Dangerous trojans on the loose

Discussion in 'malware problems & news' started by TNT, Jun 22, 2006.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    TNT

    I'm seeing only a blank page on xxx.kpmoi.com and no exploits on xxx.pictures.com even with AS enabled ?


    StevieO
     
  2. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,926
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Did you read what I said? :rolleyes: Those are not the domains, they are the filenames on the gromozon domains I wrote above... I even wrote "note that these are both executables loaded from the gromozon-related sites, not new domains"...
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,926
    No prob, can happen to all of us.

    Keep up the good work !
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    TNT

    Obviously not lol, but it looks like I'm not the only one who didn't notice "Something"!

    Just got the movies.com file and some older google.com ones that they are still putting out.


    StevieO
     
  7. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Try to send them to NOD32 and Dr.Web also if you like. :)
     
    Last edited by a moderator: Sep 25, 2006
  8. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I emailed ESET support asking them to take a look at this and also asked whether the IMON block list could be updated to include these sites (I don't know if it can block IP ranges or if it's just URLs).
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    NOD32 should now have detection for the threats, and future variants should also be detected. The Gromozom web sites will most likely be added to the IMON block list also.
     
    Last edited by a moderator: Sep 26, 2006
  10. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    Hello. This is my 1st post, and first of all I want to thank you all for the support about this plague.

    Now the news: this morning I was cleaning a gromozon-infected PC. There was the service, the administrative account, the rootkit, the linkoptimizer dll. Infection complete. Various spyware scanners had found nothing more than gromozon. But I'd found, inside the logged-in user's documents directory, two suspicious files, named "6d40.exe" and "86b4.exe", both 61440 bytes, fc/b identical, with no icon. No plain references to them in the registry. Date of creation 28 September 2006.

    Looking strange, I've sent the files to VirusTotal for analysis. Here is the report:

    Complete scanning result of "6d40.exe", processed in VirusTotal at 09/28/2006 15:47:34 (CET).

    [ file data ]
    * name: 6d40.exe
    * size: 61440
    * md5.: b9f43021cfd7d40a60bd30b59c7c651d
    * sha1: 3ff24fa2d55cfe0318b5bf4b7d92c5f42429d9b7

    [ scan result ]
    AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
    Authentium 4.93.8/20060928 found nothing
    Avast 4.7.892.0/20060927 found nothing
    AVG 386/20060927 found nothing
    BitDefender 7.2/20060928 found nothing
    CAT-QuickHeal 8.00/20060928 found nothing
    ClamAV devel-20060426/20060928 found nothing
    DrWeb 4.33/20060928 found nothing
    eTrust-InoculateIT 23.73.7/20060928 found nothing
    eTrust-Vet 30.3.3104/20060928 found nothing
    Ewido 4.0/20060928 found nothing
    F-Prot 3.16f/20060928 found nothing
    F-Prot4 4.2.1.29/20060928 found nothing
    Fortinet 2.82.0.0/20060928 found nothing
    Ikarus 0.2.65.0/20060928 found nothing
    Kaspersky 4.0.2.24/20060928 found nothing
    McAfee 4861/20060927 found nothing
    Microsoft 1.1603/20060928 found nothing
    NOD32v2 1.1781/20060928 found nothing
    Norman 5.80.02/20060928 found nothing
    Panda 9.0.0.4/20060927 found nothing
    Sophos 4.10.0/20060928 found nothing
    Symantec 8.0/20060928 found nothing
    TheHacker 6.0.1.085/20060928 found nothing
    UNA 1.83/20060927 found nothing
    VBA32 3.11.1/20060928 found nothing
    VirusBuster 4.3.7:9/20060928 found nothing

    [ notes ]
    packers: UPX
    packers: UPX
    packers: UPX

    :mad: Bad, bad, bad. Has anyone else seen this strange stuff before? Is this a new gromozon exploit or something else? If anyone wants to have a look at the files, let me know...

    ThankU :)
     
  11. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    Here are the scan results of the un-UPX-ed executable:

    Complete scanning result of "6d40.exe", processed in VirusTotal at 09/28/2006 16:30:31 (CET).

    [ file data ]
    * name: 6d40.exe
    * size: 81920
    * md5.: f78387d77d8de6b67d5e11096bea18e9
    * sha1: 333fec442476a9adcd6f570297875807e88650bc

    [ scan result ]
    AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
    Authentium 4.93.8/20060928 found nothing
    Avast 4.7.892.0/20060927 found nothing
    AVG 386/20060927 found nothing
    BitDefender 7.2/20060928 found nothing
    CAT-QuickHeal 8.00/20060928 found nothing
    ClamAV devel-20060426/20060928 found nothing
    DrWeb 4.33/20060928 found nothing
    eTrust-InoculateIT 23.73.7/20060928 found nothing
    eTrust-Vet 30.3.3104/20060928 found nothing
    Ewido 4.0/20060928 found nothing
    F-Prot 3.16f/20060928 found nothing
    F-Prot4 4.2.1.29/20060928 found nothing
    Fortinet 2.82.0.0/20060928 found nothing
    Ikarus 0.2.65.0/20060928 found nothing
    Kaspersky 4.0.2.24/20060928 found nothing
    McAfee 4861/20060927 found nothing
    Microsoft 1.1603/20060928 found nothing
    NOD32v2 1.1781/20060928 found nothing
    Norman 5.80.02/20060928 found nothing
    Panda 9.0.0.4/20060927 found nothing
    Sophos 4.10.0/20060928 found nothing
    Symantec 8.0/20060928 found [Trojan.Linkoptimizer]
    TheHacker 6.0.1.085/20060928 found nothing
    UNA 1.83/20060927 found nothing
    VBA32 3.11.1/20060928 found nothing
    VirusBuster 4.3.7:9/20060928 found nothing

    It seems confirmed that this is a new component of gromozon...

    PE info extract:

    Imports from: C:\WINNT\system32\kernel32.dll
    Image Import Descriptor
    Original First Thunk: 0 $0 %0
    Time/Date Stamp: 0 $0 %0
    Forwarder Chain: 0 $0 %0
    Name: 10592 $2960 %10100101100000
    First Thunk: 8192 $2000 %10000000000000


    No Hint Ordinal Name
    1. - - LoadLibraryA
    2. - - GetProcAddress
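    An import table that holds nothing but LoadLibraryA and GetProcAddress from kernel32, as in the PE info extract above, is the usual footprint of a packer or loader stub that resolves its real imports at run time, so it is worth flagging automatically when triaging a pile of unknown executables. The block below is an added example, not code from the thread or from any of the tools named in it: a minimal PE32 import-directory walker plus a `looks_like_loader_stub` check, exercised on a constructed PE image (`build_sample`, not a real sample) whose only imports are those two APIs.

```python
import struct
STUB_APIS = {"loadlibrarya", "getprocaddress"}  # the only two imports in the PE dump above

def _cstr(buf, off):  # NUL-terminated ASCII string at file offset off
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def pe_imports(pe):  # -> {dll: [imported names]} from a PE32 import directory (PE32+ not handled)
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)  # COFF header
    opt = nt + 24                                               # optional header start
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8)[0]     # data directory entry 1 = imports
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def off(rva):  # RVA -> file offset via (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    imports, desc = {}, off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", pe, desc)
        if name_rva == 0:                                       # all-zero descriptor ends the table
            break
        thunk, names = off(oft or ft), []                       # OFT may be 0; fall back to the FT
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            # high bit set = import by ordinal; otherwise RVA of a 2-byte hint followed by the name
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else _cstr(pe, off(entry) + 2))
            thunk += 4
        imports[_cstr(pe, off(name_rva)).lower()] = names
        desc += 20
    return imports

def looks_like_loader_stub(pe):  # only the two APIs needed to resolve everything else at run time
    imports = pe_imports(pe)
    names = {n.lower() for fns in imports.values() for n in fns}
    return len(imports) == 1 and bool(names) and names <= STUB_APIS

def build_sample():  # constructed minimal PE32 (not a real sample); RVAs equal file offsets
    img = bytearray(0x300)
    img[:2], img[0x3C], img[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"    # DOS stub, e_lfanew, PE signature
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header, 1 section
    struct.pack_into("<H", img, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 8, 0x200, 0x28)         # import directory RVA/size
    struct.pack_into("<8sIIII", img, 0x138, b".idata", 0x100, 0x200, 0x100, 0x200)  # section header
    struct.pack_into("<5I", img, 0x200, 0, 0, 0, 0x250, 0x240)       # descriptor (OFT=0); next stays zero
    struct.pack_into("<III", img, 0x240, 0x260, 0x270, 0)            # FT thunk array
    img[0x250:0x25D] = b"kernel32.dll\0"
    img[0x262:0x26F], img[0x272:0x281] = b"LoadLibraryA\0", b"GetProcAddress\0"  # hint(2)+name
    return bytes(img)
```

    On a real file, read it with `open(path, "rb").read()` and pass the bytes to `looks_like_loader_stub`; a hit means "unpack it first", not "malicious", since legitimate UPX-packed software has the same import table.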
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    What OS did you manage to run those files on? Neither of them would run on my WinXP.
     
  13. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    The files were found on a WinXP x86 SP2. I've found these two files because at the startup of the system there was an error about "6d40 will be closed...".

    The files seem to crash on any OS... Very strange... :cautious:
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    And that may be the reason why they are undetected. NOD32 is known for clean detection, meaning that corrupted and non-functional samples are not flagged. Anyway, we'll analyse them to make sure they don't run on other systems either.
     
  15. DianaBlu

    DianaBlu Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    6
    Here is the news. In my 1st post I've made an error. The files have the same size but they are different. I have un-UPX-ed the 86b4.exe and obtained a different exe, which I have tested on a test Win2000 Pro.

    Result: the same infection as www.google.com and others. The linkoptimizer installed, the admin account, the service, and so on.

    At this point, testing the environment, I've launched the Prevx gromozon removal, which didn't start at all. I've manually removed the account, the service, the encrypted files, the linkoptimizer dll, the appinit_dll in the registry.

    Reboot, and the system doesn't start any more. At login time, explorer is terminated with "memory can't be read", then all the svchost.exe processes are terminated one after another, until the system dialog appears with the 30-second reboot initiated because of lsass.exe or services.exe. o_O

    Scanned the disk with ADSSpy, found EVERY JPG with Q30lsdxJoudresAaaqpcawXc streams, with sizes from 4k to 12k; removed them.

    The system doesn't seem clean yet. The lsass reboot continues.
    What else? o_O
     
  16. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ DianaBlu

    If it had all these, the service, the administrative account, the rootkit, and the linkoptimizer dll, then it has to be a gromozon infection.

    AntiVir is very good with its heuristics [HEUR/Malware], and obviously detected this new variant successfully with them, and nobody else did?

    The file size of 61440 bytes is less than half the usually expected, so it appears they are containing it all in a much smaller package now!

    Interesting about those JPGs in the ADS with those tags.

    Good posts, thanks, and I hope you get it all cleaned up soon.

    I downloaded some new variations on the google.com files called hot.com the other day.


    StevieO
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I found a new domain: fgvmwyfstd8.com

    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com
    mufxggfi.com
    uv97vqm3.com
    wlos.net
    xoboe.com
    fgvmwyfstd8.com

    js.gbeb.cc
    js.pceb.cc
     
  18. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Same old, same old.
    195.225.176.0 - 195.225.179.255
    195.225.176.0 - 255.255.252.0
    195.225.176.0/22

    Code:
    <ip address/hostname>
    195.225.177.201
    fgvmwyfstd8.com
    Host unreachable
    
    <net block>
    195.225.176.0 - 195.225.179.255
    
    <owner>
    NetcatHosting
    Ukraine
    * Abuse contacts: abuse@netcathost.com *
    
    <administrative contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676
    
    <technical contact>
    Vsevolod Stetsinsky
    01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
    phone: +38 050 6226676
    
    <additional data>
    NETCATHOST
    Source: whois.ripe.net
    
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Just found yet another new domain: ghr5rudiys.com

    gromozon.com
    xearl.com
    mioctad.com
    td8eau9td.com
    cvoesdjd.com
    lah3bum9.com
    mufxggfi.com
    uv97vqm3.com
    wlos.net
    xoboe.com
    fgvmwyfstd8.com
    ghr5rudiys.com

    js.gbeb.cc
    js.pceb.cc
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This appears (note, I cannot confirm this at all right now) to be using a zero-day exploit in IE6... :eek:

    All patches into place, IE crashes... :eek:
     
    Last edited: Sep 30, 2006
  21. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    TNT

    All i got on ghr5rudiys.com was the old fake Closed message, no crash etc with JS active using IE6 Win98se. No downloads either here for me.


    StevieO
     
  22. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The exploits/trojans are still on a "subpage", not on the front "index" page. I sent you the location.
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Thanks to saoche who pointed out two new domains I didn't know of: ou2dkuz71t.com and ozkkmkdk.com. Also, all points out that e-46.com (which was already in my blocklist) is gromozon-related; although I haven't seen an exploit on that domain, it shares the same IP as wlos.net, a known gromozon-related exploit/trojan hosting site.

    All listing:

    cvoesdjd.com
    e-46.com
    fgvmwyfstd8.com
    ghr5rudiys.com
    gromozon.com
    js.gbeb.cc
    js.pceb.cc
    lah3bum9.com
    mioctad.com
    mufxggfi.com
    ou2dkuz71t.com
    ozkkmkdk.com
    td8eau9td.com
    uv97vqm3.com
    wlos.net
    xearl.com
    xoboe.com


    Please put all these in your block lists. The aforementioned can be put in your hosts file like this:

    Code:
    127.0.0.1       cvoesdjd.com
    127.0.0.1       e-46.com
    127.0.0.1       fgvmwyfstd8.com
    127.0.0.1       ghr5rudiys.com
    127.0.0.1       gromozon.com
    127.0.0.1       js.gbeb.cc
    127.0.0.1       js.pceb.cc
    127.0.0.1       lah3bum9.com
    127.0.0.1       mioctad.com
    127.0.0.1       mufxggfi.com
    127.0.0.1       ou2dkuz71t.com
    127.0.0.1       ozkkmkdk.com
    127.0.0.1       td8eau9td.com
    127.0.0.1       uv97vqm3.com
    127.0.0.1       wlos.net
    127.0.0.1       xearl.com
    127.0.0.1       xoboe.com
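    One thing to check after pasting such a list is whether it actually took effect, and to remember that a hosts file matches exact names only: an entry for gromozon.com does nothing for www.gromozon.com, so every name you expect traffic to must be listed separately. The block below is an added Python example, not code from the thread: it parses a hosts file, reports which of the posted domains are really sunk, and lists the lines still missing. The sample hosts file and the shortened domain list are constructed for the example, and the two-label rule for adding a `www.` form is a simplification, not a general registrable-domain test.

```python
import ipaddress

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that make a hosts line a block, not a real mapping

# A few of the domains posted above; the full list works the same way.
THREAD_DOMAINS = ["cvoesdjd.com", "e-46.com", "gromozon.com", "js.gbeb.cc", "wlos.net"]

# Constructed sample hosts file (not from the thread): two of the domains already blocked.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1   localhost
127.0.0.1   gromozon.com        # added from the thread
0.0.0.0     wlos.net
192.168.1.5 intranet.local      # a genuine mapping, not a block
"""

def blocked_hosts(hosts_text):
    """Return the set of names a hosts file sends to a sink address; comments and malformed lines are skipped."""
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                                   # first field is not an address: ignore the line
        if addr in SINK_ADDRESSES:
            blocked.update(n.lower().rstrip(".") for n in names)
    return blocked

def coverage(hosts_text, domains):
    """Map each domain to whether this hosts file blocks that exact name."""
    blocked = blocked_hosts(hosts_text)
    return {d: d.lower() in blocked for d in domains}

def missing_lines(hosts_text, domains, sink="127.0.0.1"):
    """Hosts lines still needed so every domain, plus the www. form of a bare two-label domain, is blocked.

    hosts files have no wildcards, so each exact name must be listed; the two-label test
    (example.com -> also www.example.com) is a simplification good enough for this list.
    """
    wanted = []
    for d in domains:
        wanted.append(d)
        if d.count(".") == 1 and not d.startswith("www."):
            wanted.append("www." + d)
    blocked = blocked_hosts(hosts_text)
    return [f"{sink}\t{d}" for d in wanted if d.lower() not in blocked]
```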
     
  24. gigiscula

    gigiscula Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    1
    Hi guys (and girls),

    I work for a computer repair shop in Italy. Today I met the latest version of the gromozom rootkit (I have met 2 previous versions in the past).

    This version doesn't allow the user to run the Prevx tool to remove the rootkit, nor the RootkitRevealer from Sysinternals. I was finally able to run the F-Secure BlackLight tool after giving debug privileges to the administrator, but it did not find anything. Normal mode, safe mode, safe mode with command prompt: those two anti-rootkits previously mentioned did not run.

    Process Explorer, Autoruns and HijackThis! ran, and there were some entries in HijackThis I fixed.

    I found the random username created by the rootkit, but this time I didn't find the Windows service associated with it, nor the executable files I found the other two times when we met.

    Finally, I gave up this time and formatted that pc (I was in a big hurry to deliver it to my client), but I'm sure I will meet again this motherf***er :ouch:
     
  25. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    I had the exact same problem...couldn't open prevx removal tool or gmer antirootkit...ran blacklight and sophos antirootkit but they found nothing..I could not even get to prevx's site or even this forum...said..."this page cannot be found"...this rootkit is very nasty.

    I finally found a program that worked to remove gromozon: SUPERAntiSpyware http://superantispyware.com
    I was skeptical at first but it removed the threat....now I don't have to reformat :D

    Any comments on this super AS? I never heard of it before yesterday.
     