Post subject: 508ad444da3155a54103b8a8b299ff11 -HappyBirthday-explorce.exe
Posted: Fri Jul 25, 2008 9:24 pm
Site Admin

Joined: Thu Mar 27, 2008 1:06 pm
Posts: 163
Location: India
File: explorce.exe
Result: 18/34 (52.95%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.21.0 2008.08.22 Win32/Autorun.worm.258605
AntiVir 7.8.1.23 2008.08.22 TR/Autorun.QN
Authentium 5.1.0.4 2008.08.22 -
Avast 4.8.1195.0 2008.08.21 Win32:AutoRun-YX
AVG 8.0.0.161 2008.08.21 -
BitDefender 7.2 2008.08.22 Trojan.Autorun.QN
CAT-QuickHeal 9.50 2008.08.21 Worm.AutoRun.cns
ClamAV 0.93.1 2008.08.22 -
DrWeb 4.44.0.09170 2008.08.22 -
eSafe 7.0.17.0 2008.08.21 Suspicious File
eTrust-Vet 31.6.6040 2008.08.22 Win32/SillyAutorun.FI
Ewido 4.0 2008.08.21 -
F-Prot 4.4.4.56 2008.08.21 -
Fortinet 3.14.0.0 2008.08.22 -
GData 2.0.7306.1023 2008.08.20 Win32:AutoRun-YX
Ikarus T3.1.1.34.0 2008.08.22 Trojan.Win32.Autoit.cr
K7AntiVirus 7.10.423 2008.08.21 IM-Worm.Win32.Sohanad.nh
Kaspersky 7.0.0.125 2008.08.22 Trojan.Win32.Autoit.cr
McAfee 5367 2008.08.21 -
Microsoft 1.3807 2008.08.22 -
NOD32v2 3378 2008.08.22 Win32/Autoit.CA
Norman 5.80.02 2008.08.21 -
Panda 9.0.0.4 2008.08.21 W32/Sality.AE
PCTools 4.4.2.0 2008.08.21 Worm.Autorun.AYK
Prevx1 V2 2008.08.22 -
Rising 20.58.40.00 2008.08.22 Worm.Win32.Agent.uh
Sophos 4.32.0 2008.08.22 -
Sunbelt 3.1.1571.1 2008.08.22 -
TheHacker 6.3.0.6.058 2008.08.22 -
TrendMicro 8.700.0.1004 2008.08.22 -
VBA32 3.12.8.4 2008.08.21 -
ViRobot 2008.8.21.1344 2008.08.21 Worm.Win32.Autorun.258605
VirusBuster 4.5.11.0 2008.08.21 Worm.Autorun.AYK
Webwasher-Gateway 6.6.2 2008.08.22 Trojan.Autorun.QN

PE Details:
File size: 315949 bytes
MD5...: 508ad444da3155a54103b8a8b299ff11
SHA1..: 787428e77804e5ec07941963c5c685da4b0fff3c
SHA256: 7577cad6346b57a9cd0bafaeb4afdd221d94ebfdcb701d9cf656707c40e3570d
SHA512: e8eb9e5eee7625bafeb22899de00cfc8e452411bfa770c509ac89b8d96ea4c7d9551a379098ac85deacf6fb045c9607558fe3fcb11e0c376afae86103c7584a5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x49bad0
timedatestamp.....: 0x47493eaa (Sun Nov 25 09:21:46 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x64000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x65000 0x37000 0x36e00 7.92 0c927b8d47b210e61f255ca45a1ddb45
.rsrc 0x9c000 0x16000 0x15400 2.82 5a919d67b722296e8075811b6faf5020

( 13 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: ImageList_Remove
> comdlg32.dll: GetSaveFileNameW
> GDI32.dll: LineTo
> MPR.dll: WNetUseConnectionW
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueW
> WINMM.dll: timeGetTime
> WSOCK32.dll: -

Happy Birthday

Name: Happy Birthday
Executable Name: explorce.exe
File Attributes: System/Hidden/Read Only (SHR)
Initiated: 21st of every month (the malware author's girlfriend's birthday is on the 21st)
Systems Affected: Windows 2000, Windows NT, Windows XP

Technical Details:

Mode of infection: This infection spreads through e-mail and USB removable drives.

Symptoms: The common symptoms of this virus are listed below:

- Shows a tool tip near the mouse cursor with the text ‘Happy Birthday’
- Runs the process ‘explorce.exe’, visible in the process list
- Disables commands like ‘cmd’, ‘regedit’ etc.
- Operating system does not boot and shows ‘NTLDR Missing’ after a restart

Infection Details:

The infection spreads via e-mail or USB removable drives. Once the infected executable runs on the system, it copies itself to System32\explorce.exe.

It shows a tool tip under the mouse cursor with the text ‘Happy Birthday’.

Once the infected USB removable drive is plugged into and accessed on a clean system, the ‘Autorun.inf’ file is read first and the file named under its ‘Open=’ or ‘Shell Execute=’ entry is executed. This infects the system and starts the explorce.exe process.

Once a clean USB removable drive is plugged into an infected system, the explorce.exe process running there copies itself to the USB removable drive and also writes an ‘Autorun.inf’ file that calls explorce.exe.

The infected process creates the following registry entry so that it runs every time Windows starts:

Either creates the entry under HKEY_LOCAL_MACHINE:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = System32\explorce.exe

Or creates the entry under HKEY_CURRENT_USER:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = System32\explorce.exe

The infected process disables commands like ‘Cmd’, ‘Regedit’ etc.

Deletes the ‘NTLDR’ file from %SystemDrive%, making the system unbootable after it is restarted.

Removal Instruction:

Please follow the steps below carefully to remove the Happy Birthday virus and to recover the system before it becomes unbootable:

- Unplug any attached USB removable drive.
- Kill the explorce.exe process from the process list.
- Right-click UnHookExec.inf (from Symantec) and select Install. This re-enables the Regedit option.
- Delete the entry below from the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = System32\explorce.exe
Or
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = System32\explorce.exe
- Enable the Cmd option from the Registry.
- Open Cmd from Start > Run.
- Type the commands below in sequence:
C:
Cd\
Cd C:\windows\system32
Del /ah/f explorce.exe
- Insert the Windows XP installation CD and copy ‘NTLDR’ from i386\NTLDR to %SystemDrive%.
- Refer to the URL below for further details about restoring the NTLDR file:
http://support.microsoft.com/kb/318728
- Reboot the system and check whether the explorce.exe process is running.

Warning:

- If infection is suspected, don’t reboot the system before following the above steps.
- Don’t open attachments from unknown recipients.
- Before opening any USB removable drive, check from the command prompt for the presence of Autorun.inf on the drive with the 'attrib' command. If Autorun.inf exists, delete it with the command 'del/ah/f autorun.inf'.

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
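As an added defender-side example (not part of the post above), the Python helper below parses an Autorun.inf for the ‘Open=’ / ‘Shell Execute=’ launch entries the post describes, generalised to shell\<verb>\command= entries as well, and checks Run-key values from either hive for the explorce.exe file name. The autorun.inf text and the registry values are constructed samples; the only indicator taken from the post is the file name.

```python
import configparser

# Constructed sample autorun.inf modelled on the propagation the post describes
# (the worm writes an Autorun.inf that launches its own copy from the drive).
SAMPLE_AUTORUN = """[AutoRun]
open=explorce.exe
Shell Execute=explorce.exe
shell\\open\\command=explorce.exe /s
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
# Constructed Run-key export (value name -> data) from ...\CurrentVersion\Run.
SAMPLE_RUN_KEY = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe", "explorce": r"System32\explorce.exe"}
IOC_FILENAME = "explorce.exe"  # file name reported in the post

def autorun_launch_targets(inf_text):
    """Programs an autorun.inf launches via open=, shellexecute= or shell\\<verb>\\command=.
    Keys are lowercased (INF is case-insensitive) and spaces dropped so 'Shell Execute' matches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda key: key.lower().replace(" ", "")
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip().strip('"'))
    return targets

def _basename(command):
    # Lowercased file name of the first token of a command line (quotes and paths stripped).
    first = command.strip().strip('"').split()[0] if command.strip() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_autorun(inf_text, ioc=IOC_FILENAME):
    """Launch target -> reason. The known file name is the strong signal; any autorun
    running an .exe is only a heuristic, since software CDs do that legitimately."""
    hits = {}
    for target in autorun_launch_targets(inf_text):
        name = _basename(target)
        if name == ioc.lower():
            hits[target] = "known Happy Birthday file name"
        elif name.endswith(".exe"):
            hits[target] = "autorun launches an executable"
    return hits

def run_key_hits(values, ioc=IOC_FILENAME):
    """Run-key entries (either hive) whose program is the known file name."""
    return {n: d for n, d in values.items() if _basename(d) == ioc.lower()}
```

On a live system the same functions can be fed the contents of X:\Autorun.inf read from the removable drive and the values exported from both Run keys.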

