Analysis Content: Rustock Rootkit Variants and TDSServ Kit
Released: 21.12.2008
Author of Analysis: Robert (robert@novirusthanks.org)
Sample submitted by: Steve (steve@novirusthanks.org)
Thanks to: Fyyre (www.fyyre.net)
Website: http://www.novirusthanks.org

Today we will analyze another rustock rootkit variant and the famous TDSServ Kit.

Rustock Rootkit Part

-Files analyzed:

After the execution of the file named rus.exe these new files were dropped in the system:

C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\dllcache\beep.sys.new
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\33ffd873.sys

And look like the common rustock trick infecting the file beep.sys and copying it under C:\WINDOWS\system32\dllcache\ and after, renaming the file in beep.sys.
The real rootkit driver is 33ffd873.sys and below there is the scan report:

Report Generated 25.12.2008 at 18.15.27 (GMT 1)
Time for scan: 22 seconds
Filename: 33ffd873.sys
File size: 92 KB
MD5 Hash: 3A60061C7AB4BCC8A0948FCED7ED8018
SHA1 Hash: 6FA1732658A6CEF329B3E4B253D2083E58A3F994
CRC32: 1348671792
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 12 on 24

Antivirus Result
a-squared Backdoor.Winnt!IK
Avira AntiVir TR/Rootkit.Gen
Avast Win32:Rootkit-gen [Rtk]
AVG BackDoor.Generic10.AEFE
BitDefender Backdoor.Rustock.NET
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Win32:Rootkit-gen [Rtk] B
IkarusT3 Backdoor.Winnt
Kaspersky Nothing found!
McAfee Generic BackDoor trojan
MHR (Malware Hash Registry) Nothing found!
NOD32 v3 Win32/Rustock.NGG
Norman Trojan W32/Rootkit.AAFD
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Mal/Generic-A
TrendMicro Nothing found!
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster Nothing found!

The SSDT hooks that were detected are these:
-NtCreateEvent
-NtCreateKey
-NtOpenKey

Code hook:

From images below we can see that the beep.sys installed hooks in:
-Ntfs.sys
-Tcpip.sys

And in the image below I used NIAPAntiRootkitTools to detect FSD Dispatch Hooks and SystemCallbacks installed by the file beep.sys:

TDSServ Kit part

Fyyre has unpacked the TDSServ files ,analyzed the hook procedures and he found a lot of interesting stuff:

.data:1000BDB8 00000032 C \\\\?\\globalroot\\systemroot\\system32TDSSservers.dat
.data:1000BDEC 0000002D C hxxp://findxproportal1.com/tdss2/crcmds/main
.data:1000BE1C 0000002B C hxxp://stableclickz1.com/tdss2/crcmds/main
.data:1000BE48 00000029 C hxxp://updatemics1.com/tdss2/crcmds/main
.data:1000BE74 0000002D C hxxp://findsproportal1.com/tdss2/crcmds/main
.data:1000BEA4 0000002D C hxxp://findzproportal1.com/tdss2/crcmds/main
.data:1000BED4 00000027 C hxxp://91.203.92.121/tdss2/crcmds/main
.data:1000BEFC 00000028 C hxxp://younewsblog.net/tdss/crcmds/main
.data:1000BF24 00000029 C hxxp://yournewsblog.net/tdss/crcmds/main
.data:1000BF50 00000029 C hxxp://yourblognews.net/tdss/crcmds/main
.data:1000BF7C 00000028 C hxxp://youblognews.net/tdss/crcmds/main
.data:1000BFA4 00000025 C hxxp://web1inst.com/tdss/crcmds/main
.data:1000BFCC 00000025 C hxxp://web2inst.com/tdss/crcmds/main
.data:1000BFF4 00000025 C hxxp://web3inst.com/tdss/crcmds/main
.data:1000C01C 00000025 C hxxp://web4inst.com/tdss/crcmds/main

Running the .exe goes through a long unpacking process – which dumps .tmp into
%USERPROFILE%\Temp – installs a service, then starts the service – which loads a driver
(TDSServ.sys) installs the following kernel mode hooks:

IofCallDriver –>>

E1A58E3A: E973E157D8 jmp B9FD6FB2h

NtEnumerateKey –>>

E10A05D4: E9F971F3D8 jmp B9FD77D2h

NtFlushInstructionCache –>>

E118FFDC: E9177BE4D8 jmp B9FD7AF8h

IofCompleteRequest –>>

B9FD76BB: 55 push ebp
B9FD76BC: 8BEC mov ebp, esp
B9FD76BE: 81EC28020000 sub esp, 00000228h
B9FD76C4: 53 push ebx
B9FD76C5: 8BD9 mov ebx, ecx
B9FD76C7: 837B1800 cmp [ebx+18h], 00000000h
B9FD76CB: 8855FC mov [ebp-04h], dl
B9FD76CE: 0F8CF0000000 jl B9FD77C4h
B9FD76D4: 56 push esi
B9FD76D5: 57 push edi
B9FD76D6: 8B7B60 mov edi, [ebx+60h]
B9FD76D9: 8B7714 mov esi, [edi+14h]
B9FD76DC: 85F6 test esi, esi
B9FD76DE: 0F84DE000000 jz B9FD77C2h
B9FD76E4: F6461C40 test byte ptr [esi+1Ch], 40h
B9FD76E8: 0F85AD000000 jnz B9FD779Bh
B9FD76EE: 8B4608 mov eax, [esi+08h]
B9FD76F1: 3B05940EFEB9 cmp eax, [B9FE0E94h]
B9FD76F7: 740C jz B9FD7705h
B9FD76F9: 3B05700EFEB9 cmp eax, [B9FE0E70h]
B9FD76FF: 0F8596000000 jnz B9FD779Bh
B9FD7705: E889F4FFFF call B9FD6B93h
B9FD770A: 803F0C cmp byte ptr [edi], 0Ch
B9FD770D: 750C jnz B9FD771Bh
B9FD770F: 807F0101 cmp byte ptr [edi+01h], 01h
B9FD7713: 7506 jnz B9FD771Bh
B9FD7715: 53 push ebx
B9FD7716: E84FFAFFFF call B9FD716Ah
B9FD771B: 803F00 cmp byte ptr [edi], 00h
B9FD771E: 757B jnz B9FD779Bh
B9FD7720: 66F7470800207473 test word ptr [edi+08h], 73742000h
B9FD7728: 8D45E8 lea eax, [ebp-18h]
B9FD772B: 50 push eax
B9FD772C: 8D85D8FDFFFF lea eax, [ebp-00000228h]
B9FD7732: 50 push eax
B9FD7733: 6810020000 push 00000210h
B9FD7738: 6A09 push 00000009h
B9FD773A: FF7718 push [edi+18h]
B9FD773D: FF152890FDB9 call [B9FD9028h]
B9FD7743: 85C0 test eax, eax
B9FD7745: 7C54 jl B9FD779Bh
B9FD7747: 8B85D8FDFFFF mov eax, [ebp-00000228h]
B9FD774D: 668945F4 mov [ebp-0Ch], ax
B9FD7751: 668945F6 mov [ebp-0Ah], ax
B9FD7755: 6A00 push 00000000h
B9FD7757: 8D85DCFDFFFF lea eax, [ebp-00000224h]
B9FD775D: 8945F8 mov [ebp-08h], eax
B9FD7760: 6A01 push 00000001h
B9FD7762: 8D45F4 lea eax, [ebp-0Ch]
B9FD7765: 50 push eax
B9FD7766: 8D45EC lea eax, [ebp-14h]
B9FD7769: 50 push eax
B9FD776A: 66C745EC0E00 mov word ptr [ebp-14h], 000Eh
B9FD7770: 66C745EE1000 mov word ptr [ebp-12h], 0010h
B9FD7776: C745F03095FDB9 mov [ebp-10h], B9FD9530h
B9FD777D: FF150490FDB9 call [B9FD9004h]

Scan report:

Report Generated 25.12.2008 at 17.58.13 (GMT 1)
Time for scan: 22 seconds
Filename: TDSSERV_DMP.SYS
File size: 68 KB
MD5 Hash: FBDD5411951E9055F06509E8707BC17A
SHA1 Hash: 3E0D8D8AE65428CF767A0C5EF604A14F7AFFA6BB
CRC32: 3315504602
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 7 on 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:Fasec [Trj]
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ
Kaspersky HEUR:Trojan.Win32.Generic
McAfee Nothing found!
MHR (Malware Hash Registry) Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Embedded.Win32.Agent.ODG
VirusBuster Nothing found!

Now lets see some interesting text extracted from the file named TDSServ.sys:

%.*S
TDSS
%s%s%s
\systemroot\system32\drivers\TDSSserv.sys
\systemroot\system32\TDSSl.dll
file system
\\?\globalroot
svchost.exe
TDSSl.dll
chkdsk.exe
System
TDL2 Loaded
flcquhrm.dll
Xsaergwivo
lJBuEx
NTOSKRNL.EXE
CcRepinBcb
ZwCreateFile
ExFreePool
HAL.DLL
HalGetAdapter
KeLowerIrql

\registry\machine\system\currentcontrolset\services\TDSSserv.sys\modules
\registry\machine\system\currentcontrolset\services\TDSSserv.sys
start
type
mgroup
imagepath
TDSS
\registry\machine\software\TDSS\injector
*\KERNEL32.DLL
*\NTDLL.DLL
\registry\machine\software\TDSS\disallowed
\registry\machine\software\TDSS\trusted
\registry\machine\software\TDSS\connections
\FileSystem\FltMgr
*\TDSS*
*\TEMP\TDSS*
\filesystem\fastfat
\filesystem\ntfs
\driver\tcpip
\driver\ftdisk
\driver\volsnap
svchost.exe
ntdll.dll
kernel32.dll

Now lets look the file named TDSSl.dll:

Report Generated 25.12.2008 at 17.57.44 (GMT 1)
Time for scan: 21 seconds
Filename: TDSSl.dll
File size: 21 KB
MD5 Hash: 3989FBBFDE71E212611E362E0180C087
SHA1 Hash: 4321B846840D14F706A0B6D7A2AD399F665854D2
CRC32: 1152938758
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Not a valid PE file
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 6 on 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:DNSChanger-VJ [Trj]
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 W32/Damaged_File.gen!Eldorado
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ
Kaspersky Nothing found!
McAfee Nothing found!
MHR (Malware Hash Registry) Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

Interesting text extracted from the code:

%.*S
%s%s%x.tmp
id=%s
%s=%u.%u.%u.%u
TDSS
Update
error while reading %s
TDSSerrors.log
%[^.].%[^(](%[^)])
%s/%s
winsta0
Impersonating as HWND 0x%x (0x%x)
\\?\globalroot\systemroot\system32TDSSservers.dat
hxxp://findxproportal1.com/tdss2/crcmds/main
hxxp://stableclickz1.com/tdss2/crcmds/main
hxxp://updatemics1.com/tdss2/crcmds/main
hxxp://findsproportal1.com/tdss2/crcmds/main
hxxp://findzproportal1.com/tdss2/crcmds/main
hxxp://91.203.92.121/tdss2/crcmds/main
hxxp://younewsblog.net/tdss/crcmds/main
hxxp://yournewsblog.net/tdss/crcmds/main
hxxp://yourblognews.net/tdss/crcmds/main
hxxp://youblognews.net/tdss/crcmds/main
hxxp://web1inst.com/tdss/crcmds/main
hxxp://web2inst.com/tdss/crcmds/main
hxxp://web3inst.com/tdss/crcmds/main
hxxp://web4inst.com/tdss/crcmds/main
\\?\globalroot\systemroot\system32\drivers\TDSSserv.sys
%*x %255s
%s?id=%s&new=%s
%x OK
%s (%d)
file=%s&address=0x%xI=%s&code=0x%x&info=%s&id=%s
\\?\globalroot\systemroot\system32\TDSSl.dll
\\?\globalroot\systemroot\system32
%s\%s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
POST
Content-Type: application/x-www-form-urlencoded
4: download %s error: 0x%x (0x%x – %s)
file downloaded ok
\\?\globalroot
tdll.dll
CheckValue
CmdExec
CmdExecAffID
CmdExecBotID
CmdExecBuild
CmdExecSubID
CmdExecType
CmdExecVersion
CopyAffID
CopySubID
CryptKeySet
FileDownload
FileDownloadRandom
FileDownloadRandomUnxor
FileDownloadUnxor
ImpersonateAsInput
Knock
ModuleDownload
ModuleDownloadUnxor
ModuleLoad
ModuleUnload
ModulesVersionLog
SetCmdDelay
SetInputDesktop
SetLoadedURL
SetTimeout
software\microsoft\internet explorer\main\featurecontrol\feature_enable_ie_compression
loaded_url
\registry\machine\software\TDSS
timeout
cmddelay
\registry\machine\software\TDSS\versions
build
type
affid
subid
\registry\machine\software\microsoft\windows nt\currentversion\tdssdata
serversdown
\registry\machine\software\TDSS\connections
\registry\machine\software\TDSS\disallowed
\registry\machine\software\TDSS\injector
\registry\machine\system\currentcontrolset\services\TDSSserv.sys\Enum
\registry\machine
\system\currentcontrolset\services\TDSSserv.sys
\device\namedpipe\TDSScmd
\TdlStartMutex
TDSS

