By a rather impressive constructed scam, I was persuaded to download and execute this file
http://iwantsoft.ne1.net/through this site
http://www.xcobot.tk/Now the suposed "MacroEngine" does not do what its advertised to do.
It will install a "Macroengine.exe" wich upon unsuccessfull insalltion will be deleted through a, from the program, constructed batch program (im on winxp sp2 btw), so u need to back it up before deletion, or halt the install progress some other way(like a debugger) before it gets to that.
This i have verified by debugging the bastard program with olly.
Referenced text strings, besides the construction of the batch program, includes
"enjoi kerspasky"
"systm.exe"
"sysbm.bat"
"\w32_"
The first is pretty obvious! Gotta give thanks to the author for the dead giveaway, vanity truely is a sin. Accidently kaspersky av software dont install, it gets interrupted halfway through installation, aborted, go figure.
The 2,3,4 is files in the \winxp directory.
Now I go to debug this bastard w32_systm.exe
First thing i see, this is a delphi app ... windows native ? idontthinkso
Its a longer story, but it has hardcoded windows homes for xp, 2000 and nt4 as far as i can tell, aim messages, and operations for iexplorer.
This too contain segments of batch operations, like
"If exist sys*.ss del sys*.ss"
Now my XP home aint in c:\winxp, and ie is not my default browser.
Non the less, the behavior i observe now is that
1. firefox is autostarted when the pc is powered on
2. it will try to connect to a predestend site (somewhere in .no) on a specific port once a minute
3. the execution path to firefox(read through olly) is not c:\program files\mozilla.... as usual but rather c:\program~1\mozill~1\.... (something expected from delphi?)
4. memory footprint is small, like 6M, opposed to regular ~20m upon startup
There is no sign of these executables in the registry! (i suppose i should post a hijack log too, will do that in a followup)
Now i've attached to the suspect firefox process, and while there's things that might be suspicious, i cannot say for certain.
Here's how I THINK it could play out.
- Bastard process starts a firefox process, threadinjects it to do its bidding (thread injection however requires detailed knowledge of the structure of the code, that seems unlikely!!!!)
- Firefox program is comprimised, bastard code activated by other bastard process
- The first program (with the greeting to kaspersky) is a standard wrapper wich the delphi code is simply wrapped in.
I am tired right now, im sure im leaving stuff of my investegation out, ill look into the hijack thingie and return...
Suggestions so far ?
