<h4>
File details
</h4>
Filename: 200.exe
File size: 32768 bytes
MD5: 4bcb9afea313bbff1595d341c5026be6
SHA1: fc423a5939f45a9d072e913a664d3f827dbf16fc
PEiD: -
File 200.exe received on 12.28.2007 18:21:48
Antivirus Version Last-update Result
AhnLab-V3 2007.12.28.12 2007.12.28 -
AntiVir 7.6.0.46 2007.12.28 -
Authentium 4.93.8 2007.12.28 -
Avast 4.7.1098.0 2007.12.27 -
AVG 7.5.0.516 2007.12.28 -
BitDefender 7.2 2007.12.28 -
CAT-QuickHeal 9.00 2007.12.28 -
ClamAV 0.91.2 2007.12.28 -
DrWeb 4.44.0.09170 2007.12.28 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5408 2007.12.28 -
Ewido 4.0 2007.12.28 -
FileAdvisor 1 2007.12.28 -
Fortinet 3.14.0.0 2007.12.28 -
F-Prot 4.4.2.54 2007.12.28 -
F-Secure 6.70.13030.0 2007.12.28 -
Ikarus T3.1.1.15 2007.12.28 -
Kaspersky 7.0.0.125 2007.12.28 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.28 -
NOD32v2 2754 2007.12.28 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.27 -
Prevx1 V2 2007.12.28 -
Rising 20.24.42.00 2007.12.28 -
Sophos 4.24.0 2007.12.28 -
Sunbelt 2.2.907.0 2007.12.28 -
Symantec 10 2007.12.28 -
TheHacker 6.2.9.173 2007.12.28 -
VBA32 3.12.2.5 2007.12.26 -
VirusBuster 4.3.26:9 2007.12.28 -
Webwasher-Gateway 6.6.2 2007.12.28 -
Filename: winlogon.exe
File size: 32768 bytes
MD5: fbfbd1328abebf6bf2c3e59c0db6c2ff
SHA1: a303bad63ced422c99469414d82e216924db569f
PEiD: -
File winlogon.exe received on 12.28.2007 18:24:44
Antivirus Version Last-update Result
AhnLab-V3 2007.12.28.12 2007.12.28 -
AntiVir 7.6.0.46 2007.12.28 -
Authentium 4.93.8 2007.12.28 -
Avast 4.7.1098.0 2007.12.27 -
AVG 7.5.0.516 2007.12.28 -
BitDefender 7.2 2007.12.28 -
CAT-QuickHeal 9.00 2007.12.28 -
ClamAV 0.91.2 2007.12.28 -
DrWeb 4.44.0.09170 2007.12.28 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5408 2007.12.28 -
Ewido 4.0 2007.12.28 -
FileAdvisor 1 2007.12.28 -
Fortinet 3.14.0.0 2007.12.28 -
F-Prot 4.4.2.54 2007.12.28 -
F-Secure 6.70.13030.0 2007.12.28 -
Ikarus T3.1.1.15 2007.12.28 -
Kaspersky 7.0.0.125 2007.12.28 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.28 -
NOD32v2 2754 2007.12.28 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.27 -
Prevx1 V2 2007.12.28 -
Rising 20.24.42.00 2007.12.28 -
Sophos 4.24.0 2007.12.28 -
Sunbelt 2.2.907.0 2007.12.28 -
Symantec 10 2007.12.28 -
TheHacker 6.2.9.173 2007.12.28 -
VBA32 3.12.2.5 2007.12.26 -
VirusBuster 4.3.26:9 2007.12.28 -
Webwasher-Gateway 6.6.2 2007.12.28 -
Filename: deflib.sys
File size: 7923 bytes
MD5: 9894edce78bfa80a35860ec23092830b
SHA1: 222984ae4d3e125d49570ad49e31dffbc94e7fde
PEiD: -
Kaspersky: Trojan.Win32.Agent.asu
File is 100% detected at Virustotal.
<h4>
Visible signs
</h4>
Logfile of Trend Micro HijackThis v2.0.2
....
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\[UserName]\LOCALS~1\Temp\winlogon.exe
<h4>
Technical details
</h4>
Registry changes.
- Adds a service called SysLibrary
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSLIBRARY
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSLIBRARY\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "DeviceDesc"
Type: REG_SZ
Data: SysLibrary
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000 "Service"
Type: REG_SZ
Data: SysLibrary
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSLIBRARY\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSLIBRARY\0000\Control "ActiveService"
Type: REG_SZ
Data: SysLibrary
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary "ImagePath"
Type: REG_SZ
Data: \??\C:\WINDOWS\system32\DefLib.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_SYSLIBRARY\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
- Adds an IP to contact and a unique number to identify the victim.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "host"
Type: REG_SZ
Data: 66.232.118.207
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "id"
Type: REG_SZ
Data: 282407444171
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security "host"
Type: REG_SZ
Data: 66.232.118.207
- Lowers security settings in the Internet Zone.
File changes.
%Temp%\winlogon.exe
%System%\deflib.sys
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
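An added Python example (not part of the original write-up) that parses registry-change records in the three-line layout used above and flags the artefacts this analysis describes: the SysLibrary driver service, the "host"/"id" values under the Internet Explorer key, and the Run entry launching winlogon.exe from %Temp%. The sample records are constructed from the entries above; the full Run key path is the expanded form of the HijackThis "HKCU\..\Run" line and [UserName] is a placeholder.

```python
import re
# Sample registry-change records, constructed from the entries in the write-up above
# (same "key "value" / Type / Data" layout); [UserName] is a placeholder.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysLibrary "ImagePath"
Type: REG_SZ
Data: \??\C:\WINDOWS\system32\DefLib.sys
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "host"
Type: REG_SZ
Data: 66.232.118.207
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "id"
Type: REG_SZ
Data: 282407444171
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Firewall auto setup"
Type: REG_SZ
Data: C:\DOCUME~1\[UserName]\LOCALS~1\Temp\winlogon.exe
"""

KEY_RE = re.compile(r'^(HKEY_[A-Z_]+\\[^"]+) "([^"]*)"$')

def parse_entries(text):
    """Group the report's three-line records into dicts with key, value, type and data."""
    entries, cur = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            cur = {"key": m.group(1), "value": m.group(2), "type": None, "data": None}
        elif cur and line.startswith("Type: "):
            cur["type"] = line[6:].strip()
        elif cur and line.startswith("Data: "):
            cur["data"] = line[6:].strip()
            entries.append(cur)
            cur = None
    return entries

def find_indicators(entries):
    """Flag the persistence and command-and-control artefacts described in the write-up."""
    hits = []
    for e in entries:
        key, val, data = e["key"].lower(), e["value"].lower(), (e["data"] or "").lower()
        # Kernel driver service whose image is DefLib.sys: the rootkit component.
        if key.endswith(r"\services\syslibrary") and val == "imagepath" and "deflib.sys" in data:
            hits.append(("kernel driver service", e["key"], e["data"]))
        # C2 host and victim id parked under an unrelated Internet Explorer key.
        elif key.endswith(r"\internet explorer\desktop") and val in ("host", "id"):
            hits.append(("c2 " + val, e["key"], e["data"]))
        # The real winlogon.exe lives in system32; a copy started from %Temp% is the persistence entry.
        elif key.endswith(r"\currentversion\run") and "\\temp\\winlogon.exe" in data:
            hits.append(("run-key persistence", e["key"], e["data"]))
    return hits
```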
<h4>
Notes
</h4>
The rootkit steals locally stored email addresses and sends them to a remote server for spam purposes. It is also able to send out email messages with its built-in SMTP client engine. The backdoor component allows the remote hacker to download and install additional components on the compromised PC.
After a while, Explorer.exe requests internet access to the IP stored in the registry as the "host" value (see HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "host").
In the request for s_alive.php, the unique id from the registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop "id" is also transmitted, along with additional information.
<h4>
Rootkit Scan
</h4>
As seen in the rootkit scan, the rootkit's file-hiding filter is broader than its own two file names: legitimate system files starting with w and d are hidden as well. The entries related to the rootkit itself were marked in red in the original listing.
GMER 1.0.14.13998 - http://www.gmer.net
Rootkit scan 2007-12-28 19:24:09
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwCreateThread [0xF9F74860]
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwOpenProcess [0xF9F74790]
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwQueryDirectoryFile [0xF9F74550]
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwQuerySystemInformation [0xF9F74380]
---- User code sections - GMER 1.0.14 ----
? C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe[1308] PE header mismatch; number of sections mismatch;
.idata Sections: C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe[1308] C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe unknown last section [0x0050E000, 0x1000, 0xC0000040]
---- Processes - GMER 1.0.14 ----
Library C:\WINDOWS\system32\winlogon.exe (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [504] 0x01000000
Process C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe (*** hidden *** ) 1308
Library C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe (*** hidden *** ) @ C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe [1308] 0x00400000
---- Files - GMER 1.0.14 ----
File C:\Documents and Settings\KLY\Local Settings\Temp\winlogon.exe 32768 bytes
File C:\WINDOWS\system32\defrag.exe 25088 bytes
File C:\WINDOWS\system32\DefLib.sys 7923 bytes
File C:\WINDOWS\system32\dllcache\winlogon.exe 502272 bytes
File C:\WINDOWS\system32\winsta.dll 53760 bytes
File C:\WINDOWS\system32\winstrm.dll 18944 bytes
File C:\WINDOWS\system32\wintrust.dll 176640 bytes
File C:\WINDOWS\system32\winver.exe 5632 bytes
File C:\WINDOWS\system32\wkssvc.dll 132096 bytes
File C:\WINDOWS\system32\wldap32.dll 172032 bytes
File C:\WINDOWS\system32\desk.cpl 135168 bytes
File C:\WINDOWS\system32\deskadp.dll 16384 bytes
File C:\WINDOWS\system32\deskmon.dll 16896 bytes
File C:\WINDOWS\system32\deskperf.dll 18432 bytes
File C:\WINDOWS\system32\winlogon.exe 502272 bytes
File C:\WINDOWS\system32\winmine.exe 119808 bytes
File C:\WINDOWS\system32\winmm.dll 176128 bytes
File C:\WINDOWS\system32\winmsd.exe 11776 bytes
File C:\WINDOWS\system32\winnls.dll 5120 bytes
File C:\WINDOWS\system32\winntbbu.dll 764928 bytes
File C:\WINDOWS\system32\winoldap.mod 2080 bytes
File C:\WINDOWS\system32\winrnr.dll 16896 bytes
File C:\WINDOWS\system32\wins 0 bytes
File C:\WINDOWS\system32\winscard.dll 99328 bytes
File C:\WINDOWS\system32\winshfhc.dll 17408 bytes
File C:\WINDOWS\system32\winsock.dll 2864 bytes
File C:\WINDOWS\system32\winspool.drv 146432 bytes
File C:\WINDOWS\system32\winspool.exe 2112 bytes
File C:\WINDOWS\system32\winsrv.dll 290816 bytes
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\DefLib.sys SysLibrary
---- EOF - GMER 1.0.14 ----
The legitimate C:\WINDOWS\system32\winlogon.exe is also intentionally hidden from the user.
Stealth-mode rootkit. Just compare the two images below and see for yourself what Process Explorer lists before (clean PC) and after.
[Image: Process Explorer on a clean PC]
[Image: Process Explorer with the rootkit installed]
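An added Python example (not from the original write-up or from GMER) that triages a GMER log like the one above: it extracts which driver owns each SSDT hook, which processes are hidden, which service loads the driver, and which hidden files are not the rootkit's own, the collateral hiding of "w" and "d" files the author points out. The sample log is a constructed subset of the scan above.

```python
import ntpath
import re
# Sample GMER log, constructed from a subset of the scan lines shown above.
SAMPLE_LOG = r"""---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwQueryDirectoryFile [0xF9F74550]
SSDT \??\C:\WINDOWS\system32\DefLib.sys ZwQuerySystemInformation [0xF9F74380]
---- Processes - GMER 1.0.14 ----
Process C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe (*** hidden *** ) 1308
---- Files - GMER 1.0.14 ----
File C:\Documents and Settings\KLY\Local Settings\Temp\winlogon.exe 32768 bytes
File C:\WINDOWS\system32\defrag.exe 25088 bytes
File C:\WINDOWS\system32\DefLib.sys 7923 bytes
File C:\WINDOWS\system32\wintrust.dll 176640 bytes
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\DefLib.sys SysLibrary
"""

# One regex per GMER record type that matters for triage.
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+) \[0x[0-9A-Fa-f]+\]$")
HIDDEN_RE = re.compile(r"^(Process|Library) (.+?) \(\*\*\* hidden \*\*\* \)")
FILE_RE = re.compile(r"^File (.+) (\d+) bytes$")
SERVICE_RE = re.compile(r"^Service (\S+) (\S+)$")

def triage(log):
    """Collect SSDT hooks (function -> hooking module), hidden objects, hidden files and services."""
    r = {"ssdt": {}, "hidden": [], "files": [], "services": {}}
    for line in log.splitlines():
        if m := SSDT_RE.match(line):
            r["ssdt"][m.group(2)] = m.group(1)
        elif m := HIDDEN_RE.match(line):
            r["hidden"].append((m.group(1), m.group(2)))
        elif m := FILE_RE.match(line):
            r["files"].append((m.group(1), int(m.group(2))))
        elif m := SERVICE_RE.match(line):
            r["services"][m.group(2)] = m.group(1)
    return r

def hooking_modules(report):
    """Group hooked Zw* functions by the driver that owns the hook address."""
    by_module = {}
    for func, module in report["ssdt"].items():
        by_module.setdefault(ntpath.basename(module).lower(), []).append(func)
    return by_module

def collateral_hidden_files(report, rootkit_paths):
    """Hidden files that are not the rootkit's own: the ZwQueryDirectoryFile hook filters by
    name prefix, so legitimate files starting with the same letters disappear from listings too."""
    own = {p.lower() for p in rootkit_paths}
    return [path for path, _ in report["files"] if path.lower() not in own]
```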
<h4>
Offending IP
</h4>
88.255.94.250
IP Location: Turkey Abdallah Internet Hizmetleri
inetnum: 88.255.94.0 - 88.255.94.255
netname: AbdAllah_Internet
descr: AbdAllah Internet Hizmetleri
descr: Etnografya Muze mevkii Kirazlik Mh. No:32 Rize
country: tr
admin-c: MAG87-RIPE
tech-c: MAG87-RIPE
status: assigned pa
mnt-by: as9121-mnt
source: RIPE # Filtered
person: Mahmod AbdAllah el Gashmi
address: AbdAllah Internet Hizmetleri
e-mail:
phone: +90 543 3767728
remarks: ------------------------------------------------------
remarks: Routing and peering issues:
remarks: SPAM and Network security issues:
remarks: Customer support:
remarks: General information:
remarks: ------------------------------------------------------
nic-hdl: MAG87-RIPE
mnt-by: sistem-net-mnt
source: RIPE # Filtered
route: 88.255.0.0/16
descr: TurkTelekom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered