Recently I began the process of looking for malware to start
learning how to process things. Currently my skills are terrible, but I've got
to start somewhere.
I found this email in my wife's Hotmail, as Gmail would never let something like this arrive in mine. It was obvious to me that it was malware, as it was a "zip" file whose icon made it appear to be a Microsoft Word document.
As we can clearly see, Windows is not as easily fooled and properly labels it as an application. A simple look at the Windows Properties dialog shows that it is an archive.
Using a universal extractor, we obtained the following files:
.text
.rdata
.data
Folder (/.rsrc)
Opening up .rdata in a hex editor reveals the following info (the import names are listed here in the order they appear in the dump, grouped under the DLL name that ends each run, with the unprintable hint bytes stripped):
KERNEL32.dll: VirtualAlloc, GetCurrentProcess, GetCurrentThread, CreateFileW, GlobalAlloc, EnumResourceLanguagesA, FindResourceExA, FreeResource, GetModuleHandleA, GetStartupInfoA, GetTempFileNameA, GetTempPathA, GlobalFree, LoadResource, LockResource, MoveFileA, SizeofResource
USER32.dll: DispatchMessageA, TranslateMessage, GetMessageA, UpdateWindow, ShowWindow, RegisterClassExA, LoadCursorA, LoadIconA, DefWindowProcA, PostQuitMessage, EndPaint, GetClientRect, BeginPaint, CreateWindowExA, GetSystemMetrics, AdjustWindowRectEx, CallWindowProcW, CharNextA, CharNextW, CreateWindowExW, DefWindowProcW, DestroyAcceleratorTable, DestroyIcon, DestroyMenu, DestroyWindow, EnableMenuItem, EqualRect, ExitWindowsEx, FindWindowW, GetClassInfoExW, GetCursorPos, GetDC, GetDesktopWindow, GetFocus, GetForegroundWindow, GetKeyState, GetParent, GetSubMenu, GetWindow, GetWindowLongW, GetWindowRect, IntersectRect, InvalidateRect, IsChild, IsWindow, KillTimer, LoadCursorW, LoadImageW, LoadMenuA, LoadStringA, LoadStringW, MapWindowPoints, MessageBoxW, MsgWaitForMultipleObjects, OffsetRect, PeekMessageA, PtInRect, RegisterClassA, RegisterClassExW, ReleaseDC, RemoveMenu, SendMessageW, SetCursor, SetFocus, SetForegroundWindow, SetTimer, SetWindowLongW, SetWindowPos, SetWindowRgn, SystemParametersInfoA, SystemParametersInfoW, TrackPopupMenuEx, UnionRect, wsprintfA, wsprintfW, wvsprintfW
GDI32.dll: GetStockObject, LineTo, MoveToEx, Rectangle, CloseMetaFile, CreateDCW, CreateMetaFileW, CreateRectRgnIndirect, DeleteDC, DeleteMetaFile, GetDeviceCaps, LPtoDP, RestoreDC, SaveDC, SetMapMode, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx
ADVAPI32.dll: RegOpenKeyA
SHELL32.dll: Shell_NotifyIconA
ole32.dll: CoCreateInstance, CoGetClassObject, CoInitialize, CoRegisterClassObject, CoRevokeClassObject, CoTaskMemAlloc, CoTaskMemFree, CoTaskMemRealloc, CoUninitialize, CreateDataAdviseHolder, CreateOleAdviseHolder, OleLoadFromStream, OleRegEnumVerbs, OleRegGetMiscStatus, OleRegGetUserType, OleSaveToStream, WriteClassStm
msvcrt.dll: memcpy, _XcptFilter, __dllonexit, __getmainargs, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _acmdln, _adjust_fdiv, _c_exit, _cexit, _controlfp, _except_handler3, _exit, _ftol, _initterm, _onexit, _purecall, _wcsnicmp, _wtoi, exit, free, malloc, realloc, strtol, wcschr, wcscmp, wcsstr
We can see the control triggers for what appears to be Trojan remote-control software. I had to break up the XML so that the blog would actually display the results.
Inside the folder, we see:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
This provides improved remote control over the computer.
Compiled with:
This installation was built with Inno Setup.
http://www.jrsoftware.org/isinfo.php

