
Dialer/Trojan/Proxy combo


-Running internet explorer: 3 malware exes installed.
-Time spent finding out what they are: 30 minutes.
-Having added malware protection on computer: Priceless!

There were 3 identified executables on the system:

1. "C:\OPT.EXE" (UPLOADED)
(MD5: 4e618ca11b22732f412bafdac9028b19)

2. "C:\Windows\System32\Logon.exe" (UPLOADED)
(MD5: 45a4a0413d7ddb6f351373a8b96f16d2)

3. "C:\BMM.EXE" (UPLOADED)
(MD5: ce85d7161a670b33d50b87335b27b5ca)

Also, a file called "C:\.rnd" was present, but I guess that it was just a data file.

There were 2 entries in the registry:
(HKLM..blablabla..Run)

"DHCP Hotfix" = "C:\opt.exe"
"Windows Logon Application"="C:\WINDOWS\System32\logon.exe"

("Logon.exe" was "hidden" using file attributes.)

Even if you remove these files, FTP.EXE attempts to download the files again. Something is missing, will go look and upload whatever it is.

--------------------

1. "C:\OPT.EXE"
**** At a glance: ****

Looks compressed with an exe packer.

**** Fileinfo: ****

File name: "C:\opt.exe"
File size: 22289 bytes
MD5: 4e618ca11b22732f412bafdac9028b19
SHA1: 353c3070a209bfd50e55526f0600050eaefd906f

**** Virustotal report: ****

Antivirus Version Update Result
AntiVir 6.35.1.0 08.15.2006 TR/Proxy.Ranky.FY.1
Authentium 4.93.8 08.14.2006 no virus found
Avast 4.7.844.0 08.15.2006 no virus found
AVG 386 08.15.2006 Proxy.EDW
BitDefender 7.2 08.15.2006 Trojan.Proxy.Ranky.Gen
CAT-QuickHeal 8.00 08.14.2006 TrojanProxy.Ranky.fy
ClamAV devel-20060426 08.15.2006 no virus found
DrWeb 4.33 08.15.2006 Trojan.Proxy.1036
eTrust-InoculateIT 23.72.97 08.15.2006 no virus found
eTrust-Vet 30.3.3021 08.15.2006 no virus found
Ewido 4.0 08.15.2006 Proxy.Ranky.fy
Fortinet 2.77.0.0 08.15.2006 W32/Ranky.FY!tr
F-Prot 3.16f 08.14.2006 no virus found
F-Prot4 4.2.1.29 08.14.2006 Possibly a new unknown PE_Virus!Maximus
Ikarus 0.2.65.0 08.15.2006 no virus found
Kaspersky 4.0.2.24 08.15.2006 Trojan-Proxy.Win32.Ranky.fy
McAfee 4829 08.14.2006 no virus found
Microsoft 1.1560 08.14.2006 no virus found
NOD32v2 1.1707 08.15.2006 Win32/TrojanProxy.Ranky
Norman 5.90.23 08.15.2006 W32/Rank.ABU
Panda 9.0.0.4 08.14.2006 Trj/Ranky.PV
Sophos 4.08.0 08.15.2006 no virus found
Symantec 8.0 08.15.2006 Backdoor.Ranky
TheHacker 5.9.8.192 08.14.2006 W32/Bagle.gen@MM
UNA 1.83 08.14.2006 TrojanProxy.Win32.Ranky.29BE
VBA32 3.11.0 08.14.2006 Trojan-Proxy.Win32.Ranky.fy
VirusBuster 4.3.7:9 08.14.2006 no virus found

--------------------

2. "C:\Windows\System32\Logon.exe"

**** Fileinfo: ****

File name: "C:\Windows\System32\Logon.exe"
File size: 265216 bytes
MD5: 45a4a0413d7ddb6f351373a8b96f16d2
SHA1: 37dcee7a14bb67c3cc6e29fba7eee0d96563b1c2

**** At a glance: ****

Looks packed (the API calls look like the ones UPX-compatible packers use).
Could be a second binary attached.

**** Virustotal report: ****

Antivirus Version Update Result
AntiVir 6.35.1.0 08.15.2006 TR/PSW.Lineage.ZH.2
Authentium 4.93.8 08.14.2006 W32/Lineage.BAD@pws
Avast 4.7.844.0 08.15.2006 Win32:SdBot-gen22
AVG 386 08.15.2006 PSW.Generic2.CHR
BitDefender 7.2 08.15.2006 Trojan.Pws.Lineage.ZH
CAT-QuickHeal 8.00 08.14.2006 TrojanPSW.Lineage.zh
ClamAV devel-20060426 08.15.2006 no virus found
DrWeb 4.33 08.15.2006 Win32.HLLW.Shepher
eTrust-InoculateIT 23.72.97 08.15.2006 Win32/Rbot.6wj!Worm
eTrust-Vet 30.3.3021 08.15.2006 Win32/Linkbot.AN
Ewido 4.0 08.15.2006 Trojan.Lineage.zh
Fortinet 2.77.0.0 08.15.2006 W32/Lineage.ZH!tr.pws
F-Prot 3.16f 08.14.2006 security risk named W32/Lineage.BAD@pws
F-Prot4 4.2.1.29 08.14.2006 W32/Lineage.BAD@pws
Ikarus 0.2.65.0 08.15.2006 no virus found
Kaspersky 4.0.2.24 08.15.2006 Trojan-PSW.Win32.Lineage.zh
McAfee 4829 08.14.2006 W32/Sdbot.worm.gen.n
Microsoft 1.1560 08.14.2006 Backdoor:Win32/Rbot!2EAE
NOD32v2 1.1707 08.15.2006 a variant of Win32/Poebot
Norman 5.90.23 08.15.2006 W32/Lineage.CKE
Panda 9.0.0.4 08.15.2006 Trj/Lineage.ALW
Sophos 4.08.0 08.15.2006 no virus found
Symantec 8.0 08.15.2006 W32.IRCBot
TheHacker 5.9.8.192 08.14.2006 Trojan/PSW.Lineage.zh
UNA 1.83 08.14.2006 Trojan.PSW.Win32.Lineage
VBA32 3.11.0 08.14.2006 Trojan-PSW.Win32.Lineage.zh
VirusBuster 4.3.7:9 08.15.2006 Trojan.PWS.Lineage.ST

3. "C:\BMM.EXE" (UPLOADED)

**** At a glance: ****

Looks packed.

Contains some (uncompressed) strings:
"SoftComp"
"http://news.yahoo.com/"
"PAangel@tombul dialer"

**** Fileinfo: ****

File name: "C:\BMM.EXE"
File size: 32529 bytes
MD5: ce85d7161a670b33d50b87335b27b5ca
SHA1: 1c2b8fcb9b15d3a665e7f32dde5cc96665c6a497

**** Virustotal report: ****

Antivirus Version Update Result
AntiVir 6.35.1.0 08.15.2006 TR/Dialer.QY
Authentium 4.93.8 08.14.2006 no virus found
Avast 4.7.844.0 08.15.2006 no virus found
AVG 386 08.15.2006 Dialer.CDE
BitDefender 7.2 08.15.2006 MemScan:Trojan.Dialer.DT
CAT-QuickHeal 8.00 08.14.2006 Trojan.Dialer.qy
ClamAV devel-20060426 08.15.2006 no virus found
DrWeb 4.33 08.15.2006 Dialer.Riprova
eTrust-InoculateIT 23.72.97 08.15.2006 no virus found
eTrust-Vet 30.3.3021 08.15.2006 no virus found
Ewido 4.0 08.15.2006 Trojan.Dialer.u
Fortinet 2.77.0.0 08.15.2006 W32/Dialer.QY!tr
F-Prot 3.16f 08.14.2006 no virus found
F-Prot4 4.2.1.29 08.14.2006 no virus found
Ikarus 0.2.65.0 08.15.2006 no virus found
Kaspersky 4.0.2.24 08.15.2006 Trojan.Win32.Dialer.qy
McAfee 4829 08.14.2006 QDial-46
Microsoft 1.1560 08.14.2006 no virus found
NOD32v2 1.1707 08.15.2006 Win32/Dialer.U
Norman 5.90.23 08.15.2006 W32/Dialer.AFNA
Panda 9.0.0.4 08.15.2006 no virus found
Sophos 4.08.0 08.15.2006 no virus found
Symantec 8.0 08.15.2006 no virus found
TheHacker 5.9.8.192 08.14.2006 W32/Bagle.gen@MM
UNA 1.83 08.14.2006 Trojan.Win32.Dialer.8E6A
VBA32 3.11.0 08.14.2006 Trojan.Win32.Dialer.u
VirusBuster 4.3.7:9 08.15.2006 no virus found

Final piece

Ok, found the last unique binary:

"C:\Windows\System32\Algs.exe" (Already present)
(MD5:dd5a39c1281a7a7cb0a1978aa5412fd8)

It was quite easy to find it. Marking malware with attribute H makes them stand out like elephant droppings in a candy store.

**** At a glance: ****

Contains some API calls for file searching (like FindNextFileA), environment variables (GetEnvironmentStrings), desktop messaging (MessageBoxA), and file I/O (CreateFileA and ReadFile).

Looks uncompressed; that does not exclude the possibility of an extra payload though.

**** Fileinfo: ****

Filename: "Algs.exe"
File size: 90624 bytes
MD5: dd5a39c1281a7a7cb0a1978aa5412fd8
SHA1: f1ba46b4fd0169efaec15d64562fdcfa1d0b2aa0

**** Virustotal report: ****

Antivirus Version Update Result
AntiVir 6.35.1.0 08.15.2006 BDS/PoeBot.B.9
Authentium 4.93.8 08.14.2006 W32/Spybot.HYD
Avast 4.7.844.0 08.15.2006 Win32:Small-WP
AVG 386 08.15.2006 IRC/BackDoor.SdBot.KCI
BitDefender 7.2 08.15.2006 Backdoor.Poebot.B
CAT-QuickHeal 8.00 08.14.2006 Backdoor.PoeBot.b
ClamAV devel-20060426 08.15.2006 Trojan.Poebot-14
DrWeb 4.33 08.15.2006 Win32.HLLW.Shepher
eTrust-InoculateIT 23.72.97 08.15.2006 Win32/Linkbot.28672!Worm
eTrust-Vet 30.3.3021 08.15.2006 Win32/Linkbot.AC
Ewido 4.0 08.15.2006 Backdoor.PoeBot.b
Fortinet 2.77.0.0 08.15.2006 W32/Poebot.B!worm
F-Prot 3.16f 08.14.2006 security risk named W32/Spybot.HYD
F-Prot4 4.2.1.29 08.14.2006 W32/Spybot.HYD
Ikarus 0.2.65.0 08.15.2006 Trojan-Dropper.Win32.Agent.YE
Kaspersky 4.0.2.24 08.15.2006 Backdoor.Win32.PoeBot.b
McAfee 4829 08.14.2006 W32/Poebot.dam
Microsoft 1.1560 08.14.2006 Backdoor:Win32/Poebot.C
NOD32v2 1.1707 08.15.2006 Win32/Poebot.NAL
Norman 5.90.23 08.15.2006 W32/Poebot.J
Panda 9.0.0.4 08.15.2006 Bck/PoeBot.B
Sophos 4.08.0 08.15.2006 W32/Poebot-K
Symantec 8.0 08.15.2006 W32.Linkbot.M
TheHacker 5.9.8.192 08.14.2006 Backdoor/PoeBot.b
UNA 1.83 08.14.2006 Backdoor.Poebot.E80D
VBA32 3.11.0 08.14.2006 Backdoor.Win32.PoeBot.b
VirusBuster 4.3.7:9 08.15.2006 Worm.PoeBot.N
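As an added example (not part of the thread or of any tool mentioned in it), a small Python helper that parses pasted VirusTotal lines in the format of the four reports above, skips the header line, treats "no virus found" as clean, and tallies which family token the most vendors agree on. The GENERIC token list is my own assumption about which name parts are categories rather than families; the sample is an excerpt of the opt.exe report.

```python
import re
from collections import Counter

# One pasted VirusTotal line: vendor, engine version, signature date, free-text result
# (the result may contain spaces, e.g. "no virus found").
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.+?)\s*$")
CLEAN = {"no virus found"}  # wording VirusTotal used for a clean verdict in these reports
# Category/platform tokens that carry no family information (assumed list, not exhaustive).
GENERIC = {"win32", "w32", "trojan", "tr", "trj", "backdoor", "bds", "bck", "worm",
           "gen", "pws", "psw", "virus", "variant", "security", "risk", "named"}

# Excerpt of the opt.exe report from the post; the header line is kept to show it is skipped.
SAMPLE = """Antivirus Version Update Result
AntiVir 6.35.1.0 08.15.2006 TR/Proxy.Ranky.FY.1
Authentium 4.93.8 08.14.2006 no virus found
BitDefender 7.2 08.15.2006 Trojan.Proxy.Ranky.Gen
F-Prot4 4.2.1.29 08.14.2006 Possibly a new unknown PE_Virus!Maximus
Kaspersky 4.0.2.24 08.15.2006 Trojan-Proxy.Win32.Ranky.fy
NOD32v2 1.1707 08.15.2006 Win32/TrojanProxy.Ranky
Symantec 8.0 08.15.2006 Backdoor.Ranky
VirusBuster 4.3.7:9 08.14.2006 no virus found
"""

def parse_report(text):
    """Return (vendor, result) pairs; header, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(4)))
    return rows

def family_votes(rows):
    """One vote per vendor for each candidate family token in its detection name."""
    votes = Counter()
    for _, result in rows:
        if result.lower() in CLEAN:
            continue
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", result)}
        votes.update(t for t in tokens if len(t) >= 4 and not t.isdigit() and t not in GENERIC)
    return votes

def summarize(text):
    """Detection ratio plus the family name the largest number of vendors agree on."""
    rows = parse_report(text)
    detected = sum(1 for _, r in rows if r.lower() not in CLEAN)
    family, agreeing = (family_votes(rows).most_common(1) or [("unknown", 0)])[0]
    return {"engines": len(rows), "detected": detected, "family": family, "agreeing": agreeing}

print(summarize(SAMPLE))  # {'engines': 8, 'detected': 6, 'family': 'ranky', 'agreeing': 5}
```

Paste any of the four reports above into SAMPLE to see that the consensus family (Ranky, Lineage, Dialer, Poebot) matches the post's own reading of each binary.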

good work

I also like your humor :)

V.