We received copies of malware that are being discussed in public forums; they appear to be (variants of) known botnets. Here's what Norman and virustotal.com had to say about them [sanitized]:
eraseme:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Anti debug/emulation code present.
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 86016 bytes.
* MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\csrsc.exe.
* Deletes file c:\sample.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Creates key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
* Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
[ Network services ]
* Looks for an Internet connection.
* Connects to "[deleted]" on port 1863 (TCP).
* Sends data stream (30 bytes) to remote address "[deleted]", port 1863.
* Connects to IRC Server.
[ Process/window information ]
* Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
* Attempts to access service "npx".
* Creates a mutex LOLFOB.
[ Signature Scanning ]
* C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.
Virustotal: AntiVir 6.35.1.11 08.31.2006 Worm/Sdbot.86016.43

csrsc:
Norman:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Anti debug/emulation code present.
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 86016 bytes.
* MD5 hash: 5d8e6f1fc0d5b8e34947241d77c2311c.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\csrsc.exe.
* Deletes file c:\sample.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "MeltMe"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Creates key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "ImagePath"=""C:\WINDOWS\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\npx".
* Sets value "DisplayName"="Network Gateway Manager" in key "HKLM\System\CurrentControlSet\Services\npx".
* Deletes value "MeltMe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "Installed Time"="3/6/2006, 1:20 PM" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
* Sets value "WaitToKillServiceTimeout"="7000" in key "HKLM\System\CurrentControlSet\Control".
* Modifies value "UpdatesDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "FirewallDisableNotify"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "FirewallOverride"="^A" in key "HKLM\Software\Microsoft\Security Center".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
* Sets value "AUOptions"="^A" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update".
* Creates key "HKLM\System\CurrentControlSet\Services\wscsvc".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\wscsvc".
* Creates key "HKLM\System\CurrentControlSet\Services\TlntSvr".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\TlntSvr".
* Creates key "HKLM\System\CurrentControlSet\Services\RemoteRegistry".
* Creates key "HKLM\System\CurrentControlSet\Services\Messenger".
* Sets value "Start"="^D" in key "HKLM\System\CurrentControlSet\Services\Messenger".
* Sets value "restrictanonymous"="^A" in key "HKLM\System\CurrentControlSet\Control\Lsa".
* Creates key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanserver\parameters".
* Creates key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Sets value "AutoShareWks"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Sets value "AutoShareServer"="" in key "HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters".
* Creates key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
* Sets value "DoNotAllowXPSP2"="^A" in key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate".
* Creates key "HKLM\Software\Microsoft\OLE".
* Sets value "EnableDCOM"="N" in key "HKLM\Software\Microsoft\OLE".
* Sets value "Record"="??^N" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions".
[ Network services ]
* Looks for an Internet connection.
* Connects to "[DELETED]" on port 1863 (TCP).
* Sends data stream (30 bytes) to remote address "[DELETED]" port 1863.
* Connects to IRC Server.
* IRC: Uses nickname [XP||N|677795].
* IRC: Uses username XP88038.
* Opens URL: http://[DELETED]/prxjdg.cgi.
* Opens URL: http://[DELETED]/x/maxwell/cgi-bin/prxjdg.cgi.
* Opens URL: http://[DELETED]/mute/c/prxjdg.cgi.
* Opens URL: http://[DELETED]/tomocrus/cgi-bin/check/prxjdg.cgi.
* Opens URL: http://[DELETED]/cgi-bin/proxy.cgi.
* Opens URL: http://[DELETED]/little_w/prxjdg.cgi.
* IRC: Sets the usermode for user [XP||N|677795] to .
* IRC: Joins channel #NGEN with password [DELETED].
[ Process/window information ]
* Creates service "npx (Network Gateway Manager)" as ""C:\WINDOWS\csrsc.exe"".
* Attempts to access service "npx".
* Creates a mutex LOLFOB.
* Attempts to access service "Tlntsvr".
* Attempts to access service "RemoteRegistry".
* Attempts to access service "Messenger".
* Attempts to access service "SharedAccess".
* Attempts to access service "wscsvc".
[ Signature Scanning ]
* C:\WINDOWS\csrsc.exe (86016 bytes) : no signature detection.
Virustotal: Authentium 4.93.8 08.30.2006 no virus found

i.exe:
Virustotal: AntiVir 6.35.1.11 08.31.2006 Worm/Spybot.1093632

Reading up on what the antivirus community has written about these, they seem to attack through so many vectors that it's likely they affect poorly patched systems (and NT or any other legacy Windows version would make a prime target).

-- Swa Frantzen -- Section66.com
Swa, Aug 31st 2006