NoVirusThanks Blog » inject http://blog.novirusthanks.org Security News and Malware Analysis Wed, 01 Feb 2012 13:34:38 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Rootkit.Siberia2 + Rootkit.Cutwail.A – Analysis http://blog.novirusthanks.org/2008/11/rootkitcutwaila-rootkitsiberia2-analysis/ http://blog.novirusthanks.org/2008/11/rootkitcutwaila-rootkitsiberia2-analysis/#comments Thu, 20 Nov 2008 18:04:54 +0000 admin http://novirusthanks.org/blog/?p=289

Analysis Content: Rootkit.Siberia2 + Rootkit.Cutwail.A – Analysis
Released: 20.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

Steve sent me another rootkit sample and here is the analysis : )

The file I received was named mtnjmcjubjjuyto.exe and below there is the report of the scan:

Report Generated 20.11.2008 at 16.47.12 (GMT 1)
Time for scan: 22 seconds
Filename: mtnjmcjubjjuyto.exe
File size: 9 KBF
MD5 Hash: 7499B7C5951B6A46689E5C387EFADC66
SHA1 Hash: 056FE023F0906C9C99E16674D6E673C39823BF84
CRC32: 1125039963
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Win32.Meredrop!IK
Avira AntiVir HEUR/Crypted
Avast Nothing found!
AVG Trojan horse Downloader.Generic_r.BT
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan-Downloader.Win32.Agent.apsz A
IkarusT3 Trojan.Win32.Meredrop
Kaspersky Trojan-Downloader.Win32.Agent.apsz
McAfee Generic Dropper trojan
NOD32 v3 probably a variant of Win32/Kryptik.BJ trojan
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Sus/Behav-273
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

After the execution of the above file, were created new files:

C:\ebafud.exe
C:\WINDOWS\system32\rs32net.exe

And a new process was visible in Task Manager with the name of rs32net.exe.

Below there is the report of the scan:

Report Generated 20.11.2008 at 16.53.35 (GMT 1)
Time for scan: 29 seconds
Filename: rs32net.exe
File size: 22 KB
MD5 Hash: D3185511968F2F5A8A68FA9F67CCED2F
SHA1 Hash: 4254F0920877984724446BF6BCF0E764E27ADF07
CRC32: 1940657006
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 1 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir TR/Dropper.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

New files were created after some seconds:

C:\njkkjh.exe
C:\nfgo.exe
C:\duhtvwns.exe
C:\WINDOWS\system32\jsne87fidgf.dll
C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe

Report Generated 20.11.2008 at 16.51.56 (GMT 1)
Time for scan: 26 seconds
Filename: jsne87fidgf.dll
File size: 9 KB
MD5 Hash: 619BF3607989002B551E830ED151E8D9
SHA1 Hash: C0776DD69B723793D477CD05A0C18236A319491D
CRC32: 3590387388
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Trojan-Clicker.Win32.Klik!IK
Avira AntiVir TR/Fakealert.HO
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Troj/Agent-IHC
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

We can see that this .DLL looks like a BHO (Browser Helper Objects) and it is injected into 2 processes:
-IEXPLORE.EXE
-explorer.exe

Below there is the report of the scan of winlogin.exe:

Report Generated 20.11.2008 at 17.00.37 (GMT 1)
Time for scan: 29 seconds
Filename: winlogin.exe
File size: 14 KB
MD5 Hash: FA14206DC72A8EC78B0D3E07F1DB8F73
SHA1 Hash: 1ABD0114E7AEFA3381B95BADCE96AE9294D0D7AF
CRC32: 4292284846
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan-Clicker.Win32.Klik!IK
Avira AntiVir TR/Fakealert.HO
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Generic FakeAlert.d trojan
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Troj/Dloadr-CAD
TrendMicro Nothing found!
VBA32 Win32 Shadow AutoStart Install
VirusBuster Nothing found!

After, new files were created:

C:\psqrhqn.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\bat9.tmp.bat
C:\mfglmypk.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\BAT9TM~1.BAT
C:\cvqkuk.exe
C:\naxv.exe
C:\WINDOWS\system32\fklame32.dll
C:\cvqkuk.exe
C:\nriljal.exe

Report Generated 20.11.2008 at 17.06.19 (GMT 1)
Time for scan: 23 seconds
Filename: fklame32.dll
File size: 22 KB
MD5 Hash: F049A08DD65E4AB04575B3667E56A408
SHA1 Hash: 1F0270794587CB51B514CFDA5B040C08CDD18212
CRC32: 733835836
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Win32.BHO.d!IK
Avira AntiVir TR/BHO.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Trojan.Generic.1134607
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.BHO.ibp A
IkarusT3 Trojan.Win32.BHO.d
Kaspersky Trojan.Win32.BHO.ibp
McAfee Generic.dx trojan
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Mal/Emogen-G
TrendMicro Nothing found!
VBA32 Trojan.Win32.BHO.ibp
VirusBuster Nothing found!

