----------------------------------------------------------------------------------------------------
Twitter: @c_APT_ure
Blog: http://c-apt-ure.blogspot.com/
Email: toms.security.stuff [at] gmail.com

Main Ponmocup research page:
- http://www9.dyndns-server.com:8080/pub/botnet-links.html

** NEW ** history of Ponmocup botnet domains (added: 2012-02-20)
- history by domains/IP and by date seen accessed
----------------------------------------------------------------------------------------------------

Why is this malware known under so many different names? (Ponmocup, Pirminay, Kryptik, Swisyn, Vundo etc.)
Why aren't AV companies connecting the dots?

Using one common indicator, the existence or creation of a registry key, namely

  HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6
  and/or
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6

I've been finding malware analysis reports from different AVs and online malware analysis sites.

Another indicator is the existence of a pseudo-random registry key under HKLM\SOFTWARE\[pseudo-random-key], which seems to be consistent amongst systems with a certain trait (maybe same company, domain or similar).

Here are some Google search queries to find more analysis reports:

  site:xml.ssdsandbox.net "SOFTWARE\UOSBEU"   (4'220 hits)
  site:mcafee.com "SOFTWARE\XFFNHFHAM"        (3'480 hits)
  site:threatexpert.com "SOFTWARE\qrjaslop"   (227 hits)
  site:sophos.com "SOFTWARE\zpppmcegc"        (59 hits)
  site:trendmicro.com "SOFTWARE\GHUZPSK"      (24 hits)
  site:greatis.com "SOFTWARE\qbyyjp"          (6 hits)

Some AVs don't include the SOFTWARE registry key, but a well known initial C&C request:

  site:securelist.com "gehut4.cn/update/utu.dat"   (354 hits)
  site:camas.comodo.com imagehut4.cn               (28 hits)

Over time I found some other great resources of online analysis reports, e.g.
https://web.gsirt.com/TAZERWEB/tazer-MalwareReport-URL-ByHTTPHOST.php?urlhttphost=imagehut4.cn

Below are a number of sample reports from different AVs or online malware analysis sites:

----------------------------------------------------------------------------------------------------
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=842343#none

Virus Profile: Downloader-CEW.ag!C1B67ED00629
Date Discovered: 17/02/2012
Date Added: 17/02/2012
Origin: Unknown
Length: 327123
Type: Trojan
Subtype: Downloader

File Properties
  McAfee Detection: Downloader-CEW.ag
  Length: 327123 bytes
  MD5: c1b67ed00629e9c71016d92e8f93aa5e
  SHA1: ce9c085c7cd5bc2cf95690723f1c73f888be8bf1

Other Common Detection Aliases (Company Name / Detection Name)
  avast        Win32:Malware-gen
  avira        TR/Crypt.XPACK.Gen3
  Microsoft    TrojanDownloader:Win32/Renos.KC
  Symantec     Trojan.Gen
  Sophos       Troj/Virtum-Gen
  Trend Micro  TROJ_DLOADR.SMWQ
  vba32        SScope.Trojan.Pirminay.chc

The following files were analyzed:
  1374189.malware
The following files have been added to the system:
  %WINDIR%\SYSTEM32\l3codeca5.exe
The following files have been changed:
  %WINDIR%\SYSTEM32\drivers\etc\hosts
The following files were temporarily written to disk then later removed:
  %TEMP%\~unins7359.bat
The following registry elements have been created:
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
The following registry elements have been changed:
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\UHOH = %WINDIR%\SYSTEM32\l3codeca5.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\1374189.malware
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYCOUNT = 16
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\EVENTMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\TYPESSUPPORTED = 7
The applications attempted the following network connection(s):
  95.168.177.**:80

----------------------------------------------------------------------------------------------------
http://vil.nai.com/vil/content/v_789033.htm

Generic.tfr!bi!B9B8857D1D66
Type: Trojan
Discovery Date: 01/31/2012
Length: 360448

The following files were analyzed:
  0866d69dd4f4df3f4e52dcb0675a18b3000c0f95
The following files have been added to the system:
  %WINDIR%\SYSTEM32\oddbse324.exe
The following files were temporarily written to disk then later removed:
  %TEMP%\~unins1399.bat
The following registry elements have been created:
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
The following registry elements have been changed:
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ERROR DLG DISPLAYED ON EVERY ERROR = no
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\EIDPQ = %WINDIR%\SYSTEM32\oddbse324.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\0866d69dd4f4df3f4e52dcb0675a18b3000c0f95
The applications attempted the following network connection(s):
  94.23.19.*:80
  94.23.203.***:80
  188.165.33.*:80
  77.79.11.**:80
  188.165.219.**:80
  hxxp://ads.alpha00001.com/cgi-bin/advert/*****
  87.98.135.***:80

----------------------------------------------------------------------------------------------------
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=754063

Virus Profile: Generic.dx!bcmp!B6677BC448A9
Date Discovered: 06/01/2012
Date Added: 06/01/2012
Origin: Unknown
Length: 302592
Type: Trojan

File Properties
  McAfee Detection: Generic.dx!bcmp
  Length: 302592 bytes
  MD5: b6677bc448a93e0bf40e5200181c8f4b
  SHA1: faf4e49944d64f5bba764d13bce63615b572d93c

Other Common Detection Aliases (Company Name / Detection Name)
  EMSI Software    Trojan.Win32.Webprefix!IK
  avast            Win32:Rootkit-gen
  AVG (GriSoft)    Agent3.BBVF (Trojan horse)
  avira            Rkit/Agent.302592
  BitDefender      Trojan.Generic.KDV.499810
  Dr.Web           Trojan.PWS.Panda.1616
  eSafe (Alladin)  Trojan/Worm
  FortiNet         W32/Kryptik.YEW
  Eset             Win32/Kryptik.YEW trojan (variant)
  norman           W32/Suspicious_Gen2.UPBCE
  panda            Generic Trojan
  rising           [Suspicious]
  Sophos           Mal/Generic-L
  V-Buster         Trojan.Kryptik!YAY8MUYiqyc (trojan)

The following files were analyzed:
  google_mf626_driver.exe
The following files have been added to the system:
  %WINDIR%\SYSTEM32\MSRTEDITC.exe
The following files were temporarily written to disk then later removed:
  %TEMP%\~unins5231.bat
  %TEMP%\TarA.tmp
  %TEMP%\Cab9.tmp
The following registry elements have been created:
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
The following registry elements have been changed:
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOW_PLACEMENT = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 328397060
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 328397060
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\WVYZ = %WINDIR%\SYSTEM32\MSRTEDITC.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\google_mf626_driver.exe
The applications attempted the following network connection(s):
  46.246.119.***:80
  217.19.51.***:80
  96.17.15.**:80
  188.165.239.**:80
  hxxp://ads.alpha00001.com/cgi-bin/advert/*****
  173.194.33.**:443

----------------------------------------------------------------------------------------------------
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=604411#none

Virus Profile: Kryp.b!B18F52D5A4B2
Date Discovered: 28/09/2011
Date Added: 28/09/2011
Origin: Unknown
Length: 294341
Type: Trojan

File Properties
  McAfee Detection: Kryp.b
  Length: 294341 bytes
  MD5: b18f52d5a4b206a5569277dc0120fa6b
  SHA1: 25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0

Other Common Detection Aliases (Company Name / Detection Name)
  EMSI Software  Trojan.Pirminay!IK
  avast          Win32:MalOb-EI
  avira          TR/Pirminay.bhf
  Kaspersky      Trojan.Win32.Pirminay.dao
  BitDefender    Backdoor.Generic.542938
  clamav         Trojan.Agent-183385
  Dr.Web         Trojan.MulDrop1.59103
  FortiNet       PossibleThreat
  Microsoft      TrojanDownloader:Win32/Renos.KC
  Symantec       Trojan.Gen
  Eset           Win32/TrojanDownloader.Agent.PXO trojan
  norman         W32/Suspicious_Gen2.HZTOS
  panda          Trj/Agent.OLO
  Sophos         Mal/Ponmocup-A
  Trend Micro    TROJ_GEN.R21CRBQ
  vba32          SScope.Trojan.Pirminay.chc

The following files were analyzed:
  25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0
The following files have been added to the system:
  %WINDIR%\SYSTEM32\faultrep4.exe
The following files have been changed:
  %WINDIR%\SYSTEM32\drivers\etc\hosts
The following files were temporarily written to disk then later removed:
  %TEMP%\~unins9171.bat
The following registry elements have been created:
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
The following registry elements have been changed:
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
  HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\9 = [binary data]
  HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\EWUNBM = %WINDIR%\SYSTEM32\faultrep4.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\DFO = [binary data]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\CONTROL\SESSION MANAGER\PENDINGFILERENAMEOPERATIONS = \??\%TEMP%\25d3077b56d900d81afb7a5cd7a4fb74e70ff2a0
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYCOUNT = 16
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\CATEGORYMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\EVENTMESSAGEFILE = %WINDIR%\SYSTEM32\ESENT.dll
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\EVENTLOG\APPLICATION\ESENT\TYPESSUPPORTED = 7
The applications attempted the following network connection(s):
  87.255.51.***:80
----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/442d546ef43b47b8449bb620ebe44011

Submission Details
  Date: 11/2/2011 12:03:35 PM
  File Name: C:\88086637.exe

Registry
  C:\DOCUME~1\Dave\LOCALS~1\Temp\4sd1.tmp
  Changes (5)
    HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 50176 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mmghpdlnx = %SystemRoot%\system32\c_12566.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 9 bytes]

Winsock
  C:\88086637.exe
    Outgoing connection to remote server: 31.214.169.45 TCP port 8000
  C:\DOCUME~1\Dave\LOCALS~1\Temp\4sd1.tmp
    DNS Lookup (Host Name / IP Address): 82.192.79.174 / 82.192.79.174
    Download URLs: http://82.192.79.174/searchProductResult.jsp
    Outgoing connection to remote server: 82.192.79.174 TCP port 80

----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/70766ed692dee7f09ec0bbd3055ed1f1

Submission Details
  Date: 10/31/2011 2:51:22 AM
  File Name: C:\87984877.exe

Virusscan
  C:\87984877.exe
    NOD32: a variant of Win32/Kryptik.UOE
    F-Prot: W32/SmallTrojan.AA2.gen!Eldorado
    Symantec: Suspicious.Cloud.5
    Avast: Win32:Tindow [Trj]
    Kaspersky: Trojan.Win32.Menti.ioce
    BitDefender: Gen:Trojan.Heur.FU.aiW@aO2Nk0k
    SUPERAntiSpyware: Trojan.Agent/Gen-MultiDrop
    DrWeb: Trojan.DownLoad2.22099
    AntiVir: TR/Crypt.XPACK.Gen
    GData: Gen:Trojan.Heur.FU.aiW@aO2Nk0k
    Commtouch: W32/SmallTrojan.AA2.gen!Eldorado
    AVG: Generic25.AUTX
    Panda: Suspicious File
  C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp

Filesystem
  Chronological order (31)
    Create/Open File: \Device\Tcp
    Create/Open File: \Device\Ip
    Create/Open File: \Device\Ip
    Open File: \\.\Ip
    Find File: %SystemRoot%\system32
    Find File: C:\System Volume Information
    Open File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp:Zone.Identifier
    Find File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp
    Find File: %SystemRoot%\system32\drivers\*.*
    Create/Open File: \Device\Tcp6
    Create/Open File: \Device\Ip6
    Create/Open File: \Device\Ip6
    Open File: \\.\Ip6
    Create/Open File: \Device\NetBT_Tcpip_{FB0F1ED3-098A-4B84-AFFD-7C0419EE0934}
    Find File: C:\*.*
    Create/Open File: \Device\RasAcd
    Open File: \\.\Ip6
    Open File: \\.\PIPE\lsarpc
    Find File: %SystemRoot%\system32\*.*
    Get File Attributes: %SystemRoot%\system32\wbcacheo.exe  Flags: (SECURITY_ANONYMOUS)
    Create File: %SystemRoot%\system32\wbcacheo.exe
    Set File Attributes: %SystemRoot%\system32\wbcacheo.exe  Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
    Open File: %SystemRoot%\AppPatch\sysmain.sdb
    Open File: %SystemRoot%\AppPatch\systest.sdb
    Open File: \Device\NamedPipe\ShimViewer
    Open File: %SystemRoot%\system32\
    Find File: %SystemRoot%\system32\wbcacheo.exe
    Create File: C:\DOCUME~1\Dave\LOCALS~1\Temp\~unins62.bat
    Set File Attributes: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp  Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
    Move File: C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp to
    Find File: %SystemRoot%\system32\cmd.exe

Registry
  Changes (5)
    HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Xqpeteed = %SystemRoot%\system32\wbcacheo.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]

Winsock
  C:\87984877.exe
    Outgoing connection to remote server: 31.214.169.45 TCP port 8000
  C:\DOCUME~1\Dave\LOCALS~1\Temp\asd1.tmp
    DNS Lookup
    Host Name / IP Address: 82.192.79.174 / 82.192.79.174
    Download URLs: http://82.192.79.174/searchProductResult.jsp
    Outgoing connection to remote server: 82.192.79.174 TCP port 80

----------------------------------------------------------------------------------------------------
http://xml.ssdsandbox.net/view/0f5482dc490eb6d565f35a8dcfc9e406

Submission Details
  Date: 10/13/2011 12:27:15 PM
  File Name: C:\87389383.exe

Virusscan
  %SystemRoot%\system32\ipconfig.exe /flushdns
    eSafe: Win32.Banker
  %SystemRoot%\system32\cmd.exe /c C:\DOCUME~1\Dave\LOCALS~1\Temp\~unins3171.bat
  C:\87389383.exe
    eSafe: Win32.Corrupt.Ag
    McAfee-GW-Edition: Heuristic.BehavesLike.Win32.Suspicious.H

Registry
  C:\87389383.exe
  Changes (25) [removed]
    HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 69632 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 69632 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Eadnvf = %SystemRoot%\system32\w32tmy.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 6 bytes]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 6 bytes]

Winsock
  C:\87389383.exe
    Download URLs: http://95.211.130.162/html/license_43EC92[removed].html
    Outgoing connection to remote server: 95.211.130.162 TCP port 80
  %SystemRoot%\system32\w32tmy.exe
    DNS Lookup (Host Name / IP Address): imagehut4.cn

----------------------------------------------------------------------------------------------------
http://camas.comodo.com/cgi-bin/submit?file=10b9f967fa5ec816432e44ff2a03eedb1cec0b3f9b89385e7d49c1b40bd8a873&iframe=

File Info
  Size: 2214400
  MD5: b012d088637b26c6b9ff8fadeff700f2
  SHA1: 93d69f7b8195204d8c3b778fe8a40b714ae5c262
  SHA256: 10b9f967fa5ec816432e44ff2a03eedb1cec0b3f9b89385e7d49c1b40bd8a873

DNS Queries
  skymediaportal.com IN A +
  012webpages.com IN A +
  contactfriendly.com IN A +
  imagehut4.cn IN A +

HTTP Queries
  skymediaportal.com   GET /logo.png?v67=41&tq=gL5HtzyMv5rJsxG1J4Xo2rCyDvEpwr7UxUrEgPiWW1cg HTTP/1.0
  012webpages.com      GET /christian13.jpg?v18=71&tq=gKZEt[removed] HTTP/1.0
  contactfriendly.com  GET /html/license_43EC9[removed].html HTTP/1.1
  contactfriendly.com  GET /html/license_43EC9[removed].html HTTP/1.1
  imagehut4.cn         GET /update/utu.dat HTTP/1.1

Verdict
  Auto Analysis Verdict: Suspicious+

Description
  Suspicious Actions Detected:
    Copies self to other locations
    Creates autorun records
    Creates files in program files directory
    Creates files in windows system directory
    Hides files from user
    Injects code into other processes

----------------------------------------------------------------------------------------------------
http://greatis.com/blog/how-to-remove-malware/wzcsvcp-exe.htm

wzcsvcp.exe – trojan Pirminay
June 6, 2011 by NightWatcher
Filed under: Malware

The file wzcsvcp.exe is identified as the Trojan Program that is used for stealing bank information and users' passwords.

Malware Analysis of "wzcsvcp.exe"
  Executed: C:\sand-box\Xkz.exe
  Removed: wzcsvcp.exe. Full path: C:\WINDOWS\system32\wzcsvcp.exe

How to quickly detect malware presence?
  Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mhdfyyuopr
    Value: "C:\WINDOWS\system32\wzcsvcp.exe"
  Files: C:\WINDOWS\system32\wzcsvcp.exe

—————————————————————————————————————————-
Classification:
  Antivirus   Version       Last Update   Result
  F-Secure    9.0.16440.0   2011.05.28    Trojan.Generic.KDV.234550
  Kaspersky   9.0.0.837     2011.05.28    Trojan.Win32.Pirminay.hrz
  Microsoft   1.6903        2011.05.28    -
  NOD32       6159          2011.05.28    a variant of Win32/Injector.FXK
—————————————————————————————————————————-
MD5:    f7ece4f2b64096e1bea95d1452a2de0e
SHA1:   91123d2be21720f964071e85e493bd58229a00bb
SHA256: 3f115637e694615b3ba83d363f4a89a33c58ad8b68803e2419f203fe9a7a8b56

———————————-
Keys added: 4
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\qbyyjp
HKCU\Software\qbyyjp

———————————-
Values added: 5
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6: 96 ED 95 C5 26 4A 60 28 22 83
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\mhdfyyuopr: "C:\WINDOWS\system32\wzcsvcp.exe"
HKLM\Software\qbyyjp\VAYJQFODW: 7B DA FD /.../ B1 68 DD
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6: 96 ED 95 C5 26 4A 60 28 22 83
HKCU\Software\qbyyjp\VAYJQFODW: 7B DA FD /.../ B1 68 DD

———————————-
Files added: 1
———————————-
C:\WINDOWS\system32\wzcsvcp.exe

----------------------------------------------------------------------------------------------------
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-DXG/detailed-analysis.aspx

Troj/Mdrop-DXG
Category: Viruses and Spyware
Type: Trojan
Protection available since: 25 Jan 2012 17:07:43 (GMT)
Last Updated: 25 Jan 2012 17:07:43 (GMT)

File Information
  Size: 361K
  SHA-1: 112c20a84b5173183d06ff35398930a68c130083
  MD5: 678b6606994aaa01aaed9c769b9f6530
  CRC-32: 23ee73af
  File type: application/x-ms-dos-executable
  First seen: 2012-01-25

Registry Keys Created (key / value name / value data)
  HKLM\SOFTWARE\zpppmcegc  GY
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  6
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  6
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run  envvfewu  C:\WINDOWS\system32\ati3duagh.exe

Processes Created
  c:\windows\system32\ati3duagh.exe
  c:\windows\system32\cmd.exe

HTTP Requests
  http://7.93.186.240/adj/Category.aspx
  http://ads.alpha00001.com/cgi-bin/advert/getads

IP Connections
  7.93.186.240:80

DNS Requests
  ads.alpha00001.com
  somethingclosely.com

----------------------------------------------------------------------------------------------------
http://about-threats.trendmicro.com/Malware.aspx?language=us&name=TSPY_PIRMINAY.A

TSPY_PIRMINAY.A
Malware type: Spyware

Overview
This spyware is capable of collecting information from the infected system and checking if the currently logged user has administrator rights.

Technical Details
  File size: 302,446 bytes
  File type: EXE
  Memory resident: Yes
  Initial samples received date: 18 Apr 2011
  Payload: Modifies HOSTS file

Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  {random registry name} = "%System%\{random file name}.exe"

Other System Modifications
This spyware adds the following registry keys as part of its installation routine:
  HKEY_CURRENT_USER\Software\GHUZPSK

HOSTS File Modification
This spyware modifies the affected system's HOSTS file to prevent a user from accessing the following websites:
  127.0.0.1 thepiratebay.org
  127.0.0.1 www.thepiratebay.org
  127.0.0.1 mininova.org
  127.0.0.1 www.mininova.org
  127.0.0.1 forum.mininova.org
  127.0.0.1 blog.mininova.org
  127.0.0.1 suprbay.org
  127.0.0.1 www.suprbay.org

Stolen Information
This spyware sends the gathered information via HTTP POST to the following URL:
  http://{BLOCKED}c.net/html/license_43EC92[removed].html
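Several of the reports above (McAfee, Trend Micro, Comodo) list the HOSTS file among the modified files, and the Trend Micro write-up spells out what the entries look like. The script below is an added example, not code from this page or from Trend Micro: it parses a HOSTS file and separates stock loopback entries from names the file has been made to blackhole, and (going beyond the loopback case the page shows) from names pointed at a public address. SAMPLE_HOSTS is constructed here from a stock header plus the eight entries Trend Micro lists; the class names and the LOCAL_NAMES set are this example's own assumptions.

```python
"""Flag HOSTS-file tampering of the kind described in the Trend Micro write-up.

Added example, not from the page or from Trend Micro. SAMPLE_HOSTS is
constructed (stock loopback lines plus the eight entries the write-up lists);
the verdict classes and LOCAL_NAMES are assumptions of this example.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# constructed sample: stock entries followed by what the spyware appends
127.0.0.1       localhost
::1             localhost
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 mininova.org
127.0.0.1 www.mininova.org
127.0.0.1 forum.mininova.org
127.0.0.1 blog.mininova.org
127.0.0.1 suprbay.org
127.0.0.1 www.suprbay.org
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blank lines and alias lists handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def classify(addr, name):
    """benign: stock loopback name; blackholed: a real site sent to loopback or
    0.0.0.0; lan: private/link-local mapping; redirected: site pointed at a
    public address (pharming-style), which the page does not show but the same
    file edit allows."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if name in LOCAL_NAMES:
        return "benign"
    if ip.is_loopback or ip.is_unspecified:
        return "blackholed"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "redirected"


def suspicious_entries(text):
    """Group the entries an analyst should look at, keyed by verdict."""
    found = {}
    for addr, name in parse_hosts(text):
        verdict = classify(addr, name)
        if verdict in ("blackholed", "redirected", "malformed"):
            found.setdefault(verdict, []).append((addr, name))
    return found


if __name__ == "__main__":
    for verdict, entries in suspicious_entries(SAMPLE_HOSTS).items():
        print(verdict)
        for addr, name in entries:
            print(f"  {addr:<16} {name}")
```

On the constructed sample the two stock lines are dropped as benign and the eight Trend Micro entries come back as blackholed; feeding the script a copy of a live %SystemRoot%\system32\drivers\etc\hosts gives the same split, which is a quicker triage step than reading the file by eye on a machine where one of the autorun entries above was found.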
----------------------------------------------------------------------------------------------------
http://www.threatexpert.com/report.aspx?md5=335f2fdaaa82c5e079aa40a6c233b7b5

Submission details:
  Submission received: 2 February 2012, 01:37:35
  Processing time: 8 min 3 sec
  Submitted sample:
    File MD5: 0x335F2FDAAA82C5E079AA40A6C233B7B5
    File SHA-1: 0x33B69923DDFCB66BCF9807FC906D8B0C73FC696B
    Filesize: 303,104 bytes

Summary of the findings (what's been found / severity level):
  Downloads/requests other files from Internet.
  Creates a startup registry entry.

File System Modifications
The following file was created in the system:
  #  Filename(s)             File Size  File Hash
  1  %System%\watchdog7.exe  0 bytes    MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                        SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Registry Modifications
The following Registry Keys were created:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop
  HKEY_CURRENT_USER\Software\qrjaslop

The newly created Registry Values are:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5A 39 4B 80 31 3D 3C 91 C4
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    Lznvcpcci = "%System%\watchdog7.exe"
    so that watchdog7.exe runs every time Windows starts
  [HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop]
    URF = 2C 60 D0 7C E6 F2 8F F2 7A 53 21 CB 91 1A A7 6A AC D5 15 38 46 F1 63 5B 10 37 F5 46 DA 36 06 94 2F 8F 7C C1 10 1E AF 18 10 BA 30 55 91 E9 96 31 43 C4 6A 5F 81 39 3E 8C AE D3 DE C4 1E 38 A1 70 C0 BD 0C 06 4F 94 11 3E 12 8D E3 3A 06 3F 78 38 47 4B 87 E
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    6 = 5A 39 4B 80 31 3D 3C 91 C4
  [HKEY_CURRENT_USER\Software\qrjaslop]
    URF = 2C 60 D0 7C E6 F2 8F F2 7A 53 21 CB 91 1A A7 6A AC D5 15 38 46 F1 63 5B 10 37 F5 46 DA 36 06 94 2F 8F 7C C1 10 1E AF 18 10 BA 30 55 91 E9 96 31 43 C4 6A 5F 81 39 3E 8C AE D3 DE C4 1E 38 A1 70 C0 BD 0C 06 4F 94 11 3E 12 8D E3 3A 06 3F 78 38 47 4B 87 E

Other details
There were registered attempts to establish connection with the remote hosts. The connection details are:
  Remote Host      Port Number
  188.165.231.87   80
  188.165.236.39   80
  77.79.11.29      80
  87.98.135.156    80
  87.98.138.127    80
  91.121.87.206    80
  94.23.19.9       80

The data identified by the following URLs was then requested from the remote web server:
  http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=1076
  http://ads.regiedepub.com/cgi-bin/advert/settags.cgi?x_format=js&i_cid=385565721&x_dp_id=28&x_pub_id=7568&x_tag_id=adomos_emailing_v2&xloop=1&c4aid=410069244F184F219AB2C29EDC8918CA
  http://ads.eorezo.com/cgi-bin/advert/settags.cgi?x_format=js&i_cid=385565721&x_dp_id=28&x_pub_id=7568&x_tag_id=adomos_emailing_v2
  http://77.79.11.29/rd/article/search_product.htm
  http://su600.com/publicite/com/zone.php?zone=25824&rnd=1328168379
  http://su600.com/a/adjs2.php?zoneid=25824
  http://su600.com/r.php?dest=http%3A%2F%2Fads.regiedepub.com%2Fcgi-bin%2Fadvert%2Fgetads%3Fx_dp_id%3D1076
  http://su600.com/publicite/com/zone.php?zone=25824&rnd=1328168338
  http://l.advertstream.com/a/adclick.php?n_clic=258248970385945775&cpme=EIFLNfEz_y4nx8soEXv66PQ&bannerid=1&zoneid=25824&log=no&dest=http%3A%2F%2Fsu600.com%2Fr.php%3Fdest%3Dhttp%253A%252F%252Fads.regiedepub.com%252Fcgi-bin%252Fadvert%252Fgetads%253Fx_dp_id%253D1076
  http://l.advertstream.com/a/adclick.php?n_clic=258241292971490&cpme=N7ulwXg4ZD-WkcxqTebFFwk&bannerid=1&zoneid=25824&log=no&dest=http%3A%2F%2Fsu600.com%2Fr.php%3Fdest%3Dhttp%253A%252F%252Fads.regiedepub.com%252Fcgi-bin%252Fadvert%252Fgetads%253Fx_dp_id%253D1076
  http://scache.regiedepub.com/html/partners/adomos/site-under_protection-familiale-et-gain-fiscal.htm
  http://scache.regiedepub.com/html/partners/adomos/protection-familiale-et-gain-fiscal/emailing_v2_006.css
  [removed]
  http://scache.regiedepub.com/html/partners/adomos/protection-familiale-et-gain-fiscal/images/buttons.png
  http://ads.alpha00001.com/cgi-bin/advert/getads?did=1077
  http://ads.alpha00001.com/cgi-bin/advert/getads?x_dp_id=43&frame=false&pdid=1077&ppid=8112

----------------------------------------------------------------------------------------------------
http://www.eset.eu/virus/win32-ponmocup-aa-trojan-jorik-pirminay-akh-milicenso-a?lng=en

Threat Encyclopaedia: Win32/Ponmocup.AA
Aliases: Trojan.Win32.Jorik.Pirminay.akh (Kaspersky), Trojan.Milicenso (Symantec), TrojanDownloader:Win32/Ponmocup.A (Microsoft)
Type of infiltration: Trojan
Size: 262144 B

Short description
Win32/Ponmocup.AA is a trojan which tries to download other malware from the Internet.

Installation
When executed, the trojan creates one of the following files:
  %system%\%random1%.exe
  %programfiles%\%existingfolder%\%random1%.exe
  %temp%\%random1%.exe
  %system%\%random1%.dll
  %programfiles%\%existingfolder%\%random1%.dll
  %temp%\%random1%.dll
The file is then executed.

The trojan may set the following Registry entries:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "%random2%" = "%malwarepath%"
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "%random2%" = "%malwarepath%"
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "%random2%" = "%malwarepath%"
A string with variable content is used instead of %random1-3%.
This causes the trojan to be executed on every system start.

The trojan schedules a task that causes the following file to be executed repeatedly:
  "%system%\rundll32.exe "%malwarepath%", %random3%"
After the installation is complete, the trojan deletes the original executable file.

Information stealing
The trojan collects various information related to the operating system.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan keeps various information in the following Registry keys:
  [HKEY_LOCAL_MACHINE\Software\%random4%]
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia]
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Multimedia]
  [HKEY_LOCAL_MACHINE\System\CurrentControlSet]
  [HKEY_CURRENT_USER\System\CurrentControlSet]
A string with variable content is used instead of %random4%.

The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (4) URLs. The HTTP protocol is used.
It may perform the following actions:
  download files from a remote computer and/or the Internet
  run executable files
  create a scheduled task that repeatedly executes the malicious file
  disable System Restore
  send gathered information
The trojan hooks the following Windows APIs:
  NtQueryInformationProcess (ntdll.dll)

----------------------------------------------------------------------------------------------------
http://threatcenter.crdf.fr/?More&ID=48598&D=CRDF.Malware-Generic.92057514299

Display information about the threat
  Threat name: CRDF.Trojan.Downloader-Generic.92057514299
  File size: 244 kB (249 344 Bytes)
  MD5 Signature: 6e4f168b202bcae89ab6c5d60638b2a0
  SHA1 Signature: 35c28d7a106d4dbcccf5932b5d7828a766dd39f5
  SHA256 Signature: cc2006b3dfe7e14152d8acba89d4ad899b57807960168e3c72609b8b12594abc
  Threat Status: Threat confirmed
  Date added: Friday 23 September 2011 at 01:01:33

Report detection of virus (VirusTotal)
  nProtect               Nothing FOUND
  CAT-QuickHeal          Nothing FOUND
  McAfee                 Generic Downloader.x!gcg
  K7AntiVirus            Trojan
  TheHacker              Nothing FOUND
  VirusBuster            Nothing FOUND
  NOD32                  Win32/TrojanDownloader.Agent.PXO
  F-Prot                 Nothing FOUND
  Symantec               Trojan.Milicenso
  Norman                 W32/Obfuscated.L
  ByteHero               Trojan.Win32.Heur.Gen
  TrendMicro-HouseCall   TROJ_GEN.F70C3IM
  Avast                  Win32:Pirminay-DE [Trj]
  eSafe                  Nothing FOUND
  ClamAV                 Nothing FOUND
  Kaspersky              Trojan.Win32.Jorik.Pirminay.ol
  BitDefender            Trojan.Generic.KD.361527
  SUPERAntiSpyware       Nothing FOUND
  Emsisoft               Trojan-Downloader.Win32.Ponmocup!IK
  Comodo                 UnclassifiedMalware
  F-Secure               Trojan.Generic.KD.361527
  DrWeb                  Trojan.DownLoader4.60908
  VIPRE                  Trojan.Win32.Generic!BT
  AntiVir                TR/Jorik.Pirminay.ol
  TrendMicro             Nothing FOUND
  McAfee-GW-Edition      Generic Downloader.x!gcg
  Sophos                 Nothing FOUND
  eTrust-Vet             Nothing FOUND
  Jiangmin               Trojan/Generic.knvv
  Antiy-AVL              Nothing FOUND
  Microsoft              TrojanDownloader:Win32/Ponmocup.A
  ViRobot                Nothing FOUND
  Prevx                  Nothing FOUND
  GData                  Trojan.Generic.KD.361527
  Commtouch              Nothing FOUND
  AhnLab-V3              Trojan/Win32.Jorik
  PCTools                Trojan.Milicenso
  Rising                 Nothing FOUND
  Ikarus                 Trojan-Downloader.Win32.Ponmocup
  Fortinet               Nothing FOUND
  AVG                    Generic24.CNWY
  Panda                  Trj/CI.A
  Avast5                 Win32:Pirminay-DE [Trj]
  CRDF Anti Malware      CRDF.Trojan.Downloader-Generic.92057514299

Sandbox report (Comodo SandBox)

* File Info
  Size: 249344
  MD5: 6e4f168b202bcae89ab6c5d60638b2a0
  SHA1: 35c28d7a106d4dbcccf5932b5d7828a766dd39f5
  SHA256: cc2006b3dfe7e14152d8acba89d4ad899b57807960168e3c72609b8b12594abc

* Values Created (name / type / size / value)
  CU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6   REG_BINARY   5   ?
  LM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6   REG_BINARY   5   ?
  LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MWGBC   REG_SZ   64   "C:\WINDOWS\system32\kbdpl1X.exe"
  LM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations   REG_MULTI_SZ   50   "\??\C:\TEST\sample.exe"

* Files Changed (before/after values)
  C:\WINDOWS\system32\drivers\etc\hosts   734/1003   2007.07.27 12:00:00.000/2009.01.09 10:54:27.203   2007.07.27 12:00:00.000/2007.07.27 12:00:00.000   2008.08.08 09:14:46.187/2008.08.08 09:14:46.187   0x20/0x20

* DNS Queries
  middlechrist.com IN A +
  imagehut4.cn IN A +

* HTTP Queries
  middlechrist.com   GET /html/license_43EC92[removed]CA82.html HTTP/1.1
  middlechrist.com   GET /html/license_43EC92[removed]8785F8.html HTTP/1.1
  imagehut4.cn       GET /update/utu.dat HTTP/1.1

* Verdict
  Auto Analysis Verdict: Suspicious++

* Description
  Suspicious Actions Detected:
    Copies self to other locations
    Creates files in windows system directory
    Deletes self
    Hides files from user
    Modifies the windows host file
----------------------------------------------------------------------------------------------------
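Pulling the reports above together: the page's point is that the same two registry artefacts (the "6" value under Internet Settings in both hives, and a pseudo-random SOFTWARE key mirrored under HKLM and HKCU), plus the policies\Explorer\Run autorun, show up no matter which detection name a vendor attached. The script below is an added example, not code from this page, its author or any of the vendors: it normalises the spellings used by McAfee, ssdsandbox, ThreatExpert and Sophos (long vs. short hive names, bracketed keys, "\6" vs " 6") and checks each excerpt for those artefacts. The REPORTS excerpts are constructed from lines quoted above, one spelling per source; the regexes, the Indicators structure and the report labels are assumptions of the example.

```python
"""Pull the shared Ponmocup artefacts out of differently formatted AV/sandbox reports.

Added example, not from the page or from any vendor. REPORTS holds excerpts
constructed from lines quoted on the page (one spelling per source); the
regexes, Indicators and labels are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpts: each source's own spelling of the same three artefacts.
REPORTS = {
    "McAfee Downloader-CEW.ag": r"""
HKEY_CURRENT_USER\SOFTWARE\XFFNHFHAM\
HKEY_LOCAL_MACHINE\SOFTWARE\XFFNHFHAM\
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\6 = 25489158
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\UHOH = %WINDIR%\SYSTEM32\l3codeca5.exe
""",
    "ssdsandbox Win32/Kryptik.UOE": r"""
HKEY_CURRENT_USER\Software\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\UOSBEU\VTBGL = [REG_BINARY, size: 49664 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Xqpeteed = %SystemRoot%\system32\wbcacheo.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\6 = [REG_BINARY, size: 8 bytes]
""",
    "ThreatExpert md5=335f2fdaaa82c5e079aa40a6c233b7b5": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\qrjaslop
HKEY_CURRENT_USER\Software\qrjaslop
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] 6 = 5A 39 4B 80 31 3D 3C 91 C4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] Lznvcpcci = "%System%\watchdog7.exe" so that watchdog7.exe runs every time Windows starts
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 6 = 5A 39 4B 80 31 3D 3C 91 C4
""",
    "Sophos Troj/Mdrop-DXG": r"""
HKLM\SOFTWARE\zpppmcegc GY
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings 6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run envvfewu C:\WINDOWS\system32\ati3duagh.exe
""",
}

# Value "6" under Internet Settings, written "...Settings\6" or "...Settings 6".
RE_IS6 = re.compile(
    r'^(HKLM|HKCU)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS[\\ ]+6\b',
    re.IGNORECASE)
# Pseudo-random key directly under <hive>\SOFTWARE, excluding Microsoft's own tree.
RE_RANDKEY = re.compile(r'^(HKLM|HKCU)\\SOFTWARE\\(?!MICROSOFT\b)([A-Z0-9]+)', re.IGNORECASE)
# Autorun value under policies\Explorer\Run: name, optional "=", quoted or bare path.
RE_AUTORUN = re.compile(r'POLICIES\\EXPLORER\\RUN[\\ ]+(\w+)\s*=?\s*(?:"([^"]+)"|(\S+))',
                        re.IGNORECASE)


@dataclass
class Indicators:
    internet_settings_6: set = field(default_factory=set)  # hives carrying value "6"
    random_keys: dict = field(default_factory=dict)        # key name -> set of hives
    autoruns: list = field(default_factory=list)           # (value name, path)


def normalise(line):
    """One spelling for all sources: short hive names, no [brackets], no padding."""
    line = line.strip().replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return line.replace("[", "").replace("]", "")


def parse_report(text):
    ind = Indicators()
    for raw in text.splitlines():
        line = normalise(raw)
        if not line:
            continue
        m = RE_IS6.match(line)
        if m:
            ind.internet_settings_6.add(m.group(1).upper())
        else:
            m = RE_RANDKEY.match(line)
            if m:
                ind.random_keys.setdefault(m.group(2).upper(), set()).add(m.group(1).upper())
        m = RE_AUTORUN.search(line)
        if m:
            ind.autoruns.append((m.group(1), m.group(2) or m.group(3)))
    return ind


def shared_across(reports):
    """Apply the page's test to every report: value "6" in both hives, and a
    pseudo-random SOFTWARE key present under both HKLM and HKCU."""
    both = {"HKLM", "HKCU"}
    out = {}
    for name, text in reports.items():
        ind = parse_report(text)
        out[name] = {
            "is6_both_hives": ind.internet_settings_6 == both,
            "paired_random_keys": sorted(k for k, h in ind.random_keys.items() if h == both),
            "autoruns": ind.autoruns,
        }
    return out


if __name__ == "__main__":
    for name, verdict in shared_across(REPORTS).items():
        print(f"{name:<50} 6-in-both-hives={verdict['is6_both_hives']} "
              f"paired-key={verdict['paired_random_keys']} autorun={verdict['autoruns']}")
```

Run as-is, every excerpt comes back with the "6" value in both hives and an autorun under policies\Explorer\Run, and three of the four also show a mirrored random key; the Sophos excerpt shows none only because that write-up lists just the HKLM copy. That partial overlap is what makes the connection easy to miss when each vendor's report is read on its own.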