Pay-Per-Install Analysis – Part Four

GoldInstall

Next we have a company called GoldInstall.


This is how much they pay for 1000 installs per country.

Country  	Price
OTH 	13$
US 	150$
GB 	110$
CA 	110$
DE 	30$
BE 	20$
IT 	65$
CH 	20$
CZ 	20$
DK 	20$
ES 	30$
AU 	55$
FR 	30$
NL 	20$
NO 	20$
PT 	30$
LB 	6$
AL 	6$
LA 	6$
AF 	6$
KZ 	6$
AE 	6$
LU 	6$
AZ 	6$
BD 	6$
BH 	6$
MN 	6$
MO 	6$
BN 	6$
MV 	6$
BT 	6$
MY 	6$
NP 	6$
CN 	6$
OM 	6$
PH 	6$
PK 	6$
CY 	6$
QA 	6$
SA 	6$
SG 	6$
SY 	6$
TW 	6$
TH 	6$
FJ 	6$
TM 	6$
HK 	6$
ID 	6$
IL 	6$
IN 	6$
UZ 	6$
IQ 	6$
IR 	6$
VN 	6$
YE 	6$
JO 	6$
JP 	6$
KH 	6$
KP 	6$
KR 	6$
KW 	6$

One thing I found quite funny was these two entries in their FAQ.

Is your software a virus?

Definitely not! We don’t do anything against the computer owner. If they choose to use a Goldinstall-supported service, it is identical to accepting the mechanisms we bring (such as popup advertisements). It’s just as simple as that.

So why does my antivirus classify you as trojan/worm/virus?

AV companies have a good interest in convincing you that the Internet is an insecure place full of danger, and that almost nothing is worthy of any trust (unless you use their products). We don’t share such views.

So let me get this right. AVs are wrong to detect an application that silently downloads and executes other malware? One of those payloads, in my tests, was a rootkit which incidentally had “botnet” in its internal PDB path.

List of strings from the dropper, which was only packed with UPX and was compiled with Visual Basic 6.0.

0x000001B0	0x00000005	.text
0x000001D7	0x00000006	`.data
0x00000200	0x00000005	.rsrc
0x0000127C	0x0000000C	AutoDownload
0x0000128D	0x00000007	  =   3
0x000012D4	0x0000000E	lientWidSocket
0x00001368	0x00000005	Form1
0x00001372	0x00000005	Form1
0x00001589	0x0000000A	DDDDDDDDD@
0x0000168B	0x00000005	Form1
0x000016AD	0x00000006	Timer3
0x000016CE	0x00000008	dpsocket
0x000016DA	0x00000013	AutoDownload.Socket
0x00001752	0x00000005	Text1
0x00001773	0x00000006	Timer2
0x00001795	0x0000000B	WebBrowser1
0x000017A4	0x00000015	SHDocVwCtl.WebBrowser
0x00001874	0x00000006	Timer1
0x00001896	0x0000000A	vb6chs.dll
0x00001911	0x0000000C	AutoDownload
0x000022B8	0x0000004A	*\AS:\Worker\tempvbp\AutoDownload.vbp
0x000025C9	0x00000013	AutoDownload.Socket
0x000025DD	0x00000006	Socket
0x00002760	0x0000000A	ReadyState
0x0000276B	0x0000000B	shdocvw.dll
0x00002777	0x00000015	SHDocVwCtl.WebBrowser
0x0000278D	0x0000000A	WebBrowser
0x00004700	0x00000009	moduleAPI
0x0000470C	0x0000000E	moduleRegister
0x0000471C	0x0000000D	moduleWinInet
0x0000472C	0x00000005	Form1
0x00004734	0x00000013	classApplicationLog
0x00004748	0x00000007	Module1
0x00004750	0x00000007	Module2
0x00004758	0x0000000F	modSocketMaster
0x00004768	0x0000000D	CSocketMaster
0x00004778	0x00000006	Socket
0x00004780	0x0000000C	AutoDownload
0x00004794	0x00000014	USER32.DLL
0x000047B0	0x00000018	KERNEL32.DLL
0x000047D0	0x00000018	ADVAPI32.DLL
0x000047F0	0x00000016	WININET.DLL
0x0000482C	0x00000008	kernel32
0x0000483C	0x0000000C	GetLastError
0x0000484C	0x0000000B	WebBrowser1
0x00004890	0x0000000C	LoadLibraryA
0x000048D8	0x0000000E	GetProcAddress
0x00004920	0x00000006	user32
0x0000492C	0x0000000F	CallWindowProcA
0x00004974	0x0000000B	FreeLibrary
0x000049B8	0x0000000D	RtlMoveMemory
0x00004A18	0x00000006	Timer3
0x00004A64	0x00000008	VBA6.DLL
0x00004A74	0x0000000D	InternetOpenA
0x00004AB0	0x0000001A	RegOpenKeyExA
0x00004AD0	0x00000007	wininet
0x00004B20	0x00000013	InternetCloseHandle
0x00004B6C	0x00000010	InternetOpenUrlA
0x00004BB8	0x0000000B	wininet.dll
0x00004BC8	0x0000000E	HttpQueryInfoA
0x00004C10	0x00000010	InternetReadFile
0x00004C5C	0x00000012	InternetSetOptionA
0x00004D1C	0x00000035	C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
0x00004D8C	0x00000005	Text1
0x00004DB4	0x0000001F	C:\WINDOWS\system32\shdocvw.oca
0x00004DD4	0x0000000A	SHDocVwCtl
0x00004E18	0x00000009	udpsocket
0x00004E24	0x00000006	Timer1
0x00004E2C	0x00000006	Timer2
0x00004E38	0x0000000C	advapi32.dll
0x00004E4C	0x0000000D	RegCreateKeyA
0x00004E94	0x0000000E	RegSetValueExA
0x00004EDC	0x0000000B	RegCloseKey
0x00004F20	0x0000000B	RegOpenKeyA
0x00004F64	0x00000005	Sleep
0x00004FA4	0x0000000B	shell32.dll
0x00004FB4	0x00000010	SHGetFolderPathA
0x00004FFC	0x0000000D	kjgfrtxdgqe63
0x00005014	0x00000007	udpstop
0x0000501C	0x0000000A	Decryption
0x00005028	0x00000007	GetItem
0x00005030	0x00000007	SetItem
0x00005038	0x0000000C	SaveFileText
0x00005048	0x0000000C	ReadFileText
0x00005058	0x0000000E	IsWowInstalled
0x00005068	0x0000000C	firstfucktag
0x00005078	0x00000007	SConfig
0x000050E4	0x0000000B	GlobalAlloc
0x000050F0	0x0000000C	SocketHandle
0x00005100	0x00000007	connect
0x00005140	0x0000000A	GlobalFree
0x00005184	0x0000000A	ws2_32.dll
0x00005194	0x0000000A	WSAStartup
0x000051D8	0x0000000A	WSACleanup
0x0000521C	0x00000015	WSAAsyncGetHostByName
0x0000526C	0x0000000E	WSAAsyncSelect
0x000052B4	0x0000000F	CreateWindowExA
0x000052C4	0x00000008	CloseSck
0x00005308	0x0000000D	DestroyWindow
0x00005350	0x00000008	lstrlenA
0x00005394	0x00000008	lstrcpyA
0x000053D8	0x00000008	SetTimer
0x0000541C	0x00000009	KillTimer
0x00005460	0x00000008	IsWindow
0x0000547C	0x0000000D	BytesReceived
0x000054CC	0x0000000E	GetWindowLongA
0x00005514	0x0000000E	SetWindowLongA
0x0000555C	0x00000010	GetModuleHandleA
0x00005640	0x00000005	Class
0x00005648	0x00000008	Protocol
0x00005654	0x00000022	C:\WINDOWS\system32\msvbvm60.dll\3
0x00005678	0x00000005	VBRUN
0x000056AC	0x00000006	socket
0x000056EC	0x0000000A	GlobalLock
0x00005730	0x0000000C	GlobalUnlock
0x00005778	0x00000005	htons
0x000057B8	0x00000005	ntohs
0x000057F8	0x00000007	connect
0x00005844	0x0000000B	gethostname
0x00005888	0x0000000D	gethostbyname
0x00005910	0x0000000B	getsockname
0x00005954	0x0000000B	getpeername
0x00005998	0x00000009	inet_addr
0x00005A10	0x00000006	sendto
0x00005A50	0x0000000A	getsockopt
0x00005A94	0x0000000A	setsockopt
0x00005B18	0x00000008	recvfrom
0x00005B5C	0x00000015	WSACancelAsyncRequest
0x00005B74	0x00000005	State
0x00005B7C	0x0000000D	LocalHostName
0x00005B8C	0x00000007	LocalIP
0x00005BD0	0x00000006	listen
0x00005C10	0x00000006	accept
0x00005C50	0x00000009	inet_ntoa
0x00005C94	0x0000000B	ioctlsocket
0x00005CD8	0x0000000B	closesocket
0x00005D18	0x00000007	WndProc
0x00005D20	0x0000000A	RemotePort
0x00005D2C	0x0000000A	RemoteHost
0x00005D38	0x0000000C	RemoteHostIP
0x00005D48	0x00000009	LocalPort
0x00005D58	0x00000008	SendData
0x00005D64	0x00000007	GetData
0x00005D6C	0x00000008	PeekData
0x00005D78	0x00000006	Listen
0x00005D80	0x00000006	Accept
0x00005D88	0x00000011	ConnectionRequest
0x00005D9C	0x0000000B	DataArrival
0x00005DA8	0x00000005	Error
0x00005DB0	0x0000000C	SendComplete
0x00005DC0	0x0000000C	SendProgress
0x00005F00	0x0000000C	netapi32.dll
0x00005F18	0x00000007	Netbios
0x00005F58	0x0000000E	GetProcessHeap
0x00005FA0	0x00000009	HeapAlloc
0x00005FE4	0x00000008	HeapFree
0x00006094	0x0000000D	GetVersionExA
0x00006100	0x0000000B	CreateFileA
0x00006144	0x0000000F	DeviceIoControl
0x0000618C	0x0000000B	CloseHandle
0x000061D0	0x00000015	GetVolumeInformationA
0x00006284	0x00000012	GetModuleFileNameA
0x000062D0	0x00000013	GetCurrentProcessId
0x00006320	0x00000008	FlushLog
0x00006358	0x00000015	cmSocket_SendProgress
0x0000638C	0x0000001C	CreateShortcut
0x000063AC	0x00000014	TargetPath
0x000063D8	0x00000020	WorkingDirectory
0x00006434	0x00000012	ExecQuery
0x00006448	0x00000014	MACAddress
0x000064B8	0x0000000C	EbMode
0x000064CC	0x0000001C	SetWindowLongA
0x000064F0	0x0000001E	CallWindowProcA
0x00006514	0x00000014	WSACleanup
0x00006530	0x00000012	KillTimer
0x00006568	0x0000000C	user32
0x0000657C	0x0000000C	ws2_32
0x0000658C	0x0000000E	cmSocket_Error
0x0000659C	0x00000015	cmSocket_SendComplete
0x00006628	0x0000000B	UserControl
0x00006634	0x00000008	cmSocket
0x00006640	0x00000011	cmSocket_CloseSck
0x00006654	0x00000010	cmSocket_Connect
0x00006668	0x0000001A	cmSocket_ConnectionRequest
0x00006684	0x00000014	cmSocket_DataArrival
0x000066A0	0x00000012	LocalPort
0x000066C8	0x00000010	Protocol
0x000066E0	0x00000014	RemoteHost
0x000066FC	0x00000014	RemotePort
0x00006784	0x00000006	Socket
0x0001B39C	0x00000025	SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli
0x0001B3C4	0x00000025	SAFE_wXfFU0GiYdAvUQ86skySPaU80AmMHnmw
0x0001B3EC	0x00000025	SAFE_4fDBPXBwTcNF4WpeuDSuwqcW3psMwB0f
0x0001B414	0x00000025	SAFE_CU5ZIkuee8iXHaYeF0XH07I12WnVk4NM
0x0001B43C	0x00000025	SAFE_Ukw8ASw6d514KXPxkGUCxCJ89lOobEip
0x0001B464	0x00000006	iSplit
0x0001B46C	0x00000025	SAFE_TzIyaWLC083eHor12AAAXyzARroaoCl7
0x0001B494	0x00000025	SAFE_lF9XRDNe05MAKliKXQ75U40IY6PsfM6a
0x0001B4BC	0x00000025	SAFE_n5qnjCxOP7ZeVOOX2TLLvDCogYRVYSUI
0x0001B4E4	0x00000025	SAFE_Uj0uzUEwwlL7B4YJJgs45Rdz2oEQLD8U
0x0001B50C	0x00000025	SAFE_mzrUqCGPviedE1Pcoxpz2We782pjCNUw
0x0001B534	0x00000025	SAFE_X8QUuSJSJc12iEyzfDnXJgOweBRL5Bts
0x0001B55C	0x00000025	SAFE_8mGmoaasaLRD5fHYjqVi04xGvoTiqark
0x0001B590	0x00000025	SAFE_eTgd1MK7Yy2XtTCJ2xKTBn5ayGXzlGi9
0x0001B5B8	0x00000025	SAFE_wjXCs4MaYvL4wQ3cWDHO8t6i5V8HcQ3c
0x0001B5E0	0x00000025	SAFE_xaESA2wJxxZY73kp2GVdZ2HFDxAuVWSL
0x0001B608	0x00000025	SAFE_Fp521kylwus4A0b8WWSYV7IMKClDLhno
0x0001B630	0x00000025	SAFE_WYQHz1fvKVyxUS2HORFM9RioUYC8UsUi
0x0001B658	0x00000025	SAFE_p7w6cFENZMIBQFccDq7StOvuDjNVqpIL
0x0001B680	0x00000025	SAFE_xjzfjrRvFgBPyI9Ly7RSulUXFJRDsgm5
0x0001B6A8	0x00000025	SAFE_9S0STCtgN17H8PFHBODi0juoUEuZBReV
0x0001B6D0	0x00000025	SAFE_sYcsc0R6Dngoyzvsj9HSEAwZjIvmvX46
0x0001B6F8	0x00000025	SAFE_mOf9lycdfUgnHchmTmCVrEGKeNU0qLFx
0x0001B720	0x00000025	SAFE_fnIuiVsEdGGHBupQQDw8R6lV8rCKRlEH
0x0001B748	0x00000025	SAFE_T571D8NHgN0hn6pJqX9ssVAJPflUAka5
0x0001B770	0x00000025	SAFE_lLyb4qPjfKJEq4gcKn6npaBRVuMn1uvY
0x0001B798	0x00000025	SAFE_RdiVDGLIzkh9zIdkFamXWBxLKNsKF985
0x0001B7C0	0x00000025	SAFE_OX7ybJucwnBnYa0uh44S3EAdOoyyUW3F
0x0001B7E8	0x00000025	SAFE_POnEsHULLpOHjDh7D7JhUOMAWG0aNcSx
0x0001B810	0x00000025	SAFE_heeojzWnKmhomAYQhNGcQTNIdVbtEnnQ
0x0001B838	0x00000025	SAFE_mZH4O1J1aXfWesOSmxySseAFZeDEShAK
0x0001B860	0x00000025	SAFE_oQxKf0tkzZt0pV5gH0CiJnMmh6GrLnZ2
0x0001B888	0x00000025	SAFE_pGeaxyUTOa6Uz8mtm2QxkxYIqZJTEuxl
0x0001B8B0	0x00000025	SAFE_GqZAWhIKHz2Tu42yAKSO68W8O0uBp8PG
0x0001B8D8	0x00000009	requestID
0x0001B8E4	0x0000000A	bytesTotal
0x0001B8F0	0x00000006	Number
0x0001B8F8	0x0000000B	Description
0x0001B904	0x00000005	sCode
0x0001B90C	0x00000006	Source
0x0001B914	0x00000008	HelpFile
0x0001B920	0x0000000B	HelpContext
0x0001B92C	0x0000000D	CancelDisplay
0x0001B93C	0x00000009	bytesSent
0x0001B948	0x0000000E	bytesRemaining
0x0001B958	0x00000025	SAFE_YoiwczIxR2qYF6Prg6qac9HgIRnEY8PX
0x0001B994	0x0000003F	Returns/Sets the port to be connected to on the remote computer
0x0001B9D4	0x00000007	lngPort
0x0001B9DC	0x00000020	Returns/Sets the socket protocol
0x0001BA00	0x0000000B	enmProtocol
0x0001BA0C	0x0000003A	Returns/Sets the name used to identify the remote computer
0x0001BA48	0x00000007	strHost
0x0001BA50	0x00000022	Returns the remote host IP address
0x0001BA74	0x00000030	Returns/Sets the port used on the local computer
0x0001BAA8	0x0000002A	Returns the state of the socket connection
0x0001BAD4	0x0000001E	Returns the local machine name
0x0001BAF4	0x00000024	Returns the local machine IP address
0x0001BB1C	0x00000037	Returns the number of bytes received on this connection
0x0001BB54	0x00000019	Returns the socket handle
0x0001BB70	0x00000050	Returns or sets an expression that stores any extra data needed for your program
0x0001BBC4	0x00000006	strTag
0x0001BBCC	0x00000025	Accept an incoming connection request
0x0001BBF4	0x00000009	LocalPort
0x0001BC00	0x00000007	LocalIP
0x0001BC08	0x00000029	Binds socket to specific port and adapter
0x0001BC34	0x00000018	Close current connection
0x0001BC50	0x0000000A	RemoteHost
0x0001BC5C	0x0000000A	RemotePort
0x0001BC68	0x0000001E	Connect to the remote computer
0x0001BC90	0x00000007	varType
0x0001BC98	0x00000006	maxLen
0x0001BCA0	0x00000029	Retrieve data sent by the remote computer
0x0001BCCC	0x00000027	Listen for incoming connection requests
0x0001BCF4	0x00000039	Look at incoming data without removing it from the buffer
0x0001BD30	0x0000001C	Send data to remote computer
0x0001BD50	0x00000034	Occurs when a remote client is attempting to connect
0x0001BD8C	0x0000003B	Occurs when data has been received from the remote computer
0x0001BDC8	0x0000000E	Error occurred
0x0001BDD8	0x0000002B	Occurs after a send operation has completed
0x0001BE04	0x00000025	Occurs during process of sending data
0x000536A0	0x0000000C	MSVBVM60.DLL
0x000536B0	0x00000018	EVENT_SINK_GetIDsOfNames
0x000536CA	0x0000000E	MethCallEngine
0x000536DA	0x00000011	EVENT_SINK_Invoke
0x000536EE	0x00000012	Zombie_GetTypeInfo
0x00053702	0x00000011	EVENT_SINK_AddRef
0x00053716	0x0000000F	DllFunctionCall
0x00053728	0x00000017	Zombie_GetTypeInfoCount
0x00053742	0x00000012	EVENT_SINK_Release
0x00053756	0x00000019	EVENT_SINK_QueryInterface
0x00053772	0x00000012	__vbaExceptHandler
0x00053786	0x0000000E	ProcCallEngine
0x0005413E	0x0000000C	CONFIG
0x00054339	0x0000000A	DDDDDDDDD@
0x00054452	0x0000001E	VS_VERSION_INFO
0x000544AE	0x00000016	VarFileInfo
0x000544CE	0x00000016	Translation
0x000544F2	0x0000001C	StringFileInfo
0x00054516	0x00000010	080404B0
0x0005452E	0x00000016	CompanyName
0x00054552	0x00000016	ProductName
0x0005457A	0x00000016	FileVersion
0x000545A6	0x0000001C	ProductVersion
0x000545D6	0x00000018	InternalName
0x00054602	0x00000020	OriginalFilename
0x00054624	0x00000010	dick.exe

Sandbox report of the dropper.

Detailed report of suspicious malware actions:
 
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE274.tmp
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\DisplayName = zgiejqbqy7
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe Connects to "122.224.6.48" on port 88 (TCP).
Internet connection: C:\Documents and Settings\Administrator\current\Local Settings\Temp\geurge.exe Connects to "93.174.92.220" on port 80 (TCP - HTTP).
Query DNS: config.perfectexe.com
Query DNS: ghucom.com
 
Risk evaluation result: High
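As an added example (not part of the original post, and not GoldInstall's or the sandbox's code), a small Python triage script that parses lines in the format of the sandbox report above and turns them into structured findings: it decodes the raw little-endian REG_DWORD Start/Type values into their service-control meanings (01000000 is 1, i.e. a kernel driver started at system start), and flags the Run-key persistence from a Temp directory and the outbound connection on a non-standard port. The report embedded in the script is a constructed excerpt of the lines shown above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same line format as the sandbox report above.
SAMPLE_REPORT = r"""
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe Connects to "122.224.6.48" on port 88 (TCP).
Query DNS: config.perfectexe.com
"""

# Service Start/Type values as the Service Control Manager defines them (winnt.h / winsvc.h).
SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}
SERVICE_TYPE = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER", 16: "WIN32_OWN_PROCESS", 32: "WIN32_SHARE_PROCESS"}

AUTOSTART = re.compile(r"AutoStart location added or modified: (?P<key>.+?) = (?P<val>.+)$")
SERVICE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\(?P<prop>\w+)$", re.I)
CONNECT = re.compile(r'Connects to "(?P<ip>[\d.]+)" on port (?P<port>\d+) \((?P<proto>[^)]+)\)')
DNS = re.compile(r"^Query DNS: (?P<host>\S+)")
DROPPED = re.compile(r"^(?:Created file on defined folder|Defined file type (?:created|copied to Windows folder)): (?P<path>.+)$")

def reg_dword(raw: str) -> int:
    """The sandbox prints REG_DWORD data as raw little-endian bytes, so '01000000' is 1."""
    return int.from_bytes(bytes.fromhex(raw), "little")

def triage(report: str) -> dict:
    """Parse one sandbox report into structured observations plus analyst findings."""
    out = {"dropped": [], "run_keys": [], "services": defaultdict(dict),
           "connections": [], "dns": [], "findings": []}
    for line in (l.strip() for l in report.splitlines()):
        if m := DROPPED.match(line):
            out["dropped"].append(m["path"])
        elif m := AUTOSTART.search(line):
            key, val = m["key"], m["val"]
            if s := SERVICE.search(key):          # service registration under CurrentControlSet
                if s["prop"] in ("Start", "Type"):
                    table = SERVICE_START if s["prop"] == "Start" else SERVICE_TYPE
                    n = reg_dword(val)
                    val = table.get(n, f"UNKNOWN({n})")
                out["services"][s["svc"]][s["prop"]] = val
            elif "\\currentversion\\run\\" in key.lower():  # classic Run-key autostart
                out["run_keys"].append((key.rsplit("\\", 1)[1], val))
        elif m := CONNECT.search(line):
            out["connections"].append((m["ip"], int(m["port"]), m["proto"]))
        elif m := DNS.match(line):
            out["dns"].append(m["host"])
    # Turn raw observations into the findings an analyst would act on.
    for name, target in out["run_keys"]:
        if "\\temp\\" in target.lower():
            out["findings"].append(f"Run key '{name}' starts a binary from a Temp directory: {target}")
    for svc, p in out["services"].items():
        if p.get("Type") == "KERNEL_DRIVER":
            out["findings"].append(f"Kernel driver service '{svc}' ({p.get('Start')}) loads {p.get('ImagePath')}")
    for ip, port, proto in out["connections"]:
        if port not in (80, 443):
            out["findings"].append(f"Outbound {proto} connection to {ip} on non-standard port {port}")
    out["services"] = dict(out["services"])
    return out

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT)["findings"]:
        print("-", finding)
```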

Strings from the rootkit driver I spoke of earlier.

0x00000377	0x00000006	h.text
0x0000039F	0x00000006	h.data
0x000003C8	0x00000006	.cdata
0x00000418	0x00000006	.reloc
0x00001EA9	0x00000005	8SVWh
0x000024AD	0x00000005	VVVVh
0x00002564	0x00000005	WWWWh
0x0000C0EC	0x0000001A	\Driver\NTICE
0x0000C108	0x00000016	\Driver\npf
0x0000C120	0x00000016	\SystemRoot
0x0000C142	0x00000006	.cdata
0x0000C14A	0x0000000A	hwldi
0x0000C156	0x0000000A	hwsht
0x0000C170	0x00000010	TransportAddress
0x0000C182	0x00000011	ConnectionContext
0x0000C19E	0x00000006	      
0x0000C1A6	0x0000000A	hwbcr
0x0000C39C	0x00000009	opera.exe
0x0000C3A8	0x0000000A	thebat.exe
0x0000C3B4	0x0000000F	thunderbird.exe
0x0000C3C4	0x00000009	msimn.exe
0x0000C3D0	0x0000000A	telnet.exe
0x0000C708	0x0000002D	e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
0x000103AE	0x00000008	hfisa@Pj
0x00010920	0x00000019	%08x %ws+0x%x (%08x:%08x)
0x0001093A	0x0000001D	%08x unknown+0x%x (%08x:%08x)
0x00010958	0x00000012	 (0x%08X-->0x%08X)
0x00010978	0x0000000A	hwbcr
0x00010984	0x00000012	IofCompleteRequest
0x00010998	0x0000000D	IofCallDriver
0x00010A6E	0x0000001E	FILE: unknown+0x%x (%08x:%08x)
0x00010A94	0x0000000C	 (%08x:%08x)
0x00010AA2	0x00000005	+0x%x
0x00010AA8	0x00000009	FILE: %ws
0x00010ADA	0x00000025	BugCheck %X, {%08x, %08x, %08x, %08x}
0x00010B00	0x00000006	.cdata
0x00011610	0x0000000C	CreateModule
0x00011620	0x0000000C	DeleteModule
0x00012CF6	0x00000014	ObfDereferenceObject
0x00012D0E	0x00000017	ObReferenceObjectByName
0x00012D28	0x00000012	IoDriverObjectType
0x00012D3E	0x00000014	RtlInitUnicodeString
0x00012D57	0x00000014	xAllocatePoolWithTag
0x00012D6E	0x00000006	memset
0x00012D78	0x00000012	IofCompleteRequest
0x00012D8E	0x0000000C	PoCallDriver
0x00012D9E	0x00000013	PoStartNextPowerIrp
0x00012DB4	0x0000000E	IoDeleteDevice
0x00012DC6	0x0000001B	IoAttachDeviceToDeviceStack
0x00012DE4	0x0000000E	IoCreateDevice
0x00012DF6	0x00000012	ObfReferenceObject
0x00012E0C	0x00000018	IoGetRelatedDeviceObject
0x00012E28	0x00000019	ObReferenceObjectByHandle
0x00012E44	0x0000000C	IoCreateFile
0x00012E54	0x00000006	memcpy
0x00012E5E	0x0000000D	IofCallDriver
0x00012E6E	0x0000000E	IoAttachDevice
0x00012E80	0x00000009	_purecall
0x00012E8C	0x00000013	IoGetCurrentProcess
0x00012EA3	0x00000010	xFreePoolWithTag
0x00012EB6	0x00000008	_stricmp
0x00012EC2	0x00000012	KeGetCurrentThread
0x00012ED8	0x00000015	KeWaitForSingleObject
0x00012EF0	0x0000000D	IoAllocateIrp
0x00012F00	0x0000000C	KeClearEvent
0x00012F10	0x00000010	IoFileObjectType
0x00012F24	0x00000006	strcmp
0x00012F2E	0x00000007	strncat
0x00012F38	0x00000018	NtQuerySystemInformation
0x00012F54	0x00000007	ZwClose
0x00012F5E	0x00000018	KeServiceDescriptorTable
0x00012F7A	0x00000010	MmIsAddressValid
0x00012F8E	0x00000007	sprintf
0x00012F98	0x0000000C	KeBugCheckEx
0x00012FA8	0x0000000C	PsGetVersion
0x00012FB8	0x0000001D	IoBuildDeviceIoControlRequest
0x00012FD8	0x00000011	KeInitializeEvent
0x00012FEC	0x0000000A	KeSetEvent
0x00012FFA	0x00000014	RtlFreeUnicodeString
0x00013012	0x00000017	RtlCompareUnicodeString
0x0001302C	0x00000014	RtlCopyUnicodeString
0x00013044	0x00000019	MmGetSystemRoutineAddress
0x00013060	0x00000011	RtlFreeAnsiString
0x00013074	0x0000001C	RtlUnicodeStringToAnsiString
0x00013094	0x00000016	RtlQueryRegistryValues
0x000130AE	0x0000001E	IoRegisterShutdownNotification
0x000130D0	0x00000013	KeSetPriorityThread
0x000130E6	0x00000014	PsCreateSystemThread
0x000130FE	0x00000019	RtlUnicodeStringToInteger
0x0001311A	0x00000013	RtlTimeToTimeFields
0x00013130	0x00000007	_allmul
0x0001313A	0x00000015	RtlWriteRegistryValue
0x00013152	0x00000014	RtlCreateRegistryKey
0x0001316A	0x00000008	swprintf
0x00013176	0x00000016	RtlDeleteRegistryValue
0x00013190	0x00000011	ObQueryNameString
0x000131A4	0x00000009	IoFreeIrp
0x000131B0	0x0000000E	ObInsertObject
0x000131C2	0x0000001E	SeSetAccessStateGenericMapping
0x000131E4	0x00000011	RtlMapGenericMask
0x000131F8	0x00000013	SeCreateAccessState
0x0001320E	0x0000000E	ObCreateObject
0x00013220	0x00000009	IoFreeMdl
0x0001322C	0x0000000D	MmUnlockPages
0x0001323C	0x0000000B	IoCancelIrp
0x0001324A	0x00000013	MmProbeAndLockPages
0x00013260	0x0000000D	IoAllocateMdl
0x00013270	0x00000018	KeWaitForMultipleObjects
0x0001328C	0x0000000C	KeResetEvent
0x0001329C	0x00000012	KeNumberProcessors
0x000132B2	0x00000008	_aulldiv
0x000132BE	0x0000001C	RtlAnsiStringToUnicodeString
0x000132DE	0x00000011	RtlInitAnsiString
0x000132F2	0x0000000B	KeTickCount
0x000132FE	0x0000000C	ntoskrnl.exe
0x0001330F	0x0000000F	eGetCurrentIrql
0x00013323	0x0000000A	fRaiseIrql
0x00013331	0x0000000A	fLowerIrql
0x0001333F	0x00000010	fReleaseSpinLock
0x00013353	0x00000010	fAcquireSpinLock
0x00013364	0x00000007	HAL.dll
0x0001336E	0x00000007	strncpy
0x00013378	0x00000007	wcsncpy
0x00013382	0x00000006	strlen
0x0001338C	0x00000010	RtlCompareMemory
0x000133A0	0x0000000A	ZwReadFile
0x000133AE	0x0000000B	ZwWriteFile
0x000133BC	0x00000011	KeQuerySystemTime
0x000133D0	0x00000006	strchr
0x000133DA	0x00000006	wcschr
0x000133E4	0x00000009	RtlUnwind
0x00013C39	0x00000009	;$;);2;9;

There you can see the “botnet” string in the PDB path; nothing good about that file. The driver also checks whether a kernel-mode debugger is running.

To be continued…
