Tracking Down Malware Infection #2 | Joachim De Zutter
Infected Computer

The infected machine was located in Belgium, in the 81.11.183.0/24 IP range (February 17th, 2010).

PrevX 3.0 identifies the files as High Risk Cloaked Malware

[Image: screenshot1.jpg]
[Image: screenshot2.jpg]
[Image: screenshot3.jpg]
[Image: screenshot4.jpg]

Filenames: dgvx.exe, fhra.exe, kxkt.exe, webs.exe
Filesize: 109568
MD5: 0111f45c129dffb1ffc45a2bd1ad939a
SHA1: 08b08f24991aa2660d3e82ab470066c65c95bb3e
SHA256: 4bf4a8e44e7cf069bd9658c010a7a7b1b7eb686ba92564c4d055365006f85e62

Filenames: soot.exe, yv8g67.exe
Filesize: 217088
MD5: 43ab5da7154078b86c16ab31578e91e6
SHA1: 43f3a01b9a214a2cf00c363ee2ba3436e9713aa9
SHA256: 79a74a75b47656b136fccc7b505ddff0c5b7c8a11ec29dcff8e75210ea99bbd1

Filenames: 142.exe, dasuhyw6[1].exe
Filesize: 44544
MD5: 4db09c6f0d79db2b31e423f2be9e397f
SHA1: 541b18544240917275e247c8859089000dc8ed47
SHA256: 592a8a4f63bf60ce88fb40979c98698b98bd70693e2ff8185b79006a6189b45a

Filenames: 066.exe, 134.exe, 282.exe, 602.exe, cccceewd2[1].exe
Filesize: 44544
MD5: 9dac15bdfb10c8b4d7d9409b76367bf0
SHA1: 8afe5dc6272b4b86e3426971c70fa8c7d1e4f3e0
SHA256: a25ddb86e769747789339eb0dcaed00952b3baecbb017d64352dc37318c6e68e

Filenames: 501.exe, 548.exe, 553.exe, 697.exe, dcewwdq4[1].exe
Filesize: 44544
MD5: 9f0555d15d1c1f8866fb816fc7401096
SHA1: 153a3304d6ef61f19b2113d9a792fdfa1f838d85
SHA256: 44bb0a1e9262002675500adfdcff30b2322b7bc436ddec368458798bbff0f709

Filenames: 735.exe, ewdqqwue3[1].exe
Filesize: 44544
MD5: bdd95339117fb7b6235a31c4a044ebc5
SHA1: 02b81faac5199a8598e79745d24125241ad660de
SHA256: 98c7b74380a469afc1d778005d0e928e1370d45517c0a00d85d65232c8ed3389

Filenames: 757.exe, sjd72hkjh1[1].exe
Filesize: 44544
MD5: bbf081b12afea6e364b9d5ad6f20cfa1
SHA1: 542fae2ad7e054b694d16cff2bbdb0eff76593a3
SHA256: 93ee1ad2c88ed4976192440607c50f51a09f8db1f938f8e5cd199f810cc4428e

Filename: 862.exe
Filesize: 44544
MD5: bdd95339117fb7b6235a31c4a044ebc5
SHA1: 02b81faac5199a8598e79745d24125241ad660de
SHA256: 98c7b74380a469afc1d778005d0e928e1370d45517c0a00d85d65232c8ed3389

Filenames: 007.exe, 094.exe, 415.exe, 650.exe, 986.exe, bgvrerhc5[1].exe, ijswygcb5[1].exe
Filesize: 44544
MD5: f529b0b3d30378bb13f60dd08113846f
SHA1: 4e3af0d44a4a7473f95b4858db8eee19ba60058c
SHA256: 7735bdd23a3e1d5bd34a5b1d8e60c1eaf501c61694ba64f8b689dd1a58cd726f

Files under %HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp:

16/02/2010 21:40 44.544 757.exe
---
16/02/2010 22:00 44.544 142.exe
---
16/02/2010 22:05 44.544 094.exe
---
16/02/2010 22:25 44.544 986.exe
---
16/02/2010 22:51 44.544 007.exe
---
17/02/2010 11:35 44.544 282.exe
17/02/2010 11:35 44.544 548.exe
---
17/02/2010 13:16 44.544 415.exe
17/02/2010 13:16 44.544 862.exe
---
17/02/2010 13:41 44.544 134.exe
17/02/2010 13:41 44.544 697.exe
---
17/02/2010 14:36 44.544 066.exe
17/02/2010 14:36 44.544 553.exe
---
17/02/2010 14:45 44.544 650.exe
17/02/2010 14:45 44.544 735.exe
---
17/02/2010 16:22 44.544 501.exe
17/02/2010 16:22 44.544 602.exe

Files under %HOMEDRIVE%%HOMEPATH%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\:

16/02/2010 21:40 44.544 sjd72hkjh1[1].exe
---
16/02/2010 22:00 44.544 dasuhyw6[1].exe
---
16/02/2010 22:05 44.544 ijswygcb5[1].exe
---
17/02/2010 11:35 35.329 MsgrConfig[2].xml
17/02/2010 11:35 5.725 mymsn[6].js
17/02/2010 11:35 33.927 citibank_cards20euro_hottub_180x150_nl_001[1].swf
17/02/2010 11:35 617 ADSAdClient31[5].htm
17/02/2010 11:35 1.343 MobileMessengerTab_24x24[5].png
17/02/2010 11:35 191 mymsn[6].htm
17/02/2010 11:35 7.586 87164B2F861E7C52164E358D829F40[1].jpg
17/02/2010 11:35 43.228 92E84C796A132F9F8718FC45C7F042[1].jpg
17/02/2010 11:35 44.544 dcewwdq4[1].exe
17/02/2010 11:35 44.544 cccceewd2[1].exe
17/02/2010 11:36 24.132 citibank_cards20euro_kus_234x60_nl_001[2].swf
---
17/02/2010 13:16 44.544 bgvrerhc5[1].exe
17/02/2010 13:16 44.544 ewdqqwue3[1].exe
---
17/02/2010 14:37 191 mymsn[5].htm
17/02/2010 14:37 686 messengerscripttracking[1].htm
17/02/2010 14:37 617 ADSAdClient31[6].htm
17/02/2010 14:37 3.975 ix[1].e
17/02/2010 14:37 24.132 citibank_cards20euro_kus_234x60_nl_001[1].swf

C:\RECYCLER\S-1-5-21-6957657985-8434642819-664311076-0164>DIR /A:H

16/02/2010 21:40 217.088 yv8g67.exe

attrib -R -H -S yv8g67.exe
(clears the read-only, hidden and system attributes so the file can be deleted in safe mode)

njuee0215fd.exe
File size: 217088 bytes
MD5: 43ab5da7154078b86c16ab31578e91e6
SHA1: 43f3a01b9a214a2cf00c363ee2ba3436e9713aa9
SHA256: 79a74a75b47656b136fccc7b505ddff0c5b7c8a11ec29dcff8e75210ea99bbd1
sigcheck: publisher....: Q7ExHiINRyysTz
product......: LYwrI4Mrjfs8NR62At
original name: LW8Cm.exe
internal name: LW8Cm
file version.: 11.04.0018

http://www.virustotal.com/analisis/79a74a75b47656b136fccc7b505ddff0c5b7c8a11ec29dcff8e75210ea99bbd1-1266363339

This Win32 Visual Basic trojan dropper (it depends on MSVBVM60.DLL) downloaded and dropped 757.exe (MD5: bbf081b12afea6e364b9d5ad6f20cfa1, cached by the browser as sjd72hkjh1[1].exe) and others through Internet Explorer.
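The evidence for "downloaded through IE" is the pairing between the two DIR listings above: each 44544-byte drop in %Temp% has a same-sized .exe that landed in the Temporary Internet Files cache in the same minute. The following script makes that correlation explicit. It is an added example, not tooling from the original post; the listing lines are copied from the post (some of the ad and Messenger noise in the cache listing is omitted), and the parsing assumes the Belgian-locale DIR format shown, where "." is the thousands separator.

```python
"""Pair each executable dropped in %Temp% with the same-sized .exe that
appeared in the IE cache during the same minute.  Added example: the
listings are copied from the post, the correlation logic is not the
author's own tooling."""
from collections import defaultdict
from datetime import datetime
import re

# DIR output as printed on this Belgian-locale machine ('.' is a thousands separator)
TEMP_LISTING = """
16/02/2010 21:40 44.544 757.exe
16/02/2010 22:00 44.544 142.exe
16/02/2010 22:05 44.544 094.exe
16/02/2010 22:25 44.544 986.exe
16/02/2010 22:51 44.544 007.exe
17/02/2010 11:35 44.544 282.exe
17/02/2010 11:35 44.544 548.exe
17/02/2010 13:16 44.544 415.exe
17/02/2010 13:16 44.544 862.exe
17/02/2010 13:41 44.544 134.exe
17/02/2010 13:41 44.544 697.exe
17/02/2010 14:36 44.544 066.exe
17/02/2010 14:36 44.544 553.exe
17/02/2010 14:45 44.544 650.exe
17/02/2010 14:45 44.544 735.exe
17/02/2010 16:22 44.544 501.exe
17/02/2010 16:22 44.544 602.exe
"""

# Content.IE5 listing from the post, with part of the ad/Messenger noise left out
CACHE_LISTING = """
16/02/2010 21:40 44.544 sjd72hkjh1[1].exe
16/02/2010 22:00 44.544 dasuhyw6[1].exe
16/02/2010 22:05 44.544 ijswygcb5[1].exe
17/02/2010 11:35 35.329 MsgrConfig[2].xml
17/02/2010 11:35 5.725 mymsn[6].js
17/02/2010 11:35 33.927 citibank_cards20euro_hottub_180x150_nl_001[1].swf
17/02/2010 11:35 617 ADSAdClient31[5].htm
17/02/2010 11:35 44.544 dcewwdq4[1].exe
17/02/2010 11:35 44.544 cccceewd2[1].exe
17/02/2010 13:16 44.544 bgvrerhc5[1].exe
17/02/2010 13:16 44.544 ewdqqwue3[1].exe
17/02/2010 14:37 191 mymsn[5].htm
17/02/2010 14:37 3.975 ix[1].e
"""

# date  time  size  name  (names in these listings contain no spaces)
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}) ([\d.]+) (\S+)$")


def parse_dir(text):
    """Turn DIR lines into (timestamp, size_in_bytes, name); separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, name = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M")
        entries.append((ts, int(size.replace(".", "")), name))
    return entries


def correlate(temp_entries, cache_entries):
    """Return (timestamp, temp_name, cache_name) for every %Temp% drop that has a
    same-sized .exe in the browser cache with the same minute-resolution timestamp."""
    by_minute_and_size = defaultdict(list)
    for ts, size, name in cache_entries:
        if name.lower().endswith(".exe"):  # ignore the ad and Messenger files
            by_minute_and_size[(ts, size)].append(name)
    matches = []
    for ts, size, name in temp_entries:
        for cache_name in by_minute_and_size.get((ts, size), []):
            matches.append((ts, name, cache_name))
    return matches


def unmatched_drops(temp_entries, matches):
    """Names of %Temp% drops the same-minute heuristic could not tie to a cache entry."""
    paired = {name for _, name, _ in matches}
    return sorted(name for _, _, name in temp_entries if name not in paired)


if __name__ == "__main__":
    temp, cache = parse_dir(TEMP_LISTING), parse_dir(CACHE_LISTING)
    pairs = correlate(temp, cache)
    for ts, drop, cached in pairs:
        print(f"{ts:%d/%m %H:%M}  {drop:<8} <- IE cache {cached}")
    print("no same-minute cache entry:", ", ".join(unmatched_drops(temp, pairs)))
```

The timestamp heuristic ties 11 candidate pairings to 7 of the 17 drops and leaves 10 unexplained; the hash list above resolves most of the rest. Where two drops and two cache files share a minute (11:35 and 13:16) only the hashes say which is which (282.exe is cccceewd2[1].exe, 548.exe is dcewwdq4[1].exe), and 735.exe, written at 14:45, carries the same MD5 as ewdqqwue3[1].exe cached at 13:16, so timestamps alone would miss that it also came in through the browser.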

http://www.virustotal.com/analisis/93ee1ad2c88ed4976192440607c50f51a09f8db1f938f8e5cd199f810cc4428e-1266361857

http://www.virustotal.com/analisis/7735bdd23a3e1d5bd34a5b1d8e60c1eaf501c61694ba64f8b689dd1a58cd726f-1266361283

...

The Internet Explorer browsing history reveals the download locations: web servers at 74.62.154.94 and 76.76.99.186.

http://www.utrace.de/?query=76.76.99.186
Provider: InterWeb Media
Organisation: Active Response Group
Region: Montreal (CA)
(February 17th, 2010)
GOGAX.COM


http://www.utrace.de/?query=74.62.154.94
Provider: Road Runner Business
Organisation: Intermountain
(February 17th, 2010)
IMOUNTAIN.COM


The executables with MD5 checksum 0111f45c129dffb1ffc45a2bd1ad939a establish an HTTP connection to 112.121.163.170 on port 80 and perform a GET request.

http://www.utrace.de/?query=112.121.163.170
Provider: Simcentric Solutions, Internet Service Provider, China