Psykel analysis of new CSW



#1 Psykel


Posted 14 July 2004 - 12:02 AM

This is in connection with http://forums.spywar...showtopic=14238
Some line breaks added to prevent horizontal scroll. cnm


Here ya go...! Hope it helps!

God Bless Virtual Drives!


___________________________________________________________

Installation Report: zz2yu
Generated by InCtrl5, version 1.0.0.0
Install program: C:\Documents and Settings\Harte-Hanks\Desktop\zz2yu.exe
7/13/2004 10:54 PM

------------------------------------------------------------
Registry
********

Keys ignored: 0
---------------
* (none)

Keys added: 4
-------------
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}

Values added: 8
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Unegr-Unaxf\Qrfxgbc\mm2lh.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce "9umef.exe"
Type: REG_SZ
Data: C:\WINNT\system32\9umef.exe
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849} "(Default)"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINNT\system32\b0y.dll
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "9umef.exe"
Type: REG_SZ
Data: C:\WINNT\system32\9umef.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs "b0y.dll"
Type: REG_SZ
Data: b0y.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs "b0y.dll"
Type: REG_SZ
Data: b0y.dll

Values changed: 2
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 00, 00, 00, 00, 17, 00, 00, 00, 80, 18, 90, 44, 54, 69, C4, 01
New data: 00, 00, 00, 00, 18, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: AE, 73, 38, C9, 2A, 25, 06, 15, 9D, DC, 0F, 22, FF, 6B, AA, 93,
4E, E5, FD, 6A, BA, 44, C8, 6D, AD, CC, 2F, AA, E7, 45, 54, 65, 5C, 25, 6F, 88, 8D,
2C, CD, B4, 47, A2, DA, 21, 25, 13, 5C, 9B, F5, D0, 43, 50, 99, 15, 12, 23, 56, 37,
59, 91, 95, 79, E2, 03, FF, 73, 1A, B6, 04, A5, 40, BE, 8B, 43, FF, 31, C6, 2D, 1F, 29

New data: F0, 30, 30, 91, D5, 16, 48, 7D, 99, 1F, CD, 17, 1C, 8E, 77, 01,
82, 29, 34, 17, 20, 58, 6D, 55, 7E, 27, 1A, 09, A7, B5, 57, 75, C7, 3B, B4, 8B, 6D,
2F, E2, 58, 27, 5A, 3B, 9B, 09, CE, 61, 2A, EA, 96, AC, 78, 23, DD, DA, 3A, 2E, 83,
D5, CA, FC, 19, D2, A1, 22, E7, 78, AB, 04, AB, 24, FE, CD, 08, DB, B9, D5, C2, 38,
2B
------------------------------------------------------------
Disk contents
*************

Drives tracked: 1
-----------------
* c:\

Files added: 7
--------------
c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\sres32a.tmp
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\sres32b.tmp
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\WINNT\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\WINNT\system32\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\WINNT\system32\9umef.exe
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes
c:\WINNT\system32\b0y.dll
Date: 7/13/2004 10:43 PM
Size: 384,580 bytes

Files changed: 9
----------------
c:\Documents and Settings\Harte-Hanks\NTUSER.DAT
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 282,624 bytes
New size: 282,624 bytes
c:\Documents and Settings\Harte-Hanks\ntuser.dat.LOG
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINNT\system32\config\SECURITY
Old date: 7/13/2004 10:43 PM
New date: 7/13/2004 10:43 PM
Old size: 24,576 bytes
New size: 24,576 bytes
c:\WINNT\system32\config\SECURITY.LOG
Old date: 7/13/2004 10:43 PM
New date: 7/13/2004 10:43 PM
Old size: 12,288 bytes
New size: 1,024 bytes
c:\WINNT\system32\config\software
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 7,278,592 bytes
New size: 7,282,688 bytes
c:\WINNT\system32\config\software.LOG
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINNT\system32\config\system
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 2,113,536 bytes
New size: 2,113,536 bytes
c:\WINNT\system32\config\SYSTEM.ALT
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 2,113,536 bytes
New size: 2,113,536 bytes
c:\WINNT\system32\wbem\Logs\wbemcore.log
Old date: 5/20/2004 12:49 PM
New date: 7/13/2004 10:46 PM
Old size: 21,063 bytes
New size: 21,119 bytes
------------------------------------------------------------
INI file
********

Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\winnt\control.ini
* c:\winnt\system.ini
* c:\winnt\win.ini
------------------------------------------------------------
Text file
*********

Text files tracked: 2
---------------------
* c:\winnt\system32\autoexec.nt
* c:\winnt\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
________________________________________________________________

And the HijackThis log to go with it after I InCtrl5'd it....

Logfile of HijackThis v1.98.0
Scan saved at 11:10:44 PM, on 7/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harte-Hanks\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINNT\system32\b0y.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [9umef.exe] C:\WINNT\system32\9umef.exe
O4 - HKCU\..\RunOnce: [9umef.exe] C:\WINNT\system32\9umef.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


I was unable to find b0y.dll or 9umef.exe on the drive, but I haven't checked through DOS yet.... if I find them I will submit them....


Cheers!

Hope you get your problem fixed, man! ('cause I got it now :) It's just my VD though; I can easily wipe it, but have kept it that way till something surfaces.)

#2 Psykel


Posted 15 July 2004 - 12:50 AM

Got the analysis of the b0y.dll; the other exe is just a copy of the first with another random name.... will post it shortly...
Plus I think I got it down. Will test the fix tomorrow... **UPDATE** Errgghh... no go yet, doing further analysis, discussing the possibility of this being another HackerDefender WDM Driv0r

Edited by Psykel, 15 July 2004 - 10:34 AM.


#3 Psykel


Posted 15 July 2004 - 12:51 PM

mmkay, here is the analysis of the b0y.dll. From what I have noted so far: I reset my virtual drive and reran the installer; the dll name stayed but the exe name randomized. I think that the actions of the exe it references may be slightly different... doing an analysis of it... also trying to decode what's going on in the sys file, but not having much luck. If anyone has any suggestions on that or anything else, feel free to give 'em... or if you would like copies of all files and reports so far, just email me....



Installation Report: Microsoft© Register Server
Generated by InCtrl5, version 1.0.0.0
Install program: C:\WINNT\system32\regsvr32.exe c:\winnt\system32\b0y.dll
7/14/2004 3:02 AM

------------------------------------------------------------
Registry
********

Keys ignored: 0
---------------
* (none)

Keys added: 3
-------------
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}

Values added: 4
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\JVAAG\flfgrz32\ertfie32.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 80, A7, 47, 4E, 77, 69, C4, 01
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849} "(Default)"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "(Default)"
Type: REG_SZ
Data: c:\WINNT\system32\b0y.dll
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment

Values changed: 2
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 00, 00, 00, 00, 38, 00, 00, 00, B0, DD, 91, BC, 76, 69, C4, 01
New data: 00, 00, 00, 00, 39, 00, 00, 00, A0, 13, 43, 4E, 77, 69, C4, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY
Old data: D9, B3, 57, 7E, 48, DB, 84, 9D, 2A, DA, A3, 08, 00, D9, FC, 00, 5F, 32, 33, A6, 5F, 3C, 7A, A9, B0, 36, 8A, 68, 9B, CC, 40, 1D, 8C, AF, DF, C5, 37, 35, 23, CA, 78, 21, 72, 7A, F2, 54, 0E, 79, 80, A9, 8F, B8, 20, 70, 93, 1C, 21, E8, A3, 92, 55, A7, 3E, A6, E5, 69, EB, 56, 10, 47, B0, C9, B7, 88, 1C, 73, C3, 9F, 67, FD
New data: 90, 8B, AB, 91, F1, 08, 21, C9, C4, BB, 8A, 00, 9A, F1, 6D, 1A, 50, E1, 34, 1F, 75, 91, 5C, 22, 5B, 91, 4D, 2C, 9F, 9C, 36, FA, 42, D9, 3C, D6, A5, E0, ED, 3C, 96, 33, 38, EB, 65, DF, 6F, E8, 5B, FF, 0E, 62, 1C, 62, 12, AC, B9, 78, E9, 9C, D6, 18, 6E, EB, F2, 54, EA, 77, C6, 40, 16, F3, 48, CF, F9, D1, 08, 35, 5F, 94
------------------------------------------------------------
Disk contents
*************

Drives tracked: 1
-----------------
* c:\

Files changed: 5
----------------
c:\Documents and Settings\Harte-Hanks\NTUSER.DAT
Old date: 7/14/2004 2:48 AM
New date: 7/14/2004 2:51 AM
Old size: 323,584 bytes
New size: 323,584 bytes
c:\Documents and Settings\Harte-Hanks\ntuser.dat.LOG
Old date: 7/14/2004 2:48 AM
New date: 7/14/2004 2:51 AM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINNT\system32\config\software
Old date: 7/14/2004 2:47 AM
New date: 7/14/2004 2:51 AM
Old size: 7,282,688 bytes
New size: 7,282,688 bytes
c:\WINNT\system32\config\software.LOG
Old date: 7/14/2004 2:47 AM
New date: 7/14/2004 2:51 AM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINNT\system32\wbem\Logs\wbemcore.log
Old date: 7/14/2004 2:37 AM
New date: 7/14/2004 2:56 AM
Old size: 21,231 bytes
New size: 21,287 bytes
------------------------------------------------------------
INI file
********

Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\winnt\control.ini
* c:\winnt\system.ini
* c:\winnt\win.ini
------------------------------------------------------------
Text file
*********

Text files tracked: 2
---------------------
* c:\winnt\system32\autoexec.nt
* c:\winnt\system32\config.nt
------------------------------------------------------------
InCtrl5, Copyright 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
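Added example, not part of Psykel's posts or of InCtrl5's output: the UserAssist value names in both reports (post #1's zz2yu.exe run and post #3's regsvr32 run) are ROT13-encoded, and the 16-byte REG_BINARY carries a session id, a run counter and a last-run FILETIME. This Python decodes the entries copied from the two reports; the first comes out as UEME_RUNPATH:C:\Documents and Settings\Harte-Hanks\Desktop\zz2yu.exe, run count 6, last run 2004-07-14 03:43:35 UTC, which lines up with the 10:43 PM local stamp InCtrl5 put on b0y.dll if the machine was at UTC-5 (an assumption, not stated in the thread).

```python
import codecs, re, struct
from datetime import datetime, timedelta, timezone

# Constructed input: the UserAssist entries from the InCtrl5 reports in
# posts #1 and #3, re-joined where the forum wrapped them across lines.
REPORT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Unegr-Unaxf\Qrfxgbc\mm2lh.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 00, 00, 00, 00, 17, 00, 00, 00, 80, 18, 90, 44, 54, 69, C4, 01
New data: 00, 00, 00, 00, 18, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\JVAAG\flfgrz32\ertfie32.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 80, A7, 47, 4E, 77, 69, C4, 01
'''
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist_blob(hex_csv: str) -> dict:
    """InCtrl5 dumps the 16-byte value as 'AA, BB, ...'; the layout on
    Windows 2000/XP is <session:u32><run count:u32><last run FILETIME:u64>, LE."""
    raw = bytes(int(b, 16) for b in hex_csv.split(','))
    session, count, ft = struct.unpack('<IIQ', raw)
    return {'session': session, 'count': count, 'last_run': filetime_to_datetime(ft)}

def parse_userassist(report: str) -> list:
    """Return (ROT13-decoded name, blob dict) for every UserAssist\\Count
    value in the text, accepting 'Data:' (added) and 'New data:' (changed) lines."""
    entries, name = [], None
    for line in report.splitlines():
        m = re.search(r'\\UserAssist\\\{[0-9A-F-]+\}\\Count "([^"]+)"', line)
        if m:
            name = codecs.decode(m.group(1), 'rot13')   # HRZR_EHACNGU -> UEME_RUNPATH
            continue
        m = re.match(r'(?:New )?[Dd]ata:\s*(.+)', line)  # skips 'Old data:' on purpose
        if m and name:
            entries.append((name, decode_userassist_blob(m.group(1))))
            name = None
    return entries

if __name__ == '__main__':
    for name, info in parse_userassist(REPORT):
        print(f"{info['last_run']:%Y-%m-%d %H:%M:%S} UTC  run #{info['count']:<2}  {name}")
```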

#4 Psykel


Posted 15 July 2004 - 10:30 PM

Running a quick analysis but I think I got a fix.... post soon


Supposedly TrendMicro fixes this as of today... I have just been told but I haven't tested it yet...



