By: a guest on Mar 2nd, 2014
Hello, I am Foxxy (Qvuen). I am currently learning malware analysis, so enjoy! I apologize for reading and flow issues; I was writing this while I was doing the analysis. Also, please note that most of the misspelled words in the analysis, like "symantic", were misspelled by the malware author, not me.

Name: Gruel

Basic Static Analysis

File Type: Portable Executable
Language: Microsoft Visual Basic 5.0/6.0
Compiled: Tuesday, July 14, 2003 at 3:00 am/pm
Packed: No
Dependencies:

Kernel32.dll - Imported for process creation and file manipulation.
User32.dll - Used for Windows forms (window and dialog handling).
GDI32.dll - Used to draw on the screen (Windows forms).
AdvAPI32.dll - Imported to edit the registry.
OLE32.dll - Object Linking and Embedding functions.
OLEAUT32.dll - OLE Automation; used by Visual Basic applications.

Virus Total: 46/50 AV engines detected Gruel.exe as malware.

Basic Dynamic Analysis

Behaviors: The worm shows a fake error message. When Send And Close is selected, the worm opens all of the Control Panel applets, then displays a message box ranting about Windows. It then adds registry keys that disable viewing drives and using the Run tool. It also attempts to disable taskmgr.exe completely by adding the value "DisableTaskMgr"; however, this was either not implemented or it is broken.

Gruel saves itself to the C:\ directory as Rundll32.exe. It then kills the explorer.exe process. The worm also appears to attempt to copy itself to your shared folders under the name "Norton 2003 pro.exe".

It also tries to open your CD drive; however, this attempt fails. (This may have been because I ran it in a VM.)

The worm spreads itself through the Microsoft Outlook application. The email, according to the strings of gruel.exe, would look something like this:

Subject: Symantic: New serious virus found

Body: Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).


RegShot Logs
Regshot 1.9.0 x86 Unicode
Comments:
Datetime: 2014/2/15 20:00:48 , 2014/2/15 20:04:24
Computer: FOXXY-21468ACD7 , FOXXY-21468ACD7
Username: Administrator , Administrator

----------------------------------
Keys added: 50
----------------------------------
The key where gruel hides its startup value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\

The following keys were created, but they do not show up in a registry editor. (I may have accidentally deleted them at some point.)
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder

Creates a useless, nameless, blank entry in the Control Panel.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

This key contained no values, but it was created by gruel.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}

I do not know what this key does at this time.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-527237240-152049171-682003330-500\Extension-List\{c6dc5466-785a-11d2-84d0-00c04fb169f7}

I don't think this is important, but I will know later on.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt

I do not know what these do; however, one of them contained assembly code.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\VB and VBA Program Settings\KILLERGUATE
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\VB and VBA Program Settings\KILLERGUATE\KILLERGUATE
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03

----------------------------------
Values deleted: 2
----------------------------------
Not important
----------------------------------
Values added: 108
----------------------------------
Starts C:\rundll32.exe (gruel) on startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\: "C:\rundll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32: "C:\Rundll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\DevicePath: "C:\Rundll32.exe"

I do not know why gruel added this value.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\NetCache: "C:\Rundll32.exe"

I do not know why gruel added this value.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProxyDevice: "C:\Rundll32.exe"

I do not know what these values do; I will look into it later.
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\: "kIlLeRgUaTe 1.03"
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip: "kIlLeRgUaTe 1.03"
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\: "C:\Documents and Settings\Administrator\Desktop\gruel.exe,0"

I do not know what these values do; I will look into it later. They don't seem to exist inside the registry. (Again, I may have deleted them by accident.)
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\: "Shell32.dll"
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"
HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes: 00 00 00 00

This sets the Internet Explorer window title to the following text.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Internet Explorer\Main\Window Title: "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"

This value (NoFind) disables the Search function in explorer.exe.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind: "1"

This value (NoRun) disables the Run dialog (Windows+R).
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: "1"

This value (NoDrives) removes your ability to see or access drives in Explorer: CD-ROM, C:\, network drives, etc.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives: "4"

This value records that the first run is done, so gruel does not open all of the Control Panel applets or show the message box again.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03\FirstRun: "No"

I believe the author created a way to control his malware for testing purposes; it searches for gruel.exe.cfg on the desktop.
HKU\S-1-5-21-527237240-152049171-682003330-500\Software\kIlLeRgUaTe 1.03\Password: (NULL!)

----------------------------------
Values modified: 32
----------------------------------

The following, as you might imagine, force Windows to use gruel.exe as the default handler for .bat, .com, .exe, .hta, .ht, and .pif files.

He neglected to hijack .scr files, so a standalone registry editing tool such as Registrar Registry Manager can still be run if you change its extension to .scr.

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\exefile\shell\runas\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\exefile\shell\runas\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: "C:\WINDOWS\system32\mshta.exe "%1" %*"
HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\htfile\shell\open\command\: ""C:\Program Files\Windows NT\HYPERTRM.EXE" %1"
HKLM\SOFTWARE\Classes\htfile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"

The following values force the OS to parse autoexec.bat at logon and actually use it, instead of ignoring it. I do not know why, because there is no autoexec.bat in the directory "C:\".
HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 18 //From 0 (false)
HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 D8 //To 1 (true)

HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 18
HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec: 31 00 00 00 D8

----------------------------------
Total changes: 192
----------------------------------
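As an added example (not part of the original write-up), here is a small Python triage script that reads a RegShot text report like the one above and flags the three things this diff shows: autostart entries under Run/RunOnce/RunOnceEx/Winlogon, Explorer lockdown policies (NoDrives is documented as a bitmask, bit 0 = A:, bit 1 = B:, bit 2 = C:, so the value 4 corresponds to drive C:), and file-type handler commands whose old and new values differ. The embedded report is a constructed, shortened sample in RegShot's layout with a placeholder SID; the function names and regexes are my own, not anything from RegShot or the worm.

```python
import re

# Constructed sample in the layout RegShot 1.9 writes: "Values added" lists
# path: "value" lines; "Values modified" lists the old line, then the new line,
# for each value. Paths are shortened from the diff above; the SID is a placeholder.
SAMPLE_REGSHOT = r'''
----------------------------------
Values added: 5
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath\: "C:\rundll32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32: "C:\Rundll32.exe"
HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: "1"
HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives: "4"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\NetCache: "C:\Rundll32.exe"
----------------------------------
Values modified: 2
----------------------------------
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"
HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: "C:\WINDOWS\system32\mshta.exe "%1" %*"
HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command\: ""C:\Documents and Settings\Administrator\Desktop\gruel.exe" %1"
'''

SECTION_RE = re.compile(r'^(Keys added|Keys deleted|Values added|Values deleted|Values modified): \d+$')
# Autostart locations seen in the diff (matched case-insensitively on the key path).
AUTOSTART_MARKERS = ('\\currentversion\\run\\', '\\currentversion\\runonce\\',
                     '\\currentversion\\runonceex\\', '\\winlogon\\')
POLICY_MARKER = '\\policies\\explorer\\'
# <progid>\shell\<verb>\command keys, e.g. exefile\shell\open\command
SHELL_CMD_RE = re.compile(r'\\classes\\(\w+)\\shell\\\w+\\command\\?$', re.IGNORECASE)


def parse_regshot(text):
    """Return {section: [(path, value), ...]}; one outer pair of quotes is stripped from values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith('---') or current is None:
            continue
        path, sep, value = line.partition(': ')
        if not sep:
            continue  # key-only lines carry no value
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current].append((path, value))
    return sections


def decode_nodrives(value):
    """NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, bit 2 hides C:, and so on."""
    try:
        mask = int(value, 0)
    except ValueError:
        return []  # non-numeric data cannot be a valid mask
    return [chr(ord('A') + bit) for bit in range(26) if mask & (1 << bit)]


def triage(sections):
    """Flag autostart entries, Explorer lockdown policies and changed file-type handlers."""
    findings = []
    for path, value in sections.get('Values added', []):
        low = path.lower()
        if any(marker in low for marker in AUTOSTART_MARKERS):
            findings.append(('autostart', path, value))
        elif POLICY_MARKER in low:
            name = path.rsplit('\\', 1)[-1]
            detail = value
            if name.lower() == 'nodrives':
                detail = 'hides ' + ', '.join(d + ':' for d in decode_nodrives(value))
            findings.append(('explorer-policy', name, detail))
    modified = sections.get('Values modified', [])
    # RegShot emits old/new lines in pairs, so walk them two at a time.
    for (path, old), (_, new) in zip(modified[0::2], modified[1::2]):
        m = SHELL_CMD_RE.search(path)
        if m and old != new:
            findings.append(('shell-hijack', m.group(1), new))
    return findings


if __name__ == '__main__':
    for kind, subject, detail in triage(parse_regshot(SAMPLE_REGSHOT)):
        print(f'{kind:16} {subject}  ->  {detail}')
```

Feed it the full RegShot output saved as text and every handler that now points at gruel.exe, every Run-style entry and every Explorer policy comes out in one list, which is what you need before deciding which keys to put back by hand.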

Conclusion: this worm was created quickly and sloppily, as evidenced by many spelling and coding errors; for example, at one point it tries to open "C:\rundll33.exe" instead of rundll32.exe. This worm, while persistent, is not impossible to remove. The author hijacked all of the executable file extensions except one, .SCR. The .SCR extension still allows most executables to run, so you can copy a standalone registry editing tool, change its extension to .SCR, and remove the keys yourself. After this is complete, restart the computer and delete C:\rundll32.exe and the initial worm file, wherever it was stored.
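The manual clean-up described above can be written down as a .reg file instead of being done key by key in an editor. The following is an added example, not the author's procedure or tooling: a Python script that builds a regedit-importable file restoring the pre-infection handler commands listed in the "Values modified" section and deleting a representative subset of the added entries (the Run/RunOnce/RunOnceEx values, the Explorer policies, the CLSID and Control Panel namespace keys and the worm's own settings key). USER_SID is a placeholder for the S-1-5-21-... SID from the diff and must be replaced with the real one. Importing the file still requires a registry editor that launches despite the exefile hijack, which is exactly what the .scr rename above achieves.

```python
# Pre-infection handler commands, taken from the first line of each pair in the
# "Values modified" section above.
RESTORE_DEFAULTS = {
    r'HKLM\SOFTWARE\Classes\batfile\shell\open\command': '"%1" %*',
    r'HKLM\SOFTWARE\Classes\comfile\shell\open\command': '"%1" %*',
    r'HKLM\SOFTWARE\Classes\exefile\shell\open\command': '"%1" %*',
    r'HKLM\SOFTWARE\Classes\exefile\shell\runas\command': '"%1" %*',
    r'HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command': r'C:\WINDOWS\system32\mshta.exe "%1" %*',
    r'HKLM\SOFTWARE\Classes\htfile\shell\open\command': r'"C:\Program Files\Windows NT\HYPERTRM.EXE" %1',
    r'HKLM\SOFTWARE\Classes\piffile\shell\open\command': '"%1" %*',
}

# Placeholder: substitute the S-1-5-21-... SID shown in the RegShot diff.
USER_SID = 'S-1-5-21-PLACEHOLDER'
POLICIES = 'HKU\\' + USER_SID + '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'

# Values the worm added, grouped by key (a subset of the "Values added" section).
DELETE_VALUES = {
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce': ['Rundll32'],
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx': ['DevicePath'],
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup': ['NetCache'],
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion': ['ProxyDevice'],
    POLICIES: ['NoFind', 'NoRun', 'NoDrives'],
    'HKU\\' + USER_SID + '\\Software\\Microsoft\\Internet Explorer\\Main': ['Window Title'],
}

# Whole keys the worm created (a subset of the "Keys added" section).
DELETE_KEYS = [
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPath',
    r'HKLM\SOFTWARE\Classes\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}',
    'HKU\\' + USER_SID + '\\Software\\kIlLeRgUaTe 1.03',
]

HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKU': 'HKEY_USERS',
         'HKCU': 'HKEY_CURRENT_USER', 'HKCR': 'HKEY_CLASSES_ROOT'}


def full_key(path):
    """Expand RegShot's short hive names to the long names regedit expects."""
    hive, sep, rest = path.partition('\\')
    return HIVES[hive] + sep + rest


def reg_string(value):
    """Quote a REG_SZ value for a .reg file: backslashes and double quotes are escaped."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_reg(restore=RESTORE_DEFAULTS, delete_values=DELETE_VALUES, delete_keys=DELETE_KEYS):
    """Return the text of a regedit 5.00 file: '@=' sets a key's default value,
    '"Name"=-' deletes a value and '[-Key]' deletes a whole key."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, default in restore.items():
        lines += ['[' + full_key(key) + ']', '@=' + reg_string(default), '']
    for key, names in delete_values.items():
        lines.append('[' + full_key(key) + ']')
        lines += ['"' + name + '"=-' for name in names]
        lines.append('')
    for key in delete_keys:
        lines += ['[-' + full_key(key) + ']', '']
    return '\r\n'.join(lines)  # regedit expects CRLF line endings


if __name__ == '__main__':
    print(build_reg())
```

Redirect the output to a file named, say, gruel-cleanup.reg and review it before importing; the point of generating it from the diff rather than typing it is that every restored command is the exact string RegShot recorded before the infection, so a typo cannot leave a handler half-fixed.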

Upon viewing the strings of the program, I believe that the program would delete or create a new driver at certain times and dates. For example, Kbdclass.sys gets deleted or created on March 10 1997.

Thank you for reading. I was able to successfully clean my Windows XP SP3 virtual machine manually following this analysis. This was my first "live" analysis of malware following the book "Practical Malware Analysis". If anyone wants, I can make a video explaining the analysis and manual removal of gruel.exe. I have also included the ProcMon logs if anyone wishes to view those. Remember to use the filter "Process Name: Gruel.exe Include".