File details
Filename: dropper.exe
File size: 748279 bytes
MD5: 6ab0800a87ca21087c4a463b6f32ba16
SHA1: aa9aa7eaadc3d4cc4f5e56a34ca29da0e05cd777
PEiD: Themida/WinLicense V1.8.0.2 + -> Oreans Technologies
packers: Themida
Technical details
Registry changes.
- Adds a hidden service called srosa.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "DeviceDesc"
Type: REG_SZ
Data: Megadrv3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000 "Service"
Type: REG_SZ
Data: srosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA\0000\Control "ActiveService"
Type: REG_SZ
Data: srosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa "ErrorControl"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\WINDOWS\system32\drivers\srosa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_SROSA\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa\Security
- Adds 2 hidden run entries.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drvsyskit"
Type: REG_SZ
Data: C:\WINDOWS\system32\drivers\hldrrr.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "german.exe"
Type: REG_SZ
Data: C:\WINDOWS\system32\wintems.exe
- Misc changes.
HKEY_CURRENT_USER\Software\FirstRRRun
HKEY_CURRENT_USER\Software\FirstRRRun "First12Ru123n"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\TestProg
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\TestProg\Recent File List
HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\TestProg\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center\Svc "EnableLUA"
Type: REG_DWORD
Data: 16, 00, 00, 00
- Deletes the SafeBoot keys so that the computer can't boot into Safe Mode anymore.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
- Changes the startup type of security-related services (firewall and antivirus) to disabled (Start = 4). Note that some entries will differ from one PC to another depending on the software installed.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr "Start"
Old data: 02, 00, 00, 00
New data: 04, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPwdSvc "Start"
Old data: 03, 00, 00, 00
New data: 04, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ip6Fw "Start"
Old data: 03, 00, 00, 00
New data: 04, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio "Start"
Old data: 03, 00, 00, 00
New data: 04, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NISUM "Start"
Old data: 02, 00, 00, 00
New data: 04, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start"
Old data: 02, 00, 00, 00
New data: 04, 00, 00, 00
- New hidden folder.
%System%\drivers\down
- Files (files in red are hidden)
%System%\ban_list.txt
Size: 5,733 bytes
%System%\mdelk.exe
Size: 71,172 bytes
%System%\wintems.exe
Size: 71,172 bytes
%System%\drivers\hldrrr.exe
Size: 748,279 bytes
%System%\drivers\srosa.sys
Size: 112,432 bytes
- Overwrites 1 file - see below under Notes.
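As an added example (not part of the original analysis), a short Python script that decodes the listing format used above and pulls out the changes a responder should act on first: the new system-start service, the services switched to disabled, and EnableLUA cleared. It assumes the DWORD bytes are dumped little-endian in hex; the sample records are copied from the listing.

```python
import re

# Added example (not from the original analysis): decode the registry listing format
# used above and flag the changes a responder cares about. Assumption: DWORD bytes are
# dumped little-endian as hex pairs, so "01, 00, 00, 00" decodes to 1.
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}
KEY_LINE = re.compile(r'^(HKEY_[A-Z_]+\\.+?) "(.+)"$')

def dword_from_bytes(text):
    return int.from_bytes(bytes(int(p, 16) for p in text.split(",")), "little")

def parse_records(dump):
    """Attach Type/Data/Old data/New data lines to the 'key "value"' line above them."""
    records, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if m := KEY_LINE.match(line):
            current = {"key": m.group(1), "value": m.group(2)}
            records.append(current)
        elif current and ":" in line:
            field, _, val = line.partition(":")
            current[field.strip().lower()] = val.strip()
    return records

def triage(records):
    """Findings a responder wants first: services disabled, new early-start services, UAC off."""
    findings = []
    for r in records:
        key, name = r["key"], r["value"]
        leaf = key.rsplit("\\", 1)[-1]      # service name for ...\Services\<svc> keys
        if name == "Start" and "new data" in r:
            old, new = (dword_from_bytes(r[k]) for k in ("old data", "new data"))
            if new == 4:
                findings.append(f"{leaf}: start type {START_NAMES.get(old, old)} -> disabled")
        elif name == "Start" and "\\Services\\" in key:
            start = dword_from_bytes(r["data"])
            if start <= 1:                  # boot/system start: loads before any logon
                findings.append(f"{leaf}: new service with {START_NAMES[start]} start")
        elif name == "EnableLUA" and "policies" in key and dword_from_bytes(r["data"]) == 0:
            findings.append("EnableLUA set to 0 (UAC disabled)")
    return findings

SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa "Start"
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr "Start"
Old data: 02, 00, 00, 00
New data: 04, 00, 00, 00
"""  # sample records copied from the listing above
```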
Rootkit Scan
The rootkit hides legitimate files too, as seen in the scan.
GMER 1.0.14.14105 - http://www.gmer.net
Rootkit scan 2008-02-07 18:16:27
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xF4C7A31C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwQuerySystemInformation [0xF4C7FC8A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwSetInformationFile [0xF4C7A41A]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtQuerySystemInformation
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtSetInformationFile
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwCreateKey + 40B 8056EBB4 7 Bytes JMP F4C7FEBE \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!ZwQueryKey + 2F2 8056EEAB 7 Bytes JMP F4C7F836 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!IoCreateFile + EB 8056FB8E 7 Bytes JMP F4C7F4DC \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtOpenFile + 60 8056FBF3 7 Bytes JMP F4C7F3BE \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtOpenProcess 80572D06 5 Bytes JMP F4C7A320 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory + 45B 80573510 7 Bytes JMP F4C7FADC \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!ZwCreateSemaphore + 449 80573C88 7 Bytes JMP F4C7A546 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtSetInformationFile 80576E9C 5 Bytes JMP F4C7A41E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtQuerySystemInformation 8057D786 5 Bytes JMP F4C7FC8E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!ZwAcceptConnectPort + 871 8057FB73 7 Bytes JMP F4C7F58C \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 1835 80593AA7 7 Bytes JMP F4C7A760 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey + 1685 80595131 7 Bytes JMP F4C7A960 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtQueryInformationAtom + 5D2 805D7392 7 Bytes JMP F4C7A3CE \??\C:\WINDOWS\system32\drivers\srosa.sys
---- Processes - GMER 1.0.14 ----
Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 1312
Process C:\WINDOWS\system32\drivers\hldrrr.exe (*** hidden *** ) 1676
---- Registry - GMER 1.0.14 ----
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@drvsyskit C:\WINDOWS\system32\drivers\hldrrr.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@german.exe C:\WINDOWS\system32\wintems.exe
---- Files - GMER 1.0.14 ----
File C:\Documents and Settings\KLY\Application Data\Symantec\Shared 0 bytes
File C:\Documents and Settings\KLY\Application Data\Symantec\Shared\MyProfile.UserProfile 816 bytes
File C:\Documents and Settings\KLY\Application Data\Symantec\Shared\Options.VcPref 432 bytes
File C:\Documents and Settings\KLY\Application Data\Symantec\Shared\Sessions 0 bytes
File C:\Documents and Settings\KLY\Application Data\Symantec\Shared\Sessions\20070505154426808.liveReg 13520 bytes
File C:\Program Files\Movie Maker\Shared 0 bytes
File C:\Program Files\Movie Maker\Shared\Empty.txt 18 bytes
File C:\Program Files\Movie Maker\Shared\Filters.xml 7591 bytes
File C:\Program Files\Movie Maker\Shared\news.png 138660 bytes
File C:\Program Files\Movie Maker\Shared\paint.png 67213 bytes
File C:\Program Files\Movie Maker\Shared\Profiles 0 bytes
File C:\Program Files\Movie Maker\Shared\Profiles\Blank.txt 21 bytes
File C:\Program Files\Movie Maker\Shared\Sample1.jpg 62732 bytes
File C:\Program Files\Movie Maker\Shared\Sample2.jpg 46822 bytes
File C:\WINDOWS\system32\drivers\hldrrr.exe 748279 bytes
File C:\WINDOWS\system32\drivers\srosa.sys 112432 bytes
File C:\WINDOWS\system32\drivers\down 0 bytes
File C:\WINDOWS\system32\drivers\down\119091.exe 805 bytes
File C:\WINDOWS\system32\drivers\down\119852.exe 1125 bytes
File C:\WINDOWS\system32\drivers\down\136456.exe 6958 bytes
File C:\WINDOWS\system32\drivers\down\139140.exe 546 bytes
File C:\WINDOWS\system32\drivers\down\141713.exe 685 bytes
File C:\WINDOWS\system32\drivers\down\144457.exe 33907 bytes
File C:\WINDOWS\system32\drivers\down\147091.exe 648 bytes
File C:\WINDOWS\system32\drivers\down\157446.exe 13044 bytes
File C:\WINDOWS\system32\drivers\down\188471.exe 212 bytes
File C:\WINDOWS\system32\drivers\down\189041.exe 212 bytes
File C:\WINDOWS\system32\drivers\down\192526.exe 1609 bytes
File C:\WINDOWS\system32\drivers\down\193548.exe 212 bytes
File C:\WINDOWS\system32\drivers\down\197083.exe 21295 bytes
File C:\WINDOWS\system32\drivers\down\206687.exe 1621 bytes
File C:\WINDOWS\system32\drivers\down\237441.exe 873 bytes
File C:\WINDOWS\system32\drivers\down\250670.exe 23206 bytes
File C:\WINDOWS\system32\drivers\down\38901357.exe 71172 bytes
File C:\WINDOWS\system32\drivers\down\79724.exe 628 bytes
File C:\WINDOWS\system32\drivers\down\91331.exe 13063 bytes
File C:\WINDOWS\system32\wintems.exe 71172 bytes
File C:\WINDOWS\ime\shared 0 bytes
File C:\WINDOWS\ime\shared\res 0 bytes
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\srosa.sys [SYSTEM] srosa
---- EOF - GMER 1.0.14 ----
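An added example, not from the original analysis: a parser for the GMER report above that groups the patched kernel routines by the driver they jump into and lists the processes marked hidden. The regexes assume GMER 1.0.14's line layout; the sample lines are copied from the scan.

```python
import re

# Added example (not from the original analysis): a small parser for the GMER text
# report above. It lists which kernel routines are patched with a jump into which
# driver, and which processes the report marks as hidden. Sample lines are copied
# from the scan; the line layout assumed here is GMER 1.0.14's.
INLINE_HOOK = re.compile(      # PAGE ntoskrnl.exe!NtOpenProcess 80572D06 5 Bytes JMP F4C7A320 <driver>
    r"^\S+\s+(?P<module>\S+)!(?P<func>\w+)(?: \+ (?P<off>[0-9A-F]+))?\s+[0-9A-F]+\s+"
    r"(?P<len>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-F]+)\s+(?P<driver>\S+)$")
CODE_HOOK = re.compile(        # Code <driver> ZwOpenProcess [0xF4C7A31C]
    r"^Code\s+(?P<driver>\S+)\s+(?P<func>\w+)(?:\s+\[0x[0-9A-F]+\])?$")
HIDDEN_PROC = re.compile(      # Process <path> (*** hidden *** ) <pid>
    r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)$")

def parse_gmer(report):
    """Return ({driver: {hooked routine, ...}}, {pid: image path})."""
    hooks, hidden = {}, {}
    for line in report.splitlines():
        line = line.strip()
        if m := INLINE_HOOK.match(line):
            # "Zw...+off" means GMER named the nearest export; the patch sits off bytes
            # past it, usually inside a routine that has no exported name.
            name = m["func"] + (f"+{m['off']}" if m["off"] else "")
            hooks.setdefault(m["driver"], set()).add(name)
        elif m := CODE_HOOK.match(line):
            hooks.setdefault(m["driver"], set()).add(m["func"])
        elif m := HIDDEN_PROC.match(line):
            hidden[int(m["pid"])] = m["path"]
    return hooks, hidden

def direct_hooks(hooks, driver):
    """Routines patched at their entry point (no offset): the ones the rootkit clearly targets."""
    return sorted(n for n in hooks.get(driver, ()) if "+" not in n)

SAMPLE_REPORT = r"""
Code \??\C:\WINDOWS\system32\drivers\srosa.sys ZwOpenProcess [0xF4C7A31C]
Code \??\C:\WINDOWS\system32\drivers\srosa.sys NtOpenProcess
PAGE ntoskrnl.exe!ZwCreateKey + 40B 8056EBB4 7 Bytes JMP F4C7FEBE \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtOpenProcess 80572D06 5 Bytes JMP F4C7A320 \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtSetInformationFile 80576E9C 5 Bytes JMP F4C7A41E \??\C:\WINDOWS\system32\drivers\srosa.sys
PAGE ntoskrnl.exe!NtQuerySystemInformation 8057D786 5 Bytes JMP F4C7FC8E \??\C:\WINDOWS\system32\drivers\srosa.sys
Process C:\WINDOWS\system32\wintems.exe (*** hidden *** ) 1312
Process C:\WINDOWS\system32\drivers\hldrrr.exe (*** hidden *** ) 1676
"""
```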
Notes
In the analysis below, you will see screenshots of the different programs accessing the internet. In reality you won't see those alerts because Bagle disables and prevents security applications from running. I had to run the installer twice in order to obtain certain screenshots, once by protecting applications from being killed and another time in order to let the rootkit fully load.
The dropper is Themida-packed. Depending on the protection options selected, such applications cannot be monitored, debugged or run inside a virtual machine. This is a typical example of legitimate software being misused.
When run, dropper.exe poses as a crack for an application and asks you to select the executable. The crack is a fake, so this is of no use of course.
Dropper.exe creates a couple of registry entries - those listed under Misc changes - and performs a nifty trick to fully install itself upon reboot. Everyone has some programs running that have a startup entry in the registry under one of the Run keys. They show up like this in HijackThis logs:
O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
Dropper.exe enumerates the running processes and picks one, preferably a security application, kills that process and copies itself over the program's executable under the same name so that it is loaded at the next reboot. In my case C:\Program Files\Common Files\Symantec Shared\ccApp.exe was replaced by a copy of dropper.exe. Notice the new date and time stamp, 7 June 2004. This file will not show up in a search for files created or modified in the last 30 days, as many fixes perform.
Nothing else will happen until we reboot the computer. Upon restart, the replaced ccApp.exe drops hldrrr.exe and srosa.sys into the %System%\drivers folder, the srosa service is created, the SafeBoot keys are deleted, etc., and hldrrr.exe is launched by ccApp.exe. The rootkit is now fully installed.
Once loaded, hldrrr.exe attempts to kill all processes belonging to security applications (firewall and antivirus). Their services are set to disabled so that they no longer start at the next reboot (see Registry changes under Technical details for more info). The corresponding files may get deleted.
The next step is to download additional malware from the internet.
hldrrr.exe tries to download files2.php from different servers. The files are stored in the C:\WINDOWS\system32\drivers\down\ folder under randomly numbered file names (see the rootkit scan). In the screenshot below we see such a search: 217.167.24.32, for example, contains a redirect to the server where the executable can be found. The files are served as .jpg images but are renamed during the download.
Some will be fully operational executables, some will only contain HTML code (mainly 404 errors because the file was not found on the server).
Note: b4_1.jpg is renamed to 38866947.exe - details: see below.
b4_31.jpg will be renamed to 38901357.exe. This file will be launched shortly as it belongs to the initial infection.
The file copies itself to the %System% folder as wintems.exe and mdelk.exe. A hidden startup entry is created for wintems.exe and both files are launched. Being the same file, they probably watch over each other in case someone tries to delete one of them.
wintems.exe listens for inbound connections and also accesses the internet.
wintems.exe starts by downloading a ban list. This file is saved as %System%\ban_list.txt and contains a huge number of IP ranges.
Next, wintems.exe does nothing but request /images/news.php from different servers, using a distinctive User-Agent string named szNotifyIdent.
All requests I was able to see in Ethereal returned a 404 error.
During one of my "runs" a 12966970-byte SWF file was also downloaded.
GET /videos/Clicks_en_10mins/Clicks_en_10min.swf HTTP/1.1
User-Agent: szNotifyIdent
Host: ganarpastafacil.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 07 Feb 2008 06:37:33 GMT
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2 PHP/5.1.2
Last-Modified: Sat, 02 Feb 2008 19:18:45 GMT
ETag: "66799ac-c5dc3a-c274ef40"
Accept-Ranges: bytes
Content-Length: 12966970
Connection: close
Content-Type: application/x-shockwave-flash
Content-Language: it
In the meantime hldrrr.exe continues to download additional malware. During certain periods, downloads are paused and hldrrr.exe performs DNS lookups.
Be prepared to see a huge amount of other malware on the computer. The sample below is a Pinch and upon execution it posts back to its server; but as seen below the ppp.php file was not found. 38866947.exe is detected as Trojan-PSW.Win32.LdPinch.ewq by Kaspersky.
Users will encounter numerous errors when attempting to start firewall, antivirus and other security applications or fixes. The most common error is: "x is not a valid win32 application". Bagle corrupts the PE headers of files containing certain strings (avp, combofix, icesword, to name only a few). Other messages may be related to corrupt installs, missing files, etc.
The main purpose seems to be the download and installation of many other infections. Most of the victims will end up with a severely compromised system. After a few hours or days one can reasonably presume that the down folder will contain a huge number of files. While a repair is very often possible, you will never know what has been stolen, compromised or changed. I personally advise you to take the time to reinstall from scratch.
For information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall