Trojan VBS/Bicololo at infected WordPress
12 Jan 2013 #MalwareMustDie!
====================================================

SHA256: 3ee1ee6a1a725769f066d4ccd272663558dd8786525cc7a0aedeb33a95b6f1d9
SHA1: f05b0a6734391f19838bdcb41d29d173a1d45b02
MD5: f54715875c3327953965072927e86bd0
File size: 179.9 KB ( 184243 bytes )
File name: GOLAYA-BABE(.)exe
File type: Win32 EXE
Tags: peexe bobsoft
Detection ratio: 11 / 44
Analysis date: 2013-01-11 12:51:39 UTC ( 5 minutes ago )
URL --->> [VirusTotal] https://www.virustotal.com/latest-scan/3ee1ee6a1a725769f066d4ccd272663558dd8786525cc7a0aedeb33a95b6f1d9

GData : VBS:Bicololo-BG
TrendMicro-HouseCall : TROJ_GEN.F47V0111
Avast : VBS:Bicololo-BG [Trj]
Kaspersky : UDS:DangerousObject.Multi.Generic
Jiangmin : Trojan/StartPage.bim
Malwarebytes : Trojan.StartPage.ooo
Panda : Trj/Qhost.MR
Ikarus : Trojan.Win32.Qhosts
Kingsoft : Win32.Troj.Undef.(kcloud)
TheHacker : Trojan/Bicololo.a
Microsoft : Trojan:Win32/QHosts.BF

Drops temporary files here:
C:\DOCUME~1\ ~1\LOCALS~1\Temp\$inst\temp_0.tmp
C:\DOCUME~1\ ~1\LOCALS~1\Temp\$inst\2.tmp

Drops the malicious data here...
C:\Program Files\LuaZ\PTka\kroka.txt
C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat
C:\Program Files\LuaZ\PTka\nasdfsfgdfsdfgkrasit(.)vbs
C:\Program Files\LuaZ\PTka\i1_r2123r23r23r234at(.)vbs

Rewrites the hosts file:
C:\WINDOWS\System32\drivers\etc\hosts

Activates the Internet Settings below:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKU\..\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy

Registers the Windows Script Engine to run, and the execution of the BAT file:
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\WINDOWS\System32\WScript(.)exe --> With value: Microsoft (R) Windows Based Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\(.)vbs\OpenWithProgids\VBSFile
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat --> With value: _nekjg_jdkgsfkj

Then we'll see these processes start:
C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat
C:\WINDOWS\System32\WScript(.)exe
"C:\WINDOWS\System32\WScript(.)exe" "C:\Program Files\LuaZ\PTka\nasdfsfgdfsdfgkrasit(.)vbs"
C:\WINDOWS\System32\WScript(.)exe
"C:\WINDOWS\System32\WScript(.)exe" "C:\Program Files\LuaZ\PTka\i1_r2123r23r23r234at(.)vbs"

Network activity
GET access to 199.241.191.138:1115/stat/tuk/189 was detected:

Connecting to 199.241.191.138:1115... seconds 0.00, connected.
GET /stat/tuk/189 HTTP/1.0
Host: 199.241.191.138:1115
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 11 Jan 2013 12:26:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10
Set-Cookie: ci_session=lNb4MOHKeePb113cZmW1LPvsBDZB6QAZgOsKFsyAkJfB2pG01hSIDsiLZu2YSAbZolV3GxA9ioFoe66yUnzxOJTJiKAahUI3Uox10uBHN515h0I8TIOXKoFcpsb%2FmK6FgAj800SwH2eBJaZvqBi1FNzXarlSEOEw5fGW9JseV6hpLg42b5JPEARB6FUAX6grZJrArggr1XK%2FY%2FsOR3dnzhBfOYS4o%2Fy37GpS7mq%2FuOXEaZkU5vftqHLQxYldFYDakC7lQGMRNiQKiDi2ot2qgJDG0fUm8l05pkjQELLzaj6NkTPUeyXHeRMG1nbIxvZnhFHjGQ%2FSko6g20y0ZTn%2F5776nJdK1CiMAxw3wTwXXfWXx0RCrspbjB9WEoIL%2FbZe; path=/
200 OK
Stored cookie 199.241.191.138 1115 / [expiry none] ci_session lNb4MOHKeePb113cZmW1LPvsBDZB6QAZgOsKFsyAkJfB2pG01hSIDsiLZu2YSAbZolV3GxA9ioFoe66yUnzxOJTJiKAahUI3Uox10uBHN515h0I8TIOXKoFcpsb%2FmK6FgAj800SwH2eBJaZvqBi1FNzXarlSEOEw5fGW9JseV6hpLg42b5JPEARB6FUAX6grZJrArggr1XK%2FY%2FsOR3dnzhBfOYS4o%2Fy37GpS7mq%2FuOXEaZkU5vftqHLQxYldFYDakC7lQGMRNiQKiDi2ot2qgJDG0fUm8l05pkjQELLzaj6NkTPUeyXHeRMG1nbIxvZnhFHjGQ%2FSko6g20y0ZTn%2F5776nJdK1CiMAxw3wTwXXfWXx0RCrspbjB9WEoIL%2FbZe

The response body was "OK" on the first attempt and "ne_unik" on the next attempts.
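As an added defender-side example (not code from the MalwareMustDie post), the small Python audit below does the two checks a responder would want on a box suspected of this Qhost-style infection: it parses the Windows hosts file the way the trojan's rewrite leaves it and flags every active entry that maps a name to anything other than the local machine, and it checks for the dropped file paths listed above. The sample hosts content is constructed for the demo; the post does not show which entries Bicololo wrote, so the audit flags any non-local mapping rather than a fixed list of hostnames.

```python
"""Audit a Windows hosts file and the dropped-file paths from the write-up.

Added example, not part of the original post. Paths in DROPPED_FILES are the
ones the post reports; the sample hosts text below is constructed.
"""
import ipaddress
import os
from dataclasses import dataclass, field

# Path the post says the trojan rewrites.
HOSTS_PATH = r"C:\WINDOWS\System32\drivers\etc\hosts"

# Addresses a clean Windows hosts file is expected to map names to.
LOCAL_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}

# Files the post reports being dropped (defanged "(.)" restored so the
# paths can actually be checked with os.path.exists).
DROPPED_FILES = [
    r"C:\Program Files\LuaZ\PTka\kroka.txt",
    r"C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj.bat",
    r"C:\Program Files\LuaZ\PTka\nasdfsfgdfsdfgkrasit.vbs",
    r"C:\Program Files\LuaZ\PTka\i1_r2123r23r23r234at.vbs",
]


@dataclass
class HostsFinding:
    line_no: int
    address: str
    names: list = field(default_factory=list)
    reason: str = ""


def parse_hosts(text):
    """Yield (line_no, address, names) for every active hosts entry.

    Comments (everything after '#') and blank lines are skipped, so an
    attacker entry hidden after many blank lines is still seen.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        if len(fields) < 2:  # address with no names: nothing to resolve
            continue
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return a HostsFinding for every entry that is not a local mapping."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(HostsFinding(line_no, address, names, "unparseable address"))
            continue
        if ip in LOCAL_ADDRESSES:
            continue  # loopback / blackhole entries are normal
        reason = "name(s) redirected to a non-local address"
        findings.append(HostsFinding(line_no, address, names, reason))
    return findings


def audit_hosts_file(path=HOSTS_PATH):
    """Read a hosts file from disk and audit it; missing file -> no findings."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


def dropped_files_present(paths=DROPPED_FILES):
    """Return the subset of the reported dropped files that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample: two legitimate entries, one admin-added intranet entry,
# and one entry that sends a public site to an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example   # admin-added, still worth a look
203.0.113.7     www.example.com    # hijack-style redirect (constructed)
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {', '.join(f.names)} ({f.reason})")
    print("dropped files present:", dropped_files_present())
```

On a live Windows host, `audit_hosts_file()` with the default path reads the real file; every flagged line should be explained by an administrator or treated as the trojan's rewrite, and any hit from `dropped_files_present()` is direct confirmation of this sample's footprint.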
----
#MalwareMustDie