==========================================================
#MalwareMustDie - @unixfreaxjp | Mon Oct 8 06:41:38 JST 2012
AN ANALYSIS OF IRC BOT FAKING SKYPE SOFTWARE FOUND IN SKYPE PROFILE
(Yes, this is not news, but I just found an infected one myself just now)
Below is my analysis; it took me 3 hours straight for this...
*) I dedicate this work to #MalwareMustDie - Malware Crusaders - Who CRACK & do NOT sell crap!
==========================================================

Malicious Verdicts:
-------------------------------------------------------------
1. Fake picture in the Skype profile
2. Hiding the malicious PE download in a ZIP behind a forwarding HTML page
3. Faking legitimate SKYPE software
4. Drops/renames itself into %AppData%
5. Sets an autorun entry in the registry
6. Injects malicious code into foreign process memory
7. Executes several system commands for malicious purposes
8. Sends unwanted HTTP requests containing private data to remote hosts
9. Automatically communicates (BOT) with the remote host over the IRC protocol
------------------------------------------------------------------------

// Found this link in some user's skype profile pic url:
http://goo.gl/UPhHf?img=supercichy1
// long url which goes to the below forwarder html
http://hotfile.com/dl/175180403/4b2da19/skype_06102012_image.zip.html
// to download the zip file saved in hotfile.com
http://s297.hotfile.com/get/0517a8a2bf3181c2b14a87b81211e0413caa4b4c/5071dd91/2/a1f58bc24f510dbf/a710a73/skype_06102012_image.zip
// payload

--04:55:39--  http://hotfile.com/dl/175180403/4b2da19/skype_06102012_image.zip.html
           => `skype_06102012_image.zip.html'
Resolving hotfile.com... 199.7.177.216, 199.7.177.218, 199.7.177.220, ...
Connecting to hotfile.com|199.7.177.216|:80... connected.
HTTP request sent, awaiting response...
302 Found
Location: http://s297.hotfile.com/get/d04765b246ffa0c1ab1686bc9d6a73e1b69aa53b/5071de33/2/a1f58bc24f510dbf/a710a73/skype_06102012_image.zip [following]
--04:55:39--  http://s297.hotfile.com/get/d04765b246ffa0c1ab1686bc9d6a73e1b69aa53b/5071de33/2/a1f58bc24f510dbf/a710a73/skype_06102012_image.zip
           => `skype_06102012_image.zip'
Resolving s297.hotfile.com... 74.120.10.77
Connecting to s297.hotfile.com|74.120.10.77|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 273,470 (267K) [application/octet-stream]

100%[====================================>] 273,470      160.62K/s

04:55:41 (160.08 KB/s) - `skype_06102012_image.zip' saved [273470/273470]

// Just checking....
0x00001E 0x00001E 0 skype_06102012_image.exe
0x000059 0x000059 0 EEaDB
0x00007F 0x00007F 0 -K++k/
0x00025A 0x00025A 0 iE-$j
0x000338 0x000338 0 W,+$y
0x00035C 0x00035C 0 [zsz=
0x000365 0x000365 0 -=k?xcL
0x00054F 0x00054F 0 xGhO}_
0x000573 0x000573 0 Joi#am
↑ an archive file.. let's see inside ↓

----------------------------------------------------------------------------
Contains this binary:
----------------------------------------------------------------------------
filename: skype_06102012_image.exe
md5: e8e2ba08f9aff27eed45daa8dbde6159
size: 947,200 bytes
TimeStamp: 2012/10/06 13:23
Screenshot: https://lh5.googleusercontent.com/-3fiGrJpLZao/UHHlcYrCAuI/AAAAAAAAGMs/r11EoyIzaOQ/s398/001.jpg

-----------------------------------------------------------------------------
Binary Analysis: [SUSPECTED 7/10]
-----------------------------------------------------------------------------
CRC failed: Claimed: 0 Actual: 1012628
Compile Time: 0x50706727 [Sat Oct 06 17:15:19 2012 UTC]
By: Borland C++ for Win32 1999 / Borland C++ DLL
Entry Point: 0x1000
Packed w/Borland C++ trace at:
Name: .rdata
Entropy: 0.20448815744
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0xE000
SizeOfRawData: 0x200
PointerToRawData: 0xAE00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x50000040

-----------------------------------------------------------------------------
Faking SKYPE MESSAGES:
-----------------------------------------------------------------------------
0x0BE616 0x4C3E16 www.skype.com
0x0BE956 0x4C4156 Caption cannot be empty
0x0BEA84 0x4C4284 Cannot open clipboard: %s+Operation not supported on selected printer
0x0BF130 0x4C4930 %s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex
0x0BF4FC 0x4C4CFC Error creating window class+Cannot focus a disabled or invisible window
0x0C007C 0x4C587C Stream read error
0x0C0388 0x4C5B88 A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

-----------------------------------------------------------------------------
Faking SKYPE PRODUCTS:
-----------------------------------------------------------------------------
0x0D6E46 0x4DC646 CompanyName
0x0D6E60 0x4DC660 Skype Technologies S.A.
0x0D6E96 0x4DC696 FileDescription
0x0D6EB8 0x4DC6B8 Skype
0x0D6ECE 0x4DC6CE FileVersion
0x0D6EE8 0x4DC6E8 5.10.0.116
0x0D6F06 0x4DC706 InternalName
0x0D6F20 0x4DC720 Skype.exe
0x0D6F3A 0x4DC73A LegalCopyright
0x0D6F58 0x4DC758 (c) Skype Technologies S.A.
0x0D6F96 0x4DC796 OriginalFilename
0x0D6FB8 0x4DC7B8 Skype.exe
0x0D6FD2 0x4DC7D2 ProductName
0x0D6FEC 0x4DC7EC Skype
0x0D6FFE 0x4DC7FE ProductVersion
0x0D702E 0x4DC82E BuildTime
0x0D7044 0x4DC844 7/13/2012 1:28:41 PM
0x0D7076 0x4DC876 ResourcesEditedWith
0x0D70A0 0x4DC8A0 Restorator 2007 Trial
0x0D70D2 0x4DC8D2 ResourceEditorWWW
0x0D70F8 0x4DC8F8 http://www.bome.com/Restorator/ <==== wow
0x0D713E 0x4DC93E VarFileInfo
0x0D715E 0x4DC95E Translation
0x0BE614 0x4C3E14 www.skype.com
0x0BE632 0x4C3E32 Skype
// The version resource still carries Restorator's own ResourcesEditedWith / ResourceEditorWWW keys:
// the Skype company and product strings were pasted in with a resource editor, something a genuine Skype build would never contain.

-----------------------------------------------------------------------------
Obviously NOT Skype:
-----------------------------------------------------------------------------
0x0BE89E 0x4C409E %s requires Windows Vista or later
0x0BE8E4 0x4C40E4 %s requires themes to be enabled
0x0BFD14 0x4C5514 Cannot create file "%s". %s
0x0BFD4C 0x4C554C Cannot open file "%s". %s
0x0C077C 0x4C5F7C Access violation at address %p in module '%s'. %s of address %p

-----------------------------------------------------------------------------
Calls/DLL Lists
-----------------------------------------------------------------------------
0040F0D8 CloseHandle KERNEL32
0040F0DC CreateFileA KERNEL32 <------ wow wow
0040F0E0 ExitProcess KERNEL32
0040F0E4 GetACP KERNEL32
0040F0E8 GetCPInfo KERNEL32
0040F0EC GetCommandLineA KERNEL32 <------ wow wow
0040F0F0 GetCurrentThreadId KERNEL32
0040F0F4 GetEnvironmentStrings KERNEL32
0040F0F8 GetFileType KERNEL32
0040F0FC GetLastError KERNEL32
0040F100 GetLocalTime KERNEL32
0040F104 GetModuleFileNameA KERNEL32
0040F108 GetModuleHandleA KERNEL32
0040F10C GetOEMCP KERNEL32
0040F110 GetProcAddress KERNEL32
0040F114 GetProcessHeap KERNEL32
0040F118 GetStartupInfoA KERNEL32
0040F11C GetStdHandle KERNEL32
0040F120 GetStringTypeW KERNEL32
0040F124 GetVersion KERNEL32
0040F128 GetVersionExA KERNEL32
0040F12C GlobalMemoryStatus KERNEL32
0040F130 HeapAlloc KERNEL32
0040F134 HeapFree KERNEL32
0040F138 LoadLibraryA KERNEL32
0040F13C RaiseException KERNEL32
0040F140 RtlUnwind KERNEL32
0040F144 SetConsoleCtrlHandler KERNEL32
0040F148 SetFilePointer KERNEL32
0040F14C SetHandleCount KERNEL32
0040F150 TlsAlloc KERNEL32
0040F154 TlsFree KERNEL32
0040F158 TlsGetValue KERNEL32
0040F15C TlsSetValue KERNEL32
0040F160 UnhandledExceptionFilter KERNEL32
0040F164 VirtualAlloc KERNEL32
0040F168 VirtualFree KERNEL32
0040F16C WriteFile KERNEL32 <------- wow wow
0040F188 AnimateWindow USER32
0040F18C EnumThreadWindows USER32
0040F190 MessageBoxA USER32
0040F194 wsprintfA USER32
// Note: this import table is just the Borland C++ runtime set plus LoadLibraryA/GetProcAddress; nothing for sockets,
// the registry or other processes is imported, so the bot's real functionality is resolved at run time, consistent with the packing noted above.

-----------------------------------------------------------------------------
Functions Lists Analysis: [SUSPECTED 8/10]
-----------------------------------------------------------------------------
CloseHandle .text 0x408750 00000006 R . . . . T .
CreateFileA .text 0x408756 00000006 R . . . . T .
ExitProcess .text 0x40875C 00000006 R . . . . T .
GetACP .text 0x408762 00000006 R . . . . T .
GetCPInfo .text 0x408768 00000006 R . . . . T .
GetCommandLineA .text 0x40876E 00000006 R . . . . T .
GetCurrentThreadId .text 0x408774 00000006 R . . . . T .
GetEnvironmentStrings .text 0x40877A 00000006 R . . . . T .
GetFileType .text 0x408780 00000006 R . . . . T .
GetLastError .text 0x408786 00000006 R . . . . T .
GetLocalTime .text 0x40878C 00000006 R . . . . T .
GetModuleFileNameA .text 0x408792 00000006 R . . . . T .
GetModuleHandleA .text 0x408798 00000006 R . . . . T .
GetOEMCP .text 0x40879E 00000006 R . . . . T . <============= wow wow wow
GetProcAddress .text 0x4087A4 00000006 R . . . . T .
GetProcessHeap .text 0x4087AA 00000006 R . . . . T .
GetStartupInfoA .text 0x4087B0 00000006 R . . . . T .
GetStdHandle .text 0x4087B6 00000006 R . . . . T .
GetStringTypeW .text 0x4087BC 00000006 R . . . . T .
GetVersion .text 0x4087C2 00000006 R . . . . T .
GetVersionExA .text 0x4087C8 00000006 R . . . . T .
GlobalMemoryStatus .text 0x4087CE 00000006 R . . . . T .
HeapAlloc .text 0x4087D4 00000006 R . . . . T .
HeapFree .text 0x4087DA 00000006 R . . . . T .
LoadLibraryA .text 0x4087E0 00000006 R . . . . T .
RaiseException .text 0x4087E6 00000006 R . . . . T .
RtlUnwind .text 0x4087EC 00000006 R . . . . . .
SetConsoleCtrlHandler .text 0x4087F2 00000006 R . . . . T .
SetFilePointer .text 0x4087F8 00000006 R . . . . T .
SetHandleCount .text 0x4087FE 00000006 R . . . . T .
TlsAlloc .text 0x408804 00000006 R . . . . T .
TlsFree .text 0x40880A 00000006 R . . . . T .
TlsGetValue .text 0x408810 00000006 R . . . . T .
TlsSetValue .text 0x408816 00000006 R . . . . T .
UnhandledExceptionFilter .text 0x40881C 00000006 R . . . . T .
VirtualAlloc .text 0x408822 00000006 R . . . . T .
VirtualFree .text 0x408828 00000006 R . . . . T .
WriteFile .text 0x40882E 00000006 R . . . . T .
AnimateWindow .text 0x408834 00000006 R . . . . T .
EnumThreadWindows .text 0x40883A 00000006 R . . . . T .
MessageBoxA .text 0x408840 00000006 R . . . . T . <------ wow wee
wsprintfA .text 0x408846 00000006 R . . . . T . <====== wow wow why?

PS: The use of the "xxtype.cpp" (DORK it!) evil libs/headers is detected.

-----------------------------------------------------------------------------
BEHAVIOUR ANALYSIS [SUSPECTED 10/10]
-----------------------------------------------------------------------------
Drops/renames itself to:
%AppData%\Scxaxs.exe (the daemon for the overall malicious main tasks)
Renamed copies also go into:
%AppData%\1.exe // to be self-deleted
%AppData%\1.tmp // to be self-deleted
C:\Documents and Settings\Administrator\Cookies\administrator@wipmania[1].txt // junk!
-----------------------------------------------------------------------------
Autorun in registry:
-----------------------------------------------------------------------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Scxaxs = "%AppData%\Scxaxs.exe"

-----------------------------------------------------------------------------
Foreign memory injected with:
-----------------------------------------------------------------------------
services.exe  %System%\services.exe  319,488 bytes
alg.exe       %System%\alg.exe       319,488 bytes
svchost.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\svchost -k rpcss ")
svchost.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\System32\svchost.exe -k netsvcs ")
svchost.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\svchost.exe -k NetworkService ")
svchost.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\svchost.exe -k LocalService")
smss (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 ")
spoolsv.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\spoolsv.exe ")
mscorsvw.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe ")
wuauclt.exe (Parent: SAMPLE; COMMAND LINE = "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[2a8]SUSDSf0c7666bfc54a04ca39ec51a6dc8d2fd ")
ctfmon.exe : etc :
msmsgs.exe : etc :
reader_sl.exe : : :
wscntfy.exe : : :
jreiea.exe : : :
zbtous.exe : :

-----------------------------------------------------------------------------
NETWORK ANALYSIS [SUSPICIOUS 10/10]
-----------------------------------------------------------------------------
DNS:
1. api.wipmania.com
2. hotfile.com
3. s486.hotfile.com
4. venus.timeinfo.pl

HTTP:
1. To 199.15.234.7:80 (api.wipmania.com)
   Request: GET /
   Response: 200
2. To 199.7.177.244:80 (hotfile.com)
   Request: GET /dl/175181702/5b50219/09j0f3jj.html
   Response: 302
   To 199.7.177.244:80 (hotfile.com)
   Request: GET /get/2737e9fb413cb1f128707b029580099790449bcc/507073b8/2/3a27b432100110d3/a710f86/09j0f3jj
   Response: 200 (Uses a referer! Not Tor!)

COMMUNICATION WITH THE MOTHERSHIP (IRC PROTOCOL)
=======================================
SUSPICIOUS DATA SENT:
REPLIED COMING WITH SOME OBVIOUS TEXT:

Note on the captured records: the bytes are SSL 3.0 records (record type 0x16, version 0x0300). The client sends a ClientHello; the server answers with a ServerHello and a Certificate message whose DER text fields read in the ASCII column as C=US, ST=New York, O=IRC geeks, OU=IRCd, with the issuer identical to the subject (self-signed) and validity from 2012-10-05 15:27:14Z to 2013-10-05 15:27:14Z, followed by a CertificateRequest and ServerHelloDone. The client answers with a no_certificate warning alert (15 03 00 00 02 01 29), a ClientKeyExchange, ChangeCipherSpec and Finished, after which every further record is type 0x17 application data: the IRC commands themselves are encrypted on the wire, and only the handshake and that certificate are readable in the capture.
--------------------------------------------------------------
WHAT VIRUS T0TAL SAID:
https://www.virustotal.com/file/51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68/analysis/
---------------------------------------------------------------
MD5: e8e2ba08f9aff27eed45daa8dbde6159 <==== SEEK THIS MD5
File size: 925.0 KB ( 947200 bytes )
File name: skype_06102012_image.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 to 19 / 43(44)
Analysis date: 2012-10-07 21:22:52 UTC ( 8 minutes ago )

DrWeb : BackDoor.IRC.NgrBot.42
GData : Trojan.Generic.KDV.750742
VIPRE : Backdoor.Win32.Hupigon (v)
AntiVir : Worm/Dorkbot.I.385
Norman : W32/Injector.BMHF
ESET-NOD32 : Win32/Dorkbot.B
TrendMicro-HouseCall : TROJ_GEN.RC1H1J6
Sophos : Troj/Agent-YCW
nProtect : Trojan.Generic.KDV.750742
Kaspersky : Trojan.Win32.Bublik.jdb
BitDefender : Trojan.Generic.KDV.750742
McAfee : Generic BackDoor!fdj
Ikarus : Trojan.Win32.Bublik
Panda : Trj/CI.A
AhnLab-V3 : Trojan/Win32.Ransomlock
Fortinet : W32/Bublik.JDB!tr
Microsoft : Worm:Win32/Dorkbot.I
ViRobot : Trojan.Win32.A.Bublik.947200
Comodo : UnclassifiedMalware

---------------------------------------------------
CrossCheck Analysis Reference:
---------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=e8e2ba08f9aff27eed45daa8dbde6159
http://camas.comodo.com/cgi-bin/submit?file=51100553d15597e9d0ca98aa0f3be3ab5a49c0ca10808456b7a92884296e1b68
---------------------------------------------------
MALWARE MUST DIE!!!!
Mon Oct 8 06:34:14 JST 2012
#MalwareMustDie! Analysis by @unixfreaxjp
----------end----------
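Added example, not part of @unixfreaxjp's analysis: a small record-layer triage for a captured C2 stream like the IRC-over-SSL session dumped in the report. It splits the stream into SSL/TLS records, names the handshake messages, flags SSL 3.0 and encrypted application data, and pulls printable runs out of the server Certificate message (the "obvious text" an analyst sees in a hexdump's ASCII column). The sample stream is constructed to mirror the message order in the report; it is not the sample's real bytes.

```python
"""Record-layer triage for a captured SSL/TLS C2 session (added example)."""
import struct

RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}
HANDSHAKE_TYPES = {0x01: "client_hello", 0x02: "server_hello", 0x0b: "certificate",
                   0x0d: "certificate_request", 0x0e: "server_hello_done",
                   0x10: "client_key_exchange", 0x14: "finished"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_records(data):
    """Split a byte stream into (type, version, body) tuples.
    Stops at the first truncated record instead of misreading what follows."""
    records, off = [], 0
    while off + 5 <= len(data):
        rtype, version, length = struct.unpack_from(">BHH", data, off)
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((rtype, version, body))
        off += 5 + length
    return records


def describe(records):
    """Label each record; a handshake record is typed by its first body byte.
    An encrypted Finished shows up as an unknown handshake type, which is expected."""
    out = []
    for rtype, version, body in records:
        label = RECORD_TYPES.get(rtype, "unknown_0x%02x" % rtype)
        if rtype == 0x16 and body:
            label += ":" + HANDSHAKE_TYPES.get(body[0], "type_0x%02x" % body[0])
        out.append("%s %s" % (VERSIONS.get(version, "0x%04x" % version), label))
    return out


def printable_runs(data, minlen=4):
    """Runs of printable ASCII at least minlen long, like strings(1)."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the last run
        if 0x20 <= b < 0x7f:
            cur.append(b)
            continue
        if len(cur) >= minlen:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def triage(data):
    """Flags a defender cares about plus any text found in the server certificate."""
    flags, cert_text = set(), []
    for rtype, version, body in parse_records(data):
        if version == 0x0300:
            flags.add("sslv3")                 # long deprecated, typical of old bot kits
        if rtype == 0x16 and body[:1] == b"\x0b":
            flags.add("certificate")
            cert_text.extend(printable_runs(body))
        if rtype == 0x17:
            flags.add("encrypted_app_data")    # the IRC commands travel in here
    return flags, cert_text


def _hs(msg_type, payload):
    """Handshake message: 1-byte type, 24-bit length, payload."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


def _rec(rtype, body, version=0x0300):
    return struct.pack(">BHH", rtype, version, len(body)) + body


# Constructed stand-in for the captured session (same message order as the report).
_FAKE_CERT = (b"\x30\x82\x01\x00\x06\x03\x55\x04\x06\x13\x02US"
              b"\x06\x03\x55\x04\x08\x13\x08New York"
              b"\x06\x03\x55\x04\x0a\x13\x09IRC geeks"
              b"\x06\x03\x55\x04\x0b\x13\x04IRCd" + b"\x00" * 8)
_CERT_MSG = len(_FAKE_CERT).to_bytes(3, "big") + _FAKE_CERT      # one-entry chain
SAMPLE_STREAM = (
    _rec(0x16, _hs(0x01, b"\x03\x00" + b"\x11" * 32 + b"\x00\x00\x02\x00\x0a\x01\x00"))
    + _rec(0x16, _hs(0x02, b"\x03\x00" + b"\x22" * 32 + b"\x00\x00\x0a\x00"))
    + _rec(0x16, _hs(0x0b, len(_CERT_MSG).to_bytes(3, "big") + _CERT_MSG))
    + _rec(0x15, b"\x01\x29")                            # warning / no_certificate
    + _rec(0x16, _hs(0x10, b"\x00\x80" + b"\x33" * 128))
    + _rec(0x14, b"\x01")
    + _rec(0x16, b"\x5b" + b"\x44" * 55)                 # Finished, already encrypted
    + _rec(0x17, b"\x49" * 18)                           # application data (IRC)
)

if __name__ == "__main__":
    for line in describe(parse_records(SAMPLE_STREAM)):
        print(line)
    print(triage(SAMPLE_STREAM))
```

Feed it the raw TCP payload of the suspect connection (both directions concatenated in order); a Finished or any post-handshake record cannot be decoded further, which is exactly the point the report makes about the IRC traffic.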