<h4>
Seen in the wild ...
</h4>
It all starts with an obfuscated JavaScript ...
Once decoded, we see several exploits.
CODE
if (mdac() || office() || dl() || pdf() || wme() || wfi() || com() || ya1() || ya2() || fb() ||
    mdss() || creative() || wks() || ogame() || ca() || buddy() || gomweb() || xmlcore() ||
    quick() || real() || ntaudio())
  1. mdac (MS06-014)
    • BD96C556-65A3-11D0-983A-00C04FC29E36
    • BD96C556-65A3-11D0-983A-00C04FC29E30
    • AB9BCEDD-EC7E-47E1-9322-D4A210617116
    • 0006F033-0000-0000-C000-000000000046
    • 0006F03A-0000-0000-C000-000000000046
    • 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
    • 6414512B-B978-451D-A0D8-FCFDF33E833C
    • 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
    • 06723E09-F4C2-43c8-8358-09FCD1DB0766
    • 639F725F-1B2D-4831-A9FD-874847682010
    • BA018599-1DB3-44f9-83B4-461454C84BF8
    • D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
    • E8CCCDDF-CA28-496b-B050-6C07C962476B
  2. WebViewFolder setSlice - WebViewFolderIcon.WebViewFolderIcon.1
  3. CreateControlRange - Microsoft 'msdds.dll' COM Object - EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (MS05-052)
  4. Yahoo! Messenger 8.x ActiveX
    • DCE2F8B1-A520-11D4-8FD0-00D0B7730277
    • 9D39223E-AE8E-11D4-8FD3-00D0B7730277
  5. FaceBook/Aurigma Image/PhotoUploader Buffer Overflow - 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0
  6. Microsoft Speech API ActiveX - EEE78591-FE22-11D0-8BEF-0060081841DE
  7. Microsoft Office Snapshot Viewer ActiveX - snpvw.Snapshot Viewer Control.1
  8. Sina Downloader.DLoader.1
  9. WksPictureInterface - 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6
  10. Ourgame IEStartNative - F917534D-535B-416B-8E8F-0C04756C31A8
  11. CA AddColumn - BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
  12. SuperBuddy LinkSBIcons - Sb.SuperBuddy
  13. GomPlayer OpenURL - GomWebCtrl.GomManager.1
  14. XMLHTTP setRequestHeader - 88d969c5-f192-11d4-a65f-0040963251e5
  15. QuickTime RTSP - QuickTime.QuickTime.4
  16. RealPlayer Console - IERPCtl.IERPCtl.1
  17. NCTAudioFile2 - 77829F14-D911-40FF-A2F0-D11DB8D6D0BC
  18. Creative CacheFolder - 0A5FD7C5-A45C-49FC-ADB5-9952547D5715
  19. collab.CollabEmailInfo - PDF exploit
  20. Windows Media Encoder - A8D3AD02-7508-4004-B2E9-AD33F087F43C
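As an added example (not code from the original post or from the kit itself), here is a small Python scanner that checks a decoded page or script for the CLSIDs and ProgIDs listed above. It goes slightly beyond the list by accepting both the `classid="clsid:{...}"` form and the `new ActiveXObject("...")` form, in any case; the lookup table is taken from the list above, the sample input is constructed.

```python
import re

# CLSIDs from the decoded exploit list (uppercased for case-insensitive
# matching), mapped to the check in the kit they belong to.
BAD_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "mdac (MS06-014)",
    "BD96C556-65A3-11D0-983A-00C04FC29E30": "mdac (MS06-014)",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116": "mdac (MS06-014)",
    "0006F033-0000-0000-C000-000000000046": "mdac (MS06-014)",
    "0006F03A-0000-0000-C000-000000000046": "mdac (MS06-014)",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3": "mdac (MS06-014)",
    "6414512B-B978-451D-A0D8-FCFDF33E833C": "mdac (MS06-014)",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D": "mdac (MS06-014)",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766": "mdac (MS06-014)",
    "639F725F-1B2D-4831-A9FD-874847682010": "mdac (MS06-014)",
    "BA018599-1DB3-44F9-83B4-461454C84BF8": "mdac (MS06-014)",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19": "mdac (MS06-014)",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B": "mdac (MS06-014)",
    "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F": "msdds.dll CreateControlRange (MS05-052)",
    "DCE2F8B1-A520-11D4-8FD0-00D0B7730277": "Yahoo! Messenger 8.x",
    "9D39223E-AE8E-11D4-8FD3-00D0B7730277": "Yahoo! Messenger 8.x",
    "5C6698D9-7BE4-4122-8EC5-291D84DBD4A0": "Aurigma ImageUploader",
    "EEE78591-FE22-11D0-8BEF-0060081841DE": "Microsoft Speech API",
    "00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6": "WksPictureInterface",
    "F917534D-535B-416B-8E8F-0C04756C31A8": "Ourgame IEStartNative",
    "BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3": "CA AddColumn",
    "88D969C5-F192-11D4-A65F-0040963251E5": "XMLHTTP setRequestHeader",
    "77829F14-D911-40FF-A2F0-D11DB8D6D0BC": "NCTAudioFile2",
    "0A5FD7C5-A45C-49FC-ADB5-9952547D5715": "Creative CacheFolder",
    "A8D3AD02-7508-4004-B2E9-AD33F087F43C": "Windows Media Encoder",
}

# ProgIDs from the same list (uppercased).
BAD_PROGIDS = {
    "WEBVIEWFOLDERICON.WEBVIEWFOLDERICON.1": "WebViewFolder setSlice",
    "SNPVW.SNAPSHOT VIEWER CONTROL.1": "Office Snapshot Viewer",
    "DOWNLOADER.DLOADER.1": "Sina Downloader (as listed above)",
    "SB.SUPERBUDDY": "SuperBuddy LinkSBIcons",
    "GOMWEBCTRL.GOMMANAGER.1": "GomPlayer OpenURL",
    "QUICKTIME.QUICKTIME.4": "QuickTime RTSP",
    "IERPCTL.IERPCTL.1": "RealPlayer Console",
}

# A GUID in bare or {braced} form, any case.
CLSID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?")


def scan(text):
    """Return (identifier, label) hits for a decoded script or page, each once."""
    hits, seen = [], set()
    for clsid in CLSID_RE.findall(text):
        key = clsid.upper()
        if key in BAD_CLSIDS and key not in seen:
            seen.add(key)
            hits.append((clsid, BAD_CLSIDS[key]))
    upper = text.upper()
    for progid, label in BAD_PROGIDS.items():
        if progid in upper:
            hits.append((progid, label))
    return hits


# Constructed sample of decoded content (not taken from the real kit).
SAMPLE = """
<object classid="clsid:{BD96C556-65A3-11D0-983A-00C04FC29E36}" id="t"></object>
<script>
var o = new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
var q = new ActiveXObject("quicktime.quicktime.4");
var x = new ActiveXObject("Msxml2.XMLHTTP");  // ordinary XMLHTTP, not on the list
</script>
"""

if __name__ == "__main__":
    for ident, label in scan(SAMPLE):
        print(f"{label:40s} {ident}")
```

Run it over the output of your deobfuscation step rather than the raw page; the kit's JavaScript only exposes these identifiers once decoded.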
<h4>
Payload
</h4>
Filename: load.exe

File size: 22528 bytes
MD5...: f38dbaf8f62501e3d735d0f7b430f2d7
SHA1..: 9a790d775321f3607bf99eddc1335451b2a01def
SHA256: a6e2080c24dbc146a8d696a3131732250aba52c2ffbd3d8b6d3fcb10e5a0433c
PEiD: -
Result: 4/39 (10.26%)
QUOTE
File load.exe received on 12.28.2008 01:36:44
a-squared 4.0.0.73 2008.12.27 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.27 TR/Dropper.Gen
Authentium 5.1.0.4 2008.12.27 -
Avast 4.8.1281.0 2008.12.27 Win32:Rootkit-gen
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.27 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 -
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.27 Win32:Rootkit-gen
Ikarus T3.1.1.45.0 2008.12.27 -
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.28 -
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 -
Microsoft 1.4205 2008.12.28 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.28 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 Trojan.Dropper.Gen
Sophos 4.37.0 2008.12.27 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.27 -
______________________________

Filename: 1.pdf

File size: 2806 bytes
MD5...: 8d4acf49ec37d05348b688959efb5266
SHA1..: 08556fb049bb241efb1d5e479ea4bdcffdda68f8
SHA256: 0bff4975f2ef1f1fb368d94cc8115fa31b457367d63530926370b6ce00d25632
PEiD: -
Result: 15/39 (38.46%)
TrID..: File type identification - Adobe Portable Document Format (100.0%)
QUOTE
File 1.pdf received on 12.28.2008 18:10:01 (CET)
a-squared 4.0.0.73 2008.12.28 Exploit.Win32.Pdfjsc.G!IK
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.28 JS/Dldr.Small.CR.2
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 JS:Agent-BQ
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.28 Trojan.JS.Downloader.BGI
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.28 -
Comodo 834 2008.12.28 -
DrWeb 4.44.0.09170 2008.12.28 Exploit.PDF.4
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.28 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 Exploit.JS.Pdfka.w
Fortinet 3.117.0.0 2008.12.28 -
GData 19 2008.12.28 Trojan.JS.Downloader.BGI
Ikarus T3.1.1.45.0 2008.12.28 Exploit.Win32.Pdfjsc.G
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.28 Exploit.JS.Pdfka.w
McAfee 5477 2008.12.28 Exploit-PDF.c
McAfee+Artemis 5477 2008.12.28 Exploit-PDF.c
Microsoft 1.4205 2008.12.28 Exploit:Win32/Pdfjsc.G
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.28 -
PCTools 4.4.2.0 2008.12.28 -
Prevx1 V2 2008.12.28 -
Rising 21.09.62.00 2008.12.28 -
SecureWeb-Gateway 6.7.6 2008.12.28 Script.Dldr.Small.CR.2
Sophos 4.37.0 2008.12.28 Mal/PDFEx-B
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 Bloodhound.Exploit.196
TheHacker 6.3.1.4.201 2008.12.28 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.28 -
<h4>
Visible signs
</h4>
Logfile of Trend Micro HijackThis v2.0.2
....
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe

<h4>
Technical details
</h4>
Load.exe arrives on the test PC as winzy0phk.exe and copies itself to %System%\rs32net.exe. This file is a downloader.
Upon execution, rs32net.exe creates a new instance of svchost.exe and allocates several memory pages in the address space of that svchost.exe. rs32net.exe periodically checks whether its startup entries have been deleted.
rs32net.exe carries a list of IP addresses to contact in order to download an executable. The downloaded file is saved under a random name in the %temp% folder and deleted after execution.
<h4>
bn1a.tmp
</h4>
Filename: bn1a.tmp

File size: 41472 bytes
MD5...: 85ed09cf8402d7bf55f12f56d479c0fd
SHA1..: 09738af2d6df745875045edf4469cee1c84e964d
SHA256: 5bf9b9ee14710b263ab310d55372e3f741c87de5cc45e989d8e3299540192465
PEiD: -
Result: 2/39 (5.13%)
QUOTE
File BN2.tmp received on 12.28.2008 07:32:34 (CET)
a-squared 4.0.0.73 2008.12.28 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.27 TR/Dropper.Gen
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 -
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.28 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.28 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.28 -
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 -
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.28 -
Ikarus T3.1.1.45.0 2008.12.28 -
K7AntiVirus 7.10.568 2008.12.27 -
Kaspersky 7.0.0.125 2008.12.28 -
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 -
Microsoft 1.4205 2008.12.28 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.28 -
Rising 21.09.60.00 2008.12.28 -
SecureWeb-Gateway 6.7.6 2008.12.28 Trojan.Dropper.Gen
Sophos 4.37.0 2008.12.28 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 -
VirusBuster 4.5.11.0 2008.12.27 -
______________________________

Filename: ati8pnxx.sys

File size: 32768 bytes
MD5...: a9ae44da85bb7246ad5c864c48820f48
SHA1..: ce61dcd71dad6a0f5977ef10257e484bde4b172b
SHA256: 138feff9bfd99cecd2c59a198bde5874e088d5533b3358a85ebefc7b229289a2
PEiD: -
Result: 27/39 (69.23%)
QUOTE
File ati8pnxx.sys received on 12.28.2008 07:44:41 (CET)
a-squared 4.0.0.73 2008.12.28 Rootkit.Win32.Protector!IK
AhnLab-V3 2008.12.25.0 2008.12.27 Win-Trojan/Kobcka.32256
AntiVir 7.9.0.45 2008.12.27 RKIT/Protector.BC
Authentium 5.1.0.4 2008.12.28 -
Avast 4.8.1281.0 2008.12.27 Win32:Protector-B
AVG 8.0.0.199 2008.12.28 Rootkit-Agent.AV
BitDefender 7.2 2008.12.28 Rootkit.Kobcka.A
CAT-QuickHeal 10.00 2008.12.27 Rootkit.Protector.bd
ClamAV 0.94.1 2008.12.28 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.28 BackDoor.Bulknet.240
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 Rootkit.Win32.Protector.cd
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.28 Rootkit.Kobcka.A
Ikarus T3.1.1.45.0 2008.12.28 Rootkit.Win32.Protector
K7AntiVirus 7.10.568 2008.12.27 Rootkit.Win32.Protector.bd
Kaspersky 7.0.0.125 2008.12.28 Rootkit.Win32.Protector.cd
McAfee 5476 2008.12.27 Cutwail.gen.a
McAfee+Artemis 5476 2008.12.27 Cutwail.gen.a
Microsoft 1.4205 2008.12.28 VirTool:WinNT/Cutwail.K
NOD32 3719 2008.12.27 a variant of Win32/Wigon
Norman 5.80.02 2008.12.26 W32/Rootkit.SLY
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.28 Rootkit
Rising 21.09.60.00 2008.12.28 RootKit.Win32.Undef.ww
SecureWeb-Gateway 6.7.6 2008.12.28 Rootkit.Protector.BC
Sophos 4.37.0 2008.12.28 Troj/Pushu-Gen
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 Trojan.Pandex
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 TROJ_PANDEX.ROY
VBA32 3.12.8.10 2008.12.27 Rootkit.Win32.Protector.bd
ViRobot 2008.12.26.1536 2008.12.26 Trojan.Win32.RT-Agent.32256.B
VirusBuster 4.5.11.0 2008.12.27 Rootkit.Siberia.Gen
Registry changes.
  • Adds a service with a random name of the form ati + one digit + two letters + xx (ati8pnxx, ati8kvxx and ati5kvxx are seen in this sample).
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8KVXX
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "DeviceDesc"
    Type: REG_SZ
    Data: ati8pnxx
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000 "Service"
    Type: REG_SZ
    Data: ati8pnxx
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8PNXX\0000\Control "ActiveService"
    Type: REG_SZ
    Data: ati8pnxx
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "ErrorControl"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Group"
    Type: REG_SZ
    Data: SCSI Class
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "ImagePath"
    Type: REG_SZ
    Data: System32\Drivers\ati8pnxx.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Start"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Type"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx\Enum "0"
    Type: REG_SZ
    Data: Root\LEGACY_ATI8PNXX\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx\Enum "Count"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx\Enum "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx\Security "Security"
    Type: REG_BINARY
  • Loads in Safe mode.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8pnxx.sys "(Default)"
    Type: REG_SZ
    Data: Driver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati8pnxx.sys "(Default)"
    Type: REG_SZ
    Data: Driver
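An added example (not code from the original post) that parses the registry listing above in its `key "value"` / `Type:` / `Data:` layout and reports services whose name fits the ati + digit + two letters + xx pattern, together with their start type, service type, load-order group, image path and any SafeBoot registration. The sample input is an excerpt of the listing above plus a constructed benign atapi entry, to show that a boot-start kernel driver on its own is not what makes this one stand out; the name pattern and the SafeBoot registration are.

```python
import re

# Service-name pattern described above: "ati", one digit, two letters, "xx".
NAME_RE = re.compile(r"^ati\d[a-z]{2}xx$", re.I)
# A key line: full path, optionally followed by a quoted value name.
KEY_RE = re.compile(r'^(HKEY_\S+)(?:\s+"([^"]*)")?$')

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot" + "\\"


def parse_dump(text):
    """Parse the 'key "value" / Type: / Data:' listing into a list of entries."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            cur = {"key": m.group(1), "value": m.group(2), "type": None, "data": None}
            entries.append(cur)
        elif line.startswith("Type:") and cur is not None:
            cur["type"] = line[5:].strip()
        elif line.startswith("Data:") and cur is not None:
            cur["data"] = line[5:].strip()
    return entries


def dword(data):
    """'01, 00, 00, 00' -> 1 (REG_DWORD bytes as printed in the dump, little-endian)."""
    return int.from_bytes(bytes(int(b, 16) for b in data.split(",")), "little")


def triage(entries):
    """Report services matching NAME_RE with the facts a responder wants."""
    services, safeboot = {}, {}
    for e in entries:
        key = e["key"]
        if key.upper().startswith(SERVICES.upper()):
            name, _, sub = key[len(SERVICES):].partition("\\")
            svc = services.setdefault(name, {"name": name, "start": None, "type": None,
                                             "group": None, "image_path": None})
            if sub or e["value"] is None:
                continue  # subkeys (Enum, Security) and bare key lines carry nothing we need
            if e["value"] in ("Start", "Type") and e["type"] == "REG_DWORD":
                svc[e["value"].lower()] = dword(e["data"])
            elif e["value"] == "ImagePath":
                svc["image_path"] = e["data"]
            elif e["value"] == "Group":
                svc["group"] = e["data"]
        elif key.upper().startswith(SAFEBOOT.upper()):
            mode, _, entry = key[len(SAFEBOOT):].partition("\\")   # Minimal\ati8pnxx.sys
            safeboot.setdefault(entry.lower(), []).append(mode)
    findings = []
    for name, svc in services.items():
        if not NAME_RE.match(name):
            continue
        image = (svc["image_path"] or "").replace("/", "\\")
        basename = image.rsplit("\\", 1)[-1].lower() or name.lower() + ".sys"
        svc["safeboot"] = safeboot.get(basename, [])
        # Start 0 = boot start, Type 1 = kernel driver: loaded before most defences.
        svc["boot_kernel_driver"] = svc["start"] == 0 and svc["type"] == 1
        findings.append(svc)
    return findings


# Excerpt of the listing above, plus a constructed benign atapi service.
DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ATI8KVXX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Group"
Type: REG_SZ
Data: SCSI Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "ImagePath"
Type: REG_SZ
Data: System32\Drivers\ati8pnxx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ati8pnxx\Security "Security"
Type: REG_BINARY
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8pnxx.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ati8pnxx.sys "(Default)"
Type: REG_SZ
Data: Driver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi "Start"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
"""

if __name__ == "__main__":
    for f in triage(parse_dump(DUMP)):
        print(f)
```

The same parser works on a full before/after registry comparison; the only input format it expects is the one quoted above.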
<h4>
Rootkit Scan before reboot
</h4>
QUOTE
GMER 1.0.14.14181 - http://www.gmer.net
Rootkit scan 2008-12-29 17:50:23
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 443 804E3114 1 Byte [ 75 ]
.text ntoskrnl.exe!_abnormal_termination + 445 804E3116 6 Bytes [ 96, F7, F2, F9, 96, F7 ]
? C:\WINDOWS\System32\drivers\ati8pnxx.sys Access is denied.

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82E559C0
Device \FileSystem\Mup \Dfs 82E559C0
Device \FileSystem\NetBIOS \Device\Netbios 82E559C0
Device \FileSystem\MRxVPC \Device\MicrosoftVMFolderSharing 82E559C0
Device \FileSystem\RAW \Device\RawTape 82E559C0
Device \FileSystem\MRxDAV \Device\WebDavRedirector 82E559C0
Device \FileSystem\Rdbss \Device\FsWrap 82E559C0
Device \FileSystem\Srv \Device\LanmanServer 82E559C0
Device \FileSystem\Mup \Device\Mup 82E559C0
Device \FileSystem\RAW \Device\RawDisk 82E559C0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82E559C0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82E559C0
Device \FileSystem\Npfs \Device\NamedPipe 82E559C0
Device \FileSystem\Msfs \Device\Mailslot 82E559C0
Device \FileSystem\RAW \Device\RawCdRom 82E559C0
Device \Driver\ati5kvxx \Device\Prot3 82E54FA0
Device \FileSystem\Mup \Device\WinDfs\Root 82E559C0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82E559C0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82E559C0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82E559C0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82E559C0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82E559C0
Device \FileSystem\Cdfs \Cdfs 82E559C0

---- Threads - GMER 1.0.14 ----

Thread 4:144 82E55BF0

---- EOF - GMER 1.0.14 ----
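Added example (not part of the original post) that pulls the indicators out of a GMER text log in the layout shown above: patched bytes in kernel code sections, driver files the scanner could not read, driver names matching the random pattern, and a single handler address shared by many unrelated driver objects (each driver normally has its own dispatch routine, so one common address across the file-system drivers is worth examining). The sample is an excerpt of the log above; the threshold of three drivers per address is an assumption.

```python
import re
from collections import defaultdict

# Random driver-name pattern from the write-up: ati, one digit, two letters, xx.
NAME_RE = re.compile(r"^ati\d[a-z]{2}xx$", re.I)
# ".text ntoskrnl.exe!_abnormal_termination + 443 804E3114 1 Byte [ 75 ]"
PATCH_RE = re.compile(
    r"^\.text (\S+?)!(\S+) \+ ([0-9A-Fa-f]+) ([0-9A-Fa-f]{8}) (\d+) Bytes? \[ ([0-9A-Fa-f, ]+)\]")
# "? C:\WINDOWS\System32\drivers\ati8pnxx.sys Access is denied."
DENIED_RE = re.compile(r"^\? (.+?) Access is denied\.$")
# "Device \FileSystem\Ntfs \Ntfs 82E559C0"
DEVICE_RE = re.compile(r"^Device (\S+) (\S+) ([0-9A-Fa-f]{8})$")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_gmer(text, shared_threshold=3):
    """Extract rootkit indicators from a GMER text log."""
    report = {"kernel_patches": [], "inaccessible_drivers": [],
              "suspicious_drivers": set(), "shared_handler": {}}
    by_addr = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        m = PATCH_RE.match(line)
        if m:
            module, symbol, offset, addr, _count, raw_bytes = m.groups()
            report["kernel_patches"].append({
                "module": module, "symbol": symbol, "offset": offset, "address": addr,
                "bytes": [b.strip() for b in raw_bytes.split(",")]})
            continue
        m = DENIED_RE.match(line)
        if m:
            path = m.group(1)
            report["inaccessible_drivers"].append(path)
            name = basename(path)
            if name.lower().endswith(".sys"):
                name = name[:-4]
            if NAME_RE.match(name):
                report["suspicious_drivers"].add(name)
            continue
        m = DEVICE_RE.match(line)
        if m:
            driver, _device, addr = m.groups()
            by_addr[addr].add(driver)
            if NAME_RE.match(basename(driver)):
                report["suspicious_drivers"].add(basename(driver))
    # One address serving many distinct driver objects: examine it.
    for addr, drivers in by_addr.items():
        if len(drivers) >= shared_threshold:
            report["shared_handler"][addr] = sorted(drivers)
    report["suspicious_drivers"] = sorted(report["suspicious_drivers"])
    return report


# Excerpt of the GMER log above.
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 443 804E3114 1 Byte [ 75 ]
.text ntoskrnl.exe!_abnormal_termination + 445 804E3116 6 Bytes [ 96, F7, F2, F9, 96, F7 ]
? C:\WINDOWS\System32\drivers\ati8pnxx.sys Access is denied.

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 82E559C0
Device \FileSystem\Mup \Dfs 82E559C0
Device \FileSystem\Npfs \Device\NamedPipe 82E559C0
Device \FileSystem\Msfs \Device\Mailslot 82E559C0
Device \Driver\ati5kvxx \Device\Prot3 82E54FA0
Device \FileSystem\Cdfs \Cdfs 82E559C0

---- EOF - GMER 1.0.14 ----
"""

if __name__ == "__main__":
    for section, value in triage_gmer(GMER_LOG).items():
        print(section, value)
```

Note that the driver name reported by GMER (ati5kvxx) differs from the one in the registry dump (ati8pnxx): the pattern match, not the literal name, is what carries across samples.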
<h4>
Notes
</h4>
The following Major I/O Request Packet (IRP) function was hooked in the kernel-mode driver: IRP_MJ_CREATE

If an updated version is available, it is downloaded from the Internet and installed; this is performed by services.exe. We also notice several unknown modules loaded. While previous versions could be intercepted by the firewall, this time the rootkit completely bypasses the firewall and packet sniffers.
For information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall.