With no time for good posts, I just paste here some analysis performed on YolRootX, a new malware that I analyzed yesterday.
File System Changes:
(Adding a new certificate!)
- C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1078081533-1677128483-1801674531-500\699c4b9cdebca7aaea5193cae8a50098_5fc4e98d-1101-4864-b0bf-e0b3f6d9d878
(Some cookies ... just in case ;) )
- C:\Documents and Settings\Administrator\Cookies\administrator@globo[1].txt
(Internet Explorer settings ... )
- C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt
- C:\Documents and Settings\Administrator\Cookies\administrator@www.globo[1].txt
(hidden content in \Temp)
- C:\Documents and Settings\Administrator\Local Settings\Temp\~DFC517.tmp
- ..\software\microsoft\internet explorer\main
(Ahh, ahem! Autostart key under reg\user!)
user\current\software\Microsoft\Internet Explorer\Toolbar\Locked = 01000000
(Did I ask for these queries? ;) )
Query DNS: www.oviedolocal3476.com
Query DNS: www.globo.com
Query DNS: ads.globo.com
Query DNS: ads.img.globo.com
Query DNS: fpdownloadocument.macromedia.com
Query DNS: fpdownloadocument.macromedia.com.gateway.2wire.net
Query DNS: activex.microsoft.com
Query DNS: codecs.microsoft.com
Query DNS: video.globo.com
Query DNS: www.google-analytics.com
Query DNS: imagem2.buscape.com.br
Query DNS: www.google.com
Query DNS: clients1.google.com
Query DNS: id.google.com
(I don't speak Spanish at all ...)
Internet connection: Connects to "65.55.13.243" on port 80 (TCP - HTTP).
Internet connection: Connects to "201.7.178.53" on port 80 (TCP - HTTP).
Internet connection: Connects to "74.125.19.113" on port 80 (TCP - HTTP).
(Processes, new service and binary injection??)
Created process: (null),explorer.exe http://www.globo.com,(null)
Opened a service named: ShellHWDetection
Injected code into process: explorer.exe
Injected code into process: iexplore.exe
(Loading interesting Windows APIs)
LoadLibrary(netapi32.dll)
LoadLibrary(kernel32.dll)
LoadLibrary(version.dll)
LoadLibrary(explorer.exe)
LoadLibrary(comctl32.dll)
LoadLibrary(shell32.dll)
LoadLibrary(windowsshell.manifest)
LoadLibrary(browselc.dll)
LoadLibrary(wsock32)
LoadLibrary(mswsock.dll)
LoadLibrary(hnetcfg.dll)
LoadLibrary(wshtcpip.dll)
LoadLibrary(actxprxy.dll)
LoadLibrary(msmsgs.exe)
LoadLibrary(jscript.dll)
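To turn a raw paste like the one above into something a responder can act on, here is an added example (my own code, not part of the original post or of any sandbox product) that parses these report lines into indicator lists and ranks them for triage. The sample report is constructed from the line formats shown above with values copied from the post; the `EXPECTED_DOMAINS` allowlist is an assumption of what a browser reaches on its own when it opens www.globo.com, so the only DNS name left unexplained is the one the author also flagged.

```python
import re
from collections import defaultdict

# Constructed sample in the same line format as the sandbox output pasted above
# (indicator values copied from the post; the selection and layout are mine).
SAMPLE_REPORT = """\
- C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\~DFC517.tmp
Query DNS: www.oviedolocal3476.com
Query DNS: www.globo.com
Query DNS: www.google-analytics.com
Internet connection: Connects to "65.55.13.243" on port 80 (TCP - HTTP).
Internet connection: Connects to "201.7.178.53" on port 80 (TCP - HTTP).
Created process: (null),explorer.exe http://www.globo.com,(null)
Opened a service named: ShellHWDetection
Injected code into process: explorer.exe
Injected code into process: iexplore.exe
LoadLibrary(netapi32.dll)
LoadLibrary(wsock32)
"""

# One regex per report line type; the first capture group is the indicator.
LINE_PATTERNS = {
    "file": re.compile(r"^-\s+([A-Za-z]:\\.+?)\s*$"),
    "dns": re.compile(r"^Query DNS:\s*(\S+)"),
    "connection": re.compile(r'^Internet connection: Connects to "([^"]+)" on port (\d+)'),
    "process": re.compile(r"^Created process:\s*(.+?)\s*$"),
    "service": re.compile(r"^Opened a service named:\s*(\S+)"),
    "injection": re.compile(r"^Injected code into process:\s*(\S+)"),
    "library": re.compile(r"^LoadLibrary\(([^)]+)\)"),
}

# Domains a browser opening www.globo.com reaches by itself (ads, analytics,
# plugin checks). Assumed allowlist for triage only; adjust to your environment.
EXPECTED_DOMAINS = (
    "globo.com", "google.com", "google-analytics.com", "microsoft.com",
    "macromedia.com", "buscape.com.br", "2wire.net",
)


def parse_report(text):
    """Group the report's lines by indicator type. Lines that match nothing are ignored."""
    found = defaultdict(list)
    for line in text.splitlines():
        for kind, pattern in LINE_PATTERNS.items():
            m = pattern.match(line.strip())
            if m:
                if kind == "connection":
                    found[kind].append((m.group(1), int(m.group(2))))
                else:
                    found[kind].append(m.group(1))
                break
    return dict(found)


def _under_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def unexpected_dns(indicators):
    """DNS names no expected domain explains: candidate command-and-control or download hosts."""
    return [h for h in indicators.get("dns", [])
            if not any(_under_domain(h, d) for d in EXPECTED_DOMAINS)]


def triage(indicators):
    """Return (severity, message) findings in the order a responder would look at them."""
    findings = []
    for proc in indicators.get("injection", []):
        findings.append(("high", "code injected into %s" % proc))
    for host in unexpected_dns(indicators):
        findings.append(("medium", "unexpected DNS lookup %s" % host))
    for ip, port in indicators.get("connection", []):
        findings.append(("info", "outbound TCP to %s:%d" % (ip, port)))
    for path in indicators.get("file", []):
        if "\\Temp\\" in path:
            findings.append(("low", "dropped file in Temp: %s" % path))
    return findings


if __name__ == "__main__":
    for severity, msg in triage(parse_report(SAMPLE_REPORT)):
        print("[%s] %s" % (severity, msg))
```

The allowlist is deliberately a suffix match on the registrable domain, so `ads.img.globo.com` and `clients1.google.com` are absorbed while the lone `www.oviedolocal3476.com` lookup surfaces. Injections into `explorer.exe` and `iexplore.exe` rank highest because they are what a sandbox can confirm directly, whereas the HTTP connections are only context until matched against the DNS answers.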