Some new files were created in the system:

1
2
3
4
5
6
7
8

C:\Program Files\Common Files\AvBAG57jkrx.exe
C:\Program Files\Common Files\dRp6PJ57WU.exe
C:\Program Files\Common Files\Ndm357a2rL.exe
C:\WINDOWS\system32\svch?st.exe
%AllUsers%\Application Data\Microsoft\ipdll.dll
%AllUsers%\Application Data\Microsoft\bits.dll
C:\WINDOWS\system32\sl81731.dll
C:\WINDOWS\system32\xsl81731.dll

New processes were started:

1
2

Ndm357a2rL.exe
svch?st.exe

The file named Ndm357a2rL.exe injected code into another process named csrss.exe, that is a system process, and the malware also installed a browser helper objects:

1

xsl81731.dll -> XML parser library

Registry keys used to startup:

1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe

After I opened Internet Explorer, new files were imediatlely created:

1
2

C:\WINDOWS\system32\monhftd.dll
C:\WINDOWS\system32\ropfnqz.exe

The file named monhftd.dll is a BHO and now lets look an image of the svchost.exe file created:

Looks like there are 2 files with the same name in the same folder, but with different sizes! The file named svchost.exe that is 14 kb is the real and clean file, the other svchost.exe that is 60 kb is the infected file. Below there are some interested strings extracted from the svchost.exe infected file (60 kb):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

N/A (security restriction)
N/A (error)
bits.dll
bits.dll
ipdll.dll
\Microsoft\profile.dat
chrome.exe
opera.exe
firefox.exe
iexplore.exe
-_.!~*'()
Download
\Microsoft\
Start
WinUpdaterMuXXX
@SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
SusClientId
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductId
0123456789ABCDEF
hxxp://i5i.in/xdone2n.php
\Microsoft\profile.dat

Posted by admin on Monday, December 29th, 2008 at 11:26 pm and filed under Malware Analysis with tags wmpcdcs.exe, xsl81731.dll, Zlob Trojan, Zlob.Gen. You can leave a response, or trackback from your own site.