Note that from previous extracted text we can see also some parts that should be the Bot Commands (CMD stand for COMMAND and AffID should stand for AffiliateID):

CmdExec
CmdExecAffID
CmdExecBotID
CmdExecBuild
CmdExecSubID
CmdExecType
CmdExecVersion
CopyAffID
CopySubID
CryptKeySet
FileDownload
FileDownloadRandom
FileDownloadRandomUnxor
FileDownloadUnxor
ImpersonateAsInput
Knock
ModuleDownload
ModuleDownloadUnxor
ModuleLoad
ModuleUnload
ModulesVersionLog

And from the text below we can see the possible queries that the malware will do to the webpages:

%s?id=%s&new=%s
file=%s&address=0x%xI=%s&code=0x%x&info=%s&id=%s

And below there is the TDSS.exe dumped by Fyyre:

Report Generated 25.12.2008 at 18.50.38 (GMT 1)
Time for scan: 24 seconds
Filename: TDSS_DMP.ppp
File size: 240 KB
MD5 Hash: AE9B3C7031D209DA77E7FC95764C212A
SHA1 Hash: F34044472E4DBDF12680729C19A8B470C47259E0
CRC32: 2477991722
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found*
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 7 on 24

Antivirus Result
a-squared Virus.Win32.DNSChanger.VJ!IK
Avira AntiVir TR/Agent.8704.76
Avast Win32:DNSChanger-VJ [Trj]
AVG Nothing found!
BitDefender Trojan.FakeAlert.ANM
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web BackDoor.Tdss.30
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Win32:DNSChanger-VJ [Trj] B
IkarusT3 Virus.Win32.DNSChanger.VJ
Kaspersky Nothing found!
McAfee Nothing found!
MHR (Malware Hash Registry) Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Nothing found!
VirusBuster Nothing found!

Interesting text extracted:

.tdl
ntdll.dll
TDSS
test
TDSS
.tdl
TDSS
\\?\globalroot\systemroot\system32\advapi32.dll
\\?\globalroot\systemroot\system32\advapi32.dll
msiserver
|iDH

\TdlStartMutex
\device\namedpipe\TDSScmd
\knowndlls\dll.dll
l\TDKD
\knowndlls\advapi32.dll

Analysis Content: Next Generation of Rustock.Rootkit variants ?
Released: 18.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

My friend Steve sent me today a new possible variant of the famous Rustock.Rootkit !

The file I received was named unprotdmp and below there is the report of the scan:

Report Generated 17.11.2008 at 23.05.50 (GMT 1)
Time for scan: 26 seconds
Filename: unprotdmp
File size: 48 KB
MD5 Hash: 4D5F159DFBDEC338F6E8E83BAAA0B26F
SHA1 Hash: 26E87BE9EC0D41965DA6860AE617AF56A449778F
CRC32: 2928629155
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir TR/Dropper.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster Nothing found!

We can see a lot of very interesting strings inside the code of the file:

ExAllocatePool
ExFreePool
ZwQuerySystemInformation
ZwOpenKey
ZwCreateKey
%win
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
FATAL_UNHANDLED_HARD_ERROR

wcschr
ZwClose
ZwSetValueKey
wcslen
ZwCreateKey
RtlInitUnicodeString
ZwUnmapViewOfSection
ExFreePoolWithTag
swprintf
ExAllocatePoolWithTag
ZwMapViewOfSection
ZwOpenSection
PsTerminateSystemThread
KeDelayExecutionThread
ZwCreateEvent
ZwOpenEvent
PsCreateSystemThread
PsGetCurrentProcessId
ZwQuerySystemInformation
IoGetCurrentProcess
ZwDeleteKey
ZwEnumerateKey
ZwOpenKey
IoGetRelatedDeviceObject
ZwCreateFile
ZwReadFile
ZwQueryInformationFile
KeReleaseMutex
KeWaitForSingleObject
KeInitializeEvent
KeInsertQueueApc
KeInitializeApc
KeClearEvent
ObfDereferenceObject
PsLookupThreadByThreadId
IoFreeMdl
KeDetachProcess
MmMapLockedPages
KeAttachProcess
MmBuildMdlForNonPagedPool
IoAllocateMdl
MmUnmapLockedPages
NtSetInformationProcess
ObReferenceObjectByHandle
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
KeInitializeMutex
wcstombs
IofCompleteRequest
ProbeForRead
KeGetCurrentThread
KeSetEvent
KeServiceDescriptorTable
MmProbeAndLockPages
ObfReferenceObject
SeDeleteAccessState
RtlCopyUnicodeString
SeSetAccessStateGenericMapping
RtlMapGenericMask
SeCreateAccessState
ObCreateObject
IoFileObjectType
IoFreeIrp
IoAllocateIrp
ZwOpenFile
IoReuseIrp
IoGetDeviceObjectPointer
ProbeForWrite
MmUnlockPages
IoCancelIrp
IofCallDriver
_allmul
KeUnstackDetachProcess
KeStackAttachProcess
ntoskrnl.exe
_except_handler3
ExReleaseFastMutex
ExAcquireFastMutex
HAL.dll
NDIS.SYS

IoGetRelatedDeviceObject
KeInitializeEvent
DbgPrint
IoAllocateMdl
KeInitializeDpc
ntoskrnl.exe

ImagePath
Type
Start
ErrorControl
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D8
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A470}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp

These are interesting strings uh !?

So lets do a small analysis only based on strings we found:

%win can stand for Windows Directory (similar to the Environment variable – %WinDir%)

svchost.exe can be a process where the malware will inject code.

C:\progz\NewWork\driver\objfre\i386\driver.pdb ==> Very interesting string, is different from all the other variants of Rustock.Rootkit and should stand for a new version of the malware !!!

HAL.dll – Windows Hardware Abstraction Layer (HAL), is a file that hides hardware complexities from Win applications.

NDIS.sys – Network Driver Interface Specification (NDIS) is an application programming interface (API) for network interface cards (NICs).

\registry\machine\system\CurrentControlSet\Services\%x is the path of the Services and %x should be the variable that will be overwritten with the malware Service name.

\SystemRoot\System32\drivers\%x.sys is the path where are stored drivers and %x should be the variable that will be overwritten with the name of the malware driver.

services.exe can be used by malware to load and start services or the malware can inject code into it.

We can also see that into the file have embedded 2 PE, so, maybe, one is the kernel driver of the rootkit and the other one is the user-mode botnet.

Unfortunately I can not test/run this sample so I can only show this small analysis, anyway very interesting code!

