Fake Flash Player and Trojan DNSChanger.gen

Steve has found a very interesting sample in the wild: a fake Flash Player installer that drops the DNSChanger trojan on the victim's computer. The malicious file is named FlashPlayer.v..exe:

Image of fake flash player

Report Generated 10.12.2008 at 16.48.20 (GMT 1)
Filename: FlashPlayer.v..exe
File size: 78 KB
MD5 Hash: D2EBDAB38246882A8A39F819DB44736D
SHA1 Hash: 4226D3B1C92EC7BE33E9785ABA669427EC86E172
CRC32: 1111798076
Application Type: Executable (EXE) 32bit
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24

Antivirus Result
a-squared –
Avira AntiVir –
Avast Win32:Fasec [Trj] (0)
AVG Trojan horse Downloader.Zlob.AHRH
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky –
McAfee Generic.dx trojan
MHR –
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos Mal/BadNSIS
TrendMicro –
VBA32 –
VirusBuster –

When I executed the malicious file, it established a connection with this IP:

94.247.2.104 (hs.2-104.zlkon.lv)

Internet traffic:

Protocol          : TCP
Remote Address    : 94.247.2.104
Local Port        : 1209
Remote Port       : 80
Service Name      : http
Packets           : 302
Data Size         : 177.593 Bytes
Total Size        : 189.798 Bytes
Capture Time      : 10/12/2008 15.27.53:796
==================================================
 
POST /cgi-bin/generator  HTTP/1.0
Content-Length: 294
HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 14:27:46 GMT
Server: Apache/2.0.63 (FreeBSD) PHP/5.2.6 with SuhosinPatch
Time: r57:62464 e0:114688
Content-Length: 177209
Connection: close
Content-Type: text/html
...

A new window appeared on the screen and asked me where to install a program named homeview:

Image of homeview program

The program creates the following files:

%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll

We can see that, after the hidden execution of a file called jah30006.exe, it has dropped a rootkit driver called msqpdxpqxtoiqh.sys in C:\WINDOWS\system32\drivers\. Another interesting file is C:\autorun.inf, which the trojan uses to spread itself to removable devices such as USB drives.

Scan report of jah30006.exe:

Report Generated 10.12.2008 at 16.05.55 (GMT 1)
Filename: jah30006.exe
File size: 31 KB
MD5 Hash: 9883BB653A59CC988F7B88C59021F378
SHA1 Hash: 02425C4E7C5E28773AC3DD776344DA576FDC30E8
CRC32: 2335540674
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 6 on 24

Antivirus Result
a-squared –
Avira AntiVir TR/Crypt.XPACK.Gen
Avast Win32:Fasec [Trj] (0)
AVG –
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Win32:Fasec [Trj] B
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 a variant of Win32/Kryptik.CN trojan
Norman –
Panda –
QuickHeal Suspicious
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster Trojan.FakeAlert.Gen!Pac.2

Scan report of msqpdxpqxtoiqh.sys:

Report Generated 10.12.2008 at 17.01.14 (GMT 1)
Filename: msqpdxpqxtoiqh_sys
File size: 61 KB
MD5 Hash: 17A2B5116B87C12E28BAEBECC60F7304
SHA1 Hash: BF8A4034925E4767093FA10BA5AFA6174A77AA0C
CRC32: 1004260316
Application Type: Dynamic Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 0 on 24

With RkU we can see that the malware hooks some functions in ring0:

ring0 hooks

It also detected stealth code:

Stealth code detected

We can see the registry key of the rootkit driver in regedit:

Registry keys of the rootkit driver

But we cannot delete the key, because the hooks protect it from being deleted by the user:

Error deleting the rootkit driver registry key

The following files are hidden from Explorer searches by the hooks that conceal their presence:

C:\WINDOWS\system32\msqpdxosvnnrse.dll
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys

During the analysis, the malware kept establishing connections with:

85.255.116.74

We also noticed DNS requests for the following domains:

Protocol: UDP
Remote IP: 85.255.116.74
Remote Port: 53
 
Domains requested:
fhubwxkgmq.com
qmmjwtrjct.com
tjonvuhvgv.com
asxnrzfdfr.com
dabewiktps.com
qiymojdore.com
drnjrnynzu.com
vamjhejtdp.com
lvdmruupam.com
vopnqghkod.com
wmjdkvisas.com
hybcbhvdsn.com
jrvwyuxtph.com
iaamqweyjs.com
nqztypflph.com
hqzwkrdlbh.com
scjrozdgvo.com
fozzwjsety.com
tfdbwksekz.com
qpemkihnno.com
evinsyxmhf.com
quqinwobrm.com
elgoylwubi.com
kzusbnjhho.com
ssqnqjvhgj.com
daxtdftkwc.com
pgxbfosrrf.com
lcusdjkcct.com
nycmxxcioa.com
gvelbfneqn.com
lgewdcehgy.com
wqnkwlicjg.com
hgqlzvkrod.com
jkcqecilmu.com
kzsidyqwgc.com
vemibooppc.com
kqiruvpjrt.com
byazjnmwbu.com
zyaiufmmsd.com
bkwgesporj.com
syieqxtbvb.com
mzibepwflm.com
engtpajzdh.com
ijgvtheraq.com
yecttchanp.com
rtavqgowqv.com
juvaajbjhy.com
aaqsjtulbt.com
bpgesmjpyp.com
dhynqijxcb.com
gkyjwezchl.com
bdzumfarmj.com
yridxcjcgt.com
hmehdpaxuy.com
xhyrqgrhid.com
thwyujthry.com
plhmbziqga.com
tmtpnehras.com
ewosixkvmt.com
jjmtfedacq.com
uppyviajwu.com
azhexmards.com
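The domains above are all ten random-looking letters under .com, the pattern a domain-generation algorithm produces. As an added example (not code from the post), the following Python script scores each queried domain on pronounceability and flags a client that looks up several such names in a short window. The resolver log format, the client addresses and the benign lookups are constructed; the suspicious names are taken from the list above.

```python
"""Heuristic detection of DGA-like DNS lookups (added example, not from the post).

Input is a constructed, simplified resolver log: one query per line,
"<timestamp> <client-ip> <qname>". Only the label left of the TLD is scored.
"""
import re
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample: five of the domains observed in the post plus benign lookups.
SAMPLE_LOG = """\
2008-12-10T15:28:01 192.168.1.20 fhubwxkgmq.com
2008-12-10T15:28:01 192.168.1.20 qmmjwtrjct.com
2008-12-10T15:28:02 192.168.1.20 tjonvuhvgv.com
2008-12-10T15:28:02 192.168.1.20 asxnrzfdfr.com
2008-12-10T15:28:03 192.168.1.20 dabewiktps.com
2008-12-10T15:28:05 192.168.1.30 example.com
2008-12-10T15:28:06 192.168.1.30 www.example.org
2008-12-10T15:28:07 192.168.1.30 mail.example.net
"""


def second_level_label(qname: str) -> str:
    """Return the label left of the TLD, e.g. 'www.example.org' -> 'example'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def max_consonant_run(label: str) -> int:
    """Length of the longest run of consonants (y counted as a consonant)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    return max((len(r) for r in runs), default=0)


def vowel_ratio(label: str) -> float:
    """Fraction of characters that are a/e/i/o/u."""
    return sum(c in VOWELS for c in label) / len(label) if label else 0.0


def looks_generated(label: str) -> bool:
    """Pronounceability heuristic: a long label with few vowels or a long consonant run."""
    if len(label) < 7:
        return False
    return max_consonant_run(label) >= 4 or vowel_ratio(label) < 0.25


def flag_clients(log_text: str, threshold: int = 3) -> dict:
    """Return {client: [suspicious qnames]} for clients at or above the threshold.

    The per-client count is the stronger signal: one odd name is noise, a burst
    of them from a single host is what a DGA looks like in resolver logs.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the whole scan
        _, client, qname = fields
        if looks_generated(second_level_label(qname)):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= threshold}


if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(names))
```

A heuristic this simple misses pronounceable generated names (qiymojdore.com from the list above passes it) and can flag legitimate abbreviations, so treat it as a triage signal to combine with the per-client burst count and with the resolver address the queries went to (85.255.116.74 here), not as a verdict on its own.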

Below is the HijackThis log showing the malware's traces:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B84DA37B-654A-4425-ACA3-DE03D2022067}: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167

We can see that the malware changes the Tcpip Parameters, so every time you visit a site your DNS queries are sent to these IPs:

85.255.116.74
85.255.112.167
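As an added example that is not part of the original post, the following Python script parses the O17 lines of a HijackThis log and reports every NameServer address that is not on an allowlist of expected resolvers. The allowlist (192.168.1.1 and 192.168.1.2) and the fourth, clean interface entry are constructed; the three rogue entries are the ones quoted from the log above.

```python
"""Check NameServer values in a HijackThis log against an allowlist (added example).

Parses the O17 lines HijackThis emits for Tcpip\\Parameters and for per-interface
keys, and reports every resolver address that is not one the site expects.
"""
import ipaddress
import re

# Constructed allowlist: the resolvers this (hypothetical) site expects clients to use.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("192.168.1.2"),
}

# The three lines quoted in the post plus one constructed clean interface entry.
SAMPLE_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B84DA37B-654A-4425-ACA3-DE03D2022067}: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.116.74;85.255.112.167
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0B7C1E52-3D2A-4A9B-9B0D-000000000001}: NameServer = 192.168.1.1
"""

# Accepts both the plain hyphen HijackThis writes and the en dash copy/paste produces.
O17_RE = re.compile(
    r"^O17\s*[-\u2013]\s*(?P<key>HKLM\\\S+?):\s*NameServer\s*=\s*(?P<servers>[\d.;,\s]+)$"
)


def parse_o17(log_text):
    """Yield (registry_key, [ip_address, ...]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for token in re.split(r"[;,\s]+", m.group("servers").strip()):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # skip a malformed token rather than fail the whole scan
        yield m.group("key"), servers


def rogue_resolvers(log_text, allowlist=EXPECTED_RESOLVERS):
    """Return {registry_key: [unexpected resolver strings]}; an empty dict means clean."""
    findings = {}
    for key, servers in parse_o17(log_text):
        bad = [str(ip) for ip in servers if ip not in allowlist]
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for key, bad in rogue_resolvers(SAMPLE_LOG).items():
        print(f"{key}: unexpected NameServer {', '.join(bad)}")
```

Checking every control set (CCS, CS1 and so on) matters here: the log shows the malware wrote the rogue servers into more than one, so a fix that only touches CurrentControlSet can be undone by a boot into the other configuration.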

Fyyre has unpacked the rootkit driver, and we can extract some interesting strings from the code:

msqpdx
%s%s%s
\systemroot\system32\drivers\msqpdxserv.sys
\systemroot\system32\msqpdxl.dll
file system
\\?\globalroot
iexplore.exe
firefox.exe
svchost.exe
msqpdxl.dll
NtFlushInstructionCache
LoadLibraryExA
chkdsk.exe
System
TDL2 Loaded
%.*S
ntoskrnl.exe
hal.dll
ExAllocateFromPagedLookasideList
KeI386GetLid
IoDeviceHandlerObjectSize
RtlxAnsiStringToUnicodeSize
InbvSolidColorFill
tolower
READ_PORT_UCHAR
HalReportResourceUsage
HalAllocateAdapterChannel
HalInitSystem
HalGetBusData
IoSetPartitionInformation
HalAllocateCrashDumpRegisters
HalGetInterruptVector
HalReadDmaCounter
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys\modules
\registry\machine\system\currentcontrolset\services\msqpdxserv.sys
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000\control
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv\0000
\registry\machine\system\currentcontrolset\enum\root\legacy_msqpdxserv
start
type
mgroup
imagepath
msqpdx
\registry\machine\software\msqpdx\injector
l*\KERNEL32.DLL
*\NTDLL.DLL
\registry\machine\software\msqpdx\disallowed
registry\machine\software\msqpdx\trusted
\registry\machine\software\msqpdx\connections
\FileSystem\FltMgr
*\msqpdx*
*\TEMP\msqpdx*
\filesystem\fastfat
\filesystem\ntfs
\driver\tcpip
\driver\ftdisk
\driver\volsnap
iexplore.exe
ntdll.dll
kernel32.dll

How to remove Trojan DNSChanger.gen?

1] Boot in Safe Mode (F8)

2] Find and delete all the files related to the trojan, in my case:

%User%\LOCALS~1\Temp\jah30006.exe
C:\autorun.inf
C:\Program Files\homeview
C:\Program Files\homeview\Uninstall.exe
%User%\Start Menu\Programs\homeview\Uninstall.lnk
C:\resycled\boot.com
C:\WINDOWS\system32\drivers\msqpdxpqxtoiqh.sys
C:\WINDOWS\system32\msqpdxosvnnrse.dll

3] Remove the hijacked Tcpip Parameters in the registry:

HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167
HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.74;85.255.112.167

4] Remove the registry keys created by the malware:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MSQPDXSERV.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msqpdxserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msqpdxvx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msqpdxserv.sys

If the registry keys related to the rootkit driver cannot be deleted with regedit.exe, use regedt32.exe (suggested by Simon).
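Before deleting files in step 2 it helps to confirm which ones are actually the known samples. As an added example that is not part of the post, the following Python script pulls the MD5/SHA1 values out of the scan reports quoted above, hashes every file under a directory, and reports hash hits plus any file whose name carries the msqpdx prefix that the driver's own string table (*\msqpdx*, *\TEMP\msqpdx*) shows it hides. The demo directory and its two placeholder files are constructed, so the only hit there is by name prefix; on a real disk the hash comparison does the work.

```python
"""Triage helper: match files against the post's hashes and the rootkit's
name prefix (added example, not code from the post)."""
import hashlib
import os
import re
import tempfile

# Scan-report excerpts quoted from the post; parse_hashes() pulls the digests out.
SCAN_REPORTS = """\
Filename: FlashPlayer.v..exe
MD5 Hash: D2EBDAB38246882A8A39F819DB44736D
SHA1 Hash: 4226D3B1C92EC7BE33E9785ABA669427EC86E172
Filename: jah30006.exe
MD5 Hash: 9883BB653A59CC988F7B88C59021F378
SHA1 Hash: 02425C4E7C5E28773AC3DD776344DA576FDC30E8
Filename: msqpdxpqxtoiqh_sys
MD5 Hash: 17A2B5116B87C12E28BAEBECC60F7304
SHA1 Hash: BF8A4034925E4767093FA10BA5AFA6174A77AA0C
"""

# The driver's strings show it hides anything matching *\msqpdx*; the same
# prefix appears on both dropped files, so it doubles as a name indicator.
NAME_PATTERN = re.compile(r"^msqpdx", re.IGNORECASE)


def parse_hashes(report_text):
    """Return {'md5': set, 'sha1': set} of lowercase hex digests found in the text."""
    md5 = {h.lower() for h in re.findall(r"MD5 Hash:\s*([0-9A-Fa-f]{32})", report_text)}
    sha1 = {h.lower() for h in re.findall(r"SHA1 Hash:\s*([0-9A-Fa-f]{40})", report_text)}
    return {"md5": md5, "sha1": sha1}


def file_digests(path):
    """Stream a file through MD5 and SHA1; returns (md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def triage(root, iocs):
    """Walk root; return {path: reason} for hash hits and name-prefix hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            md5, sha1 = file_digests(path)
            if md5 in iocs["md5"] or sha1 in iocs["sha1"]:
                findings[path] = "known-hash"
            elif NAME_PATTERN.match(name):
                findings[path] = "name-prefix"
    return findings


def demo():
    """Constructed sandbox: two placeholder files, one carrying the rootkit's prefix."""
    iocs = parse_hashes(SCAN_REPORTS)
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "drivers"))
        with open(os.path.join(tmp, "drivers", "msqpdxpqxtoiqh.sys"), "wb") as f:
            f.write(b"constructed placeholder, not the real driver")
        with open(os.path.join(tmp, "notepad.exe"), "wb") as f:
            f.write(b"constructed benign placeholder")
        return {os.path.relpath(p, tmp): why for p, why in triage(tmp, iocs).items()}


if __name__ == "__main__":
    print(demo())
```

Run it from Safe Mode or against an offline copy of the disk, as the post's own steps do: on the live system the ring0 hooks hide the msqpdx files from directory listings, so a walk of C:\WINDOWS\system32 would simply not see them.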
