Monday, May 24, 2010

some APT malware samples

 This post is to be continued...


and more



Helper.dll and Helper.exe - Presumably password loggers

C:\windows\system32

 Download helper.exe helper.sys as a password protected archive (contact me if you need the password)


File helper.exe received on 2010.05.06 03:07:02 (UTC)
Result: 1/41 (2.44%)
Sunbelt    6265    2010.05.06    BehavesLike.Win32.Malware (v)
File size: 49152 bytes
MD5...: cf795574914ac35c5a13f1fdeed9dcda

File helper.sys received on 2010.05.06 03:24:10 (UTC)
Result: 3/41 (7.32%)
a-squared    4.5.0.50    2010.05.06    Trojan-PWS.Perfloger!IK
AVG    9.0.0.787    2010.05.05    PSW.Perfloger.DJ
Ikarus    T3.1.1.84.0    2010.05.06    Trojan-PWS.Perfloger
File size: 9600 bytes
MD5   : 2d366e990f5a697ef826b30337c49f01
AppMgmt.dll
C\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a

Service name Application Management
Description Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default - Manual

Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll\%SystemRoot%\System32\appmgmts.dll
Service starts - Manual

Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll
C:\Documents and Settings\Default User\AppMgmt.dll
Service starts - automatic

C:\
NTKERNELSVC.EXE
File NTKERNELSVC.EXE received on 2010.05.06 05:10:49 (UTC)
Result: 2/41 (4.88%)
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.LooksLike.Win32.Click.I
TrendMicro    9.120.0.1004    2010.05.05    PAK_Generic.001
Additional information
File size: 3584 bytes
MD5...: 8f7a931316dda9280c6e96a7a7d987df

C:\windows\system32

 msv1_1.dll  winddfsrv.exe

http://www.virustotal.com/analisis/34266ce367e3b4b878095847ef6d933affc67a9456c33c7878a5af12b6e592ce-1273120278 
File msv1_1.dll received on 2010.05.06 04:31:18 (UTC)
Result: 9/41 (21.96%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.05.06    Trojan-Spy!IK
AhnLab-V3    2010.05.05.00    2010.05.05    Trojan/Win32.Agent
AntiVir    8.2.1.236    2010.05.05    TR/Spy.Gen
Antiy-AVL    2.0.3.7    2010.05.05    Trojan/Win32.Agent.gen
Comodo    4776    2010.05.06    TrojWare.Win32.PSW.Agent
Ikarus    T3.1.1.84.0    2010.05.06    Trojan-Spy
Kaspersky    7.0.0.125    2010.05.06    Trojan-PSW.Win32.Agent.qvs
Panda    10.0.2.7    2010.05.05    Suspicious file
TheHacker    6.5.2.0.276    2010.05.06    Trojan/PSW.Agent.qvs
Additional information
File size: 13824 bytes
MD5...: b16511d5e61bb6daf11899d1447fafde

http://www.virustotal.com/analisis/47dda594816d244cc25b3878107550c1edd0c44168b19f647f3208701fd4ef6c-1273100794
File winddfsrv.exe received on 2010.05.05 23:06:34 (UTC)
Result: 11/41 (26.83%)
a-squared    4.5.0.50    2010.05.05    Trojan-Downloader!IK
AhnLab-V3    2010.05.05.00    2010.05.05    Backdoor/Win32.Small
AntiVir    8.2.1.236    2010.05.05    TR/Downloader.Gen
Antiy-AVL    2.0.3.7    2010.05.05    Backdoor/Win32.Small.gen
eSafe    7.0.17.0    2010.05.05    Win32.TRDownloader
Fortinet    4.0.14.0    2010.05.05    W32/PdfExDr.B!tr.bdr
Ikarus    T3.1.1.84.0    2010.05.05    Trojan-Downloader
Kaspersky    7.0.0.125    2010.05.05    Backdoor.Win32.Small.jdg
Panda    10.0.2.7    2010.05.05    Suspicious file
Sophos    4.53.0    2010.05.05    Mal/PdfExDr-B
Sunbelt    6265    2010.05.06    Trojan.Win32.Generic!BT
Additional information
File size: 194048 bytes
MD5   : fa94a53e70acb072fb0bb866d2947066





