26 May 2009

More Malware Installing Through Security Holes

by Roger Karlsson

I've been playing around with my malware honeypot for some days now and collected logs when malware installed through security holes. I've pasted the FreeFixer logs below, and marked the malware with red.

I'm currently running this honeypot on Windows XP service pack 1. I'll runs some test with Service Pack 2 or 3 later on to see if I get the same installs, or if something new turns up.

Malware Log 1

FreeFixer v0.40 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-23 12:38


Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Roger = C:\Documents and Settings\Roger\Roger.exe /i

Processes (19 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Documents and Settings\Roger\Roger.exe
C:\Documents and Settings\Roger\Roger.exe
C:\Program\FreeFixer\freefixer.exe

Services (34 whitelisted)
NetDDEdsdmThemes, Network DDE DSDM NetDDEdsdmThemes, c:\windows\system32\1037l.exe

Drivers (27 whitelisted)
ws2_32sik, ws2_32sik, c:\windows\system32\drivers\ws2_32sik.sys

Malware Log 2

FreeFixer v0.40 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-22 19:47


Browser Helper Objects
{D6E0FAFC-2B61-4753-B3DA-D83BE96A2C39}, MS extension, mashtuic32.dll(file is missing)

Registry Startups
HKLM\..\Run, WinDLL (service.exe) = service.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Roger = C:\Documents and Settings\Roger\Roger.exe /i

Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\wininet.exe
C:\Documents and Settings\Roger\Roger.exe
C:\Documents and Settings\Roger\Roger.exe
C:\Documents and Settings\Roger\Skrivbord\tools\gmer.exe
C:\WINDOWS\service.exe
C:\tmp\sleep.exe

Shell services (4 whitelisted)
SysRun, {D7FFD784-5276-42D1-887B-00267870A4C7}, C:\WINDOWS\System32\svshost.dll

Drivers (27 whitelisted)
acpi32, acpi32, c:\windows\system32\drivers\acpi32.sys

Malware Log 3

FreeFixer v0.40 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-21 21:49


Browser Helper Objects
{C420CF9F-D9D6-421F-958F-AA59906C2B12}, SpyPsy, C:\WINDOWS\System32\gopfa.dll

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Autostart shortcuts
MS-0905-upd211833.exe, , C:\Documents and Settings\All Users\Start-meny\Program\Autostart\MS-0905-upd211833.exe

Processes (14 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe

Malware Log 4

FreeFixer v0.40 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-21 11:22


UserInits (1 whitelisted)
C:\DOCUME~1\Roger\LOKALA~1\Temp\init.exe

Registry Startups
HKLM\..\Run, WinAccestor = C:\WINDOWS\winaccestor.exe
HKLM\..\Run, mssysif = C:\WINDOWS\system32\LIAR6.EXE
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\winaccestor.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\LIAR6.EXE
C:\Documents and Settings\Roger\Skrivbord\tools\gmer.exe

Services (34 whitelisted)
NetlogonUPS, Net Logon NetlogonUPS, c:\windows\system32\advpackl.exe

Malware Log 5

FreeFixer v0.39 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-18 12:48


Registry Startups
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\wpv351242765100.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (16 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\Temp\wpv351242765100.exe
C:\Program\FreeFixer\freefixer.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\TMP4.tmp
ns9.tmp (file is missing)
net.exe (file is missing)
net1.exe (file is missing)

Services (34 whitelisted)
VSSlanmanserver, Volume Shadow Copy VSSlanmanserver, c:\windows\system32\advpackv.exe

Malware Log 6

FreeFixer v0.39 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-18 12:53


System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Registry Startups
HKLM\..\Run, WinDLL (service.exe) = service.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winDDRYcZBRBIkB.exe
C:\WINDOWS\System32\wininet.exe
C:\WINDOWS\service.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winfismyj.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\aeilmk.exe
C:\Documents and Settings\Roger\Skrivbord\gmer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe
C:\Program\FreeFixer\freefixer.exe

Shell services (4 whitelisted)
SysRun, {D7FFD784-5276-42D1-887B-00267870A4C7}, C:\WINDOWS\System32\svshost.dll

Comments

No comments posted yet.

Leave a reply

Your nickname (required):

Just to make sure you are human and not a spam bot, please answer the following question: How many eyes does a cat have? (required):

Your comment: