[Dshield] need help decoding.
Matt Richard
matt.richard at gmail.com
Thu Sep 20 04:02:53 GMT 2007
On 9/18/07, wiretapp <wiretapp at gmail.com> wrote:
> marcobernardoni.com is running on an IP out of Hong Kong and the index
> page listed has an mpack javascript, which attempts several exploits to
> push file.php... Of course it's a Windows PE binary, however it seems to
> be broken. I don't have time to manually run through it, perhaps
> someone else does.
>
Just to follow up on the mpack payload (file.php) binary. Looks like
an information-stealing proxy; details below. BTW the C+C site is
still online at this time.
Here is the AV:
AntiVir TR/Crypt.XPACK.Gen
Avast! Win32:Xorpix-U [Trj]
F-Secure Trojan-Proxy.Win32.Xorpix.bs
Ikarus Trojan-Downloader.Win32.Small.evh
Kaspersky Trojan-Proxy.Win32.Xorpix.bs
Sophos Mal/Packer
Symantec Backdoor.Eterok.C
Symantec (BETA) Backdoor.Eterok.C
WebWasher Trojan.Crypt.XPACK.Gen
Basically it installs itself in the "All Users" profile folder as
arm32.dll and then attempts to contact
http://simdream.info/ssw/work.php to check in and upload information.
Adds the following registry data:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "DllName" = C:\Documents and Settings\All Users\Documents\Settings\arm32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Startup" = arm32reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Impersonate" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Asynchronous" = [REG_DWORD, value: 00000001]
AV detection is on the light side.
Matt Richard
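A defender-side check for the persistence mechanism described above (a Winlogon Notify package loading a DLL from a user profile directory), added here as an example and not code from the original thread. It parses a constructed .reg-style export of the Winlogon\Notify key, modelled on the values listed in the post plus a constructed benign sibling entry, and flags any package whose DllName points outside the system directory. The sample text, the NOTIFY_PREFIX constant and the system_dir default are assumptions made for the example.

```python
"""Audit Winlogon\\Notify packages from a .reg export for DLLs loaded outside system32."""
import re
from dataclasses import dataclass

# Constructed sample export (not a real capture): one benign-looking entry with a
# bare DLL name, and one modelled on the arm32reg values reported in the post.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\arm32.dll"
"Startup"="arm32reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
'''

# Assumed key path under which Winlogon notification packages are registered.
NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: value}}.

    Handles quoted strings (with \\\\ and \\" escapes) and dword:XXXXXXXX values;
    anything else is kept as the raw right-hand side.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = val
    return keys


@dataclass
class Finding:
    package: str        # subkey name under Winlogon\Notify
    dll: str            # DllName value as written in the registry
    reason: str         # why it was flagged
    impersonate: bool   # Impersonate flag (runs in the logged-on user's context)
    asynchronous: bool  # Asynchronous flag (runs in its own thread)


def audit_notify(keys, system_dir="C:\\WINDOWS\\system32"):
    """Return one Finding per Notify package whose DLL path is not the system dir.

    A bare file name (no backslash) is resolved through the normal loader search
    path and is not flagged here; an absolute path outside system_dir is.
    """
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = key[len(NOTIFY_PREFIX):]
        dll = values.get("DllName", "")
        imp = values.get("Impersonate") == 1
        asy = values.get("Asynchronous") == 1
        if not dll:
            findings.append(Finding(package, dll, "no DllName value", imp, asy))
        elif "\\" in dll:
            dll_dir = dll.rsplit("\\", 1)[0]
            if dll_dir.lower() != system_dir.lower():
                findings.append(Finding(package, dll,
                                        "DllName outside system directory", imp, asy))
    return findings


if __name__ == "__main__":
    for f in audit_notify(parse_reg(SAMPLE_REG)):
        print(f"{f.package}: {f.reason} ({f.dll}); "
              f"Impersonate={f.impersonate} Asynchronous={f.asynchronous}")
```

On a live system the same audit runs against the output of `reg export` for the Winlogon key; the constructed sample here yields a single finding for arm32reg, while the entry with a bare DLL name passes. The Impersonate and Asynchronous flags are reported as context rather than used as a trigger, since legitimate packages set them too.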