Read about APT malware by visiting M-unition - the Mandiant blog
Combat the APT by Sharing Indicators of Compromise
Malware Behaving Badly: Preview
Blackhat Europe, State Of Malware: Family Ties
and more
Helper.dll and Helper.exe - Presumably password loggers
C:\windows\system32
Download helper.exe and helper.sys as a password-protected archive (contact me if you need the password)
File helper.exe received on 2010.05.06 03:07:02 (UTC)
Result: 1/41 (2.44%)
Sunbelt 6265 2010.05.06 BehavesLike.Win32.Malware (v)
File size: 49152 bytes
MD5...: cf795574914ac35c5a13f1fdeed9dcda
File helper.sys received on 2010.05.06 03:24:10 (UTC)
Result: 3/41 (7.32%)
a-squared 4.5.0.50 2010.05.06 Trojan-PWS.Perfloger!IK
AVG 9.0.0.787 2010.05.05 PSW.Perfloger.DJ
Ikarus T3.1.1.84.0 2010.05.06 Trojan-PWS.Perfloger
File size: 9600 bytes
MD5...: 2d366e990f5a697ef826b30337c49f01
AppMgmt.dll
C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender 7.2 2010.05.06 Trojan.CryptRedol.Gen.3
F-Secure 9.0.15370.0 2010.05.06 Trojan.CryptRedol.Gen.3
GData 21 2010.05.06 Trojan.CryptRedol.Gen.3
Microsoft 1.5703 2010.05.05 Backdoor:Win32/Mdmbot.D
nProtect 2010-05-05.01 2010.05.05 Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a
Service name: Application Management (AppMgmt)
Description: Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default start type: Manual
Legitimate key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll
%SystemRoot%\System32\appmgmts.dll
Service starts: Manual
Compromised key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll
C:\Documents and Settings\Default User\AppMgmt.dll
Service starts: Automatic
The backdoor repoints the ServiceDll of the existing Application Management service, so the service host process loads AppMgmt.dll from the Default User profile whenever the service starts, and the start type has been switched from Manual to Automatic so that this happens on every boot.
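As an added example (not part of the original post), the following Python script shows the check a responder would run for the ServiceDll hijack described above: it parses output in the layout printed by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, groups the Start, ImagePath and ServiceDll values per service and control set, and flags every service whose ServiceDll resolves outside %SystemRoot%\System32, reporting the start type next to it. The registry text it reads is a constructed sample that mirrors the legitimate and compromised AppMgmt keys; the function names are my own and the system root is assumed to be C:\WINDOWS.

```python
import ntpath
import re

# Constructed sample in the layout printed by `reg query <key> /s`.
# It mirrors the legitimate and hijacked AppMgmt keys described above;
# it is not an export from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
    Start    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\appmgmts.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Documents and Settings\Default User\AppMgmt.dll
"""

# One "name    type    data" line under a key header.
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
# Which control set the key lives in (the CurrentControlSet link or a numbered set).
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\", re.IGNORECASE)
# The service name, with or without the trailing \Parameters subkey.
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)(\\Parameters)?$", re.IGNORECASE)

# Meaning of the Start value (the SERVICE_*_START constants).
START_NAMES = {"0x0": "Boot", "0x1": "System", "0x2": "Automatic",
               "0x3": "Manual", "0x4": "Disabled"}


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s` output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key header line
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:         # value line under the current key
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data)
    return keys


def collect_services(keys):
    """Group Start, ImagePath and ServiceDll by (control set, service name)."""
    services = {}
    for path, values in keys.items():
        cs = CONTROLSET_RE.search(path)
        svc = SERVICE_RE.search(path)
        if not cs or not svc:
            continue
        entry = services.setdefault((cs.group(1), svc.group(1)), {})
        for name in ("Start", "ImagePath", "ServiceDll"):
            if name in values:
                entry[name] = values[name][1]
    return services


def normalize_path(path, system_root):
    """Expand %SystemRoot% and canonicalise case and separators for comparison."""
    # A lambda avoids re.sub treating backslashes in system_root as escapes.
    expanded = re.sub(r"%SystemRoot%", lambda _: system_root, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def audit_service_dlls(text, system_root=r"C:\WINDOWS"):
    """Flag every ServiceDll that resolves outside the System32 directory.

    Returns a sorted list of (control_set, service, service_dll, start_type).
    """
    trusted = ntpath.normcase(ntpath.join(system_root, "System32")) + "\\"
    findings = []
    services = collect_services(parse_reg_query(text))
    for (cs, svc), entry in sorted(services.items()):
        dll = entry.get("ServiceDll")
        if dll is None:
            continue
        if not normalize_path(dll, system_root).startswith(trusted):
            start = START_NAMES.get(entry.get("Start", ""), "unknown")
            findings.append((cs, svc, dll, start))
    return findings


if __name__ == "__main__":
    for cs, svc, dll, start in audit_service_dlls(SAMPLE_REG_QUERY):
        print(f"[{cs}] {svc}: ServiceDll outside System32 -> {dll} (start: {start})")
```

On a live host, export the services hive with `reg query HKLM\SYSTEM /s` to a text file and pass its contents to audit_service_dlls; checking every numbered ControlSet, not only CurrentControlSet, matters here because the compromised entry above sits in ControlSet001. The path check only catches DLLs planted outside System32, so a sample dropped into System32 under a plausible name, such as Msups.dll further down this post, has to be matched by hash against the MD5s listed instead.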
NTKERNELSVC.EXE
Result: 2/41 (4.88%)
McAfee-GW-Edition 2010.1 2010.05.06 Heuristic.LooksLike.Win32.Click.I
TrendMicro 9.120.0.1004 2010.05.05 PAK_Generic.001
Additional information
File size: 3584 bytes
MD5...: 8f7a931316dda9280c6e96a7a7d987df
C:\windows\system32
msv1_1.dll winddfsrv.exe
Download msv1_1.dll and winddfsrv.exe as a password-protected archive (contact me if you need the password)
File msv1_1.dll received on 2010.05.06 04:31:18 (UTC)
Result: 9/41 (21.96%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 Trojan-Spy!IK
AhnLab-V3 2010.05.05.00 2010.05.05 Trojan/Win32.Agent
AntiVir 8.2.1.236 2010.05.05 TR/Spy.Gen
Antiy-AVL 2.0.3.7 2010.05.05 Trojan/Win32.Agent.gen
Comodo 4776 2010.05.06 TrojWare.Win32.PSW.Agent
Ikarus T3.1.1.84.0 2010.05.06 Trojan-Spy
Kaspersky 7.0.0.125 2010.05.06 Trojan-PSW.Win32.Agent.qvs
Panda 10.0.2.7 2010.05.05 Suspicious file
TheHacker 6.5.2.0.276 2010.05.06 Trojan/PSW.Agent.qvs
Additional information
File size: 13824 bytes
MD5...: b16511d5e61bb6daf11899d1447fafde
http://www.virustotal.com/analisis/47dda594816d244cc25b3878107550c1edd0c44168b19f647f3208701fd4ef6c-1273100794
File winddfsrv.exe received on 2010.05.05 23:06:34 (UTC)
Result: 11/41 (26.83%)
a-squared 4.5.0.50 2010.05.05 Trojan-Downloader!IK
AhnLab-V3 2010.05.05.00 2010.05.05 Backdoor/Win32.Small
AntiVir 8.2.1.236 2010.05.05 TR/Downloader.Gen
Antiy-AVL 2.0.3.7 2010.05.05 Backdoor/Win32.Small.gen
eSafe 7.0.17.0 2010.05.05 Win32.TRDownloader
Fortinet 4.0.14.0 2010.05.05 W32/PdfExDr.B!tr.bdr
Ikarus T3.1.1.84.0 2010.05.05 Trojan-Downloader
Kaspersky 7.0.0.125 2010.05.05 Backdoor.Win32.Small.jdg
Panda 10.0.2.7 2010.05.05 Suspicious file
Sophos 4.53.0 2010.05.05 Mal/PdfExDr-B
Sunbelt 6265 2010.05.06 Trojan.Win32.Generic!BT
Additional information
File size: 194048 bytes
MD5...: fa94a53e70acb072fb0bb866d2947066
Update.exe
C:\windows\system32
File update.exe received on 2010.05.06 04:55:51 (UTC)
Result: 22/41 (53.66%)
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.05.06 Trojan.Win32.Rarnmel!IK
AhnLab-V3 2010.05.05.00 2010.05.05 Malware/Win32.Generic
AntiVir 8.2.1.236 2010.05.05 TR/Dropper.Gen
Authentium 5.2.0.5 2010.05.06 W32/Injector.A.gen!Eldorado
Avast 4.8.1351.0 2010.05.05 Win32:Rarnmel
Avast5 5.0.332.0 2010.05.05 Win32:Rarnmel
AVG 9.0.0.787 2010.05.05 Dropper.Generic2.AEX
BitDefender 7.2 2010.05.06 Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Comodo 4776 2010.05.06 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.2.03300 2010.05.06 Trojan.Writer.7522
eSafe 7.0.17.0 2010.05.05 Win32.TRDropper
F-Prot 4.5.1.85 2010.05.06 W32/Injector.A.gen!Eldorado
F-Secure 9.0.15370.0 2010.05.06 Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Fortinet 4.0.14.0 2010.05.05 PossibleThreat
GData 21 2010.05.06 Gen:Trojan.Heur.PT.huX@aKeS0Hpb
Ikarus T3.1.1.84.0 2010.05.06 Trojan.Win32.Rarnmel
Kaspersky 7.0.0.125 2010.05.06 Type_Win32
McAfee 5.400.0.1158 2010.05.06 New Poly Win32
McAfee-GW-Edition 2010.1 2010.05.06 Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft 1.5703 2010.05.05 Trojan:Win32/Rarnmel.A
Panda 10.0.2.7 2010.05.05 Suspicious file
Sunbelt 6265 2010.05.06 Trojan.Win32.Generic!BT
Additional information
File size: 127085 bytes
MD5...: d150786c232293664963ca1adb6a8675
SHA1..: 8a36c7a67a548f866bc6ec70a248355e9154f68f
C:\windows\system32
Msups.dll
File Msups.dll received on 2010.05.06 05:04:52 (UTC)
Result: 13/41 (31.71%)
a-squared 4.5.0.50 2010.05.06 Trojan.Crypt!IK
AntiVir 8.2.1.236 2010.05.05 TR/Crypt.XPACK.Gen
Authentium 5.2.0.5 2010.05.06 W32/SuspPack.BQ.gen!Eldorado
Avast 4.8.1351.0 2010.05.05 Win32:Malware-gen
Avast5 5.0.332.0 2010.05.05 Win32:Malware-gen
F-Prot 4.5.1.85 2010.05.06 W32/SuspPack.BQ.gen!Eldorado
GData 21 2010.05.06 Win32:Malware-gen
Ikarus T3.1.1.84.0 2010.05.06 Trojan.Crypt
McAfee-GW-Edition 2010.1 2010.05.06 Artemis!97C6D92ED413
Panda 10.0.2.7 2010.05.05 Suspicious file
Rising 22.46.03.01 2010.05.06 Packer.Win32.Agent.av
Sophos 4.53.0 2010.05.06 Mal/Behav-363
Sunbelt 6265 2010.05.06 Trojan.Win32.Generic!BT
Additional information
File size: 122880 bytes
MD5...: 97c6d92ed413be2d96246065ecd3ebf8
winDDEsrv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winDDEsrv
ImagePath: C:\WINDOWS\system32\winDDEsrv.exe
http://www.virustotal.com/analisis/47dda594816d244cc25b3878107550c1edd0c44168b19f647f3208701fd4ef6c-1273204619
File winDDEsrv.exe received on 2010.05.07 03:56:59 (UTC)
Result: 14/41 (34.15%)
a-squared 4.5.0.50 2010.05.07 Trojan-Downloader!IK
AhnLab-V3 2010.05.07.00 2010.05.06 Backdoor/Win32.Small
AntiVir 8.2.1.236 2010.05.06 TR/Downloader.Gen
Antiy-AVL 2.0.3.7 2010.05.06 Backdoor/Win32.Small.gen
eSafe 7.0.17.0 2010.05.06 Win32.TRDownloader
Fortinet 4.0.14.0 2010.05.05 W32/PdfExDr.B!tr.bdr
Ikarus T3.1.1.84.0 2010.05.07 Trojan-Downloader
Kaspersky 7.0.0.125 2010.05.07 Backdoor.Win32.Small.jdg
McAfee-GW-Edition 2010.1 2010.05.06 Heuristic.BehavesLike.Win32.PasswordStealer.A
Panda 10.0.2.7 2010.05.06 Suspicious file
Sophos 4.53.0 2010.05.07 Mal/PdfExDr-B
Sunbelt 6273 2010.05.07 Trojan.Win32.Generic!BT
TrendMicro 9.120.0.1004 2010.05.07 BKDR_SMALL.LCL
TrendMicro-HouseCall 9.120.0.1004 2010.05.07 BKDR_SMALL.LCL
Additional information
File size: 194048 bytes
MD5...: fa94a53e70acb072fb0bb866d2947066
Thanks for dumping these. Do you have any updates to this list?