File details


Filename: AXLNBDJR.exe

File size: 65536 bytes
MD5: 03ee13e3a7fb5d22a08895a97f653352
SHA1: b7438b73f9009ddfe30d547d4b473229888b5975
PEiD: Microsoft Visual Basic 5.0 / 6.0
File AXLNBDJR.exe received on 05.04.2008 22:10:00
AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.02 -
Authentium 4.93.8 2008.05.02 -
Avast 4.8.1169.0 2008.05.04 -
AVG 7.5.0.516 2008.05.03 Worm/Generic.FBI
BitDefender 7.2 2008.05.04 -
CAT-QuickHeal 9.50 2008.05.03 -
ClamAV 0.92.1 2008.05.04 -
DrWeb 4.44.0.09170 2008.05.04 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5755 2008.05.03 -
Ewido 4.0 2008.05.04 -
F-Prot 4.4.2.54 2008.05.04 -
F-Secure 6.70.13260.0 2008.05.04 Worm.Win32.AutoRun.dpp
FileAdvisor 1 2008.05.04 -
Fortinet 3.14.0.0 2008.05.04 -
Ikarus T3.1.1.26.0 2008.05.04 -
Kaspersky 7.0.0.125 2008.05.04 Worm.Win32.AutoRun.dpp
McAfee 5287 2008.05.02 W32/Generic!floppy
Microsoft 1.3408 2008.04.22 -
NOD32v2 3072 2008.05.03 -
Norman 5.80.02 2008.05.02 -
Panda 9.0.0.4 2008.05.04 W32/Esalma.A.worm
Prevx1 V2 2008.05.04 -
Rising 20.42.62.00 2008.05.04 -
Sophos 4.29.0 2008.05.04 Mal/VB-F
Sunbelt 3.0.1097.0 2008.05.03 -
Symantec 10 2008.05.04 -
TheHacker 6.2.92.300 2008.05.03 -
VBA32 3.12.6.5 2008.05.03 -
VirusBuster 4.3.26:9 2008.05.03 -
Webwasher-Gateway 6.6.2 2008.05.04 -

Visible signs


Logfile of Trend Micro HijackThis v2.0.2
...
O4 - HKLM\..\Run: [Audiotracker.exe] c:\WINDOWS\cftmon.exe

Technical details


Registry changes.
  • Creates a loading point in order to start on each boot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Audiotracker.exe"
    Type: REG_SZ
    Data: c:\WINDOWS\cftmon.exe
Files added.
c:\autorun.inf
Date: 5/4/2008 12:41 AM
Size: 46 bytes
c:\KKCKHCMG.exe (*)
Date: 5/4/2008 12:34 AM
Size: 65,536 bytes
%Temp%\~DFC71F.tmp (*)
Date: 1/11/2008 4:49 PM
Size: 32,125 bytes
%windir%\cftmon.exe
Date: 5/4/2008 12:34 AM
Size: 65,536 bytes
%windir%\diskxp.ini
Date: 5/4/2008 12:34 AM
Size: 65,536 bytes
%windir%\svchost.exe
Date: 5/4/2008 12:34 AM
Size: 65,536 bytes
Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me/Windows XP) or C:\Winnt\ (Windows NT/2000).

(*) Random file names.

Files modified.
c:\ntldr
Old date: 8/4/2004 2:00 PM
New date: 5/4/2008 12:41 AM
Old size: 250,032 bytes
New size: 250,033 bytes

Notes

  • Copies itself to flash / removable drives in order to propagate.
  • Adds a Registry Key (RUN) to auto start on system boot up.
  • Creates a random named file in the %temp% folder.
  • Searches & marks c:\ntldr for deletion. Creates a new ntldr file.
  • The file contains a list of cracks. Two are randomly picked out of the list and the program tries to create them. Even if the folder C:\archivos de programa\emule\incoming\ or C:\program files\emule\incoming\ exists, this operation seems to fail (access violation in kernel32.dll).
    Examples:
    • [kxdz2]Nero 7.0.1.3.Keygen.all.versions.[Deviance].exe
    • [kxdz2e]Norton Antivirus 2007 keygen.[Deviance].exe

  • Copies itself as C:\WINDOWS\svchost.exe, C:\WINDOWS\cftmon.exe and C:\WINDOWS\diskxp.ini
  • Starts C:\WINDOWS\svchost.exe and checks if C:\WINDOWS\svchost.cfg is present.
  • Creates c:\autorun.inf & copies itself under a random name in c:\.
  • C:\WINDOWS\svchost.exe recreates the startup entry every 8 seconds and checks if the other files are still present.
    Sun 04 - 00:41:49 [EXECUTION] "c:\windows\system32\reg.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\svchost.exe" [1724]
                      [EXECUTION] Commandline - [ reg add hklm\software\microsoft\windows\currentversion\run /v audiotracker.exe /t reg_sz /d c:\windows\cftmon.exe /f ]
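
The persistence indicators above (the O4 entry from the HijackThis log and the reg.exe command line spawned by the rogue svchost.exe) can be triaged automatically. The script below is an added example written for this write-up, not part of the original post or any tool the post mentions; the sample lines are constructed from the text above, and the lookalike list and the "system32-only" binary list are assumptions chosen for this sample.

```python
"""Flag Run-key autostart entries that match the indicators in this write-up."""
import re
from pathlib import PureWindowsPath

# Assumption: on XP these binaries legitimately live only in %windir%\system32.
SYSTEM32_ONLY = {"svchost.exe", "ctfmon.exe", "reg.exe"}
# Lookalike names used by this sample (cftmon.exe mimics the legitimate ctfmon.exe).
LOOKALIKES = {"cftmon.exe": "ctfmon.exe"}

# HijackThis "O4" line, e.g.  O4 - HKLM\..\Run: [Audiotracker.exe] c:\WINDOWS\cftmon.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
# "reg add" command line as it appears in the execution log above.
REGADD_RE = re.compile(r"reg add (?P<key>\S+) /v (?P<name>\S+) /t reg_sz /d (?P<path>\S+)", re.I)

def suspicious_run_entry(name: str, path: str) -> list:
    """Return the reasons an autostart value (name -> target path) looks like the worm's."""
    p = PureWindowsPath(path.strip('"'))
    base, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if base in LOOKALIKES:
        reasons.append(f"{base} mimics the legitimate {LOOKALIKES[base]}")
    if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        reasons.append(f"{base} outside system32: {parent}")
    if name.lower().endswith(".exe") and name.lower() != base:
        reasons.append(f"value name {name} does not match target {p.name}")
    return reasons

def parse_autostart(line: str):
    """Extract (value name, target path) from an O4 line or a reg add command; None otherwise."""
    m = O4_RE.match(line.strip()) or REGADD_RE.search(line)
    if not m or m.group("key").lower().split("\\")[-1] != "run":
        return None
    return m.group("name"), m.group("path")

def triage(lines) -> list:
    """Return [(line, reasons)] for every Run-key line that raises at least one flag."""
    hits = []
    for line in lines:
        parsed = parse_autostart(line)
        reasons = suspicious_run_entry(*parsed) if parsed else []
        if reasons:
            hits.append((line.strip(), reasons))
    return hits

# Constructed sample: the two entries quoted in the write-up plus one benign XP entry.
SAMPLE = [
    r"O4 - HKLM\..\Run: [Audiotracker.exe] c:\WINDOWS\cftmon.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"[EXECUTION] Commandline - [ reg add hklm\software\microsoft\windows\currentversion\run /v audiotracker.exe /t reg_sz /d c:\windows\cftmon.exe /f ]",
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE):
        print(line, "->", "; ".join(reasons))
```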

"Samael has come"


Upon reboot (before the bootscreen) the victim is presented with a message asking for a password.
"AH AH AH You DIDN.T SAY THE MAGIC WORD" - A reference to Dennis Nedry in Jurassic Park.
Note for non-English users: the keyboard layout is QWERTY.

If after 3 attempts you haven't found the "Magic Word", you are presented with a new message: "Samuel has come. This the End". At this stage, Windows of course doesn't boot.
Do not attempt to fix this yourself, seek help on the forums. Under no circumstances slave the HDD to restore c:\ntldr, the primary drive will become infected also due to the presence of autorun.inf on the slaved HDD.

A quick way would be to boot into the Recovery Console, using your CD.
  1. Insert the Windows XP bootable CD into the computer.
  2. When prompted to press any key to boot from the CD, press any key.
  3. Once in the Windows XP setup menu press the "R" key to repair Windows.
  4. Type the number that corresponds to the Windows installation that you want to repair and then press ENTER
  5. You will then be prompted for your administrator password, enter that password.
  6. Copy the ntldr from your CDROM to the root directory of the primary hard disk. In the example we are copying the file from the CD-ROM drive letter "E". This letter may be different on your computer.
    copy e:\i386\ntldr c:\
    and hit ENTER.
  7. Type each of the following lines followed by ENTER
    del c:\autorun.inf /q
    del c:\windows\cftmon.exe /q
  8. Remove the CD from the computer and reboot.
  9. Eventually delete the remaining files and seek help in the forums in order to disinfect other drives.
Thanks fly out to Malekal_morte for uploading the file.