Report Generated 20.11.2008 at 17.11.00 (GMT 1)
Time for scan: 26 seconds
Filename: naxv.exe
File size: 172 KB
MD5 Hash: 1EDB6B045A907E4F63EAFBCA43E8660E
SHA1 Hash: E7B6CF6D1BC634F3F96D8EDA786F056B614EA6BC
CRC32: 1878180187
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 W32/FakeAlert.3!Maximus
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 a variant of Win32/Kryptik.BX trojan
Norman Nothing found!
Panda Nothing found!
QuickHeal Suspicious
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

The file named fklame32.dll was injected in 2 processes:
-IEXPLORE.EXE
-explorer.exe

Another files were created:

C:\DOCUME~1\user899\LOCALS~1\Temp\newbot.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\csrssc.exe => Has attribute +H (Hidden)
C:\DOCUME~1\user899\LOCALS~1\Temp\loader.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2029295898.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2155777770.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2165992458.exe
C:\WINDOWS\system32\bdedabafadb.dll

Report Generated 20.11.2008 at 17.17.38 (GMT 1)
Time for scan: 27 seconds
Filename: newbot.exe
File size: 71 KB
MD5 Hash: 29A9BDF7B39FFDC8AC8AE4EFEB540E35
SHA1 Hash: 681E92D08A374E8086303A9E453727BF609B283B
CRC32: 2651006629
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 2 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.Inject.kdz A
IkarusT3 Nothing found!
Kaspersky Trojan.Win32.Inject.kdz
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

After, the file named bdedabafadb.dll was injected in explorer.exe and another file was created:

C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe

And was created also a new directory:

C:\WINDOWS\tsd532

Report Generated 20.11.2008 at 17.26.58 (GMT 1)
Time for scan: 24 seconds
Filename: gadcom.exe
File size: 55 KB
MD5 Hash: 3C4A94886E1A2C015CA9758E69A4A33B
SHA1 Hash: 6D86EB185C7DEC2E1FD7C4BD3291D5357CA2CA2B
CRC32: 1614352094
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan.Win32.Matcash!IK
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.Agent.aorq A
IkarusT3 Trojan.Win32.Matcash
Kaspersky Heur.Trojan.Generic
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Win32.Trojan-Downloader
VirusBuster Nothing found!

And now 2 interesting files were created in C:\WINDOWS\system32\drivers\:

C:\WINDOWS\system32\drivers\ati5ssxx.sys
C:\WINDOWS\system32\drivers\tcpsr.sys

Report Generated 20.11.2008 at 15.21.44 (GMT 1)
Time for scan: 24 seconds
Filename: ati5ssxx.kdmp
File size: 32 KB
MD5 Hash: F8D0B66BD259EBC5D1C9B4C347CC684B
SHA1 Hash: CEB0ED5C79626383158E2396F248C0CA8A796A06
CRC32: 3826122122
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 8 on 23

Antivirus Result
a-squared Rootkit.Win32.Protector!IK
Avira AntiVir RKIT/Protector.BC
Avast Nothing found!
AVG Trojan horse Rootkit-Agent.AV
BitDefender Trojan.Kobcka.FB
ClamAV Trojan.Rootkit.Protector-1
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Rootkit.Win32.Protector
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Rootkit.Siberia.Gen

Below there are some interested strings extracted from the code:

ntoskrnl.exe
RSDS
d:\programs\siberia2\protect\objfre_wxp_x86\i386\protect.pdb
services.exe
d:\programs\siberia2\innerdrv\objfre_wxp_x86\i386\InnerDrv.pdb

RtlAppendUnicodeStringToString
wcslen
memset
ObfDereferenceObject
strcmp
PsLookupProcessByProcessId
PsTerminateSystemThread
KeDelayExecutionThread
ZwClose
PsCreateSystemThread
wcsncpy
ZwQueryValueKey
RtlInitUnicodeString
ZwOpenKey
wcsncat
wcscpy
PsSetCreateProcessNotifyRoutine
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
IofCompleteRequest
ZwWriteFile
ZwCreateFile
IoRegisterFsRegistrationChange
KeInitializeMutex
ObReferenceObjectByName
IoDriverObjectType
RtlAppendUnicodeToString
ZwQueryDirectoryObject
ZwOpenDirectoryObject
KeReleaseMutex
KeWaitForSingleObject
memcpy
ExAllocatePoolWithTag
ExFreePoolWithTag
MmIsAddressValid
CmRegisterCallback
ExInitializeResourceLite
KeLeaveCriticalRegion
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
KeEnterCriticalRegion
RtlCopyUnicodeString
RtlCompareUnicodeString
ExAcquireResourceSharedLite
ObQueryNameString
ZwEnumerateValueKey
ExQueueWorkItem
ZwSetValueKey
ZwCreateKey
ZwQuerySystemInformation
PsLookupThreadByThreadId
wcscmp
KeUnstackDetachProcess
KeStackAttachProcess
ZwAllocateVirtualMemory
ZwOpenProcess
KeInsertQueueApc
KeInitializeApc
NtBuildNumber
ntoskrnl.exe

