Tuesday, April 6, 2010

Malware YolRootX

Hi Folks,
having no time for a proper post, I am just pasting here some analysis I performed on YolRootX, a new piece of malware that I analyzed yesterday.

File System Changes:

(A new CryptoAPI RSA key container under the user's SID. Strictly this is a private-key blob rather than a certificate, written when a key pair is generated or imported, but a sample that starts creating keys is worth noting.)
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1078081533-1677128483-1801674531-500\699c4b9cdebca7aaea5193cae8a50098_5fc4e98d-1101-4864-b0bf-e0b3f6d9d878

(Some cookies ... just in case ;) These are consistent with the browser session the sample opens on www.globo.com, see the process list below.)
- C:\Documents and Settings\Administrator\Cookies\administrator@globo[1].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@www.globo[1].txt

(hidden content dropped into \Temp)
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC517.tmp

(Internet Explorer settings touched under HKCU ... )
..\software\microsoft\internet explorer\main

(Ahh Ahmm! a write under the user hive. Note, though, that Toolbar\Locked is IE's "Lock the Toolbars" flag, not an autostart key, so on its own this is not persistence.)
user\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000

(Did I ask for these queries? ;) Most of them are explained by the browser landing on www.globo.com: the site's own ad and video hosts, Flash and ActiveX update checks, Google analytics. The .gateway.2wire.net entry is the same Macromedia name with the analysis box's local DNS search suffix appended. The one not explained by that page is www.oviedolocal3476.com.)

Query DNS: www.oviedolocal3476.com
Query DNS: www.globo.com
Query DNS: ads.globo.com
Query DNS: ads.img.globo.com
Query DNS: fpdownloadocument.macromedia.com
Query DNS: fpdownloadocument.macromedia.com.gateway.2wire.net
Query DNS: activex.microsoft.com
Query DNS: codecs.microsoft.com
Query DNS: video.globo.com
Query DNS: www.google-analytics.com
Query DNS: imagem2.buscape.com.br
Query DNS: www.google.com
Query DNS: clients1.google.com
Query DNS: id.google.com

(I don't speak Spanish at all ...)
Internet connection: Connects to "65.55.13.243" on port 80 (TCP - HTTP).
Internet connection: Connects to "201.7.178.53" on port 80 (TCP - HTTP).
Internet connection: Connects to "74.125.19.113" on port 80 (TCP - HTTP).

(Process creation, a handle opened on an existing service, and code injection. ShellHWDetection is the stock Shell Hardware Detection service, so this is not a new service being installed; the injection into explorer.exe and iexplore.exe is the interesting part.)
Created process: (null),explorer.exe http://www.globo.com,(null)
Opened a service named: ShellHWDetection
Injected code into process: explorer.exe
Injected code into process: iexplore.exe

(loading interesting Windows libraries, including the Winsock stack: wsock32, mswsock.dll, wshtcpip.dll)

LoadLibrary(netapi32.dll)
LoadLibrary(kernel32.dll)
LoadLibrary(version.dll)
LoadLibrary(explorer.exe)
LoadLibrary(comctl32.dll)
LoadLibrary(shell32.dll)
LoadLibrary(windowsshell.manifest)
LoadLibrary(browselc.dll)
LoadLibrary(wsock32)
LoadLibrary(mswsock.dll)
LoadLibrary(hnetcfg.dll)
LoadLibrary(wshtcpip.dll)
LoadLibrary(actxprxy.dll)
LoadLibrary(msmsgs.exe)
LoadLibrary(jscript.dll)
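
As an added example (my own code, not part of the original post or of any sandbox tool), here is a small Python triage script that parses report lines in the exact "Type: value" shape used above into event buckets and flags what I would look at first: DNS names not explained by the browsing session the sample launched, code injection, and the new CryptoAPI key container. The expected-domain allowlist and the local DNS search suffix are my assumptions, stated in the code; the sample input is a constructed subset of the lines from the report.

```python
import re

# Constructed sample: a subset of lines copied from the sandbox report above,
# not the full trace, so the parser has realistic input to run on offline.
SAMPLE_REPORT = r"""
Query DNS: www.oviedolocal3476.com
Query DNS: www.globo.com
Query DNS: ads.globo.com
Query DNS: fpdownloadocument.macromedia.com.gateway.2wire.net
Query DNS: imagem2.buscape.com.br
Query DNS: www.google-analytics.com
Internet connection: Connects to "65.55.13.243" on port 80 (TCP - HTTP).
Internet connection: Connects to "201.7.178.53" on port 80 (TCP - HTTP).
Created process: (null),explorer.exe http://www.globo.com,(null)
Opened a service named: ShellHWDetection
Injected code into process: explorer.exe
Injected code into process: iexplore.exe
LoadLibrary(wsock32)
LoadLibrary(jscript.dll)
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1078081533-1677128483-1801674531-500\699c4b9cdebca7aaea5193cae8a50098_5fc4e98d-1101-4864-b0bf-e0b3f6d9d878
- C:\Documents and Settings\Administrator\Cookies\administrator@globo[1].txt
- C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC517.tmp
"""

# One regex per event type the report format uses; group 1 is the value of interest.
EVENT_PATTERNS = {
    "dns":     re.compile(r"^Query DNS:\s+(\S+)$"),
    "connect": re.compile(r'^Internet connection: Connects to "([\d.]+)" on port (\d+)'),
    "process": re.compile(r"^Created process:\s+(.+)$"),
    "service": re.compile(r"^Opened a service named:\s+(\S+)$"),
    "inject":  re.compile(r"^Injected code into process:\s+(\S+)$"),
    "library": re.compile(r"^LoadLibrary\(([^)]+)\)$"),
    "file":    re.compile(r"^-\s+([A-Za-z]:\\.+)$"),
}

# Triage assumptions (mine, not the original post's): the sample opened
# http://www.globo.com in the browser, so lookups for that site and for the usual
# ad/analytics/plug-in hosts such a page pulls in are expected browser noise.
EXPECTED_DOMAINS = ("globo.com", "google.com", "google-analytics.com",
                    "microsoft.com", "macromedia.com", "buscape.com.br")
# Assumed local DNS search suffix of the analysis box (a 2Wire home router appends
# it to unqualified names), visible in the report as "...macromedia.com.gateway.2wire.net".
LOCAL_DNS_SUFFIX = ".gateway.2wire.net"


def parse_report(text):
    """Bucket report lines by event type; lines matching no pattern land in 'other'."""
    events = {name: [] for name in EVENT_PATTERNS}
    events["other"] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, pattern in EVENT_PATTERNS.items():
            m = pattern.match(line)
            if m:
                if name == "connect":
                    events[name].append((m.group(1), int(m.group(2))))
                else:
                    events[name].append(m.group(1))
                break
        else:
            events["other"].append(line)
    return events


def is_expected_domain(name):
    """True if the queried name belongs to a domain the launched browsing explains."""
    host = name.lower().rstrip(".")
    if host.endswith(LOCAL_DNS_SUFFIX):          # undo the resolver's search-suffix append
        host = host[: -len(LOCAL_DNS_SUFFIX)]
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage(events):
    """Return (severity, finding) pairs worth a second look; everything else is noise."""
    findings = []
    for host in events["dns"]:
        if not is_expected_domain(host):
            findings.append(("high", f"unexplained DNS lookup: {host}"))
    for target in events["inject"]:
        findings.append(("high", f"code injected into {target}"))
    for path in events["file"]:
        basename = path.rsplit("\\", 1)[-1]
        if "\\Microsoft\\Crypto\\RSA\\" in path:   # CAPI per-user key container directory
            findings.append(("medium", f"new CryptoAPI RSA key container: {basename}"))
        elif "\\Local Settings\\Temp\\" in path:
            findings.append(("low", f"dropped temp file: {basename}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(parse_report(SAMPLE_REPORT)):
        print(f"[{severity:6}] {finding}")
```

Run against the constructed report this yields five findings: the single unexplained lookup (www.oviedolocal3476.com), the two injection targets, the key container and the temp file; the globo/Google/Macromedia noise is filtered out, including the suffix-mangled Macromedia name.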
