File details
Filename: ljpvbhqw.exe
File size: 58368 bytes
MD5: 0b30964a26a980abc918f5c13d2ee6c5
SHA1: 74139bf1e6475c6b0582f2a713ca1600d0a79391
PEiD: -
File ljpvbhqw.exe received on 02.01.2008 23:40:50 (CET)
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 -
Authentium 4.93.8 2008.02.01 -
Avast 4.7.1098.0 2008.02.01 -
AVG 7.5.0.516 2008.02.01 -
BitDefender 7.2 2008.02.01 -
CAT-QuickHeal 9.00 2008.02.01 (Suspicious) - DNAScan
ClamAV 0.92 2008.02.01 -
DrWeb 4.44.0.09170 2008.02.01 -
eSafe 7.0.15.0 2008.01.28 Suspicious File
eTrust-Vet 31.3.5502 2008.02.01 -
Ewido 4.0 2008.02.01 -
FileAdvisor 1 2008.02.01 -
Fortinet 3.14.0.0 2008.02.01 -
F-Prot 4.4.2.54 2008.02.01 -
F-Secure 6.70.13260.0 2008.02.01 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.20 2008.02.01 -
Kaspersky 7.0.0.125 2008.02.01 -
McAfee 5221 2008.02.01 -
Microsoft 1.3204 2008.02.01 -
NOD32v2 2844 2008.02.01 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.01 Suspicious file
Prevx1 V2 2008.02.01 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.01 -
Sunbelt 2.2.907.0 2008.02.01 -
Symantec 10 2008.02.01 -
TheHacker 6.2.9.205 2008.02.01 -
VBA32 3.12.2.6 2008.01.31 -
VirusBuster 4.3.26:9 2008.02.01 -
Webwasher-Gateway 6.6.2 2008.02.01 Win32.Malware.gen!84 (suspicious)
Filename: fnhoje
File size: 54764 bytes
MD5: 19db6f7a7bc6b0d09ecc84094cdec903
SHA1: cfbc9df9375171dc52e57698fa944d934f2e9d38
PEiD: -
packers: PE_Patch
File fnhoje received on 02.01.2008 23:41:32 (CET)
AhnLab-V3 2008.2.2.10 2008.02.01 -
AntiVir 7.6.0.61 2008.02.01 TR/Rootkit.Gen
Authentium 4.93.8 2008.02.01 -
Avast 4.7.1098.0 2008.02.01 -
AVG 7.5.0.516 2008.02.01 -
BitDefender 7.2 2008.02.01 -
CAT-QuickHeal 9.00 2008.02.01 -
ClamAV 0.92 2008.02.01 -
DrWeb 4.44.0.09170 2008.02.01 -
eSafe 7.0.15.0 2008.01.28 -
eTrust-Vet 31.3.5502 2008.02.01 -
Ewido 4.0 2008.02.01 -
FileAdvisor 1 2008.02.01 -
Fortinet 3.14.0.0 2008.02.01 -
F-Prot 4.4.2.54 2008.02.01 -
F-Secure 6.70.13260.0 2008.02.01 -
Ikarus T3.1.1.20 2008.02.01 -
Kaspersky 7.0.0.125 2008.02.01 -
McAfee 5221 2008.02.01 -
Microsoft 1.3204 2008.02.01 Backdoor:Win32/Rustock.gen!D
NOD32v2 2844 2008.02.01 -
Norman 5.80.02 2008.02.01 -
Panda 9.0.0.4 2008.02.01 -
Prevx1 V2 2008.02.01 -
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.01 Mal/RKRustok-A
Sunbelt 2.2.907.0 2008.02.01 -
Symantec 10 2008.02.01 -
TheHacker 6.2.9.205 2008.02.01 -
VBA32 3.12.2.6 2008.01.31 -
VirusBuster 4.3.26:9 2008.02.01 -
Webwasher-Gateway 6.6.2 2008.02.01 Trojan.Rootkit.Gen
Technical details
Registry changes.
- Adds a hidden service called fnhoje:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fnhoje
File changes.
- Drops the rootkit driver as %System%\fnhoje
Size: 54 764 bytes
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Earlier variants often used static names (cf. xpdx, xpdt, lzx32, pe386); lately we have been seeing different service and file names, which makes the rootkit harder to spot. They are not totally random: a given installer always uses the same name, so this installer will always create a service and file called fnhoje. Other known names are:
- dxdss.sys
- fak32.sys
- ztx86.sys
- sysldr
- khtml.sys
- fvelwow.sys
- nested.sys
- ellowtab
Rootkit Scan
GMER 1.0.14.13998 - http://www.gmer.net
Rootkit scan 2008-02-01 20:46:41
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\system32\fnhoje ZwCreateKey [0xF5D37A66]
SSDT \??\C:\WINDOWS\system32\fnhoje ZwOpenKey [0xF5D37B1A]
SSDT \??\C:\WINDOWS\system32\fnhoje ZwTerminateProcess [0xF5D397E0]
---- Kernel code sections - GMER 1.0.14 ----
.text fnhoje F5D3710B 782 Bytes CALL F5D37110 \??\C:\WINDOWS\system32\fnhoje
.text fnhoje F5D3741A 365 Bytes [ 02, 49, 75, D5, 5F, 03, 7F, ... ]
.text fnhoje F5D37588 75 Bytes [ 00, 00, 04, 00, 00, 00, FF, ... ]
.text fnhoje F5D375D4 85 Bytes [ 20, 70, 72, 6F, 67, 72, 61, ... ]
.text fnhoje F5D3762A 42 Bytes [ 83, E2, 03, 45, 78, C1, 43, ... ]
.text ...
.text C:\WINDOWS\system32\fnhoje section is writeable [0xF5D37000, 0x720B, 0xE8000020]
? C:\WINDOWS\system32\fnhoje The system cannot find the file specified.
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F5D38AC6] fnhoje
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F5D39994] fnhoje
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5D39994] fnhoje
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5D39994] fnhoje
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F5D39994] fnhoje
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\fnhoje (*** hidden *** ) [SYSTEM] fnhoje
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje@ImagePath \??\C:\WINDOWS\system32\fnhoje
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\fnhoje\Security@Security 0x01 0x00 0x14 0x80 ...
---- EOF - GMER 1.0.14 ----
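As an added example (not part of the original analysis), a small Python triage over GMER log lines in the format quoted above: it flags SSDT hooks, a hidden service, a TCP/IP device filter, a writeable code section and a driver file the scanner could not find on disk. The sample log is constructed from the scan above, and the "hooks the SSDT and is hidden or extensionless" heuristic in suspicious_modules is an assumption of mine, not GMER's logic.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "kind module detail")
# Constructed sample in GMER's log format; module name, paths and addresses are
# taken from the scan quoted above.
GMER_LOG = r"""
SSDT \??\C:\WINDOWS\system32\fnhoje ZwCreateKey [0xF5D37A66]
SSDT \??\C:\WINDOWS\system32\fnhoje ZwOpenKey [0xF5D37B1A]
SSDT \??\C:\WINDOWS\system32\fnhoje ZwTerminateProcess [0xF5D397E0]
.text C:\WINDOWS\system32\fnhoje section is writeable [0xF5D37000, 0x720B, 0xE8000020]
? C:\WINDOWS\system32\fnhoje The system cannot find the file specified.
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F5D39994] fnhoje
Service C:\WINDOWS\system32\fnhoje (*** hidden *** ) [SYSTEM] fnhoje
""".strip()
# Line types worth triaging: GMER lists an SSDT entry only when it is hooked
# (points outside the kernel image) and marks services it found by walking
# kernel structures, rather than through the SCM, as "(*** hidden *** )".
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[([0-9A-Fx]+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+\\Driver\\Tcpip\s+(\S+)\s+(\S+)\s+\[\w+\]\s+(\S+)")
WRITEABLE_RE = re.compile(r"^\.text\s+(\S+)\s+section is writeable")

def module_name(path):
    return path.rsplit("\\", 1)[-1]  # '\??\C:\WINDOWS\system32\fnhoje' -> 'fnhoje'

def triage(log_text):
    """Return one Finding(kind, module, detail) per suspicious GMER line."""
    findings = []
    for line in log_text.splitlines():
        if m := SSDT_RE.match(line):
            findings.append(Finding("ssdt_hook", module_name(m[1]), m[2]))
        elif m := HIDDEN_SVC_RE.match(line):
            findings.append(Finding("hidden_service", module_name(m[1]), m[1]))
        elif m := MISSING_RE.match(line):
            findings.append(Finding("file_hidden_or_missing", module_name(m[1]), m[1]))
        elif m := ATTACHED_RE.match(line):
            findings.append(Finding("tcpip_filter", m[3], f"{m[1]} {m[2]}"))
        elif m := WRITEABLE_RE.match(line):
            findings.append(Finding("writeable_code_section", module_name(m[1]), m[1]))
    return findings

def suspicious_modules(findings):
    """Modules hooking the SSDT that are also hidden or extensionless (my heuristic)."""
    by_module = {}
    for f in findings:
        by_module.setdefault(f.module, set()).add(f.kind)
    return sorted(m for m, kinds in by_module.items()
                  if "ssdt_hook" in kinds and ("hidden_service" in kinds or "." not in m))
```

A legitimate antivirus driver also shows up as SSDT hooks, which is why the heuristic requires the extra hidden-service or extensionless-file signal before naming a module.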
Notes
Family: Rustock rootkit.
- Contains a spambot, backdoor trojan, and a rootkit. The backdoor component allows the remote hacker to download/install additional components and instruct the bot to launch massive SPAM attacks from the compromised system.
- Able to send out email message(s) with the built-in SMTP client engine.
- Downloads other files from the Internet.
New memory pages are created in the address space of services.exe, and a request for Internet access is initiated. The rootkit starts by performing DNS requests for several mail servers; only a very small part of that list is shown below, as the full list is really huge.
Next, it tries to resolve several domains:
- 208.72.168.97
- centerkras-tv.biz
- centerkras-tv.tv
- iloveeverybody.kz
- iloveeverybody.tj
- 208.72.169.54
- centerkras-tv.name
- centerkras-tv.info
Different connections are initiated by services.exe. When connecting to 208.72.169.54, compressed data is uploaded to the server after a successful login.
This might be data gathered from the compromised PC, or data requested by the hacker (the resolved mail server DNS requests?).
One thing we do see is that services.exe creates 4 files in the c:\windows\temp folder exactly 3 minutes after the initial install. Those files don't have a PE header; it's just scrambled data. In their current state they are harmless. Whether they contain data or are XORed PE files, right now I don't have the slightest idea.
c:\WINDOWS\Temp\3D6627311AA2FDBD.tmp
Size: 262 144 bytes
c:\WINDOWS\Temp\7CF28762C38CA0D4.tmp
Size: 182 609 bytes
c:\WINDOWS\Temp\8AF12AB59DCE7145.tmp
Size: 262 144 bytes
c:\WINDOWS\Temp\AE8AB41F91F72503.tmp
Size: 70 007 bytes
As mentioned, the rootkit is able to install additional malware on the computer. In our sample, 2 files were downloaded at a very early stage. They might be different with other droppers of the rootkit.
qwerty.jpg is downloaded and saved as %windir%\temp\6F6A3492.exe. The services.exe process executes the file and we find ourselves with a new BHO (Browser Helper Object) installed.
Notice the 3 unknown modules under the services.exe process.
The second file downloaded to the PC is called demos.exe and was saved as 2CC6D2DF.exe. The trojan uses the Winlogon notification key as a startup location.
HijackThis entry:
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B8622FF} - C:\Program Files\Helper\1201903823.dll
Note: The BHO file is partially random - BHO 1201******.dll, **********.dll (* = random digit)
This is probably only a glimpse of what is happening to our computer. When you are hit by one of these, be prepared to change all passwords and login information. Remember, it's a rootkit with remote access, you never know what has been done or stolen.
HijackThis entry:
O20 - Winlogon Notify: crypt - crypts.dll
Note: An overview on crypts.dll can be found here.
For information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
Offending IP
xabmiphabh.cn - 85.255.121.195
Website Title: None given.
IP Location - Ukraine - Ukrtelegroup Ltd
Domain Status: Registered And Active Website
Domain Name: xabmiphabh.cn
ROID: 20071107s10001s07883573-cn
Domain Status: ok
Registrant Organization: 0
Registrant Name: BellandCindy
Administrative Email:
Sponsoring Registrar:
Name Server:ns1.xabmiphabh.cn
Name Server:ns2.xabmiphabh.cn
Registration Date: 2007-11-07 05:11
Expiration Date: 2008-11-07 05:11
% Information related to '85.255.112.0 - 85.255.127.255'
inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
changed: staff@ukrtelegroup.com.ua 20071101
changed: hostmaster@ripe.net 20071102
source: RIPE
organisation: ORG-UL25-RIPE
org-name: UkrTeleGroup Ltd.
org-type: LIR
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
phone: +380487311011
fax-no: +380487502499
e-mail: staff@ukrtelegroup.com.ua
mnt-ref: UKRTELE-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20071005
changed: bitbucket@ripe.net 20071024
changed: bitbucket@ripe.net 20071031
changed: bitbucket@ripe.net 20071031
changed: bitbucket@ripe.net 20071114
changed: bitbucket@ripe.net 20071213
changed: bitbucket@ripe.net 20071213
changed: bitbucket@ripe.net 20071218
changed: bitbucket@ripe.net 20071221
changed: bitbucket@ripe.net 20080104
source: RIPE
person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa
e-mail: staff@ukrtelegroup.com.ua
abuse-mailbox: abuse@ukrtelegroup.com.ua
phone: +380631508855
nic-hdl: UA481-RIPE
changed: staff@ukrtelegroup.com.ua 20071016
source: RIPE
Other Websites.
1. Aarmrgdxrv.com
2. Abmmrvthjr.com
3. Acdedblshd.com
4. Adtctqypoa.com