Back to .hta
November 9, 2006 at 9:00 pm | In Malware analysis | No Comments
Originally posted Jan 16 2005, 04:56 PM
Received from my friend again. 🙂
A file that starts from the All Users Startup folder:
Microsoft Windows.hta
When run it fetches a file called msupdate.cmd.
This one in turn self-destructs when run and creates two files in the Local Settings\Temp folder: one called win**.tmp.js and one called win**.tmp (** are random digits).
The latter one tries to contact three sites, IPs: 209.66.122.49, 195.225.176.12, 216.195.32.198.
Then it hijacks several IE URLs to the lookfor.cc domain.
Total Uninstall log made 16-1-2005 16:33:43
Files & Folders
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) EXPLORER.EXE-082F38A9.pf = 16:27 16-01-05 12818 bytes
(+)(FILE) MSHTA.EXE-331DF029.pf = 16:27 16-01-05 41564 bytes
(+)(FILE) MSUPDATE.CMD-33F3EB1A.pf = 16:27 16-01-05 20168 bytes
(+)(FILE) TASKMGR.EXE-20256C55.pf = 16:29 16-01-05 16898 bytes
(+)(FILE) WIN3F.TMP-05DFD68D.pf = 16:27 16-01-05 31558 bytes
(+)(FILE) WSCRIPT.EXE-32960AB9.pf = 16:29 16-01-05 23302 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Default_Page_URL
‘http://www.google.com’ ==> ‘http://lookfor.cc?pin=10001’
(*)(REG VALUE) Default_Search_URL
‘http://home.microsoft.com/search/search.asp’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\Bags\108\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\Bags\109\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) ScrollPos800x600(1).y
151 ==> 213
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\108\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\109\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) ScrollPos800x600(1).y
151 ==> 213
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
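As an added example (not code from the original post), here is a small Python parser for the registry section of a Total Uninstall log like the one above; it pulls out the added (+) and changed (*) values and flags Internet Explorer "Main" entries whose new data is a URL on a host outside an allow-list. The embedded log excerpt is constructed from the values reported in this post, and the set of trusted hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the Total Uninstall layout used above (values as in the post).
SAMPLE_LOG = """(REGISTRY KEY) HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main
(+)(REG VALUE) Search Bar = 'http://lookfor.cc/sp.php?pin=10001'
(+)(REG VALUE) Use Search Asst = 'no'
(*)(REG VALUE) Search Page
'http://www.google.com' ==> 'http://lookfor.cc/sp.php?pin=10001'
(*)(REG VALUE) Start Page
'http://home01.wxs.nl/~kleyn080/' ==> 'http://lookfor.cc?pin=10001'
"""

KEY_RE = re.compile(r"^\(REGISTRY KEY\) (.+)$")
ADDED_RE = re.compile(r"^\(\+\)\(REG VALUE\) (.+?) = (.*)$")   # name = 'value'
CHANGED_RE = re.compile(r"^\(\*\)\(REG VALUE\) (.+)$")        # "old ==> new" follows on next line
DIFF_RE = re.compile(r"^(.*?) ==> (.*)$")

def _unquote(s):
    # String data is wrapped in straight or typographic quotes; numbers are bare.
    return s.strip().strip("'\u2018\u2019")

def parse_registry_changes(log_text):
    # Returns (key, value_name, old, new) tuples; old is None for added (+) values.
    changes, key, pending = [], None, None
    for line in map(str.rstrip, log_text.splitlines()):
        if pending is not None:
            m = DIFF_RE.match(line)
            pending, prev = None, pending
            if m:
                changes.append((key, prev, _unquote(m.group(1)), _unquote(m.group(2))))
                continue
            # No "old ==> new" line followed (truncated entry, as in the log above): fall through.
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := ADDED_RE.match(line):
            changes.append((key, m.group(1), None, _unquote(m.group(2))))
        elif m := CHANGED_RE.match(line):
            pending = m.group(1)
    return changes

IE_MAIN = "\\software\\microsoft\\internet explorer\\main"
def find_ie_hijacks(changes, trusted_hosts):
    # IE "Main" values whose new data is a URL on a host not in the (assumed) allow-list.
    hits = []
    for key, name, old, new in changes:
        if key and key.lower().endswith(IE_MAIN):
            host = urlparse(new).hostname
            if host and host.lower() not in trusted_hosts:
                hits.append((name, old, new))
    return hits
```

Running `find_ie_hijacks(parse_registry_changes(SAMPLE_LOG), {"www.google.com", "home01.wxs.nl"})` reports Search Bar, Search Page and Start Page as redirected to lookfor.cc, while the non-URL value Use Search Asst is ignored.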