Update.exe
C:\windows\system32

File update.exe received on 2010.05.06 04:55:51 (UTC)
Result: 22/41 (53.66%)
Antivirus    Version    Last Update    Result
a-squared    4.5.0.50    2010.05.06    Trojan.Win32.Rarnmel!IK
AhnLab-V3    2010.05.05.00    2010.05.05    Malware/Win32.Generic
AntiVir    8.2.1.236    2010.05.05    TR/Dropper.Gen
Authentium    5.2.0.5    2010.05.06    W32/Injector.A.gen!Eldorado
Avast    4.8.1351.0    2010.05.05    Win32:Rarnmel
Avast5    5.0.332.0    2010.05.05    Win32:Rarnmel
AVG    9.0.0.787    2010.05.05    Dropper.Generic2.AEX
BitDefender    7.2    2010.05.06    Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Comodo    4776    2010.05.06    TrojWare.Win32.Trojan.Agent.Gen
DrWeb    5.0.2.03300    2010.05.06    Trojan.Writer.7522
eSafe    7.0.17.0    2010.05.05    Win32.TRDropper
F-Prot    4.5.1.85    2010.05.06    W32/Injector.A.gen!Eldorado
F-Secure    9.0.15370.0    2010.05.06    Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Fortinet    4.0.14.0    2010.05.05    PossibleThreat
GData    21    2010.05.06    Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Ikarus    T3.1.1.84.0    2010.05.06    Trojan.Win32.Rarnmel
Kaspersky    7.0.0.125    2010.05.06    Type_Win32
McAfee    5.400.0.1158    2010.05.06    New Poly Win32
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft    1.5703    2010.05.05    Trojan:Win32/Rarnmel.A
Panda    10.0.2.7    2010.05.05    Suspicious file
Sunbelt    6265    2010.05.06    Trojan.Win32.Generic!BT
Additional information
File size: 127085 bytes
MD5...: d150786c232293664963ca1adb6a8675
SHA1..: 8a36c7a67a548f866bc6ec70a248355e9154f68f



C:\windows\system32
Msups.dll 
File Msups.dll received on 2010.05.06 05:04:52 (UTC)
Result: 13/41 (31.71%)
a-squared    4.5.0.50    2010.05.06    Trojan.Crypt!IK
AntiVir    8.2.1.236    2010.05.05    TR/Crypt.XPACK.Gen
Authentium    5.2.0.5    2010.05.06    W32/SuspPack.BQ.gen!Eldorado
Avast    4.8.1351.0    2010.05.05    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.05    Win32:Malware-gen
F-Prot    4.5.1.85    2010.05.06    W32/SuspPack.BQ.gen!Eldorado
GData    21    2010.05.06    Win32:Malware-gen
Ikarus    T3.1.1.84.0    2010.05.06    Trojan.Crypt
McAfee-GW-Edition    2010.1    2010.05.06    Artemis!97C6D92ED413
Panda    10.0.2.7    2010.05.05    Suspicious file
Rising    22.46.03.01    2010.05.06    Packer.Win32.Agent.av
Sophos    4.53.0    2010.05.06    Mal/Behav-363
Sunbelt    6265    2010.05.06    Trojan.Win32.Generic!BT
Additional information
File size: 122880 bytes
MD5...: 97c6d92ed413be2d96246065ecd3ebf8

winDDEsrv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winDDEsrv
Imagepath C:\WINDOWS\system32\winDDEsrv.exe



http://www.virustotal.com/analisis/47dda594816d244cc25b3878107550c1edd0c44168b19f647f3208701fd4ef6c-1273204619
File winDDEsrv.exe received on 2010.05.07 03:56:59 (UTC)
Result: 14/41 (34.15%)
a-squared    4.5.0.50    2010.05.07    Trojan-Downloader!IK
AhnLab-V3    2010.05.07.00    2010.05.06    Backdoor/Win32.Small
AntiVir    8.2.1.236    2010.05.06    TR/Downloader.Gen
Antiy-AVL    2.0.3.7    2010.05.06    Backdoor/Win32.Small.gen
eSafe    7.0.17.0    2010.05.06    Win32.TRDownloader
Fortinet    4.0.14.0    2010.05.05    W32/PdfExDr.B!tr.bdr
Ikarus    T3.1.1.84.0    2010.05.07    Trojan-Downloader
Kaspersky    7.0.0.125    2010.05.07    Backdoor.Win32.Small.jdg
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.BehavesLike.Win32.PasswordStealer.A
Panda    10.0.2.7    2010.05.06    Suspicious file
Sophos    4.53.0    2010.05.07    Mal/PdfExDr-B
Sunbelt    6273    2010.05.07    Trojan.Win32.Generic!BT
TrendMicro    9.120.0.1004    2010.05.07    BKDR_SMALL.LCL
TrendMicro-HouseCall    9.120.0.1004    2010.05.07    BKDR_SMALL.LCL
Additional information
File size: 194048 bytes
MD5...: fa94a53e70acb072fb0bb866d2947066

1 comment:

  1. Thanks for dumping these. Do you have any updates to this list?

    ReplyDelete