Saturday, April 11, 2009

2.BAT Cloaked Malware

File Behavior

• The Process is packed and/or encrypted using a software packing process
• Executes a Process
• Writes to another Process's Virtual Memory (Process Hijacking)
• This process creates other processes on disk
• This Process Deletes Other Processes From Disk
• Creates a new Background Service on the machine
• Injects code into other processes
• Copies files
• Registers a Dynamic Link Library File

2.BAT also:

• Created as a process on disk
• Deleted as a process from disk
• Executed as a Process
• Has code inserted into its Virtual Memory space by other programs
• Added as a Registry auto start to load Program on Boot up

2.BAT has also been observed using the following file names:

• 1.BAT
• 44546234.SVD
• 3.BAT
• 52632502.SVD
• 32616742.SVD

File Activity

One or more files with the name 2.BAT create, delete, copy or move the following files and folders:

• Creates c:\windows\system32\drivers\klif.sys
• Deletes c:\windows\system32\drivers\klif.sys
• Deletes c:\windows\system32\olhrwef.exe
• Deletes c:\windows\system32\nmdfgds0.dll
• Creates c:\windows\system32\nmdfgds0.dll
• Deletes c:\
• Copies file c:\windows\system32\olhrwef.exe to c:\
• Deletes c:\
• Creates c:\
• Deletes d:\
• Copies file c:\windows\system32\olhrwef.exe to d:\
• Deletes d:\
• Creates d:\
• Deletes c:\docume~1\user\locals~1\temp\help1.rar
• Creates c:\docume~1\user\locals~1\temp\help1.rar
• Creates c:\docume~1\user\locals~1\temp\help.exe
• Deletes c:\docume~1\user\locals~1\temp\help.exe
• Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\olhrwef.exe
• Deletes c:\windows\system32\nmdfgds1.dll
• Creates c:\windows\system32\nmdfgds1.dll

Registry Activity

One or more files with the name 2.BAT create or modify the following registry keys and values:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]

Website Activity

One or more files with the name 2.BAT interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

• TCP: Port:17
• Port 80 IP:
• TCP: Port:17