memcpy
ExFreePoolWithTag
ExAllocatePoolWithTag
ZwQuerySystemInformation
ntoskrnl.exe

\SystemRoot\system32\drivers\
services.exe
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Prot3
\Device\Prot3
\FileSystem
CSDVersion
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Windows

So this rootkit looks like to has got a name:
siberia2

We can see that the driver add itself to the Safe Boot:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\

This mean that if you will start Windows in Safe Mode the driver will be automatic loaded with the other trusted drivers !

Report of the scan of tcpsr.sys:

Report Generated 20.11.2008 at 15.21.44 (GMT 1)
Time for scan: 24 seconds
Filename: tcpsr.dmp
File size: 8 KB
MD5 Hash: D29B23728B03BED296C9DF4AC1B34303
SHA1 Hash: 34BCB3149A57C9B7A95BE29EA96EA5B18E678E42
CRC32: 2830732520
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 2 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Trojan horse SpamBot.G
BitDefender Rootkit.Cutwail.A
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

We can extract other interested strings from the code:

hxxp://bestdiabetesdrugs.com/?
hxxp://mexicandrugstor.com/?
hxxp://superdrugsworld.com/?
hxxp://superdrugssite.com/?
hxxp://bestanxietydrugs.com/?
hxxp://georgescheapdrugs.com/?
hxxp://buydrugsonlinehere.com/?
hxxp://ulcerdrugsonline.com/?
hxxp://bestdrugsinternational.com/?
hxxp://besttopicaldrugs.com/?

d:\programs\mailgrab\drv\objchk_wxp_x86\i386\filt.pdb
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
IoDeleteSymbolicLink
ExFreePoolWithTag
ExAllocatePool
memcpy
memset
MmMapLockedPages
KeTickCount
KeBugCheckEx
ntoskrnl.exe
KfReleaseSpinLock
KfAcquireSpinLock
HAL.dll
NdisDeregisterProtocol
NdisRegisterProtocol
NdisInitUnicodeString
NDIS_BUFFER_TO_SPAN_PAGES
NdisQueryBufferOffset
NdisAllocateMemory
NdisFreeMemory
NDIS.SYS

\DosDevices\Filt
\Device\Filt
ndarProtocol

So this rootkit should be named as:
mailgrab

And should be used for spam activity as we can see also from the detection name of AVG:
Trojan horse SpamBot.G

And now lets do a little analysis:

This rootkit variants seem pretty nasty, there aren’t SSDT / ShadowSSDT Hooks detected, if you use certain Anti-Rootkit software you’ll get a BSOD, rootkit driver is started also in Safe Mode Normal / Network Support, you cannot modify/change/delete any registry key that is related to the rootkit drivers, you cannot modify/change/delete the 2 files with extension .SYS that were created !!! The drivers seem to install hooks not only in Ntfs.sys and Fastfat.sys, but (if I am not wrong) also in:
-FltMgr.sys
-mrxdav.sys
-mrxsmb.sys
-Msfs.sys
-Mup.sys
-Npsf.sys
-Netbios.sys
-rdbss.sys
-sr.sys
-srv.sys

Also if you boot Windows in Safe Mode (at least in my case) the second driver named tcpsr.sys will be automatic deleted !

Apparently this rootkit seems to be the boss of the OS : )

Now lets see some images:

Suspicious drivers modifications/hooks:












No SSDT hooks detected

Stealth code detected

Visible processes

Kernel Modifications (here I used Kernel Detective by GamingMasteR of at4re)

registry startup keys

Below there is some (different from the other analysis) Internet Traffic that we received with the malware:

GET /?bot_id=0&mode=1 HTTP/1.1
User-Agent: imrabot
Host: sys368.3fn.net:3084
Cache-Control: no-cache

When I browsed the link it looked like a Spam Control Panel or similar related to spam:

<form name = “request” action=”./?bot_id=1998477142″ method=”POST”>
<input type=hidden name=”bot_id” value=”1998477142″>

