Unknown Executable

This executable was found by one of our constituents. I am not sure what it does. It is not detected by anti-virus (except Panda, maybe). It has curious icons in it, and appears to be written with Delphi. Googling for some randomly chosen binary strings inside the icon revealed several compromised php and cvs sites serving up executables with this image.

Besides this, the machine was a run-of-the-mill IRC bot.

Quick analysis

Well, after taking a quick look at this exe, I would conclude that it is looking for components that it doesn't have (or at least I don't have).

According to debugview there are only two debug statements:
00000000 0.00000000 [964] here
00000001 0.00221872 [964] here1

Filemon records some semi-interesting, but unenlightening ops:
1758 11:04:35 AM logon.exe:1340 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS FileNameInformation
1759 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop SUCCESS Options: Open Directory Access: Traverse
1760 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 355328 Length: 9216
1761 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 364544 Length: 512
1762 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 350208 Length: 5120
1763 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.exe.Local NOT FOUND Options: Open Access: All
1767 11:04:35 AM logon.exe:1340 OPEN C:\WINNT\system32\ole32.dll SUCCESS Options: Open Access: All
1768 11:04:35 AM logon.exe:1340 QUERY INFORMATION C:\WINNT\system32\ole32.dll SUCCESS Attributes: A
1769 11:04:35 AM logon.exe:1340 CLOSE C:\WINNT\system32\ole32.dll SUCCESS
1770 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 320512 Length: 29696
1771 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 17408 Length: 32768
1772 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 1024 Length: 16384
1773 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 111616 Length: 32768
1774 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 66560 Length: 32768
1775 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 50176 Length: 16384
1776 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU NOT FOUND Options: Open Access: All
1777 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU NOT FOUND Options: Open Access: All
1778 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU.DLL NOT FOUND Options: Open Access: All
1779 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.EN NOT FOUND Options: Open Access: All
1780 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.EN NOT FOUND Options: Open Access: All
1781 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.EN.DLL NOT FOUND Options: Open Access: All
1782 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 390656 Length: 16384
1783 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 407040 Length: 5632
1784 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 99328 Length: 12288
1785 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 156672 Length: 32768
1786 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 144384 Length: 12288
1787 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 287744 Length: 32768
1788 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 254976 Length: 32768
1789 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 222208 Length: 32768
1790 11:04:35 AM logon.exe:1340 READ C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Offset: 189440 Length: 32768
1791 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Options: Open Access: All
1792 11:04:35 AM logon.exe:1340 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Attributes: A
1793 11:04:35 AM logon.exe:1340 CLOSE C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS
1794 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Options: Open Access: All
1795 11:04:35 AM logon.exe:1340 QUERY INFORMATION C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Attributes: A
1796 11:04:35 AM logon.exe:1340 CLOSE C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS
3674 11:04:50 AM logon.exe:1340 READ C: SUCCESS Offset: 226304 Length: 4096
3675 11:04:50 AM logon.exe:1340 READ C: SUCCESS Offset: 407552 Length: 16384
3678 11:04:50 AM logon.exe:1340 CLOSE C:\Documents and Settings\Administrator\Desktop SUCCESS

(Notice that it seems to be looking for logon.dll/logon.en.dll.)

It makes no network connections in its current state, either on WinXP or Win2k.

It doesn't write any registry keys, and it doesn't look like it spawns any remote threads.

Finally, a scan with RootkitRevealer doesn't reveal anything else interesting.

According to the number of imports/type of imports it certainly does look suspicious, but I don't think a conclusion one way or another could be made about this exe at this time.

Could the person that submitted this also contribute the possible DLLs (logon.dll/logon.en.dll)?
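One way to turn the Filemon output above into a repeatable check, as an added example that is not part of the original posts: a small parser for Filemon's text layout plus a function that lists the files a process tried to open beside its own image and did not find (here logon.ENU and the .DLL variants), which is the pattern the poster noticed. The sample lines are constructed from the log above, and the function names are my own.

```python
import re

# Constructed sample in Filemon's text layout (seq, time, process:pid, op, path, result,
# details); it mirrors the probes seen in the log above and is not the full capture.
SAMPLE_LOG = r"""
1763 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.exe.Local NOT FOUND Options: Open Access: All
1767 11:04:35 AM logon.exe:1340 OPEN C:\WINNT\system32\ole32.dll SUCCESS Options: Open Access: All
1776 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU NOT FOUND Options: Open Access: All
1777 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU NOT FOUND Options: Open Access: All
1778 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.ENU.DLL NOT FOUND Options: Open Access: All
1781 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.EN.DLL NOT FOUND Options: Open Access: All
1791 11:04:35 AM logon.exe:1340 OPEN C:\Documents and Settings\Administrator\Desktop\logon.exe SUCCESS Options: Open Access: All
"""

# Paths contain spaces, so the path is matched lazily and anchored by the result keyword.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|CLOSE|READ|WRITE|QUERY INFORMATION|SET INFORMATION|DIRECTORY|CREATE|DELETE)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NOT FOUND|PATH NOT FOUND|ACCESS DENIED|SHARING VIOLATION)"
    r"(?:\s+(?P<detail>.*))?$")

def parse_filemon(text):
    """Parse Filemon text output into event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line.strip()) for line in text.splitlines()) if m]

def find_sideload_probes(events):
    """Per process: files it tried to OPEN beside its own image, named <stem>.*, and did not find.
    Those are companion DLL/resource lookups, i.e. names a planted file in that directory could take."""
    image_dir = {}
    for ev in events:  # locate each process's image directory from a successful open of itself
        d, _, name = ev["path"].rpartition("\\")
        if ev["result"] == "SUCCESS" and name.lower() == ev["proc"].lower():
            image_dir.setdefault(ev["proc"], d.lower())
    probes = {}
    for ev in events:
        if ev["op"] != "OPEN" or ev["result"] != "NOT FOUND":
            continue
        d, _, name = ev["path"].rpartition("\\")
        proc = ev["proc"].lower()
        if d.lower() != image_dir.get(ev["proc"]) or name.lower() == proc + ".local":
            continue  # wrong directory, or the loader's routine <image>.Local check
        if name.lower().startswith(proc.rsplit(".", 1)[0] + "."):
            found = probes.setdefault(ev["proc"], [])
            if name not in found:
                found.append(name)
    return probes
```

Run against a full Filemon capture, the result tells you which file names next to the binary would be picked up if they existed, which is exactly what the poster is asking the submitter to look for.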

Analysis

This executable is a Windows service written in Delphi. It really doesn't do anything right now, so I have a feeling that it's someone's test app or dummy service framework. Based on the class, TLogins, and its DisplayName property, "Microsoft Windows Login Service", I suspect it is intended to eventually be a trojan login service to sniff passwords, etc. It has a single function, ServiceStart, that looks like this:

00455FCC 53 push ebx
00455FCD 8BD8 mov ebx, eax
00455FCF 6A00 push $00

* Possible String Reference to: 'c:\winnt\system32\config\Profiles\logon.exe'
|
00455FD1 68F85F4500 push $00455FF8

* Reference to: kernel32.WinExec()
|
00455FD6 E8C902FBFF call 004062A4
00455FDB 33D2 xor edx, edx

* Reference to control TLogons.Timer1 : TTimer
|
00455FDD 8B83F0000000 mov eax, [ebx+$00F0]

* Reference to: ExtCtrls.TTimer.SetEnabled(TTimer;Boolean);
|
00455FE3 E8F03EFDFF call 00429ED8
00455FE8 6A00 push $00

* Possible String Reference to: 'net stop logons'
|
00455FEA 6824604500 push $00456024

* Reference to: kernel32.WinExec()
|
00455FEF E8B002FBFF call 004062A4
00455FF4 5B pop ebx
00455FF5 C3 ret

It tries to start another executable, possibly itself, as 'c:\winnt\system32\config\Profiles\logon.exe'. With the Windows directory being called WINNT, I'm guessing this is targeting Win2k. After that it stops a timer and stops the logins service (itself?) with the "net stop" command.

I'd be interested to see if the executable referenced in this function appears on the infected machines and whether or not it's the same as this one.

All in all, this program is probably harmless at this point in time. But I strongly suspect that the author was far from done with it.