<h4>
File details
</h4>
Filename: S87ekhV.exe

File size: 71680 bytes
Build: 25 December 2007 7:04:40 PM
MD5: ffe2800bf20854ff1cc05655956bd1ac
SHA1: 9828325f9af0dd80565475835dbd3e06a3208ed5
PEiD: -

QUOTE
File S87ekhV.exe received on 12.25.2007 23:59:13
AhnLab-V3 2007.12.25.10 2007.12.24 -
AntiVir 7.6.0.46 2007.12.25 -
Authentium 4.93.8 2007.12.25 -
Avast 4.7.1098.0 2007.12.25 -
AVG 7.5.0.516 2007.12.25 Dropper.Agent.9.V
BitDefender 7.2 2007.12.25 -
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.25 -
DrWeb 4.44.0.09170 2007.12.25 -
eSafe 7.0.15.0 2007.12.25 -
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.25 -
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.25 -
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.25 -
Ikarus T3.1.1.15 2007.12.25 -
Kaspersky 7.0.0.125 2007.12.25 -
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.25 -
NOD32v2 2747 2007.12.25 -
Norman 5.80.02 2007.12.24 -
Panda 9.0.0.4 2007.12.25 -
Prevx1 V2 2007.12.26 -
Rising 20.24.12.00 2007.12.25 -
Sophos 4.24.0 2007.12.25 -
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.25 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.24 -
VirusBuster 4.3.26:9 2007.12.25 -
Webwasher-Gateway 6.6.2 2007.12.25 -
______________________________

Filename: smss.exe

File size: 17408 bytes
MD5: 56829b0977cc2e12290d1b6331bc4ccc
SHA1: 6ea60f70c45218b2dbc10899307d70f0fceb31af
PEiD: -
packers: embedded, UPX
packers: PE_Patch.UPX, UPX

QUOTE
File smss.exe received on 12.26.2007 01:46:28 (CET)
AhnLab-V3 2007.12.25.10 2007.12.24 -
AntiVir 7.6.0.46 2007.12.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.12.25 -
Avast 4.7.1098.0 2007.12.25 -
AVG 7.5.0.516 2007.12.25 -
BitDefender 7.2 2007.12.26 -
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.26 -
DrWeb 4.44.0.09170 2007.12.25 -
eSafe 7.0.15.0 2007.12.25 suspicious Trojan/Worm
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.25 -
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.25 -
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.26 -
Ikarus T3.1.1.15 2007.12.26 -
Kaspersky 7.0.0.125 2007.12.26 -
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 -
NOD32v2 2747 2007.12.25 -
Norman 5.80.02 2007.12.24 -
Panda 9.0.0.4 2007.12.25 -
Prevx1 V2 2007.12.26 -
Rising 20.24.12.00 2007.12.25 -
Sophos 4.24.0 2007.12.25 -
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.26 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.24 suspected of Trojan-PSW.Pinch.35 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.12.25 -
Webwasher-Gateway 6.6.2 2007.12.25 Trojan.Crypt.XPACK.Gen
______________________________

Filename: svchost.exe

File size: 44544 bytes
MD5: 4a718da2d84a6eb76cd4a3ed73e95e70
SHA1: 9153415e2c4bd2af4ad90e0c8c9708bc4c15c70f
PEiD: -

QUOTE
File svchost.exe received on 12.26.2007 01:46:23 (CET)
AhnLab-V3 2007.12.25.10 2007.12.24 -
AntiVir 7.6.0.46 2007.12.25 -
Authentium 4.93.8 2007.12.25 -
Avast 4.7.1098.0 2007.12.25 -
AVG 7.5.0.516 2007.12.25 -
BitDefender 7.2 2007.12.26 -
CAT-QuickHeal 9.00 2007.12.25 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.12.26 -
DrWeb 4.44.0.09170 2007.12.25 -
eSafe 7.0.15.0 2007.12.25 -
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.25 -
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.25 -
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.26 -
Ikarus T3.1.1.15 2007.12.26 -
Kaspersky 7.0.0.125 2007.12.26 -
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 -
NOD32v2 2747 2007.12.25 -
Norman 5.80.02 2007.12.24 -
Panda 9.0.0.4 2007.12.25 Suspicious file
Prevx1 V2 2007.12.26 -
Rising 20.24.12.00 2007.12.25 -
Sophos 4.24.0 2007.12.25 -
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.26 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.24 -
VirusBuster 4.3.26:9 2007.12.25 -
Webwasher-Gateway 6.6.2 2007.12.25 Win32.Malware.gen (suspicious)
______________________________

Filename: setupapi.dll

File size: 16896 bytes
MD5: 74cade150325f2dd5bdd2b7d3341a5b3
SHA1: 54d871901465f25fbd931b49d75bb136ea71b8d9
PEiD: -

QUOTE
File setupapi.dll received on 12.26.2007 01:46:40 (CET)
AhnLab-V3 2007.12.25.10 2007.12.24 -
AntiVir 7.6.0.46 2007.12.25 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.12.25 -
Avast 4.7.1098.0 2007.12.25 -
AVG 7.5.0.516 2007.12.25 -
BitDefender 7.2 2007.12.26 -
CAT-QuickHeal 9.00 2007.12.25 -
ClamAV 0.91.2 2007.12.26 -
DrWeb 4.44.0.09170 2007.12.25 Trojan.Proxy.2240
eSafe 7.0.15.0 2007.12.25 -
eTrust-Vet 31.3.5400 2007.12.24 -
Ewido 4.0 2007.12.25 Downloader.Small.fah
FileAdvisor 1 2007.12.26 -
Fortinet 3.14.0.0 2007.12.25 -
F-Prot 4.4.2.54 2007.12.25 -
F-Secure 6.70.13030.0 2007.12.26 -
Ikarus T3.1.1.15 2007.12.26 -
Kaspersky 7.0.0.125 2007.12.26 -
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 -
NOD32v2 2747 2007.12.25 -
Norman 5.80.02 2007.12.24 -
Panda 9.0.0.4 2007.12.25 -
Prevx1 V2 2007.12.26 -
Rising 20.24.12.00 2007.12.25 -
Sophos 4.24.0 2007.12.25 -
Sunbelt 2.2.907.0 2007.12.21 VIPRE.Suspicious
Symantec 10 2007.12.26 -
TheHacker 6.2.9.168 2007.12.22 -
VBA32 3.12.2.5 2007.12.24 suspected of Trojan-PSW.Pinch.35 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.12.25 -
Webwasher-Gateway 6.6.2 2007.12.25 Trojan.Crypt.XPACK.Gen
______________________________

Kaspersky:

S87ekhV.exe - infected by Trojan-PSW.Win32.Agent.wf
setupapi.dll - infected by Trojan-Spy.Win32.Agent.axj
smss.exe - infected by Trojan-Spy.Win32.Agent.axj
svchost.exe - infected by Trojan-PSW.Win32.Agent.wf

<h4>
Visible signs
</h4>
None.

<h4>
Technical details
</h4>
Files added.

QUOTE
%Temp%\smss.exe
Date: 12/26/2007 12:41 AM
Size: 17,408 bytes
%Temp%\svchost.exe
Date: 12/26/2007 12:41 AM
Size: 44,544 bytes
%ProgramFiles%\Internet Explorer\setupapi.dll
Date: 12/26/2007 12:41 AM
Size: 16,896 bytes
Note: %Temp% is a variable that refers to C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.


<h4>
Notes
</h4>
%Temp%\svchost.exe belongs to the Pinch(*) family and reports back to the server upon execution.

A typical server response for this type of trojan is ret_ok.
%ProgramFiles%\Internet Explorer\setupapi.dll is loaded into the Internet Explorer process. Do not confuse it with c:\windows\system32\setupapi.dll, which is a legitimate Windows file.
Note the "smart way" in which this malware gets loaded.

Although you will not find any load point for %ProgramFiles%\Internet Explorer\setupapi.dll in the registry, this DLL is loaded into iexplore.exe every time you launch the program, even after a reboot.

Why?

Every executable loads a number of DLLs, and c:\windows\system32\setupapi.dll is one of those loaded by Internet Explorer. Here comes the interesting part: when a DLL is not already in memory and is not on the KnownDLLs list, the Windows loader looks for it first in the folder the executable was started from (here %ProgramFiles%\Internet Explorer), and only then in the system folders (%SystemRoot%\system32, %SystemRoot%\system, %SystemRoot%), the current directory and the folders listed in %PATH% (usually %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem).
Since iexplore.exe finds a setupapi.dll in its own folder, it uses that copy and never touches the genuine one in system32. No registry load point is needed, which is why autostart tools show nothing. This works on Windows XP because setupapi.dll is not on its KnownDLLs list (DLLs on that list are always mapped from system32, whatever sits next to the executable); later Windows versions added setupapi.dll to that list, which defeats this particular planting but not the technique as such.
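As an added example, not code from the original post or from any of the tools quoted in it, here is a sweep for the loading trick described above: it lists DLLs in application folders that shadow a same-named DLL in system32, skipping KnownDLLs (which the loader never takes from the application folder) and byte-identical redistributed copies. The directory layout, the file contents and the partial KnownDLLs set are constructed assumptions for the demo; on a real host you would point find_shadowed_dlls at the actual Program Files subfolders and C:\Windows\system32.

```python
"""Added example: find DLLs planted next to an executable that shadow a
same-named DLL in the system folder (DLL search order hijacking).

With SafeDllSearchMode on (the default since XP SP2) a DLL that is not
already loaded and not a KnownDLL is resolved in this order:
  1. the folder the executable was loaded from
  2. the system folder (system32)
  3. the 16-bit system folder
  4. the Windows folder
  5. the current working directory
  6. the folders in %PATH%
so a copy dropped next to the .exe wins over the genuine one in system32.
"""

import hashlib
import os
import tempfile
from pathlib import Path

# DLLs Windows always maps from the system folder (HKLM\...\KnownDLLs).
# A planted copy of one of these in the app folder is never used.
# Assumption for the demo: a partial list, not the complete one for any version.
KNOWN_DLLS = {
    "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll",
    "oleaut32.dll", "shell32.dll", "rpcrt4.dll", "msvcrt.dll", "comdlg32.dll",
}


def sha1_of(path: Path) -> str:
    """SHA1 of a file, read in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(app_dirs, system_dir):
    """Return [(dll_path, reason)] for DLLs in app_dirs that would be loaded
    in place of a same-named DLL in system_dir."""
    system_dir = Path(system_dir)
    system_dlls = {p.name.lower(): p for p in system_dir.glob("*.dll")}
    hits = []
    for d in app_dirs:
        for dll in Path(d).glob("*.dll"):
            name = dll.name.lower()
            if name not in system_dlls:
                continue                      # nothing in system32 to shadow
            if name in KNOWN_DLLS:
                continue                      # loader ignores the app-folder copy
            if sha1_of(dll) == sha1_of(system_dlls[name]):
                continue                      # identical copy, e.g. a redistributable
            hits.append((str(dll),
                         f"shadows {system_dlls[name]} with a different SHA1"))
    return hits


def demo():
    """Build a constructed directory tree mimicking the infected host and sweep it."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "Windows" / "system32"
    ie = root / "Program Files" / "Internet Explorer"
    sys32.mkdir(parents=True)
    ie.mkdir(parents=True)
    # Constructed file contents; only the names and hashes matter for the sweep.
    (sys32 / "setupapi.dll").write_bytes(b"MZ legitimate setupapi")
    (sys32 / "kernel32.dll").write_bytes(b"MZ legitimate kernel32")
    (sys32 / "msvcr80.dll").write_bytes(b"MZ redistributed crt")
    (ie / "setupapi.dll").write_bytes(b"MZ planted trojan dll")   # the case on this page
    (ie / "kernel32.dll").write_bytes(b"MZ decoy")                # ignored: KnownDLL
    (ie / "msvcr80.dll").write_bytes(b"MZ redistributed crt")     # ignored: identical
    return find_shadowed_dlls([ie], sys32)


if __name__ == "__main__":
    for path, why in demo():
        print(path, "->", why)
```

A hash mismatch on its own only says the two files differ, which also happens with a legitimately newer or older copy of a redistributed DLL, so treat each hit as a lead to verify (Authenticode signature, version resource, a scan of the file) rather than as a verdict.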

(*) They are able to:
  • Steal information such as personal financial data (credit card numbers, online banking login details), user profiles, software registration keys and passwords.
  • Defeat the rules of security products by emulating mouse clicks on their dialog windows. For example, when a security product pops up a dialog asking the user whether to block suspicious activity, the trojan may click the Allow button so its payload can run.
  • Steal passwords from multiple popular email, ICQ and FTP client applications, such as Mirabilis ICQ, Miranda, Trillian, Microsoft Outlook, CuteFTP, Thunderbird, FileZilla, FlashFXP, The Bat!, etc.
Further reading: Pinch, The Trojan Creator

<h4>
Offending IP
</h4>
web-money.cn - 203.117.111.102

QUOTE
Server Type: Microsoft-IIS/6.0
IP Location - Singapore - Starhubinternet
Response Code: 200
Blacklist Status: Clear
Domain Status: Registered And Active Website

ROID: 20070807s10001s47048645-cn
Domain Status: ok
Registrant Organization: roof
Registrant Name: Konovalova Alenka
Name Server:ns1.miclosoft.org
Name Server:ns2.miclosoft.org
Registration Date: 2007-08-07 14:23
Expiration Date: 2008-08-07 14:23

Websites for 203.117.111.102
  1. 1sense.info
  2. 1speed.info
  3. 2speed.info
  4. Adminhost.info
  5. D0r.info
  6. Ddosmanager.org
  7. Fastwiretransfer.info
  8. Ftpiframer.org
  9. Googletraff.info
  10. Hacktrade.info
  11. Hopana.info
  12. Itsex.org
  13. Logartos.org
  14. Miclosoft.org
  15. My-loads.info
  16. New-screensavers.com
  17. Notsex.info
  18. Renca.biz
  19. Ultra-shop.biz
  20. Westernescrow.info
  21. Xopfig.info
Hackers Gate: www.myexpressmail.com - 82.146.46.244

QUOTE
ICANN Registrar: ESTDOMAINS, INC.
Created: 2007-01-23
Expires: 2008-01-23
Registrar Status: ok
Name Server: NS1.FIRSTVDS.RU (has 3,546 domains)
Name Server: NS2.FIRSTVDS.RU
Whois Server: whois.estdomains.com

Server Data
IP Address: 82.146.46.244
IP Location - Russian Federation - Ispsystem At Msm
Response Code: 200
Blacklist Status: Clear
Domain Status: Registered And No Website

Registration Service Provided By: YEKT LTD.

Domain Name: MYEXPRESSMAIL.COM

Registrant:
pkay
Aleks
Tolstova 77
Berlin
Spandau,135845
DE
Tel. +038.0662398029

Creation Date: 23-Jan-2007
Expiration Date: 23-Jan-2008

Domain servers in listed order:
ns2.firstvds.ru
ns1.firstvds.ru