A happy couple
November 4, 2006, 8:33 pm | In Malware analysis | 2 Comments
Originally posted Jan 9 2005, 11:02 PM
Found on GeeksToGo:
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
Requested the file and found another file mentioned inside called:
msts32.exe
Requested a copy for that as well and scanned online (KAV):
msts32.exe - archived by NSIS
msts32.exe/data0001 - OK
msts32.exe/data0002 - OK
msts32.exe/data0003 - OK
msts32.exe/data0004 - infected by Trojan.Win32.VB.rl
msts32.exe/data0005 - packed with UPX
msts32.exe/data0005 - OK
msts32.exe/data0005 - OK
Both files were written in Visual Basic and are under investigation.
After running msts32.exe the following changes were made to my HijackThis log:
R3 - Default URLSearchHook is missing
O2 - BHO: Media Player support DLL - {2DC9D850-144D-11E1-B3C9-10805E499D95} - C:\WINDOWS\system32\mplay32.dll
Other important changes:
Recycler\Desktop.ini:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{5ECE0BF7-7A99-4AD5-B2A3-1C8A8FDA7D92}</IDone>
<IDtwo>VT01</IDtwo>
<VERSION>200</VERSION>
One of the newly created executables in my system32 folder tried to contact:
69.20.20.161 port 80
Winlogon\Notify key in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iGshlpr.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
Total Uninstall log of 10-1-2005 15:26:05
FILES
=====
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0XQ701M3
(+)(FILE) Installer[1].exe = 15:14 10-01-05 610304 bytes
(FOLDER) C:\RECYCLER
(+)(FILE) desktop.ini = 15:14 10-01-05 165 bytes
(FOLDER) C:\WINDOWS
(*)(FILE) WindowsUpdate.log
13:30 10-01-05 377155 bytes ==> 15:14 10-01-05 377321 bytes
(FOLDER) C:\WINDOWS\system32
(+)(FILE) iGshlpr.dll = 15:14 10-01-05 223232 bytes
(+)(FILE) mplay32.dll = 13:00 31-03-01 126976 bytes
(+)(FILE) ntec32.exe = 11:58 09-12-04 26112 bytes
(+)(FILE) ntsmod.exe = 13:00 31-03-01 28672 bytes
(+)(FILE) sysdebug32.exe = 13:00 31-03-03 28672 bytes
REGISTRY
========
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp
(+)(REG VALUE) (Standaard) = 'URL:dtdp Protocol'
(+)(REG VALUE) URL Protocol = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell
(+)(REG VALUE) (Standaard) = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open
(+)(REG VALUE) (Standaard) = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open\command
(+)(REG VALUE) (Standaard) = '"C:\WINDOWS\system32\sysdebug32.exe" "%1"'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj
(+)(REG VALUE) (Standaard) = 'Media Player support DLL'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj\CurVer
(+)(REG VALUE) (Standaard) = 'MPLAYSUPObj.MPLAYSUPObj.1'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj.1
(+)(REG VALUE) (Standaard) = 'Media Player support DLL'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj.1\CLSID
(+)(REG VALUE) (Standaard) = '{2DC9D850-144D-11E1-B3C9-10805E499D95}'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(+)(REG VALUE) (Standaard) = 'Media Player support DLL'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\InprocServer32
(+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\mplay32.dll'
(+)(REG VALUE) ThreadingModel = 'Apartment'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\ProgID
(+)(REG VALUE) (Standaard) = 'MPLAYSUPObj.MPLAYSUPObj.1'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = 'MPLAYSUPObj.MPLAYSUPObj'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}
(+)(REG VALUE) (Standaard) = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\Implemented Categories
(+)(REG VALUE) (Standaard) = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
(+)(REG VALUE) (Standaard) = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\InprocServer32
(+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\iGshlpr.dll'
(+)(REG VALUE) ThreadingModel = 'Apartment'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}
(+)(REG VALUE) (Standaard) = 'ISTRAd32Obj'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = '{00020424-0000-0000-C000-000000000046}'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = '{00020424-0000-0000-C000-000000000046}'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\TypeLib
(+)(REG VALUE) (Standaard) = '{2DC9D842-144D-11E1-B3C9-10805E499D95}'
(+)(REG VALUE) Version = '1.0'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0
(+)(REG VALUE) (Standaard) = 'STRAd32 1.0 Type Library'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\0
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\0\win32
(+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\mplay32.dll'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\FLAGS
(+)(REG VALUE) (Standaard) = '0'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\HELPDIR
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
(+)(REG VALUE) {D869E0B1-0103-42C2-A1EB-C3A5D58787F4} = ''
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
(+)(REG VALUE) Asynchronous = 0
(+)(REG VALUE) DllName = 'C:\WINDOWS\system32\iGshlpr.dll'
(+)(REG VALUE) Impersonate = 0
(+)(REG VALUE) Logoff = 'WinLogoff'
(+)(REG VALUE) Logon = 'WinLogon'
(+)(REG VALUE) Shutdown = 'WinShutdown'
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Clock
(+)(REG VALUE) sum = '1'
(-)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
(-)(REG VALUE) {CFBFAE00-17A6-11D0-99CB-00C04FD64497} = ''
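The Total Uninstall log above is a good input for an automated triage pass, because every foothold this dropper takes is visible in it: a Winlogon\Notify package (DLL loaded into winlogon.exe at logon), a Browser Helper Object whose CLSID is tied to a file through HKCR\CLSID\{...}\InprocServer32, an entry under Shell Extensions\Approved, a new dtdp: URL protocol whose handler is sysdebug32.exe, and the removal of the default URLSearchHook. The following script is an added example, my own code and not part of the original post or of Total Uninstall; it parses change lines in the format shown on this page (the line regexes and the handling of the Dutch "(Standaard)" default-value label are assumptions drawn from those lines), resolves COM registrations to the DLL they load, and marks whether that file was created in the same session. The sample input is constructed from the log entries above.

```python
"""Flag persistence mechanisms in a Total Uninstall style change log.

Added example (not the original post's code, not Total Uninstall's own tooling).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: entries copied from the Total Uninstall log in the post,
# trimmed to the ones that matter for persistence.
SAMPLE_LOG = r"""
(+)(FILE) iGshlpr.dll = 15:14 10-01-05 223232 bytes
(+)(FILE) mplay32.dll = 13:00 31-03-01 126976 bytes
(+)(FILE) sysdebug32.exe = 13:00 31-03-03 28672 bytes
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp
(+)(REG VALUE) (Standaard) = 'URL:dtdp Protocol'
(+)(REG VALUE) URL Protocol = ''
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open\command
(+)(REG VALUE) (Standaard) = '"C:\WINDOWS\system32\sysdebug32.exe" "%1"'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\InprocServer32
(+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\mplay32.dll'
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\InprocServer32
(+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\iGshlpr.dll'
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
(+)(REG VALUE) {D869E0B1-0103-42C2-A1EB-C3A5D58787F4} = ''
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
(+)(REG VALUE) DllName = 'C:\WINDOWS\system32\iGshlpr.dll'
(-)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
(-)(REG VALUE) {CFBFAE00-17A6-11D0-99CB-00C04FD64497} = ''
"""

# Line formats as they appear in the log (assumed from the page, not a spec).
KEY_RE = re.compile(r"^(?:\((?P<op>[+*-])\))?\(REGISTRY KEY\) (?P<path>.+)$")
VAL_RE = re.compile(r"^\((?P<op>[+*-])\)\(REG VALUE\) (?P<name>.+?) = '(?P<value>.*)'$")
FILE_RE = re.compile(r"^\(\+\)\(FILE\) (?P<name>.+?) = ")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DEFAULT_NAMES = ("(Default)", "(Standaard)")  # English and Dutch default-value labels

class Finding(NamedTuple):
    kind: str      # persistence mechanism
    key: str       # registry key it was found under
    target: str    # file or command line the mechanism loads or runs
    dropped: bool  # True if that file was also created in this session

def file_part(target: str) -> str:
    """Lower-case basename of the executable or DLL named in a registry value."""
    target = target.strip()
    if target.startswith('"'):  # quoted command line: "C:\...\x.exe" "%1"
        end = target.find('"', 1)
        target = target[1:end] if end > 0 else target[1:]
    return target.split("\\")[-1].lower()

def default_of(vals: Dict[str, str]) -> str:
    return next((vals[n] for n in DEFAULT_NAMES if n in vals), "")

def analyze(log_text: str) -> List[Finding]:
    dropped: Set[str] = set()
    keys: Dict[str, None] = {}                                # ordered set of key paths
    added: Dict[str, Dict[str, str]] = defaultdict(dict)     # key -> {name: value}
    removed: Dict[str, Dict[str, str]] = defaultdict(dict)
    current: Optional[str] = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            dropped.add(m.group("name").lower())
        elif m := KEY_RE.match(line):
            current = m.group("path")
            keys[current] = None
        elif (m := VAL_RE.match(line)) and current:
            bucket = removed if m.group("op") == "-" else added
            bucket[current][m.group("name")] = m.group("value")

    # CLSID -> in-process server DLL, so COM registrations can be tied to a file.
    clsid_dll: Dict[str, str] = {}
    for key, vals in added.items():
        if key.upper().endswith("\\INPROCSERVER32") and (g := GUID_RE.search(key)):
            clsid_dll[g.group(0).upper()] = default_of(vals)

    findings: List[Finding] = []

    def report(kind: str, key: str, target: str) -> None:
        findings.append(Finding(kind, key, target, file_part(target) in dropped))

    for key in keys:
        up = key.upper()
        vals = added.get(key, {})
        if "\\WINLOGON\\NOTIFY\\" in up and "DllName" in vals:
            report("winlogon_notify", key, vals["DllName"])
        elif "\\BROWSER HELPER OBJECTS\\" in up and (g := GUID_RE.search(key)):
            report("bho", key, clsid_dll.get(g.group(0).upper(), "<unresolved CLSID>"))
        elif up.startswith("HKEY_CLASSES_ROOT\\") and up.endswith("\\SHELL\\OPEN\\COMMAND"):
            proto = key.split("\\")[1]  # HKCR\<proto>\shell\open\command
            if "URL Protocol" in added.get("HKEY_CLASSES_ROOT\\" + proto, {}):
                report("url_protocol:" + proto, key, default_of(vals))
        elif up.endswith("\\SHELL EXTENSIONS\\APPROVED"):
            for name in vals:
                if GUID_RE.fullmatch(name):
                    report("approved_shell_ext", key, clsid_dll.get(name.upper(), "<unresolved CLSID>"))
        elif up.endswith("\\URLSEARCHHOOKS"):
            for name in removed.get(key, {}):
                report("urlsearchhook_removed", key, name)
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:<22} {f.target}  [{'dropped this session' if f.dropped else 'n/a'}]")
```

Run against the sample it reports five findings, and the "dropped this session" flag on the Winlogon\Notify DLL, the BHO and the dtdp: handler is what separates this kind of installer from a legitimate COM registration: the same log line that registers the component also shows the file it points at being created minutes earlier. Feeding a full log through it is the natural next step when the same dropper turns up with different random file names, as the comments below note for iGshlpr.dll.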
2 Comments »
Originally posted by Mere_Mortal on Jan 18 2005, 10:05 PM
I've just used FileAlyzer on ntsmod.exe and noticed msts32.exe. This file was indeed in my system32 directory :( Now eradicated. Check yours for ntec32.exe.
I believe the connection you witnessed would be to install VX2/Look2Me.
See this post… http://castlecops.com/postlite99590-.html
Funnily enough, I found the post you talk of in a separate Google search. The user downloaded something to do with Torrent. I acquired these files after looking for VX2/Look2Me and downloaded Torrent Search. There is a website called bi-torrent.com which might have a lot to do with it.
Regards,
M_M
Comment by metallica — November 4, 2006 #
Originally posted Jan 25 2005, 09:10 AM
Hi M_M,
These were the files created on my computer:
(+)(FILE) iGshlpr.dll = 15:14 10-01-05 223232 bytes
(+)(FILE) mplay32.dll = 13:00 31-03-01 126976 bytes
(+)(FILE) ntec32.exe = 11:58 09-12-04 26112 bytes
(+)(FILE) ntsmod.exe = 13:00 31-03-01 28672 bytes
(+)(FILE) sysdebug32.exe = 13:00 31-03-03 28672 bytes
The first one has a random name, mplay32.dll seems not to be created for everyone, but the last three should be the same for everyone.
Regards,
Pieter
Comment by metallica — November 4, 2006 #