Quote:
Originally posted by yaa
Hello,
Two days ago my IE6 browser, with the latest patches, managed to download a few binaries to my machine without informing me, and this although I have a toolbar that blocks popups and spyblaster installed on my PC. Since I'm not exactly a newbie to these things, I soon managed to identify the different copies of the binaries (an exe and a dll) and all associated registry keys.
Both of the binaries were packed with UPX and were copied in multiple copies inside the root of my system partition, inside the Microsoft folder of the Application Data dir under Documents and Settings, and inside the system32 directory.
Both of them were packed with UPX, probably to reduce their size. I have also seen that one of them has a resource that OllyDbg identifies as having a Russian locale.
They created 3 empty files inside a few of the folders where they were copied and also on my desktop (why????). I've been able to understand that the purpose of the exe is to load the dll using rundll32, which should be able to communicate via sockets. Apart from this I have not been able to understand their purpose. If anyone is interested in taking a look, I zipped an unpacked copy of them here:
h**p://utenti.lycos.it/lucevirtuale/spyware_exe_and_dll_unpacked.zip
yaa
Ohhh..
It seems that yaa had a good eye

A superficial analysis reveals that those files are not part of spyware, but part of a more dangerous tool for remote management (malware). A quick look at the bintext results for child.dll is quite explicative of this:
...
0000371E 1000371E 0 Sleep
...
000038A2 100038A2 0 InternetReadFile
000038B4 100038B4 0 InternetOpenUrlA
000038C6 100038C6 0 InternetOpenA
000038D6 100038D6 0 InternetCloseHandle
00003962 10003962 0 child.dll
00004010 10004010 0 127.0.0.1
00004114 10004114 0 127.0.0.1
00004214 10004214 0 localhost
00004334 10004334 0 megabeestation.biz
00004348 10004348 0 beemafiozo.info
00004358 10004358 0 cryptoyakudzo.ru
0000436C 1000436C 0 mycatiriska.biz
0000437C 1000437C 0 cryptomafia.biz
0000438C 1000438C 0 cryptomafia.com
0000439C 1000439C 0 bugsstation.biz
000043AC 100043AC 0 bla8623ink783mag97571.com
000043C8 100043C8 0 Client Kicked, max=[%d]
...
000043F4 100043F4 0 access
000043FC 100043FC 0 cannot accept... continue
00004418 10004418 0 [%d] - [%s:%d]
00004428 10004428 0 Waiting...
0000443C 1000443C 0 map.txt
00004454 10004454 0 domains
00004464 10004464 0 geturl ok
00004470 10004470 0 using dynamic domains
00004488 10004488 0 127.0.0.1
00004494 10004494 0 using static domains
000044AC 100044AC 0 %s:%ld:%s:%s:%d
000044C0 100044C0 0 count_mutex
000044CC 100044CC 0 Cannot init winsock
000044E0 100044E0 0 netlog.exe
000044EC 100044EC 0 id: %s
000044F4 100044F4 0 %s-%ld
00004508 10004508 0 Bytes received: %d
0000451C 1000451C 0 Cannot create file: %s
00004538 10004538 0 Get from server %s
00004558 10004558 0 Checking version...
00004570 10004570 0 exit now
0000457C 1000457C 0 ver_num: %s
0000458C 1000458C 0 file: %s
00004598 10004598 0 url: %s
000045A8 100045A8 0 version: %s
000045BC 100045BC 0 --> %s
000045C4 100045C4 0 WARNING: %s
000045D0 100045D0 0 !!! ACHTUNG: %s
000045E0 100045E0 0 Winsock startup error
000045F8 100045F8 0 Closing socket [%d] with status [%d]
00004620 10004620 0 [%s:%d] - Socket [%d] - [%d]
00004640 10004640 0 Connect Error to [%s:%d] - [%d]
00004664 10004664 0 Cannot create Socket [%d]
00004680 10004680 0 Make socket
00004690 10004690 0 %d.%d.%d.%d
0000469C 1000469C 0 %d.%d.%d.%d:%d
000046B0 100046B0 0 Cannot open %s
000046C0 100046C0 0 version 4
000046CC 100046CC 0 cmd connect
000046DC 100046DC 0 USERNAME
000046E8 100046E8 0 version 5
Skimming through these can provide a good overview of this program's capabilities (but these are only hypotheses):
/* Probably the tool sometimes sets to sleep to avoid detection
by netmonitoring tools */
0000371E 1000371E 0 Sleep
/* Probably the tools allow remote control */
00004508 10004508 0 Bytes received: %d
00004428 10004428 0 Waiting...
/* These are the target servers for connection... I don't
think Microsoft will use these... */
00004334 10004334 0 megabeestation.biz
00004348 10004348 0 beemafiozo.info
00004358 10004358 0 cryptoyakudzo.ru
0000436C 1000436C 0 mycatiriska.biz
0000437C 1000437C 0 cryptomafia.biz
0000438C 1000438C 0 cryptomafia.com
0000439C 1000439C 0 bugsstation.biz
000043AC 100043AC 0 bla8623ink783mag97571.com
/* More... */
I will start a full analysis ASAP, it will be a lot of fun!
Byyyezzzz
Polaris
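As an added example (not yaa's or Polaris' tool, and not bintext itself), here is the kind of strings-triage script a practitioner would run over an unpacked sample before opening it in OllyDbg: it pulls out printable ASCII runs, keeps the file offset like bintext's first column, and sorts each string into a bucket (Windows/WinINet API names, domains, IPv4 literals, printf-style format strings, file names, and a hypothesis bucket for strings that would fit a SOCKS4/5 handshake handler). The sample bytes are constructed from strings quoted in the post above, padded with non-printable filler; the API list, the domain heuristic and the SOCKS reading of "version 4", "version 5", "cmd connect" and "USERNAME" are my assumptions, not something the thread establishes.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the strings bintext showed in child.dll, separated
# by NUL bytes and padded with non-printable filler so the extractor has to skip.
SAMPLE = (
    b"\x00\x00MZ\x90\x00\x03"
    b"Sleep\x00\x01\x02"
    b"InternetReadFile\x00InternetOpenUrlA\x00InternetOpenA\x00InternetCloseHandle\x00"
    b"\x00\x00child.dll\x00\x05127.0.0.1\x00localhost\x00"
    b"megabeestation.biz\x00cryptoyakudzo.ru\x00bla8623ink783mag97571.com\x00"
    b"Client Kicked, max=[%d]\x00Cannot init winsock\x00netlog.exe\x00"
    b"Checking version...\x00ver_num: %s\x00url: %s\x00"
    b"version 4\x00cmd connect\x00USERNAME\x00version 5\x00"
    b"\xff\xfe\x00ab\x00"  # "ab" is shorter than MIN_LEN and must be dropped
)

MIN_LEN = 4

# Assumption: imports worth flagging in a dropper/backdoor (HTTP download, sockets,
# file writes, the Sleep call Polaris suspects is used to evade network monitors).
WIN_API = {
    "Sleep", "InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
    "InternetCloseHandle", "WSAStartup", "socket", "connect", "accept",
    "send", "recv", "CreateFileA", "WriteFile", "CreateMutexA",
}
# Hypothesis: these would fit a SOCKS4/SOCKS5 proxy handler; they do not prove one.
SOCKS_HINTS = {"version 4", "version 5", "cmd connect", "USERNAME"}
FILE_EXTS = (".dll", ".exe", ".txt", ".sys")

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FORMAT_RE = re.compile(r"%[-+ 0#]*\d*l?[dsxXu]")


def extract_strings(data, min_len=MIN_LEN):
    """Return (file_offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(b"[\\x20-\\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def classify(s):
    """Put one extracted string into a triage bucket (order of checks matters)."""
    if s in WIN_API:
        return "api"
    if s.lower().endswith(FILE_EXTS):
        return "file"          # checked before the domain regex, which ".dll" would match
    if IPV4_RE.match(s):
        return "ip"
    if DOMAIN_RE.match(s):
        return "domain"
    if s in SOCKS_HINTS:
        return "socks_hint"
    if FORMAT_RE.search(s):
        return "format"        # printf-style log/protocol strings
    return "text"


def triage(data):
    """Bucket every string in the blob: {bucket: [(offset, string), ...]}."""
    buckets = defaultdict(list)
    for off, s in extract_strings(data):
        buckets[classify(s)].append((off, s))
    return buckets


def report(data):
    """bintext-like listing, grouped by bucket, as a single string."""
    lines = []
    for bucket, items in sorted(triage(data).items()):
        lines.append("[%s]" % bucket)
        lines.extend("%08X %s" % (off, s) for off, s in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Domains and IP literals are what you pivot on first (the thread's point that Microsoft would not be using those domains); the format strings tell you how the tool logs and talks, and the API bucket shows it can fetch a URL and write a file, which matches the "Get from server", "Checking version..." and "Cannot create file" strings in the bintext dump.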