temp\Temporary Directory 2 for spyware_Sharereactor.com.zip
C:\WINDOWS\Temp\settings

----------------------------------
Total changes:95
----------------------------------


What do you think?
salmon
Oooo, how do you do that? Fancy!

C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\I5OJB3KP\ChasingWhiteBooty_final_int[1].jpg
Maniac
Wow.... Here's the log file from MBAM after I was infected:

QUOTE
Malwarebytes' Anti-Malware 1.33
Database version: 1716
Windows 5.1.2600 Service Pack 3

2/2/2009 9:52:08 PM
mbam-log-2009-02-02 (21-52-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 59464
Time elapsed: 22 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\47434282.Evt (Rootkit.Agent.H) -> Delete on reboot.


Still, are you interested in whether it's dangerous?
salmon
No, I meant what do you use to analyse the file?