Virus Profiling

Published on by Kareldjag
Processes:
PID    ParentPID    User    Path   
--------------------------------------------------
3328    1252        C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\Virus\Virus.exe   

Ports:
Port    PID    Type    Path   
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description   
--------------------------------------------------
No changes Found           

IE Dlls:
DLL Path    Company Name    File Description   
--------------------------------------------------
No changes Found           

Loaded Drivers:
Driver File    Company Name    Description   
--------------------------------------------------

Monitored RegKeys
Registry Key    Value   
--------------------------------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Run    Virus.exe=C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\Virus\Virus.exe   

Kernel31 Api Log
   
--------------------------------------------------
***** Installing Hooks *****   
***** Install URLDownloadToFileA hook failed...Error: Asm Length failed? 0 JMP [F71788] Unknown identifier   
***** Install URLDownloadToCacheFile hook failed...Error: Asm Length failed? 0 JMP [F7178C] Unknown identifier   
719f70df     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)   
719f7cc4     RegOpenKeyExA (Protocol_Catalog9)   
719f737e     RegOpenKeyExA (0000000D)   
719f724d     RegOpenKeyExA (Catalog_Entries)   
719f78ea     RegOpenKeyExA (000000000001)   
719f78ea     RegOpenKeyExA (000000000002)   
719f78ea     RegOpenKeyExA (000000000003)   
719f78ea     RegOpenKeyExA (000000000004)   
719f78ea     RegOpenKeyExA (000000000005)   
719f78ea     RegOpenKeyExA (000000000006)   
719f78ea     RegOpenKeyExA (000000000007)   
719f78ea     RegOpenKeyExA (000000000008)   
719f78ea     RegOpenKeyExA (000000000009)   
719f78ea     RegOpenKeyExA (000000000010)   
719f78ea     RegOpenKeyExA (000000000011)   
719f78ea     RegOpenKeyExA (000000000012)   
719f78ea     RegOpenKeyExA (000000000013)   
719f78ea     RegOpenKeyExA (000000000014)   
719f78ea     RegOpenKeyExA (000000000015)   
719f78ea     RegOpenKeyExA (000000000016)   
719f78ea     RegOpenKeyExA (000000000017)   
719f78ea     RegOpenKeyExA (000000000018)   
719f78ea     RegOpenKeyExA (000000000019)   
719f78ea     RegOpenKeyExA (000000000020)   
719f78ea     RegOpenKeyExA (000000000021)   
719f2623     WaitForSingleObject(790,0)   
719f83c6     RegOpenKeyExA (NameSpace_Catalog5)   
719f737e     RegOpenKeyExA (00000005)   
719f7f5b     RegOpenKeyExA (Catalog_Entries)   
719f80ef     RegOpenKeyExA (000000000001)   
719f80ef     RegOpenKeyExA (000000000002)   
719f80ef     RegOpenKeyExA (000000000003)   
719f80ef     RegOpenKeyExA (000000000004)   
719f2623     WaitForSingleObject(788,0)   
719e1afa     RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)   
719e1996     GlobalAlloc()   
7c80b511     ExitThread()   
7337e2cd     GetCommandLineA()   
733a7957     LoadLibraryA(C:\WINDOWS\system32\VB6FR.DLL)=0   
7337edbc     GetVersionExA()   
5b0aef89     GetCurrentProcessId()=3328   
5b09b1ba     IsDebuggerPresent()   
7337f14e     LoadLibraryA(OLEAUT32.DLL)=770e0000   
774c2b33     LoadLibraryA(oleaut32.dll)=770e0000   
73380cf8     RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors)   
77dcc449     RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors)   
7338ebb5     GetVersionExA()   
7338b7ee     LoadLibraryA(advapi32.dll)=77da0000   
40369d     RegOpenKeyA (HKCU\Software\VFRun)   
77dcc449     RegOpenKeyExA (HKCU\Software\VFRun)   
4040b6     RegCreateKeyA (HKCU\Software\VFRun)   
77dcd5f4     RegCreateKeyExA (HKCU\Software\VFRun,(null))   
4041d4     RegOpenKeyExA (HKCU\Software\VFRun)   
404243     RegSetValueExA (FirstRun)   
4041d4     RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)   
404243     RegSetValueExA (Virus.exe)   
7338b7ee     LoadLibraryA(user32)=77d10000   
73384b2a     GetCurrentProcessId()=3328   

