Content:: Malware - 04c4d0227cf4bb135e3b7ed1e27c827b :: www.hilands.com

MD5 - 04c4d0227cf4bb135e3b7ed1e27c827b

VirTool:Win32/Obfuscator.XG

The following information is provided in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Known file name(s)
setup.exe, Protector-dgyc.exe, Protector-pcso.exe
Registry Modifications
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Info

When run, it connects to cmyip.com, presumably to record the public IP address of the infected system so that the operator can connect back to it later. If the internet connection is down, the application opens Internet Explorer in an attempt to connect.

Execution of regedit.exe and taskmgr.exe is blocked by adding entries for the two executables under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options; launching either one then triggers C:\documents and settings\<user>\application data\protector-pcso.exe instead. The same file is added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Attempting to kill the process with # taskkill /pid <#> fails.

When attempting to run Process Explorer, procexp.exe is terminated.

Process Monitor (procmon) shows the application calling mshta.exe, the Microsoft host application for .HTA (HTML Application) files.
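The two persistence and defence-evasion mechanisms described above (an Image File Execution Options entry that redirects regedit.exe and taskmgr.exe, plus a Run key entry) can be audited on any host without first knowing the sample's file name. The following PowerShell script is an added example and is not from the original page: it lists every IFEO subkey that carries a Debugger value (the standard IFEO redirection mechanism; the page itself does not name the value, so that is an assumption) and every Run entry in HKCU and HKLM, and flags entries whose command does not start in the Windows or Program Files directories, as the Application Data path seen here would be. The trusted-root list and the Suspicious flag are this example's own heuristics.

```powershell
# Added example (not from the original page): audit IFEO Debugger redirections
# and Run-key persistence. Assumes the redirection is done through the IFEO
# "Debugger" value (standard mechanism; the page does not name it).
# Run from an elevated PowerShell prompt.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runPaths = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimate debugger or startup program normally lives in.
# Anything else (user profile, temp, application data) deserves a closer look.
$trustedRoots = @("$env:SystemRoot", "${env:ProgramFiles}", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-TrustedPath {
    param([string]$Path)
    # Strip a leading quote so "C:\Program Files\..." style commands match.
    $lower = $Path.Trim().TrimStart('"').ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($lower.StartsWith($root)) { return $true }
    }
    return $false
}

function Get-IfeoDebuggers {
    # One object per IFEO subkey that carries a Debugger value.
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image      = $_.PSChildName      # e.g. regedit.exe, taskmgr.exe
                Debugger   = $dbg                # what actually gets launched
                Suspicious = -not (Test-TrustedPath $dbg)
            }
        }
    }
}

function Get-RunEntries {
    # One object per value under each Run key, provider metadata (PS*) excluded.
    foreach ($rp in $runPaths) {
        $props = Get-ItemProperty -Path $rp -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Hive       = $rp
                    Name       = $_.Name
                    Command    = [string]$_.Value
                    Suspicious = -not (Test-TrustedPath ([string]$_.Value))
                }
            }
    }
}

Get-IfeoDebuggers | Format-Table -AutoSize
Get-RunEntries    | Format-Table -AutoSize
```

Any Debugger value at all on regedit.exe or taskmgr.exe is worth investigating regardless of the path it points to, since neither tool is normally run under a debugger on a production machine.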
Checksums

setup.exe
md5sum 04c4d0227cf4bb135e3b7ed1e27c827b
sha1sum 5b569fe06af5beaf9bb61395a478b691ffe3c65c
sha256sum 27ebbfc9a62d51fe6e26de8d3a27db36c8cef5f5949583122bbfb21898001409
sha512sum 27f9ac3756fd95814a70ae96db2548e311a8ffbbad28384bf36bcf6525badc15a30496d9f15c6471a9d6ca3a9c7121bb34e857ed9b628d94e45403c423c07fdc

Protector-dgyc.exe, Protector-pcso.exe
md5sum 04c4d0227cf4bb135e3b7ed1e27c827b
sha1sum 5b569fe06af5beaf9bb61395a478b691ffe3c65c
sha256sum 27ebbfc9a62d51fe6e26de8d3a27db36c8cef5f5949583122bbfb21898001409
sha512sum 27f9ac3756fd95814a70ae96db2548e311a8ffbbad28384bf36bcf6525badc15a30496d9f15c6471a9d6ca3a9c7121bb34e857ed9b628d94e45403c423c07fdc
Screenshots

Removal

To remove the application we can make a copy of the Process Explorer executable and rename it to something arbitrary. In this case I have named it poop.exe. Run the renamed executable.

Process Explorer can be obtained from the Microsoft website at http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx.
Inside Process Explorer, right-click the Protector-xxxx.exe process and select Kill Process.
With the application terminated we can now remove it from the registry locations. To expedite the process we can use the tool called Autoruns. Locate the section for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and uncheck the checkbox for Inspector.

Autoruns can be obtained from the Microsoft website at http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Still in Autoruns scroll down to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and uncheck the check boxes for regedit.exe and taskmgr.exe.

The application should now be dormant; to remove it, delete the file c:\documents and settings\<user>\application data\protector-pcso.exe.
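The manual removal above (kill the process, clear the Run entry, clear the IFEO entries for regedit.exe and taskmgr.exe, delete the file) can be scripted for a host where the sample's random suffix is unknown. The following PowerShell script is an added example, not the page's own procedure. It assumes the payload sits under the current user's Application Data folder (%APPDATA%, which is C:\documents and settings\<user>\application data on this OS), that its name matches Protector-*.exe, and that the IFEO redirection uses the standard Debugger value. Because the page reports that the process resists taskkill and terminates procexp.exe by name, Stop-Process here may meet the same interference; the renamed Process Explorer step above is the method the page actually verified.

```powershell
# Added example (not from the original page): scripted form of the removal steps.
# Assumptions: payload in $env:APPDATA named Protector-*.exe; IFEO hijack via the
# Debugger value. Run from an elevated prompt. Pass -WhatIf to preview only.
param([switch]$WhatIf)

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runPath  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hijacked = @('regedit.exe', 'taskmgr.exe')
$payloads = Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -ErrorAction SilentlyContinue

# 1. Kill the running copy so it cannot re-create the registry entries.
Get-Process -Name 'Protector-*' -ErrorAction SilentlyContinue |
    Stop-Process -Force -WhatIf:$WhatIf

# 2. Drop the Run value(s) whose command points at the payload. The value name
#    varies per sample (the page saw "Inspector"), so match on the command.
$run = Get-ItemProperty -Path $runPath -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ([string]$_.Value) -match 'protector-[a-z]+\.exe' } |
        ForEach-Object { Remove-ItemProperty -Path $runPath -Name $_.Name -WhatIf:$WhatIf }
}

# 3. Remove the Debugger redirection for regedit.exe and taskmgr.exe. Only the
#    Debugger value is removed; any other IFEO settings under the key stay.
foreach ($img in $hijacked) {
    $key = Join-Path $ifeoPath $img
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Remove-ItemProperty -Path $key -Name Debugger -WhatIf:$WhatIf }
    }
}

# 4. Delete the now-dormant executable(s).
$payloads | Remove-Item -Force -WhatIf:$WhatIf
```

Run it once with -WhatIf to confirm it would only touch the expected Run value, the two IFEO Debugger values and the Protector-*.exe file before running it for real; afterwards, regedit.exe and taskmgr.exe should launch normally again.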
Obtained from
http://vulnerabilityefficiencydebug.info/78dee9e271084cb2/pr2/
Whois

Domain ID:D47137248-LRMS
Domain Name:VULNERABILITYEFFICIENCYDEBUG.INFO
Created On:09-Jul-2012 19:04:08 UTC
Last Updated On:09-Jul-2012 19:04:09 UTC
Expiration Date:09-Jul-2013 19:04:08 UTC
Sponsoring Registrar:DomainContext Inc. (R524-LRMS)
# nslookup
> vulnerabilityefficiencydebug.info           
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   vulnerabilityefficiencydebug.info
Address: 98.143.159.250
# nmap -sS 98.143.159.250

Starting Nmap 5.00 ( http://nmap.org ) at 2012-07-09 19:25 PDT
Interesting ports on 98.143.159.250.static.quadranet.com (98.143.159.250):
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 26.91 seconds
Last Modified: 2012-07-10