Malware… oh malware

This afternoon, while I was working at my college, I got an annoying nag screen from an antivirus application telling me that the computer had been infected by a trojan. Since I have a curiosity for this kind of "software", I decided to play around with the malware a little.
I decided to download some standard applications to help me analyze the malware. Here are the applications:
  • CaptureBAT
  • TCPView
  • Ollydbg
  • Process Monitor
  • Telnet
  • Mandiant Red Curtain
Ok, the antivirus said that the application suspected of being a trojan was located in C:\Windows\ and named gwdrive32.exe. First I ran Process Monitor and tried to end all the processes. Next I ran CaptureBAT with the -n option, so CaptureBAT would also capture network activity. Then I ran TCPView to watch the network connections. From TCPView and Process Monitor it was clear that, besides the trojan itself, there were also a lot of malware applications running as background processes.
From Mandiant Red Curtain and OllyDbg I could tell that the application was built with Microsoft Visual Basic. After a few hours of analysis, I came to the following conclusions.

File Info
Name    | Value
Size    | 143430
MD5     | a3f85d336559620eefc5681a3a2e6d13
SHA1    | 37791dac9bf0b14354ec954e68de3b6adaab91fd
SHA256  | 38c99bb7db6637cd5416f203dcf50c8487ccef75bab2a035491e82a40bf44061
Process | Exited
– Keys Created
Name | Last Write Time
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer | 2009.01.12 14:48:02.203
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 2009.01.12 14:48:02.234

– Values Created
Name | Type | Size | Value
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup | REG_SZ | 50 | "C:\WINDOWS\gwdrive32.exe"
LM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup | REG_SZ | 50 | "C:\WINDOWS\gwdrive32.exe"
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe | REG_SZ | 92 | "C:\TEST\sample.exe:*:C:\WINDOWS\gwdrive32.exe"
– Values Changed
Name | Type (before/after) | Size (before/after) | Value (before/after)
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch | REG_DWORD / REG_DWORD | 4 / 4 | 0x57 / 0x58

– Files Created
Name | Size | Last Write Time | Creation Time | Last Access Time | Attr
C:\WINDOWS\gwdrive32.exe | 143430 | 2009.01.12 14:47:54.609 | 2009.01.12 14:48:02.187 | 2009.01.12 14:48:02.187 | 0x7
– Processes Created
PId | Process Name | Image Name
0x7cc | sample.exe | C:\TEST\sample.exe
– Processes Terminated
– Threads Created
PId | Process Name | TId | Start | Start Mem | Win32 Start | Win32 Start Mem
0x344 | svchost.exe | 0x170 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE
0x7cc | sample.exe | 0x7d0 | 0x7c810867 | MEM_FREE | 0x0 | MEM_FREE
– Modules Loaded
– Windows Api Calls
PId | Image Name | Address | Function ( Parameters ) | Return Value
0x7cc | C:\TEST\sample.exe | 0x405f36 | CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\gwdrive32.exe", bFailIfExists: 0x0) | 0x1
– DNS Queries
DNS Query Text
aaaaaaaa.schooluni.us IN A +
– Description
Suspicious Actions Detected
Copies self to other locations
Creates autorun records
Creates files in windows system directory
Disables windows firewall
– Mutexes Created or Opened
PId | Image Name | Address | Mutex Name
0x360 | C:\WINDOWS\gwdrive32.exe | 0x403d8a | jng28gdcrg2fcs
0x360 | C:\WINDOWS\gwdrive32.exe | 0x403daf | jng28gdcrg2fcs
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771ba3ae | _!MSFTHISTORY!_
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771bc21c | WininetConnectionMutex
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771bc23d | WininetProxyRegistryMutex
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771bc2dd | WininetStartupMutex
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771d9710 | c:!documents and settings!user!cookies!
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771d9710 | c:!documents and settings!user!local settings!history!history.ie5!
0x360 | C:\WINDOWS\gwdrive32.exe | 0x771d9710 | c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x7cc | C:\TEST\sample.exe | 0x771ba3ae | _!MSFTHISTORY!_
0x7cc | C:\TEST\sample.exe | 0x771bc21c | WininetConnectionMutex
0x7cc | C:\TEST\sample.exe | 0x771bc23d | WininetProxyRegistryMutex
0x7cc | C:\TEST\sample.exe | 0x771bc2dd | WininetStartupMutex
0x7cc | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!cookies!
0x7cc | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!local settings!history!history.ie5!
0x7cc | C:\TEST\sample.exe | 0x771d9710 | c:!documents and settings!user!local settings!temporary internet files!content.ie5!
– Events Created or Opened
PId | Image Name | Address | Event Name
0x360 | C:\WINDOWS\gwdrive32.exe | 0x77a89422 | Global\crypt32LogoffEvent
0x7cc | C:\TEST\sample.exe | 0x77a89422 | Global\crypt32LogoffEvent
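As an added defender-side example (my own script, not part of the original post or any of the tools listed), the following Python code checks a .reg-style registry export for the two autorun locations and the firewall AuthorizedApplications entry recorded in the Values Created and Description sections above. The export text is constructed from the report's values plus two invented benign entries, and the "trusted directory" and "well-formed record" heuristics are assumptions of this example.

```python
import re
# Persistence keys and firewall exception list from the report (matched against key-path tails).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
FIREWALL_LIST = r"firewallpolicy\standardprofile\authorizedapplications\list"
# Constructed .reg-style export: the gwdrive32.exe values from the report plus two benign
# entries invented here (ctfmon.exe, Example App) that the checks should leave alone.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"="C:\\WINDOWS\\gwdrive32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="C:\\WINDOWS\\gwdrive32.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TEST\\sample.exe"="C:\\TEST\\sample.exe:*:C:\\WINDOWS\\gwdrive32.exe"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
'''
def _unescape(s):  # .reg files double backslashes and escape embedded quotes
    return s.replace("\\\\", "\\").replace('\\"', '"')
def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg-style dump."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = {}
        elif key is not None:
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:
                entries[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def find_indicators(entries):
    """Flag autoruns pointing at an .exe dropped straight into the Windows directory, and
    firewall exceptions outside system32/Program Files or with a malformed record."""
    findings = []
    for key, values in entries.items():
        if key.lower().endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if re.fullmatch(r"c:\\windows\\[^\\]+\.exe", data.strip('"').lower()):
                    findings.append(("autorun", key, name, data))
        elif key.lower().endswith(FIREWALL_LIST):
            for name, data in values.items():  # proper records read path:scope:Enabled|Disabled:name
                trusted = name.lower().startswith(("c:\\windows\\system32\\", "c:\\program files\\"))
                fields = data[len(name):].split(":") if data.lower().startswith(name.lower()) else []
                if not trusted or len(fields) != 4 or fields[2].lower() not in ("enabled", "disabled"):
                    findings.append(("firewall-exception", key, name, data))
    return findings
```

Running `find_indicators(parse_reg_export(SAMPLE_REG))` returns the two autorun entries and the firewall exception for gwdrive32.exe and nothing for the benign entries; the same checks apply to a real export taken with `reg export`.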