CastleCops, Internet Crime Fighters
Rogue .js Scripts

maliciousbrains
Sergeant, Premium Member
Joined: Feb 23, 2008
Posts: 103
Posted: Tue Mar 18, 2008 3:10 am    Post subject: Rogue .js Scripts

password to zip is: infected

details:

File Name: dxdiag.exe
File size: 312832 bytes
MD5: 73f31e474c66f401e06fcbae71848596
SHA1: 2a0418b941948c864995d21d692b839d528d6a86
PEiD: ASPack v2.12 -> Alexey Solodovnikov
packers: ASPack
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C85B08650098DACBC6AF04B5971D0C00DCB6A520

VirusTotal Result: 6/32 (18.75%)

Authentium 4.93.8 2008.03.14 Possibly a new variant of W32/NewMalware-LSU-based!Maximus
F-Prot 4.4.2.54 2008.03.16 W32/Downloader.F.gen!Eldorado
Microsoft 1.3301 2008.03.17 PWS:Win32/Hawthief.A
Panda 9.0.0.4 2008.03.17 Suspicious file
Prevx1 V2 2008.03.18 Generic.Malware
VBA32 3.12.6.3 2008.03.17 suspected of Trojan-Proxy.Agent.33 (paranoid heuristics)

Technical Details:

COM Activity:
COM Create Instance: C:\WINDOWS\system32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({00000149-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\system32\shdocvw.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})

File System Activity:
Opened Files
C:\WINDOWS\system32\shdocvw.dll
\\.\PIPE\lsarpc
C:\WINDOWS\system32\stdole2.tlb
Chronological order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)

Mutexes:
Creates Mutex: TacOnlyOnefile

Registry Activity:
Changes
HKEY_CLASSES_ROOT\TacOnlyOne "file" = [REG_DWORD, value: 000100D4]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ( Embedded Web Browser from: http://bsalsa.com/)" =
Reads
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic ""
HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec ""
HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec ""
HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec ""
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\ProxyStubClsid32"
HKEY_CLASSES_ROOT "Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\Forward"
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib ""
HKEY_CLASSES_ROOT\Interface\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TypeLib "Version"
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
Enums
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1

System Info Activity:
Get System Directory
Get Computer Name
Get System Time

--------------------------------------------------------------------------------

FileName: gbiehbsb.js
File size: 758784 bytes
MD5: 47071cf1938ebbf9493dbbf3d6b44a4a
SHA1: 1482277c7a9cc73abe44fbf8e22b0a58a3cb26fc
PEiD: ASPack v2.12 -> Alexey Solodovnikov
packers: ASPack

VirusTotal Result: 4/32 (12.50%)

BitDefender 7.2 2008.03.18 Generic.Banker.Delf.ED1F9491
Ikarus T3.1.1.20 2008.03.18 Trojan-Spy.Win32.Banker.enw
Microsoft 1.3301 2008.03.17 TrojanSpy:Win32/Bancos.gen!A
Sophos 4.27.0 2008.03.18 Mal/DelpBanc-A

Technical Details:

File System Activity:
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)

System Info Activity:
Get System Directory

Virtual Memory Activity:
VM Write - Target: (1908) Address: ($010A0000) Size: (12)
VM Write - Target: (1908) Address: ($010B0000) Size: (10)
VM Write - Target: (1908) Address: ($023E0000) Size: (10)

--------------------------------------------------------------------------------

File Name: svcpool.js
File size: 122368 bytes
MD5: f23d482fa43f1c0d9c16c20d656471ba
SHA1: 1cde84a40066cb54d1ed66145ef4989107837f59
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2E54962E009A2F83DEF6014FD0E13D00DB7BFBA2

VirusTotal Result: 5/32 (15.62%)

AntiVir 7.6.0.73 2008.03.17 TR/Spy.Gen
Panda 9.0.0.4 2008.03.17 Suspicious file
Prevx1 V2 2008.03.18 Heuristic: Suspicious Self Modifying File
Sophos 4.27.0 2008.03.18 Sus/Madcode-A
Webwasher-Gateway 6.6.2 2008.03.17 Trojan.Spy.Gen

Technical Details:

File System Activity:
Chronological order
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\ntdll.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ADVAPI32.dll (OPEN_EXISTING)

Mutexes:

Creates Mutex: Global\mchMixCache$3f4
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77f7f3c3
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e8049b
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e805d8
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e7296f
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e805b8
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e71afe
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e64b7c
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e645e4
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e630f1
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e73628
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77e7350e
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd72f0
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd5fce
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd590b
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd567c
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77ddb065
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd839f
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd5c55
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77dd5bb1

Someone please post them to ListServ


_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org

There are no patches or service packs for ignorance!
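The sandbox output above is worth more than its VirusTotal count: the mutex name, the `HKEY_CLASSES_ROOT\TacOnlyOne` key and the embedded-browser user-agent string are host artefacts that can be hunted for independently of the packer. The script below is an added example, not code from the post or from any sandbox vendor; it parses the report format as quoted (the `REPORT` constant is constructed from the dxdiag.exe section, with the `Global\Mutex, mAH` line borrowed from the svcpool.js section), filters out artefacts that are not stable indicators, and emits a YARA rule. Two filters are my own judgement rather than anything the post states: mutex names that embed a PID and an API address change on every run, and the `TypeLib`, `Interface` and `Rpc` keys are read by every COM client. The user-agent value is kept as an indicator, but note it names an embedded web browser component rather than the sample itself, so it will also match other software built on that component.

```python
import re

# Constructed excerpt of the sandbox report for dxdiag.exe quoted in the post
# above, embedded so the parser runs offline. The "Global\Mutex, mAH" line is
# copied in from the svcpool.js report to exercise the volatile-mutex filter.
REPORT = r"""
File Name: dxdiag.exe
File size: 312832 bytes
MD5: 73f31e474c66f401e06fcbae71848596
SHA1: 2a0418b941948c864995d21d692b839d528d6a86
PEiD: ASPack v2.12 -> Alexey Solodovnikov
VirusTotal Result: 6/32 (18.75%)

File System Activity:
Opened Files
C:\WINDOWS\system32\shdocvw.dll
\\.\PIPE\lsarpc
Chronological order
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)

Mutexes:
Creates Mutex: TacOnlyOnefile
Creates Mutex: Global\Mutex, mAH, Process $000003f4, API $77f7f3c3

Registry Activity:
Changes
HKEY_CLASSES_ROOT\TacOnlyOne "file" = [REG_DWORD, value: 000100D4]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ( Embedded Web Browser from: http://bsalsa.com/)" =
Reads
HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc "UDTAlignmentPolicy"
"""

HASH_RE = {"md5": re.compile(r"[0-9a-f]{32}"), "sha1": re.compile(r"[0-9a-f]{40}")}
REG_RE = re.compile(r'^(HK[A-Z_]+\\[^"]*?)\s+"([^"]*)"')   # key "value name"
# "Global\Mutex, mAH, Process $<pid>, API $<addr>" embeds a PID and an address,
# so it changes on every run and is useless as an indicator (my assumption).
VOLATILE_MUTEX = re.compile(r"Process \$[0-9a-f]+, API \$[0-9a-f]+$")
# Keys any COM/OLE client reads; hunting on them would hit every process.
NOISE_KEYS = ("HKEY_CLASSES_ROOT\\TypeLib\\", "HKEY_CLASSES_ROOT\\Interface\\",
              "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc")
GENERIC_PATHS = ("Software\\Microsoft\\",)   # too common to use as a string match


def parse_report(text):
    """Turn the sandbox report text into a dict of artefacts."""
    r = {"name": None, "size": None, "md5": None, "sha1": None, "packer": None,
         "detections": None, "files": [], "mutexes": [],
         "registry_changes": [], "registry_reads": []}
    section = sub = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key in ("File Name", "FileName"):
            r["name"] = rest
        elif key == "File size":
            r["size"] = int(rest.split()[0])
        elif key in ("MD5", "SHA1"):
            if not HASH_RE[key.lower()].fullmatch(rest.lower()):
                raise ValueError(f"malformed {key}: {rest!r}")
            r[key.lower()] = rest.lower()
        elif key == "PEiD":
            r["packer"] = None if rest == "-" else rest
        elif key == "VirusTotal Result":
            m = re.match(r"(\d+)/(\d+)", rest)
            r["detections"] = (int(m.group(1)), int(m.group(2))) if m else None
        elif key == "Creates Mutex":
            r["mutexes"].append(rest)
        elif key == "Open File":
            path = re.sub(r"\s*\([A-Z_]+\)$", "", rest)      # drop "(OPEN_EXISTING)"
            if path not in r["files"]:
                r["files"].append(path)
        elif line.endswith("Activity:") or line == "Mutexes:":
            section, sub = line[:-1], None
        elif section == "Registry Activity" and line in ("Changes", "Reads", "Enums"):
            sub = line.lower()
        elif section == "Registry Activity" and sub in ("changes", "reads"):
            m = REG_RE.match(line)
            if m:
                r["registry_" + sub].append((m.group(1), m.group(2)))
        elif section == "File System Activity" and line[:2] in ("C:", "\\\\"):
            r["files"].append(line)
    return r


def host_iocs(r):
    """Artefacts stable enough to check for on other hosts."""
    return {"mutexes": [m for m in r["mutexes"] if not VOLATILE_MUTEX.search(m)],
            "registry": [(k, v) for k, v in r["registry_changes"]
                         if not k.startswith(NOISE_KEYS)]}


def yara_rule(r, rule_name):
    """Emit a YARA rule whose strings are the distinctive names the sample writes."""
    hunt = host_iocs(r)
    cands = list(hunt["mutexes"])
    for key, value in hunt["registry"]:
        path = key.split("\\", 1)[1]                  # strip the hive
        if not path.startswith(GENERIC_PATHS):
            cands.append(path)
        if len(value) >= 16:                          # long value names are distinctive
            cands.append(value)
    strings = []
    for i, c in enumerate(cands):
        esc = c.replace("\\", "\\\\").replace('"', '\\"')
        strings.append(f'        $s{i} = "{esc}" ascii wide')
    body = [f"rule {rule_name}", "{", "    meta:",
            f'        md5 = "{r["md5"]}"', f'        sha1 = "{r["sha1"]}"',
            "    strings:", *strings,
            "    condition:", "        uint16(0) == 0x5A4D and any of them", "}"]
    return "\n".join(body)


if __name__ == "__main__":
    print(yara_rule(parse_report(REPORT), "rogue_js_dxdiag"))
```

The rule only matches the unpacked image (the strings live inside the ASPack layer), so run it against process memory or a dumped sample, not the file on disk; the mutex and registry pairs from `host_iocs` are what to check on a live host.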
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007
Posts: 5869

Posted: Thu Mar 20, 2008 5:21 pm

I've added the files to the malware listserv.


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
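The point of the thread is that `gbiehbsb.js` and `svcpool.js` are not scripts at all: PEiD reports ASPack on the first, and both behave like Windows executables in the sandbox. A cheap triage check for this is to ignore the extension and look at the bytes. The script below is an added example (mine, not the poster's or any vendor's tool): it walks the MZ and PE headers by hand to read the section table, flags any file whose extension should never carry a PE image, and names the packer when a known packer section is present. The ASPack section names `.aspack` and `.adata`, the UPX names, and the extension list are assumptions from experience, not facts from the post; the sample "files" are constructed header-only skeletons built in memory. Note that the packer lookup is secondary: `svcpool.js` got no PEiD match, so a file like it is caught by the extension/content mismatch alone.

```python
import os
import struct

# Extensions that should never carry a PE image: the script types from the
# thread plus a few document/image types that get the same trick (my generalisation).
NON_EXE_EXTS = {".js", ".vbs", ".jse", ".wsf", ".hta", ".txt", ".jpg", ".gif", ".pdf"}
# Section names left by packers. ASPack, which PEiD reported on two samples in
# the post, uses ".aspack" and ".adata" (assumption from experience, not from the page).
PACKER_SECTIONS = {b".aspack": "ASPack", b".adata": "ASPack", b"UPX0": "UPX", b"UPX1": "UPX"}


def pe_section_names(data):
    """Return the section names if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(name, data):
    """Decide whether a file is a PE hiding behind a non-executable extension."""
    ext = os.path.splitext(name)[1].lower()
    sections = pe_section_names(data)
    if sections is None:
        return {"name": name, "is_pe": False, "packer": None, "masquerade": False}
    packer = next((PACKER_SECTIONS[s] for s in sections if s in PACKER_SECTIONS), None)
    return {"name": name, "is_pe": True, "packer": packer, "masquerade": ext in NON_EXE_EXTS}


def build_fake_pe(section_names):
    """Constructed minimal PE skeleton (headers only, not runnable) for the demo."""
    pe_off, opt_size = 0x40, 0xE0
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x10F)
    img = bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size
    for n in section_names:
        img += n.ljust(8, b"\0") + b"\0" * 32
    return img


SAMPLES = {                                   # constructed in-memory "files"
    "gbiehbsb.js": build_fake_pe([b".aspack", b".adata"]),
    "legit.js": b"document.write('hello');\n",
    "notes.txt": b"just text\n",
    "tool.exe": build_fake_pe([b".text", b".data"]),
}


def scan(samples):
    """Classify every (name, bytes) pair."""
    return [classify(n, d) for n, d in samples.items()]


def scan_dir(root, head=8192):
    """Same check over a directory tree; only the headers need to be read."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            with open(p, "rb") as fh:
                v = classify(p, fh.read(head))
            if v["masquerade"]:
                hits.append(v)
    return hits


if __name__ == "__main__":
    for v in scan(SAMPLES):
        print(v)
```

Run `scan_dir` over a download or temp directory to find the same pattern on a host; a hit with `packer` set is the case in this thread, a hit with `packer` left empty still deserves a look.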