[Dshield] need help decoding.

Matt Richard matt.richard at gmail.com
Thu Sep 20 04:02:53 GMT 2007


On 9/18/07, wiretapp <wiretapp at gmail.com> wrote:
> marcobernardoni.com is running on an IP out of Hong Kong and the index
> page listed has a mpack javascript, which attempts several exploits to
> push file.php...Of course it's a windows PE binary, however it seems to
> be broken. I don't have time to manually run through it, perhaps
> someone else does.
>

Just to follow up on the mpack payload (file.php) binary.  Looks like
an information-stealing proxy, details below.  BTW the C+C site is
still online at this time.

Here is the AV:

AntiVir	TR/Crypt.XPACK.Gen
Avast!	Win32:Xorpix-U [Trj]
F-Secure	Trojan-Proxy.Win32.Xorpix.bs
Ikarus	Trojan-Downloader.Win32.Small.evh
Kaspersky	Trojan-Proxy.Win32.Xorpix.bs
Sophos	Mal/Packer
Symantec	Backdoor.Eterok.C
Symantec (BETA)	Backdoor.Eterok.C
WebWasher	Trojan.Crypt.XPACK.Gen

Basically it installs itself in the "All Users" profile folder as
arm32.dll and then attempts to contact
http://simdream.info/ssw/work.php to check in and upload information.

It adds the following registry data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "DllName" = C:\Documents and Settings\All Users\Documents\Settings\arm32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Startup" = arm32reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Impersonate" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg "Asynchronous" = [REG_DWORD, value: 00000001]

AV detection is on the light side.

Matt Richard
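
As an added defender-side example (not part of the post above), the following Python script parses a .reg export of the Winlogon\Notify key and flags any notification package whose DllName is loaded from outside System32, which is how the arm32reg persistence described in the post would stand out on a host. The sample export is constructed to mirror the reported values, and the System32 path is an assumed default.

```python
import re
from pathlib import PureWindowsPath

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")  # assumption: default %SystemRoot%

# Constructed sample export: one stock package (scecli) plus the arm32reg entry as reported in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scecli]
"DllName"="scecli.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\arm32reg]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\arm32.dll"
"Startup"="arm32reg"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_notify_packages(reg_text):
    """Return {subkey: {value_name: value}} for every subkey under Winlogon\\Notify."""
    packages, current, prefix = {}, None, NOTIFY_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1)
            current = packages.setdefault(key[len(prefix):], {}) if key.lower().startswith(prefix) else None
        elif current is not None and (m := _STR_RE.match(line)):
            # .reg files escape backslashes and quotes inside string values
            current[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
        elif current is not None and (m := _DWORD_RE.match(line)):
            current[m.group(1)] = int(m.group(2), 16)
    return packages

def audit_notify_packages(packages):
    """Flag packages whose DllName is not loaded from System32; return {subkey: [reasons]}."""
    findings = {}
    for name, values in packages.items():
        path = PureWindowsPath(values.get("DllName", ""))
        # A bare file name resolves from the system directory; a full path must point under it.
        if path.parent != PureWindowsPath(".") and SYSTEM32 not in path.parents:
            reasons = [f"DllName outside System32: {path}"]
            if values.get("Impersonate") == 1:  # handler runs in the logging-on user's context
                reasons.append("Impersonate=1")
            findings[name] = reasons
    return findings
```

On a live host the same checks apply to the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, read as text.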