<szXML>
<SCID>1100000</SCID>
<Cookie>*@live[*</Cookie>
<Cookie>*.live[*</Cookie>
<Cookie>*hotmail*</Cookie>
<Cookie>*@msn[*</Cookie>
<Cookie>*.msn[*</Cookie>
<Cookie>*@msnaccountservices.*</Cookie>
<Cookie>*@atdmt[*</Cookie>
<Cookie>*@advertising[*</Cookie>
<Cookie>*msnportal*</Cookie>
<Cookie>*pointroll[*</Cookie>
<Cookie>*doubleclick[*</Cookie>
<scriptRegAcc>
<Navigate>http://get.live.com/mail/overview</Navigate>
<WaitAnyPagesWithText>
<Debug>2, fail wait page with GetFree button</Debug>
<Text>OmnitureInterface.buttonNotification</Text>
</WaitAnyPagesWithText>

<!--button get free-->
<ToLink>
<Debug>3, fail click GetFree button</Debug>
<TagName>a</TagName>
<outerHTML>OmnitureInterface.buttonNotification</outerHTML>
</ToLink>
<WaitAnyPagesWithText>
<Debug>4, fail wait reg page</Debug>
<Text>join.msn.com</Text>
<Text>signup.live.com</Text>
<Text>logout.aspx</Text>
</WaitAnyPagesWithText>
<!--LOG OUT-->
<If_ValidateInBodyHTML>logout.aspx</If_ValidateInBodyHTML>
<Then_ToLink>
<TagName>a</TagName>
<outerHTML>logout.aspx</outerHTML>
</Then_ToLink>
<WaitAnyPagesWithText>
<Debug>14, fail wait reg page after logout</Debug>
<Text>join.msn.com</Text>
<Text>signup.live.com</Text>
</WaitAnyPagesWithText>

<!--To english page registration-->
<Navigate>https://signup.live.com/newuserdl.aspx?mkt=en-us&amp;revipc=US&amp;ru=http://mail.live.com/?newuser=yes&amp;rx=http://get.live.com/mail/options&amp;rollrs=04&amp;lic=1</Navigate>
<WaitAnyPagesWithText>
<Debug>5, fail wait English reg page</Debug>
<Text>submitForCP</Text>
<Text>reg</Text>
<Text>logout.aspx</Text>
</WaitAnyPagesWithText>
<!--LOG OUT-->
<If_ValidateInBodyHTML>logout.aspx</If_ValidateInBodyHTML>
<Then_ToLink>
<TagName>a</TagName>
<outerHTML>logout.aspx</outerHTML>
</Then_ToLink>

<!--Anketa-->
<!--Name-->
<AttrFillForm>
<AttrName>id</AttrName>
<AttrValueNI>iFirstName</AttrValueNI>
<ValueForFillRndFromBase>Names</ValueForFillRndFromBase>
</AttrFillForm>
<!--Surname-->
<AttrFillForm>
<AttrName>id</AttrName>
<AttrValueNI>iLastName</AttrValueNI>
<ValueForFillRndFromBase>Surnames</ValueForFillRndFromBase>
</AttrFillForm>
<!--Sex-->
<ClickTag>
<TagName>input</TagName>
<AttrName>id</AttrName>
<AttrValueNI>iGenderMale</AttrValueNI>
<Click/>
</ClickTag>
<!--Born-->
<AttrFillForm>
<AttrName>id</AttrName>
<AttrValueNI>iBirthYear</AttrValueNI>
<ValueForFillRndFromBase>YearsOfBorn</ValueForFillRndFromBase>
</AttrFillForm>

...

...

After, started again the same aggressive Spam Activity as all the other rootkit analysis.

And below there is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:12:49 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll (file missing)
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 – HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 – HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 – HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
O4 – HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user899\LOCALS~1\Temp\csrssc.exe
O4 – HKCU\..\Run: [gadcom] “C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe” 61A847B5BBF72813349838466188719AB689201522886B092CBD44BD8689220221DD3257
O4 – HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-3997352701-5278103066-943349985-9760\winigon.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O20 – Winlogon Notify: bdedabafadb – C:\WINDOWS\system32\bdedabafadb.dll
O22 – SharedTaskScheduler: Browseui preloader – {438755C2-A8BA-11D1-B96B-00A0C90312E1} – C:\WINDOWS\system32\browseui.dll
O22 – SharedTaskScheduler: Component Categories cache daemon – {8C7461EF-2B13-11d2-BE35-3078302C2030} – C:\WINDOWS\system32\browseui.dll
O22 – SharedTaskScheduler: mcb7uehuj3n8weuhejsw – {C5BF49A2-94F3-42BD-F434-3604812C897D} – C:\WINDOWS\system32\jsne87fidgf.dll (file missing)

End of Analysis.

]]> http://blog.novirusthanks.org/2008/11/rootkitcutwaila-rootkitsiberia2-analysis/feed/ 0