Monday, 10 May 2010

Infostealer.Banker.G ripped Part 2

Welcome back to part two of the malware analysis.

When installed, this malware drops a DLL in the system folder (C:\windows\system32\msls52.dll). The DLL is packed with the same packer as the dropper, and its entry point looks similar to the dropper's.
A very interesting thing about this malware is that it infects the Windows Uxtheme.dll (in the system folder) and renames the clean copy as Uxtheme(random char).tmp. The infected Uxtheme.dll locks the file msls52.dll; when you try to delete it you get an "access denied" message. Use the Kaspersky free removal tool to get rid of the DLL on reboot.
Once you have deleted msls52.dll, the infected Uxtheme.dll tries to load it at startup, gives the message "Unable to load msls52.dll" and makes your machine virtually unusable.
To make it work again, restart your machine in Windows Safe Mode with Command Prompt (press F8 on startup to get the safe mode menu). Once you are in safe mode, delete or rename Uxtheme.dll and rename the Uxtheme(random char).tmp file to Uxtheme.dll. This should make your machine usable again after reboot :-). Btw, the infected Uxtheme.dll is detected as W32/Patched by some vendors.

Continuing the analysis from the previous part, if you follow the calls and jumps there are a couple of interesting instructions.

00409FA2 B9 BE 80 FF 1F  mov     ecx, 1FFF80BEh
00409FA7 EB 41           jmp     short loc_409FEA

00409FF6 C1 E1 02        shl     ecx, 2  ; ECX is now 7FFE02F8
00409FF9 EB 67           jmp     short loc_40A062

0040A062 0F B6 09        movzx   ecx, byte ptr [ecx]

Hmmm... ECX is now 7FFE02F8 and the code is reading the byte at that address back into the ECX register.
So what is 7FFE02F8 anyway? 7FFE0000 is KUSER_SHARED_DATA, a region of memory mapped into every process and also called SharedUserData. 7FFE0000 + 2F8 refers to TestRetInstruction. In this malware I think it is mainly used for anti-debugging or anti-emulation purposes.
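The constant is hidden by loading 1FFF80BE and shifting it left by two, so the SharedUserData address never appears literally in the code. The script below is an added example (not from the original post) that walks an IDA-style listing, follows immediate loads and shifts per register, and names the KUSER_SHARED_DATA field behind any memory read it can resolve; the listing is constructed from the instructions above, and the field offsets assume the Windows XP-era layout.

```python
import re

# KUSER_SHARED_DATA is mapped into every 32-bit process at this fixed address.
KUSER_SHARED_DATA, KUSER_SHARED_DATA_END = 0x7FFE0000, 0x7FFE1000
# Partial field map (Windows XP-era layout assumed): fields commonly read by
# anti-debug / anti-emulation code; 0x2F8 is the one the post resolves to.
KUSER_FIELDS = {0x2D4: "KdDebuggerEnabled", 0x2EC: "SafeBootMode",
                0x2F8: "TestRetInstruction", 0x300: "SystemCall"}
# Constructed listing (addr, bytes, mnemonic, operands): the instructions
# quoted in the post plus the jumps sitting between them.
LISTING = """
00409FA2 B9 BE 80 FF 1F  mov     ecx, 1FFF80BEh
00409FA7 EB 41           jmp     short loc_409FEA
00409FF6 C1 E1 02        shl     ecx, 2
00409FF9 EB 67           jmp     short loc_40A062
0040A062 0F B6 09        movzx   ecx, byte ptr [ecx]
"""
INSN = re.compile(r"^([0-9A-F]{8})\s+(?:[0-9A-F]{2}\s)+\s*([a-z]+)\s*(.*?)\s*(?:;.*)?$")
IMM = re.compile(r"^(?:[0-9A-F]+h|\d+)$", re.I)   # IDA-style immediates
MEM = re.compile(r"\[(\w+)\]")                      # simple [reg] operands

def parse_imm(tok):
    """IDA-style immediate: a trailing 'h' means hex, otherwise decimal."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok)

def resolve_kuser_reads(listing):
    """Follow immediate loads and shifts per register and report every memory
    operand whose effective address lands inside KUSER_SHARED_DATA."""
    regs, hits = {}, []          # register -> known 32-bit value; findings
    for line in listing.strip().splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3)
        parts = [p.strip() for p in ops.split(",")] if ops else []
        mem = MEM.search(ops)
        if mem and mem.group(1) in regs:             # access through a known register
            ea = regs[mem.group(1)]
            if KUSER_SHARED_DATA <= ea < KUSER_SHARED_DATA_END:
                off = ea - KUSER_SHARED_DATA
                hits.append((addr, ea, KUSER_FIELDS.get(off, "+0x%X" % off)))
        if mnem == "mov" and len(parts) == 2 and IMM.match(parts[1]):
            regs[parts[0]] = parse_imm(parts[1]) & 0xFFFFFFFF
        elif mnem == "shl" and len(parts) == 2 and parts[0] in regs:
            regs[parts[0]] = (regs[parts[0]] << parse_imm(parts[1])) & 0xFFFFFFFF
        elif parts:
            regs.pop(parts[0], None)                 # destination no longer known
    return hits
```

Calling `resolve_kuser_reads(LISTING)` returns `[(0x40A062, 0x7FFE02F8, 'TestRetInstruction')]`, the same read the post decodes by hand.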
If you continue analyzing the sample in OllyDbg, Olly gets stuck at one point and is unable to debug any further. You need to change the control flow at this point and carry on analyzing.
I didn't have much time to unpack this malware; as the packer uses the VirtualProtect API, I'm sure you should be able to find the unpacking routine around this area.
Hope this analysis helps you fight the bad forces.

1 comment:

  1. Nice article mate, thanks for posting

    -Vladmir Antevov