Size: 10 240 bytes
EntryPoint: 0000212F
Section: .code
EPOffset: 0000132F
Linker Info: 1.67
SubSystem: Win32 GUI
MD5: f7e90b4e7c740308ecddc318ca97cd32
SHA1: 289b6917d04a39e042853c1ee5f61b9388aa1842

07 May 2008 23:47:01 (GMT)
A-Squared : Found nothing
AntiVir : Found nothing
ArcaVir : Found nothing
Avast : Found nothing
AVG Antivirus : Found nothing
BitDefender : Found nothing
ClamAV : Found nothing
CPsecure : Found nothing
Dr.Web : Found nothing
F-Prot Antivirus : Found nothing
F-Secure Anti-Virus : Found nothing
Fortinet : Found nothing
Ikarus : Found nothing
Kaspersky Anti-Virus : Found nothing
NOD32 : Found nothing
Norman Virus Control : Found nothing
Panda Antivirus : Found nothing
Sophos Antivirus : Found nothing
VirusBuster : Found nothing
VBA32 : Found nothing

The dropper writes the file "%homedrive%\sysdump.dll"
Size: 4 608 bytes
EntryPoint: 000022BE
Section: .code
EPOffset: 00000ABE
Linker Info: 1.67
SubSystem: Win32 GUI
MD5: a5a0b9d2b35cfa163ddc37ea2b93d51f
SHA1: 7265f00408875b0c7e197cb8b3bf3284b73e7641

It then runs the files "%homedrive%\temp1.bat" and/or "%homedrive%\temp2.bat" through "cmd.exe"; these in turn generate "%homedrive%\temp1.reg" and/or "%homedrive%\temp2.reg", which are executed by "regedit.exe". The library is registered in the registry under the following Class Identifier (CLSID) & Browser Helper Object (BHO): {C613CE22-151C-4331-94FF-F113A153F66D}

Runs "%programfiles%\Internet Explorer\IEXPLORE.EXE":
00000400h: 46 39 39 39 39 39 32 00 32 30 39 2E 31 36 30 2E ; F999992.209.160.
00000410h: 32 31 2E 37 36 00 32 30 39 2E 31 36 30 2E 36 34 ; 21.76.209.160.64
00000420h: 2E 31 30 36 00 00 5C 31 32 33 2E 64 6C 6C 00 C8 ; .106..\123.dll
00000430h: 58 1F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; X...............

sysdump.dll - 08 May 2008 00:15:35 (GMT)
A-Squared : Found nothing
AntiVir : Found nothing
ArcaVir : Found nothing
Avast : Found nothing
AVG Antivirus : Found nothing
BitDefender : Found nothing
ClamAV : Found nothing
CPsecure : Found nothing
Dr.Web : Found nothing
F-Prot Antivirus : Found nothing
F-Secure Anti-Virus : Found nothing
Fortinet : Found nothing
Ikarus : Found nothing
Kaspersky Anti-Virus : Found nothing
NOD32 : Found nothing
Norman Virus Control : Found nothing
Panda Antivirus : Found nothing
Sophos Antivirus : Found nothing
VirusBuster : Found nothing
VBA32 : Found nothing
_______________
« Let's try to subvert our brains, today. »
SecuBox Labs, FRANCE