Another file that was present with this rootkit was named sxmg4.dll and below there is the report of the scan:

Report Generated 18.11.2008 at 0.13.08 (GMT 1)
Time for scan: 33 seconds
Filename: sxmg4.dll
File size: 68 KB
MD5 Hash: 15EB3167B2B87F168B1D997530D41003
SHA1 Hash: 206C3E2D26F051C988D38F3B22215F81AE68C54A
CRC32: 542643393
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Microsoft Visual C++ 6.0 DLL
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan.Win32.BHO.d!IK
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Trojan horse BackDoor.Ircbot.GEV
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Trojan.Win32.BHO.d
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Win32/Adware.AntiSpyKing application
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm
VirusBuster Nothing found!

Import Tables:

KERNEL32.DLL
+GetTempPathA
+WaitForSingleObject
+GetLocalTime
+DisableThreadLibraryCalls
+InterlockedDecrement
+MoveFileExA
+LeaveCriticalSection
+EnterCriticalSection
+lstrlenW
+GetSystemDirectoryA
+GetWindowsDirectoryA
+GetModuleFileNameA
+GetTickCount
+DeleteCriticalSection
+InitializeCriticalSection
+SystemTimeToFileTime
+GetFileAttributesA
+GetModuleHandleA
+FindResourceA
+SizeofResource
+GetLastError
+WideCharToMultiByte
+Sleep
+lstrlenA
+MultiByteToWideChar
+CloseHandle
+InterlockedIncrement
ADVAPI32.dll
+RegNotifyChangeKeyValue
ATL.DLL
GDI32.dll
+GetDeviceCaps
MSVCP60.dll
+?_Xran@std@@YAXXZ
+??1_Winit@std@@QAE@XZ
+??0_Winit@std@@QAE@XZ
+??1Init@ios_base@std@@QAE@XZ
+??0Init@ios_base@std@@QAE@XZ
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
+?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
+?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD@Z
+?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
+?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
+?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
+??0_Lockit@std@@QAE@XZ
+??1_Lockit@std@@QAE@XZ
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
+?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
+?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
MSVCRT.dll
+_mbslwr
+wcslen
+_vsnprintf
+strcat
+memcmp
+memmove
+isspace
+rand
+memcpy
+strtok
+fclose
+fread
+fopen
+fwrite
+strrchr
+strcmp
+ftell
+fseek
+_beginthreadex
+_purecall
+_ftol
+pow
+strtol
+__dllonexit
+_strlwr
+_onexit
+_except_handler3
+?terminate@@YAXXZ
+_initterm
+_adjust_fdiv
+??2@YAPAXI@Z
+__CxxFrameHandler
+srand
+free
+strlen
+strncpy
+calloc
ole32.dll
+CoCreateInstance
OLEAUT32.dll
SHELL32.dll
+ShellExecuteA
USER32.dll
+KillTimer

And below there are some extracted strings:

http://
class=”title”
text=
gping=
class=yschttl
class=l
n[keyword]
c.php?id=
http
\TSoft
Software
\lt.res
\sft.res
open
rundll32.exe
%s,RunMain
\sn.txt
popurl
DOWNLOAD
clickreferer
referer
$number
feed
KEYS
SECT
%d.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61} ====> here we can see that will install BHO
Systray component
SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
WebProxy
{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
EulaAccepted
Software\Sysinternals\Bluescreen Screen Saver
iexplore.exe
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
explorer.exe
F\bulksoft.ini
btimeout
mbinterval
binterval
mbcaption
bcaption
mburl
burl
mbtext
btext
PROM
lang
PSECT
Software\AntispyKnight
\sysin.scr
_WSCLAS_
InstallLanguage
SYSTEM\CurrentControlSet\Control\Nls\Language
Software\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
Systray
Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe %s,RunMain
Hookd
YIHookWWW

We can see 2 .EXE:

iexplore.exe
explorer.exe

that probably are the .EXEs where the malware will inject the dll or other code.

We can see a reference to a registry key used to add keys to autostart a program:

Software\Microsoft\Windows\CurrentVersion\Run

We can see also a reference to a possible software that will be installed:

Software\AntispyKnight

and if we check also the detection name of:

NOD32 v3 Win32/Adware.AntiSpyKing application
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm

We can maybe imagine that will be installed a rogue software in our computer that is possibly named as AntispyKnight.

Ok, this analysis end here : )