Malware Domain List

Malware Related => Malware Analysis => Topic started by: Kayrac on August 05, 2008, 09:42:43 am

Title: 4.exe and what it does
Post by: Kayrac on August 05, 2008, 09:42:43 am
So I ran 4.exe from MDL's list, file here:

Code:
aaa.ns-ok.com/down/4.exe
and holy crap, look at what this does.

PS: I just found out how to export from Total Uninstall, so I'm happy.


Too much spam in it, so I've got to figure out what to exclude. If anyone knows registry keys/folders I can exclude from change scanning, please let me know :)
Title: Re: 4.exe and what it does
Post by: sowhat-x on August 05, 2008, 05:02:59 pm
Here you go...(Note: .rar is NOT password-protected)
Title: Re: 4.exe and what it does
Post by: sowhat-x on August 05, 2008, 05:19:18 pm
The "Changes.txt" you attached above has way too much info, no way I can actually step through it...
In short, from a quick look at the .exe, it seems to enumerate processes at first,
check privileges and set them accordingly (SeBackupPrivilege),
delete Microsoft's verclsid.exe (because it's meant to validate shell extensions),
extract the .dll above from the executable's resources,
add the .reg entry included above via /s ('silent' switch);
the .reg entry sets the .dll so that it starts along with explorer.exe (ShellExecuteHooks)...
Title: Re: 4.exe and what it does
Post by: Serg on August 05, 2008, 06:02:28 pm
It's a standard online game trojan. Main code is here:
Code:
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x29)
DeleteFileA(0x001517a8 -> "C:\\WINDOWS\\system32\\Verclsid.exe")
Sleep(0x5dc)
UnhookWindowsHookEx(0x4464)
SetWindowsHookExA(0x3 -> WH_GETMESSAGE, 0x0011639c, 0x00110000, 0x0)
SetWindowsHookExA(0x7 -> WH_MOUSE, 0x001163dc, 0x00110000, 0x0)
SetWindowsHookExA(0x2 -> WH_KEYBOARD, 0x0011641c, 0x00110000, 0x0)
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x19)
Injected DLL is C:\WINDOWS\SYSTEM32\TDFFDL.DLL
.reg file is C:\WINDOWS\SYSTEM32\winsys.reg
Shell extension is C0595A7E-2E2F-4B34-A83A-019270A0A464
Passwords will be saved to C:\WINDOWS\SYSTEM32\tdffdl.dll.log
// I'll keep quiet about where the stolen passwords go :p

8-)
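Added example, not code from the thread and not Serg's or sowhat-x's own tooling: a small Python parser for a .reg export that lists every CLSID registered under Explorer\ShellExecuteHooks, resolves each one's InprocServer32 DLL from the same file, and flags anything not on an allowlist. This is the persistence mechanism the two posts above describe (the .reg imported with /s makes explorer.exe load the dropped DLL as a shell execute hook). The embedded .reg text is constructed to match that description, since the real winsys.reg is an attachment that is not on this page; only the CLSID and the DLL path are taken from Serg's post, and the allowlisted CLSID is Windows XP's default shell32 URL Exec Hook.

```python
import re

# Constructed sample .reg of the kind described in the thread (assumption: the real
# winsys.reg is not on the page). It registers the dropped DLL as a COM in-process
# server and lists its CLSID under ShellExecuteHooks so explorer.exe loads it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}]
@="tdffdl"

[HKEY_CLASSES_ROOT\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}\InprocServer32]
@="C:\\WINDOWS\\system32\\tdffdl.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=""
"""

# The only ShellExecuteHooks entry a default Windows XP box carries: shell32's
# URL Exec Hook. Anything else under that key deserves a look.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    String values are decoded; other value types (hex:, dword:) are kept as their
    raw text, which is enough for autostart triage.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "@" if name == "@" else _unescape(name[1:-1])
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_shell_execute_hooks(keys):
    """Return [(clsid, dll_path_or_None, known_good)] for every ShellExecuteHooks value.

    The DLL is resolved from the CLSID's InprocServer32 default value when the same
    .reg registers it; otherwise it must be read from the live registry.
    """
    results = []
    for path, values in keys.items():
        if not path.upper().endswith(r"\EXPLORER\SHELLEXECUTEHOOKS"):
            continue
        for clsid in values:
            clsid_u = clsid.upper()
            dll = None
            for p, v in keys.items():
                if p.upper().endswith("\\CLSID\\" + clsid_u + "\\INPROCSERVER32"):
                    dll = v.get("@")
            results.append((clsid_u, dll, clsid_u in KNOWN_GOOD_HOOKS))
    return results


def suspicious_hooks(text):
    """CLSIDs registered as ShellExecuteHooks that are not on the allowlist."""
    return [(c, d) for c, d, ok in find_shell_execute_hooks(parse_reg(text)) if not ok]


if __name__ == "__main__":
    for clsid, dll in suspicious_hooks(SAMPLE_REG):
        print("unknown ShellExecuteHook %s -> %s" % (clsid, dll))
```

Run against an export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks plus HKCR\CLSID from a suspect box, it reports the one hook that is not the stock entry and the DLL it loads. A second quick check worth pairing with it, given what the sample does first, is whether %SystemRoot%\system32\verclsid.exe still exists.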
Title: Re: 4.exe and what it does
Post by: sowhat-x on August 05, 2008, 06:06:00 pm
Quote
I'll keep quiet about where the stolen passwords go
Rotflmao  :D
Title: Re: 4.exe and what it does
Post by: Serg on August 05, 2008, 09:44:25 pm
Quote
I'll keep quiet about where the stolen passwords go
Rotflmao  :D
It's not funny if you're an 80+ overlord   ::)
Title: Re: 4.exe and what it does
Post by: Kayrac on August 06, 2008, 10:53:12 am
Yeah, what I need is a 'whitelist'. I got someone who said they'd send me one, so I'm just waiting patiently :)