DirwatchData
   
--------------------------------------------------
WatchDir Initilized OK   
Watching C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp   
Watching C:\WINDOWS   
Watching C:\Program Files   
Modifed: C:\WINDOWS\Prefetch   
Created: C:\WINDOWS\Prefetch\SNIFF_HIT.EXE-1AB02EA8.pf   
Modifed: C:\WINDOWS\Prefetch\SNIFF_HIT.EXE-1AB02EA8.pf   
Created: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DF39A5.tmp   
Modifed: C:\DOCUME~1\ADMINI~1.POS\LOCALS~1\Temp\~DF39A5.tmp   
File: Virus.exe
Size: 28672 Bytes
MD5: ECEDE8B3CCA910E04BFC3950A01BC25C


File Properties:
CompanyName      Hipposaver
FileDescription 
FileVersion      1.00
InternalName     Virus
LegalCopyright  
OriginalFilename Virus.exe
ProductName      Project1
ProductVersion  

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 28Kb in 0 seconds
Urls
--------------------------------------------------


RegKeys
--------------------------------------------------
Software\VFRun
HKEY_CURRENT_USER\Software\VFRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

ExeRefs
--------------------------------------------------
File: Virus_dmp.exe_
Virus.exe
Virus.exe
Virus.exe

Raw Strings:
--------------------------------------------------
File: Virus_dmp.exe_
MD5:  650394a54a4a07727f42f4ab9e0632b0
Size: 28674

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
ule=ReProject1
gRead.b
Form1
Little Virus
Form1
Timer1
VB5!
Virus
Project1
Project1
Project1
modHook
RegRead
RegWrite
Form1
kernel32
RtlMoveMemory
user32
GetKeyState
SetWindowsHookExA
CallNextHookEx
UnhookWindowsHookEx
VBA6.DLL
__vbaFreeVar
__vbaI2I4
__vbaSetSystemError
shell32.dll
ShellExecuteA
advapi32.dll
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegFlushKey
RegLoadKeyA
RegNotifyChangeKeyValue
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
__vbaErrorOverflow
RegReplaceKeyA
RegRestoreKeyA
RegSetValueA
RegSetValueExA
RegUnLoadKeyA
__vbaInStr
__vbaLenBstr
__vbaFreeStrList
__vbaFreeVarList
__vbaVarDup
__vbaStrVarMove
__vbaStrMove
__vbaVarTstEq
__vbaOnError
__vbaStrCopy
__vbaFreeStr
__vbaStrToUnicode
__vbaStrToAnsi
__vbaVarMove
__vbaVarCmpEq
__vbaVarAdd
__vbaVarCmpNe
__vbaVarOr
__vbaBoolVarNull
__vbaStrCat
__vbaStrCmp
__vbaStrI2
__vbaAryUnlock
__vbaAryLock
__vbaVarForNext
__vbaUI1I2
__vbaGenerateBoundsError
__vbaI4Var
__vbaVarForInit
__vbaRedim
__vbaVarCopy
Form
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
Timer1
ShowWindow
GetWindowTextA
GetWindow
IsWindowVisible
GetCaption
__vbaStrVarVal
__vbaVarTstNe
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
hWnd
MSVBVM60.DLL
__vbaStrI2
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaVarCmpNe
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaVarForInit
__vbaOnError
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaBoolVarNull
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaVarTstEq
__vbaI2I4
DllFunctionCall
__vbaVarOr
_adj_fpatan
__vbaRedim
EVENT_SINK_Release
__vbaUI1I2
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
_CIlog
__vbaErrorOverflow
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarTstNe
__vbaI4Var
__vbaVarCmpEq
__vbaAryLock
__vbaVarAdd
__vbaStrToAnsi
__vbaVarDup
__vbaVarCopy
_CIatan
__vbaStrMove
_allmul
_CItan
__vbaAryUnlock
__vbaVarForNext
_CIexp
__vbaFreeObj
__vbaFreeStr

Unicode Strings:
---------------------------------------------------------------------------
@isual Studio\VB98;C:\WINDOWS\system32;
@*AC:Documents and SettingsHP_AdministratorDesktopMattsMyProgramsVirusProject1.vbp
Software\VFRun
FirstRun
Error
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
The Registry Database is corrupt!
Bad Key Name
Can't Open Key
Can't Read Key
Access to this key is denied
Can't Write Key
Out of memory
Invalid Parameter
There is more data than the buffer has been allocated to hold.
Undefined Error Code: 
HKEY_
Incorrect Format:
HKEY_CURRENT_USER\Software\VFRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Virus.exe
Virus.exe
Project1
@*AC:Documents and SettingsHP_AdministratorDesktopMattsMyProgramsVirusProject1.vbp
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
CompanyName
Hipposaver
ProductName
Project1
FileVersion
1.00
ProductVersion
1.00
InternalName
Virus
OriginalFilename
Virus.exe

Published in METHODOLOGY