PurityScan.MediaTickets
November 11, 2006 on 9:33 pm | In Malware analysis
Originally posted Feb 11 2006, 01:42 PM
Found here on GeeksToGo
C:\WINDOWS\system32\??crosoft.NET\ati2evxx.exe
Showed up in the log as:
O4 - HKCU\..\Run: [Asciprip] C:\WINDOWS\system32\??crosoft.NET\ati2evxx.exe
and returned as:
O4 - HKCU\..\Run: [Aepr] "C:\Programfiler\eooe\rwoc.exe" -vt ndrv
When run, ati2evxx.exe tries to contact one of these IPs:
63.251.135.15
66.150.193.103
It fetched a file called !update.exe and put it in the folder
C:\Documents and Settings\[user]\Local Settings\Temp
In turn this file also contacted those two IPs and made a similar entry to the one we saw above:
O4 - HKCU\..\Run: [Trdc] "C:\Program Files\betw\tdso.exe" -vt ndrv
where tdso.exe is a copy of !update.exe.
It sets the hidden and system attributes on that file.
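As an added example (not code from the original post or from GeeksToGo), here is a small Python parser that reads HijackThis O4 lines like the ones quoted above and flags the traits this sample shows: a folder name HijackThis could not fully display and that imitates Microsoft.NET, four-letter lower-case folders under Program Files, and the -vt ndrv argument both dropped copies carried. The benign SoundMan line, the trusted-parent list and the four-letter threshold are assumptions chosen for illustration, not rules from the post.

```python
import re

# Constructed sample input: the three O4 lines quoted in the post, with the
# blog's smart quotes normalised to ASCII, plus one constructed benign entry.
SAMPLE_O4_LINES = [
    r'O4 - HKCU\..\Run: [Asciprip] C:\WINDOWS\system32\??crosoft.NET\ati2evxx.exe',
    r'O4 - HKCU\..\Run: [Aepr] "C:\Programfiler\eooe\rwoc.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Trdc] "C:\Program Files\betw\tdso.exe" -vt ndrv',
    r'O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE',   # constructed benign line
]

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# Argument string both dropped copies carried in this sample (assumption: used
# here as a sample-specific indicator, not a general rule).
KNOWN_ARGS = {'-vt ndrv'}
# Parent folders that are normal homes for autostart executables and must not
# trip the short-folder heuristic (assumed list).
TRUSTED_PARENTS = {'windows', 'system32', 'program files', 'programfiler'}


def split_command(cmd):
    """Split a Run value into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args after the quote
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'^(.*?\.exe)\s*(.*)$', cmd, re.IGNORECASE)   # unquoted path
    if m:
        return m.group(1), m.group(2).strip()
    return cmd, ''


def parse_o4(line):
    """Return a dict for an O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group('cmd'))
    return {'hive': m.group('hive'), 'key': m.group('key'),
            'name': m.group('name'), 'exe': exe, 'args': args}


def indicators(entry):
    """Heuristics drawn from this sample; returns the indicator names that apply."""
    out = []
    parts = entry['exe'].split('\\')
    parent = parts[-2].lower() if len(parts) >= 2 else ''
    # HijackThis prints characters it cannot display as '?', so '?' in a path
    # means the folder name contains non-ASCII characters ("??crosoft.NET").
    if '?' in entry['exe']:
        out.append('undisplayable_chars_in_path')
    # A folder name containing "crosoft" that does not start with "microsoft"
    # is a look-alike of a Microsoft folder.
    if 'crosoft' in parent and not parent.startswith('microsoft'):
        out.append('microsoft_lookalike_folder')
    # Dropped copies lived in four-letter lower-case folders ("eooe", "betw").
    if (parent not in TRUSTED_PARENTS and parent.isalpha()
            and parent.islower() and len(parent) <= 4):
        out.append('short_random_folder')
    if entry['args'] in KNOWN_ARGS:
        out.append('known_sample_args')
    return out


def scan(lines):
    """Parse every O4 line and return (value name, exe, indicators) for flagged ones."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        hits = indicators(entry)
        if hits:
            flagged.append((entry['name'], entry['exe'], hits))
    return flagged


if __name__ == '__main__':
    for name, exe, hits in scan(SAMPLE_O4_LINES):
        print(f'[{name}] {exe}: {", ".join(hits)}')
```

Running it flags the three entries from the post and leaves the constructed SoundMan line alone; the heuristics are deliberately narrow, so a real triage script would pair them with an allow-list of known autostart entries rather than rely on them in isolation.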
Other files and changes monitored are in the Total Uninstall log:
Files
===============
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0LEJSHUZ
(+)(FILE) !update-3395[1].0000 = 12:19 11-02-06 70144 bytes
(+)(FILE) campaigns11_3[1].bin = 12:18 11-02-06 35029 bytes
(+)(FILE) campaigns23_3[1].bin = 12:19 11-02-06 32782 bytes
(+)(FILE) campaigns7_3[1].bin = 12:19 11-02-06 30690 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\4H2ZWXQ7
(+)(FILE) campaigns10_3[1].bin = 12:19 11-02-06 33585 bytes
(+)(FILE) campaigns18_3[1].bin = 12:19 11-02-06 30781 bytes
(+)(FILE) campaigns25_3[1].bin = 12:18 11-02-06 36597 bytes
(+)(FILE) campaigns9_3[1].bin = 12:19 11-02-06 43011 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\KPUB81AN
(+)(FILE) campaigns13_3[1].bin = 12:19 11-02-06 32200 bytes
(+)(FILE) campaigns20_3[1].bin = 12:19 11-02-06 37629 bytes
(+)(FILE) campaigns3_3[1].bin = 12:19 11-02-06 38099 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\S1Y785E3
(+)(FILE) campaigns12_3[1].bin = 12:19 11-02-06 39033 bytes
(+)(FILE) campaigns16_3[1].bin = 12:18 11-02-06 36191 bytes
(+)(FILE) campaigns4_3[1].bin = 12:19 11-02-06 34490 bytes
(+)(FILE) campaigns5_3[1].bin = 12:19 11-02-06 35972 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\SLI3W16B
(+)(FILE) campaigns_5[1].bin = 12:19 11-02-06 31138 bytes
(+)(FILE) campaigns17_3[1].bin = 12:19 11-02-06 33944 bytes
(+)(FILE) campaigns6[1].encrypted = 12:18 11-02-06 1338 bytes
(+)(FILE) campaigns8_3[1].bin = 12:19 11-02-06 37548 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\SV9F2IFH
(+)(FILE) campaigns14_3[1].bin = 12:19 11-02-06 32586 bytes
(+)(FILE) campaigns24_3[1].bin = 12:19 11-02-06 32287 bytes
(+)(FILE) campaigns6_3[1].bin = 12:19 11-02-06 37883 bytes
(+)(FILE) ver2[1].php4 = 12:18 11-02-06 3233 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\TK0JXPG1
(+)(FILE) campaigns22_3[1].bin = 12:19 11-02-06 27639 bytes
(+)(FILE) campaigns27_3[1].bin = 12:18 11-02-06 33056 bytes
(+)(FILE) campaigns28_3[1].bin = 12:19 11-02-06 54188 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\WXY7W9YV
(+)(FILE) campaigns_f[1].bin = 12:19 11-02-06 8622 bytes
(+)(FILE) campaigns15_3[1].bin = 12:19 11-02-06 32631 bytes
(+)(FILE) campaigns26_6[1].bin = 12:19 11-02-06 30776 bytes
(+)(FILE) client_settings_3[1].bin = 12:18 11-02-06 224 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) !UPDATE.EXE-1E29EDD3.pf = 12:19 11-02-06 24770 bytes
(+)(FILE) ATI2EVXX.EXE-20933439.pf = 12:18 11-02-06 32890 bytes
(+)(FILE) TDSO.EXE-3A5781A3.pf = 12:19 11-02-06 47812 bytes
Registry
===============
(+)(REG KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Dlrh
(+)(REG VALUE) Cral = …#.x..
(+)(REG VALUE) Ecul = ..E`…q…+…3.o.9..|X……i.X.k…..F.E}.[2…….S.
(+)(REG VALUE) Elsu = $.E`W..q…N
(+)(REG VALUE) Etet = %.E`.M .
(+)(REG VALUE) Rrpb = …#.x..
(+)(REG VALUE) Ttoa = 1
(+)(REG KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Swhs
(+)(REG VALUE) Cabp = Er7.j..G…E.. …T.s.~…>
(+)(REG VALUE) Oate = L..#…q.{m.
(+)(REG VALUE) Romn = (..#..1.
(+)(REG KEY) HKEY_CURRENT_USER\Software\Dlrh
(+)(REG VALUE) Cral = …#.x..
(+)(REG VALUE) Ecul = ..E`…q…+…3.o.9..|X……i.X.k…..F.E}.[2…….S.
(+)(REG VALUE) Elsu = $.E`W..q…N
(+)(REG VALUE) Etet = %.E`.M .
(+)(REG VALUE) Rrpb = …#.x..
(+)(REG VALUE) Ttoa = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Swhs
(+)(REG VALUE) Cabp = Er7.j..G…E.. …T.s.~…>
(+)(REG VALUE) Oate = L..#…q.{m.
(+)(REG VALUE) Romn = (..#..1.
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Trdc = '"C:\Program Files\betw\tdso.exe" -vt ndrv'
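As an added example, not from the original post and not part of Total Uninstall itself, the following Python parser reads the log format shown above and pulls out what an analyst wants from it: the files that were added, the bytes dropped per folder, which programs ran (recovered from the Prefetch file names, NAME.EXE-HASH.pf) and the new autostart values and registry keys. The embedded excerpt is a constructed subset of the log above; the DD-MM-YY date layout is assumed from the post's own dates.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the Total Uninstall log shown in the post
# (two cache folders, the Prefetch folder and two registry keys).
SAMPLE_LOG = r"""
Files
===============
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0LEJSHUZ
(+)(FILE) !update-3395[1].0000 = 12:19 11-02-06 70144 bytes
(+)(FILE) campaigns11_3[1].bin = 12:18 11-02-06 35029 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\KPUB81AN
(+)(FILE) campaigns13_3[1].bin = 12:19 11-02-06 32200 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) !UPDATE.EXE-1E29EDD3.pf = 12:19 11-02-06 24770 bytes
(+)(FILE) ATI2EVXX.EXE-20933439.pf = 12:18 11-02-06 32890 bytes
(+)(FILE) TDSO.EXE-3A5781A3.pf = 12:19 11-02-06 47812 bytes
Registry
===============
(+)(REG KEY) HKEY_CURRENT_USER\Software\Dlrh
(+)(REG VALUE) Ttoa = 1
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Trdc = '"C:\Program Files\betw\tdso.exe" -vt ndrv'
"""

# Every entry is "(<change>)(<kind>) <rest>"; the change marker is absent for
# unchanged folders and keys that merely contain added items.
ENTRY_RE = re.compile(
    r'^(?:\((?P<change>[+-])\))?\((?P<kind>FOLDER|FILE|REG KEY|REG VALUE)\) (?P<rest>.*)$'
)
# File rest: "<name> = HH:MM DD-MM-YY <size> bytes"
FILE_RE = re.compile(
    r'^(?P<name>.+) = (?P<time>\d\d:\d\d) (?P<date>\d\d-\d\d-\d\d) (?P<size>\d+) bytes$'
)


def parse_total_uninstall(text):
    """Return {'files': [...], 'keys': [(change, key)], 'values': {key: [(change, name, data)]}}."""
    files, keys, values = [], [], defaultdict(list)
    folder = key = None
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:                       # section titles, rules, blank lines
            continue
        change, kind, rest = m.group('change'), m.group('kind'), m.group('rest')
        if kind == 'FOLDER':
            folder = rest               # later FILE lines belong to this folder
        elif kind == 'FILE' and folder:
            f = FILE_RE.match(rest)
            if f:
                files.append({'folder': folder, 'name': f.group('name'),
                              'path': folder + '\\' + f.group('name'),
                              'change': change, 'time': f.group('time'),
                              'date': f.group('date'), 'size': int(f.group('size'))})
        elif kind == 'REG KEY':
            key = rest                  # later REG VALUE lines belong to this key
            keys.append((change, key))
        elif kind == 'REG VALUE' and key:
            name, _, data = rest.partition(' = ')
            values[key].append((change, name, data))
    return {'files': files, 'keys': keys, 'values': dict(values)}


def added_files(parsed):
    return [f['path'] for f in parsed['files'] if f['change'] == '+']


def bytes_by_folder(parsed):
    totals = defaultdict(int)
    for f in parsed['files']:
        if f['change'] == '+':
            totals[f['folder']] += f['size']
    return dict(totals)


def prefetch_programs(parsed):
    """Executables that ran during the capture: NAME.EXE-HASH.pf -> NAME.EXE."""
    names = set()
    for f in parsed['files']:
        if f['folder'].lower().endswith('\\prefetch') and f['name'].lower().endswith('.pf'):
            names.add(f['name'].rsplit('-', 1)[0])
    return sorted(names)


def new_keys(parsed):
    return [k for change, k in parsed['keys'] if change == '+']


def new_run_values(parsed):
    """Autostart values added under any key ending in CurrentVersion, Run."""
    out = {}
    for key, vals in parsed['values'].items():
        if key.lower().endswith('\\currentversion\\run'):
            for change, name, data in vals:
                if change == '+':
                    out[name] = data
    return out


if __name__ == '__main__':
    p = parse_total_uninstall(SAMPLE_LOG)
    print('added files:', len(added_files(p)))
    for folder, total in bytes_by_folder(p).items():
        print(f'{total:>8} bytes  {folder}')
    print('ran:', ', '.join(prefetch_programs(p)))
    print('new keys:', new_keys(p))
    print('new Run values:', new_run_values(p))
```

The Prefetch names give a cheap execution timeline for the dropped binaries even when the binaries themselves are gone, and grouping the cache drops by Content.IE5 subfolder shows how much content the campaigns*.bin downloads pulled in during the run.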