<h4>
File details
</h4>Filename: ahshibhq.exe
File size: 113152 bytes
MD5: C2F957D887BF911FB446B0C3AFE6BB7E
PEiD: -
<h4>
Technical details
</h4>Registry changes.
- Adds a randomly named service. The values below register it as a boot-start kernel driver (Start = 0, Type = 1, Group = "Boot Bus Extender") whose image path is system32\drivers\pmmyvhzk.dat, a file GMER later reports as hidden. The values named "0", "4", "5", "7", "8", "9" and "10" hold little-endian DWORDs in the 0x80xxxxxx range, i.e. kernel-mode addresses on 32-bit Windows XP; "F4" and "R7" are NUL-terminated UTF-16LE strings that decode to windows\system32\lgbqt.dll and \registry\machine\software\microsoft\windows nt\currentversion\winlogon\notify\lgbqt, the notification package registered further down.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "DeviceDesc"
Type: REG_SZ
Data: hsfracsu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000 "Service"
Type: REG_SZ
Data: hsfracsu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HSFRACSU\0000\Control "ActiveService"
Type: REG_SZ
Data: hsfracsu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "0"
Type: REG_DWORD
Data: 63, F0, 56, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "10"
Type: REG_DWORD
Data: 26, 6B, 5A, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "4"
Type: REG_DWORD
Data: D9, 75, 56, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "5"
Type: REG_DWORD
Data: DD, 29, 58, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "7"
Type: REG_DWORD
Data: 27, 55, 57, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "8"
Type: REG_DWORD
Data: D5, 84, 56, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "9"
Type: REG_DWORD
Data: 62, F2, 57, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "F4"
Type: REG_BINARY
Data: 77, 00, 69, 00, 6E, 00, 64, 00, 6F, 00, 77, 00, 73, 00, 5C, 00, 73, 00, 79, 00, 73, 00, 74, 00, 65, 00, 6D, 00, 33, 00, 32, 00, 5C, 00, 6C, 00, 67, 00, 62, 00, 71, 00, 74, 00, 2E, 00, 64, 00, 6C, 00, 6C, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "File"
Type: REG_EXPAND_SZ
Data: \hsfracsu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Group"
Type: REG_SZ
Data: Boot Bus Extender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\drivers\pmmyvhzk.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Name"
Type: REG_SZ
Data: \hsfracsu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "R7"
Type: REG_BINARY
Data: 5C, 00, 72, 00, 65, 00, 67, 00, 69, 00, 73, 00, 74, 00, 72, 00, 79, 00, 5C, 00, 6D, 00, 61, 00, 63, 00, 68, 00, 69, 00, 6E, 00, 65, 00, 5C, 00, 73, 00, 6F, 00, 66, 00, 74, 00, 77, 00, 61, 00, 72, 00, 65, 00, 5C, 00, 6D, 00, 69, 00, 63, 00, 72, 00, 6F, 00, 73, 00, 6F, 00, 66, 00, 74, 00, 5C, 00, 77, 00, 69, 00, 6E, 00, 64, 00, 6F, 00, 77, 00, 73, 00, 20, 00, 6E, 00, 74, 00, 5C, 00, 63, 00, 75, 00, 72, 00, 72, 00, 65, 00, 6E, 00, 74, 00, 76, 00, 65, 00, 72, 00, 73, 00, 69, 00, 6F, 00, 6E, 00, 5C, 00, 77, 00, 69, 00, 6E, 00, 6C, 00, 6F, 00, 67, 00, 6F, 00, 6E, 00, 5C, 00, 6E, 00, 6F, 00, 74, 00, 69, 00, 66, 00, 79, 00, 5C, 00, 6C, 00, 67, 00, 62, 00, 71, 00, 74, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_HSFRACSU\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
- Adds several startup entries. Each one is a rundll32.exe launch of a DLL stored under a non-DLL extension (.nls, .drv) with an export named WLEntryPoint; the third uses the Winlogon "taskman" value, which Winlogon runs in place of Task Manager, rather than a Run key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "bmpsrip"
Type: REG_SZ
Data: rundll32.exe "C:\WINDOWS\system32\tknatsbmdon.nls" WLEntryPoint
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "gfelgbmd"
Type: REG_SZ
Data: rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\ilkjil.nls" WLEntryPoint
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "taskman"
Type: REG_SZ
Data: rundll32.exe "C:\WINDOWS\system32\lcfqtcrqdsb.drv" WLEntryPoint
- Installs a Winlogon notification package. Winlogon loads lgbqt.dll into its own SYSTEM-level process and calls the export named in "Logon" (WLEventLogon) at each interactive logon; the driver's "R7" value above points at this same key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgbqt "Asynchronous"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgbqt "DLLName"
Type: REG_SZ
Data: lgbqt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgbqt "Impersonate"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgbqt "Logon"
Type: REG_SZ
Data: WLEventLogon
- Creates 2 new entries in the Winsock Catalog (a Layered Service Provider; HijackThis identifies the provider DLL as rqhcnidg.dll, which is how it gets loaded into the processes mentioned in the notes).
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 "PackedCatalogItem"
Type: REG_BINARY
Data: (data too large: 888 bytes)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 "PackedCatalogItem"
Type: REG_BINARY
Data: (data too large: 888 bytes)
- Creates a new CLSID entry whose names contain embedded null characters, so the Registry Editor cannot display the data (see rootkit scan: GMER enumerates the Storage\0 to Storage\4 subkeys, which record each dropped component's file name, extension, path, Run-key value name and entry point).
HKEY_CLASSES_ROOT\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}
HKEY_CLASSES_ROOT\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage
- Modifies the following registry entries. The exefile change routes every .exe launch through the dropped DLL, which receives the original command line as %1 %*, and the Command Processor "AutoRun" value executes the second DLL each time cmd.exe starts.
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: "%1" %*
New data: rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\jilcrmlcrmt.drv" WLEntry %1 %*
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "AutoRun"
Old type: REG_SZ
New type: REG_SZ
Old data:
New data: rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\napsbid.drv" WLEntryPoint
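The service values above are only useful once the raw byte dumps are decoded. The following is an added example, not code from the original write-up: a small reader for the "key / Type / Data" layout used in this dump that turns REG_DWORD data into little-endian integers, REG_BINARY data into the UTF-16LE strings the rootkit stored, and the Start / Type values into the standard Windows service constants. The DUMP excerpt is copied from the hsfracsu entries above; the KERNEL_BASE threshold (0x80000000, the default kernel/user split on 32-bit XP) and the output labels are this example's own.

```python
# Added example (not from the original analysis): decode the hsfracsu
# service values listed above.
import re
from typing import Dict, Iterator, Tuple, Union

# Constructed excerpt: entries copied verbatim from the registry dump above.
DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "0"
Type: REG_DWORD
Data: 63, F0, 56, 80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "F4"
Type: REG_BINARY
Data: 77, 00, 69, 00, 6E, 00, 64, 00, 6F, 00, 77, 00, 73, 00, 5C, 00, 73, 00, 79, 00, 73, 00, 74, 00, 65, 00, 6D, 00, 33, 00, 32, 00, 5C, 00, 6C, 00, 67, 00, 62, 00, 71, 00, 74, 00, 2E, 00, 64, 00, 6C, 00, 6C, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\drivers\pmmyvhzk.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "R7"
Type: REG_BINARY
Data: 5C, 00, 72, 00, 65, 00, 67, 00, 69, 00, 73, 00, 74, 00, 72, 00, 79, 00, 5C, 00, 6D, 00, 61, 00, 63, 00, 68, 00, 69, 00, 6E, 00, 65, 00, 5C, 00, 73, 00, 6F, 00, 66, 00, 74, 00, 77, 00, 61, 00, 72, 00, 65, 00, 5C, 00, 6D, 00, 69, 00, 63, 00, 72, 00, 6F, 00, 73, 00, 6F, 00, 66, 00, 74, 00, 5C, 00, 77, 00, 69, 00, 6E, 00, 64, 00, 6F, 00, 77, 00, 73, 00, 20, 00, 6E, 00, 74, 00, 5C, 00, 63, 00, 75, 00, 72, 00, 72, 00, 65, 00, 6E, 00, 74, 00, 76, 00, 65, 00, 72, 00, 73, 00, 69, 00, 6F, 00, 6E, 00, 5C, 00, 77, 00, 69, 00, 6E, 00, 6C, 00, 6F, 00, 67, 00, 6F, 00, 6E, 00, 5C, 00, 6E, 00, 6F, 00, 74, 00, 69, 00, 66, 00, 79, 00, 5C, 00, 6C, 00, 67, 00, 62, 00, 71, 00, 74, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsfracsu "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
"""

# Standard service constants (winnt.h / winsvc.h).
START_NAMES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
TYPE_NAMES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
              0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
KERNEL_BASE = 0x80000000  # assumption: default 2 GB/2 GB split on 32-bit XP

ENTRY_RE = re.compile(r'^(?P<key>HKEY_[^"]+?) "(?P<name>[^"]+)"$')


def parse_entries(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, value_name, reg_type, raw_data) for each three-line entry."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    for i in range(0, len(lines), 3):
        m = ENTRY_RE.match(lines[i])
        if not m:
            raise ValueError(f"unexpected key line: {lines[i]!r}")
        reg_type = lines[i + 1].partition(":")[2].strip()
        raw = lines[i + 2].partition(":")[2].strip()
        yield m.group("key"), m.group("name"), reg_type, raw


def hex_bytes(raw: str) -> bytes:
    """'63, F0, 56, 80' -> b'\\x63\\xf0\\x56\\x80'."""
    return bytes(int(b, 16) for b in re.split(r",\s*", raw))


def decode(reg_type: str, raw: str) -> Union[int, str]:
    if reg_type == "REG_DWORD":
        return int.from_bytes(hex_bytes(raw), "little")
    if reg_type == "REG_BINARY":
        data = hex_bytes(raw)
        # An even-length, NUL-terminated blob is tried as UTF-16LE first,
        # which is exactly how this driver stored its path strings.
        if len(data) % 2 == 0 and data.endswith(b"\x00\x00"):
            try:
                return data[:-2].decode("utf-16-le")
            except UnicodeDecodeError:
                pass
        return data.hex()
    return raw  # REG_SZ / REG_EXPAND_SZ are already text


def describe(name: str, reg_type: str, raw: str) -> str:
    value = decode(reg_type, raw)
    if not isinstance(value, int):
        return value
    if name == "Start":
        return f"{value} ({START_NAMES.get(value, 'unknown')})"
    if name == "Type":
        return f"0x{value:x} ({TYPE_NAMES.get(value, 'unknown')})"
    if value >= KERNEL_BASE:
        return f"0x{value:08X} (kernel-mode address)"
    return f"0x{value:08X} ({value})"


def decode_dump(text: str) -> Dict[str, str]:
    """Map each value name in the dump to its decoded, annotated form."""
    return {name: describe(name, t, raw) for _, name, t, raw in parse_entries(text)}


if __name__ == "__main__":
    for name, desc in decode_dump(DUMP).items():
        print(f"{name:>10} = {desc}")
```

Running it shows value "0" as 0x8056F063, inside ntoskrnl's address range on this host (compare the 80567B83 address GMER reports for RtlCopySid), "F4" as the Winlogon notification DLL path and "R7" as the native-format path of the Notify key, tying the driver to the user-mode components listed later.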
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following files. The five 113,664-byte files share one size and are very likely copies of the same DLL dropped under different names and extensions; their 8/4/2004 2:00 PM timestamps match the date of the Windows XP SP2 system files on this host (GMER reports Windows 5.1.2600 SP2), so they have been time-stomped to blend in, while the 5/7/2008 4:23 PM entries carry the real infection time.
%temp%\apcxaawq.dat
Date: 5/7/2008 4:23 PM
Size: 4,864 bytes
%temp%\grcirdxu.ini
Date: 5/7/2008 4:23 PM
Size: 4 bytes
%temp%\ilkjil.nls
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%temp%\jilcrmlcrmt.drv
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%temp%\napsbid.drv
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%System%\edsfmtkrqdsfqh.dll
Date: 8/4/2004 2:00 PM
Size: 54,784 bytes
%System%\lcfqtcrqdsb.drv
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%System%\lgbqt.dll
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%System%\rqhcnidg.dll
Date: 8/4/2004 2:00 PM
Size: 16,896 bytes
%System%\tknatsbmdon.nls
Date: 8/4/2004 2:00 PM
Size: 113,664 bytes
%System%\drivers\pmmyvhzk.dat
Date: 5/7/2008 4:23 PM
Size: 19,584 bytes
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
<h4>
Rootkit Scan
</h4>GMER finds a 7-byte inline JMP written into ntoskrnl.exe!RtlCopySid + 38 that lands inside the driver image, lists the hsfracsu boot service as hidden, and enumerates the CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage subkeys that regedit cannot display:
GMER 1.0.14.14181 - http://www.gmer.net
Rootkit scan 2008-05-07 16:49:23
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!RtlCopySid + 38 80567B83 7 Bytes JMP F88D12C6 \SystemRoot\system32\drivers\pmmyvhzk.dat
? C:\DOCUME~1\KLY\LOCALS~1\Temp\apcxaawq.dat Access is denied.
? C:\SystemRoot\system32\drivers\pmmyvhzk.dat Access is denied. !
---- Services - GMER 1.0.14 ----
Service system32\drivers\pmmyvhzk.dat (*** hidden *** ) [BOOT] hsfracsu
---- Registry - GMER 1.0.14 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@file_name ilkjil
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@file_expand nls
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@file_path C:\DOCUME~1\KLY\LOCALS~1\Temp\
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@reg_name gfelgbmd
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@reg_id 234533
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\0@start_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@file_name tknatsbmdon
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@file_expand nls
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@file_path C:\WINDOWS\system32\
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@reg_name bmpsrip
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@reg_id 235124
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\1@start_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@file_name napsbid
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@file_expand drv
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@file_path C:\DOCUME~1\KLY\LOCALS~1\Temp\
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@reg_name fmpoj
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@reg_id 987234
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\2@start_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@file_name lcfqtcrqdsb
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@file_expand drv
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@file_path C:\WINDOWS\system32\
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@reg_name cbitgnap
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@reg_id 7237565
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\3@start_function WLEntryPoint
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@file_name jilcrmlcrmt
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@file_expand drv
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@file_path C:\DOCUME~1\KLY\LOCALS~1\Temp\
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@reg_name cnipgjed
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@reg_id 7523455
Reg HKLM\SOFTWARE\Classes\CLSID\{2FC6EA5D-6A08-EBDA-F57D-B531AB8CA1B8}\Storage\4@start_function WLEntry
---- EOF - GMER 1.0.14 ----
<h4>
Visible signs
</h4>Logfile of Trend Micro HijackThis v2.0.2
...
O4 - HKLM\..\Run: [gfelgbmd] rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\ilkjil.nls" WLEntryPoint
O4 - HKLM\..\Policies\Explorer\Run: [bmpsrip] rundll32.exe "C:\WINDOWS\system32\tknatsbmdon.nls" WLEntryPoint
O10 - Unknown file in Winsock LSP: c:\windows\system32\rqhcnidg.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rqhcnidg.dll
O20 - Winlogon Notify: lgbqt - C:\WINDOWS\SYSTEM32\lgbqt.dll
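Every user-mode foothold this sample leaves (Run, Policies\Explorer\Run, Winlogon taskman, exefile\shell\open\command, Command Processor AutoRun) is the same shape: rundll32.exe loading a file with a non-DLL extension and calling a WLEntry* export. The following is an added example, not part of the original write-up: a triage routine that parses such command lines, plus HijackThis O4 lines, and flags the traits that make them suspicious. The entries in ENTRIES and HJT_LINES are copied from the registry dump and the HijackThis log above (one benign ctfmon entry is constructed for contrast); the reason strings, the Temp-folder markers and the list of hijack locations are this example's own choices.

```python
# Added example (not from the original analysis): flag rundll32-based
# autostart entries of the kind this sample installs.
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# rundll32[.exe] "<module>" <export> [args]   or   rundll32 <module> <export>
RUNDLL_RE = re.compile(
    r'^\s*rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s+'
    r'(?P<export>\S+)(?P<rest>.*)$',
    re.IGNORECASE,
)
# HijackThis O4 line: O4 - HKLM\..\Run: [name] command
HJT_O4_RE = re.compile(r'^O4 - (?P<location>\S+): \[(?P<name>[^\]]+)\] (?P<command>.+)$')

TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")          # user Temp, long and 8.3 form
HIJACK_LOCATIONS = ("exefile\\shell\\open\\command",  # every .exe launch
                    "command processor\\autorun")     # every cmd.exe start


@dataclass
class Finding:
    location: str
    name: str
    module: str
    export: str
    reasons: List[str] = field(default_factory=list)


def triage(location: str, name: str, command: str) -> Optional[Finding]:
    """Return a Finding if the command is a suspicious rundll32 launch, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    module = m.group("quoted") or m.group("bare")
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext != ".dll":
        reasons.append(f"rundll32 loading a '{ext}' file as a DLL")
    if any(t in module.lower() for t in TEMP_MARKERS):
        reasons.append("module stored under the user's Temp folder")
    full_loc = (location + "\\" + name).lower()
    if any(h in full_loc for h in HIJACK_LOCATIONS):
        reasons.append("rundll32 wired into a location that should never run extra code")
    if "%1" in m.group("rest"):
        reasons.append("original command line passed through (%1 %*): transparent launch hijack")
    return Finding(location, name, module, m.group("export"), reasons) if reasons else None


def parse_hjt_o4(line: str) -> Optional[Tuple[str, str, str]]:
    m = HJT_O4_RE.match(line)
    return (m.group("location"), m.group("name"), m.group("command")) if m else None


# Constructed from the entries above (registry dump and HijackThis log).
ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "taskman",
     r'rundll32.exe "C:\WINDOWS\system32\lcfqtcrqdsb.drv" WLEntryPoint'),
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "(Default)",
     r'rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\jilcrmlcrmt.drv" WLEntry %1 %*'),
    (r"HKLM\SOFTWARE\Microsoft\Command Processor", "AutoRun",
     r'rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\napsbid.drv" WLEntryPoint'),
    # Benign entry for contrast (constructed; not from the sample).
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]
HJT_LINES = [
    r'O4 - HKLM\..\Run: [gfelgbmd] rundll32.exe "C:\DOCUME~1\KLY\LOCALS~1\Temp\ilkjil.nls" WLEntryPoint',
    r'O4 - HKLM\..\Policies\Explorer\Run: [bmpsrip] rundll32.exe "C:\WINDOWS\system32\tknatsbmdon.nls" WLEntryPoint',
]


def run_triage() -> List[Finding]:
    entries = list(ENTRIES) + [e for e in map(parse_hjt_o4, HJT_LINES) if e]
    return [f for f in (triage(*e) for e in entries) if f]


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.location} [{f.name}] -> {f.module} ! {f.export}")
        for r in f.reasons:
            print("   -", r)
```

The exefile entry scores on all four traits at once, which is the one to remediate first: with it in place, every program launch on the box passes through the dropped DLL, so cleaning the other entries while it is still active just re-runs the sample.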
<h4>
Notes
</h4>Upon execution, ahshibhq.exe tries to install a driver (the hidden hsfracsu boot service listed under Rootkit Scan).
During install, ahshibhq.exe checks for available updates. The following URLs were requested (listed bottom to top, so the first request carried cp=1 and the last cp=13; hid stays constant across the run, and ver=4.164 is presumably the sample's version):
http://208.72.169.93/check.php?hid=619435398&cp=13&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=10&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=9&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=4&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=3&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=2.1&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=2&ver=4.164
http://208.72.169.93/check.php?hid=619435398&cp=1&ver=4.164
An instance of svchost.exe is started by ahshibhq.exe, and rqhcnidg.dll (the Winsock LSP from the O10 entries above) is loaded into several processes.
Internet access is enabled using the netsh.exe command; svchost.exe then listens for incoming connections, contacts 208.72.169.93 and finally starts spamming.
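The check.php requests above have a stable shape (same host, same hid and ver, a climbing cp value within seconds), which is easier to alert on than the IP alone. The following is an added example, not part of the original analysis: a detection that reads proxy-style log lines, keeps only requests carrying the full hid/cp/ver parameter set to a check.php path, groups them per client, C2 host, hid and ver, and raises an alert when at least MIN_STAGES distinct cp values arrive inside WINDOW. The URLs are the ones recorded above replayed in chronological order; the log layout, timestamps, client addresses and thresholds are constructed for the example.

```python
# Added example (not from the original analysis): detect the check.php
# beacon sequence in constructed proxy log lines.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed log: "<date> <time> <client> <method> <url>" per line.
LOG = """\
2008-05-07 16:23:41 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=1&ver=4.164
2008-05-07 16:23:42 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=2&ver=4.164
2008-05-07 16:23:42 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=2.1&ver=4.164
2008-05-07 16:23:43 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=3&ver=4.164
2008-05-07 16:23:43 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=4&ver=4.164
2008-05-07 16:23:44 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=9&ver=4.164
2008-05-07 16:23:44 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=10&ver=4.164
2008-05-07 16:23:45 10.0.0.5 GET http://208.72.169.93/check.php?hid=619435398&cp=13&ver=4.164
2008-05-07 16:24:10 10.0.0.7 GET http://www.example.com/check.php?id=5
"""

BEACON_PARAMS = {"hid", "cp", "ver"}   # parameter set seen in every request above
WINDOW = timedelta(minutes=5)          # assumption: all stages land within 5 minutes
MIN_STAGES = 3                         # assumption: three stages is enough to alert


def parse_line(line: str) -> Tuple[datetime, str, str, str, Dict[str, str]]:
    date, time, client, _method, url = line.split(" ", 4)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return ts, client, parts.hostname or "", parts.path, qs


def is_beacon(path: str, qs: Dict[str, str]) -> bool:
    """check.php with the complete hid/cp/ver parameter set."""
    return path.endswith("/check.php") and BEACON_PARAMS <= set(qs)


def find_beacon_sequences(log: str) -> List[dict]:
    groups = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host, path, qs = parse_line(line)
        if is_beacon(path, qs):
            groups[(client, host, qs["hid"], qs["ver"])].append((ts, qs["cp"]))
    alerts = []
    for (client, host, hid, ver), hits in groups.items():
        hits.sort(key=lambda h: h[0])        # stable: same-second hits keep log order
        stages = [cp for _, cp in hits]
        span = hits[-1][0] - hits[0][0]
        if len(set(stages)) >= MIN_STAGES and span <= WINDOW:
            alerts.append({"client": client, "c2": host, "hid": hid, "ver": ver,
                           "stages": stages, "seconds": span.total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in find_beacon_sequences(LOG):
        print(f"{a['client']} -> {a['c2']} hid={a['hid']} ver={a['ver']} "
              f"stages={','.join(a['stages'])} in {a['seconds']:.0f}s")
```

Keying on the parameter set rather than the IP keeps the rule useful after the C2 address changes, and the per-hid grouping separates two infected hosts behind one proxy.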