Thread: the drivers are peed or wincom32 probably but the exe isnt detected by norton

  1. #1
    Super Moderator (joined Dec 2004)


    i saw this alt.exe trying to run and getting crashed

    alg is ok alt ??

    lets hunt

    in the process i found two drivers were installed (a generic search reveals they are peed or wincom32.sys rootkits)

    but none of the exe files in the zip is detected by a valid up-to-date norton on my comp

    the zip contains two zips inside (password malware) for all pwed zips

    one zip contains three exes alt.exe, alt.exe.exe, pee.exe.exe, one xml file, and one csv file (i grabbed the last two coz they had the same time stamp)

    other zip contains rooty.sys (original name wincom32.sys) other is rootdev.sys (original name windev.randomno.sys) and two ini files that had the same names hidden in c:\windows\system32 folder

    password is malware again

    i haven't checked any one of them yet, just googled for five minutes to see if some info is there


  2. #2
    Super Moderator (joined Dec 2004)
    as of now a few detect this and most do not; a scan result from jotti:

    Scan taken on 22 May 2007 16:21:29 (GMT)
    A-Squared Found nothing
    AntiVir Found WORM/Zhelatin.Gen
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Packed.Win32.Tibs.y
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Packed.Win32.Tibs.y
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    VirusBuster Found Trojan.Tibs.Gen!Pac.122
    VBA32 Found nothing

  3. #3
    Kayaker, Teach, Not Flame (joined Oct 2000)
    Just a little heads up on beginning the analysis of the drivers of this malware..

    To start with, the zip file blabberer attached - it contains 2 zip files as mentioned, but the file named 'wincom32' should actually be renamed ''. Then you can unzip it with the supplied password to get the 2 drivers.

    There is various info about wincom32 around, I found that the service entry in the registry defines it as a Start Type 2 driver, a regular Win32 Service that is loaded by the Service Control Manager (SCM).

    "start" = "2"

    This means we can start the drivers manually with any old SCM loader and trace it in Softice. I used DriverMonitor in the Softice Tools directory. You could also use the OSR driver loader, or Greg Hoglund's instdrv, or your own or whatever..

    Recall how a driver is loaded through ntoskrnl!IopLoadDriver and the sequence:

    push dword ptr [ebp-0x0090]   // PUNICODE_STRING RegistryPath
    push edi                      // PDRIVER_OBJECT pDriverObject
    call [edi+0x2C]               // DriverEntry

    We can set a breakpoint on Call [edi+0x2C] in order to trace directly into the rootkit driver INIT routine. A combination of IDA + symbols + some digging will find this address for you. Or do it dynamically by tracing back into ntoskrnl from your own driver INIT..
    In XPsp2 this ntoskrnl address is 0x805A69D0.

    With Softice and this breakpoint we've now got a way to trace the driver.. Now let's take a look at the IDA disassembly for ROOTY.SYS (the file named ROOTDEV.SYS is similar):

    INIT:0001D300                 public start
    INIT:0001D300 start           proc near
    INIT:0001D300 arg_0           = dword ptr  4
    INIT:0001D300                 mov     edx, [esp+arg_0]  ; PDRIVER_OBJECT
    INIT:0001D304                 mov     edx, [edx+0Ch]    ; DRIVER_OBJECT.DriverStart
    INIT:0001D307                 add     edx, 0DB00h
    INIT:0001D30D                 mov     eax, 0DF95h
    INIT:0001D312                 pusha
    INIT:0001D313                 mov     ecx, 45Ch
    INIT:0001D318                 mov     esi, edx
    INIT:0001D31A                 mov     edi, esi
    INIT:0001D31C loc_1D31C:                              ; CODE XREF: start+29j
    INIT:0001D31C                 lodsd
    INIT:0001D31D                 sub     eax, 24738268h
    INIT:0001D322                 stosd
    INIT:0001D323                 sub     ecx, 4
    INIT:0001D326                 cmp     ecx, 0
    INIT:0001D329                 jge     short loc_1D31C
    INIT:0001D32B                 popa
    INIT:0001D32C                 add     edx, 8
    INIT:0001D32F                 jmp     edx
    INIT:0001D32F start           endp

    Hmmm, looks awfully like a decryption routine doesn't it?
    You can see that the first thing it does is get DRIVER_OBJECT.DriverStart from the stack parameters. This is the MZ header of the PE file. Then it adds the offset 0DB00h, which would be the start of the encrypted block.

    OK, so if the Base Offset of the file is 00010000h, then 0001DB00h must be...
    Wait a minute, this is outside of what IDA disassembled, what the heck?
    Well, from live tracing I already know that this offset is in the .reloc section.. ooh, that's different

    Take a look at the code characteristics of the PE file: the .reloc section is defined as C0000060 (writable, executable, non-discardable). Normal .reloc characteristics would define the opposite of these (42000040).

    OK, so we need to reanalyze the file in IDA, this time select the checkbox Manual Load from the IDA dialog box and when it asks you choose Yes to loading the .reloc section.

    Now we can create a little IDC script, adapted straight from the IDA site example, to mimic the simple decryption:

    // Decrypt rooty.sys (Wincom32)
    // decrypt_rooty.idc
    // usage from Shift-F2: decrypt(0x1DB00, 0x45C, 0x24738268);
    #include <idc.idc>
    static decrypt( from, size, key ) {
      auto i, x;                // define the variables
      for ( i=0; i < size; i=i+4 ) {
        x = Dword(from);        // fetch the dword
        x = (x - key);          // decrypt it
        PatchDword(from,x);     // put it back
        from = from + 4;        // next dword
      }
    }

    Load the IDC script and hit Shift-F2 to execute it with the proper command and parameters:
    decrypt(0x1DB00, 0x45C, 0x24738268);

    Scroll down to offset 0x1DB08 (the first 2 dwords of the encrypted bytes are zeroed out) and tell IDA to Convert to instruction (C) from the toolbar or menu. Voilà, the code is decrypted.

    The various offsets are relative to ebp and don't make much sense unless you're also live tracing in Softice, but it's a start. The driver uses MmGetSystemRoutineAddress to do much of its work, I haven't traced much of it yet though.

    For interest/comparison you might want to look at Nicolas Brulez's blog
    Kernel Driver Backdooring
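    The subtract loop from the INIT disassembly above, re-implemented in Python as an added example (not code from the thread, the IDC script, or the driver). It uses the disassembly's own constants (0DB00h, 45Ch, 24738268h, jmp edx+8) and, beyond what the post states, shows that the `sub ecx,4 / cmp ecx,0 / jge` loop touches 0x460 bytes, one dword more than the `i < size` loop of the IDC script patches. The image it runs on is a constructed stand-in, not rooty.sys.

```python
import struct

# Constants lifted from the rooty.sys INIT disassembly in this thread.
ENC_OFFSET = 0xDB00      # add edx, 0DB00h : offset from DriverStart (the MZ header)
ENC_SIZE   = 0x45C       # mov ecx, 45Ch
KEY        = 0x24738268  # sub eax, 24738268h
ENTRY_SKIP = 8           # add edx, 8 / jmp edx : real entry is 8 bytes into the block


def driver_loop_length(size: int = ENC_SIZE) -> int:
    """Number of bytes the driver's loop really touches.

    ecx starts at `size`, is decremented by 4 only *after* each lodsd/stosd
    pair, and the loop repeats while ecx >= 0 (cmp ecx,0 / jge). That is
    size/4 + 1 dwords, one more than `for (i=0; i<size; i+=4)` in the IDC script.
    """
    touched, ecx = 0, size
    while True:
        touched += 4          # lodsd / sub eax,key / stosd
        ecx -= 4              # sub ecx, 4
        if ecx < 0:           # cmp ecx, 0 ; jge -> falls through once negative
            return touched


def decrypt_block(image: bytes, offset: int = ENC_OFFSET, size: int = ENC_SIZE,
                  key: int = KEY, driver_semantics: bool = True) -> bytearray:
    """Return a copy of `image` with the block at `offset` decrypted.

    driver_semantics=True mirrors the jge loop; False mirrors the IDC script,
    which stops one dword short. `image` is the driver as mapped at
    DriverStart, so `offset` is an RVA, not a raw file offset.
    """
    out = bytearray(image)
    length = driver_loop_length(size) if driver_semantics else size
    for pos in range(offset, offset + length, 4):
        (x,) = struct.unpack_from("<I", out, pos)
        struct.pack_into("<I", out, pos, (x - key) & 0xFFFFFFFF)  # 32-bit sub wraps
    return out


def decrypted_entry(image_base: int, offset: int = ENC_OFFSET) -> int:
    """Address the stub jumps to after decrypting (edx + 8): 0x1DB08 with IDA's base 0x10000."""
    return image_base + offset + ENTRY_SKIP


# --- constructed sample, not a real driver image ---------------------------
def encrypt_block(image: bytes, offset: int, length: int, key: int) -> bytes:
    """Inverse transform (add key); used only to build the sample image."""
    out = bytearray(image)
    for pos in range(offset, offset + length, 4):
        (x,) = struct.unpack_from("<I", out, pos)
        struct.pack_into("<I", out, pos, (x + key) & 0xFFFFFFFF)
    return bytes(out)


def build_sample_images() -> tuple:
    """Constructed (plaintext, encrypted) pair laid out like the driver: a
    zero-filled image with a pseudo-random 'code' block at ENC_OFFSET whose
    first two dwords are zero, encrypted over the length the driver loop uses."""
    length = driver_loop_length()
    stub = bytes(8) + bytes((i * 37 + 11) & 0xFF for i in range(length - 8))
    plain = bytes(ENC_OFFSET) + stub + bytes(0x100)
    return plain, encrypt_block(plain, ENC_OFFSET, length, KEY)
```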


  4. #4
    Super Moderator (joined Dec 2004)
    i was trying to windbg this crap
    but windbg is not as responsive as i wanted it to be
    and even with windbg i would have ended up spelunking headers to make it behave like i wished, so as usual i ended up breaking this with ollydbg

    small recap of windbg trial (if anyone out there is an expert in windbg and can point out something that i may have missed, they are welcome)

    windbg has the ability to load sys files as dump files
    the command line is windbg -z "yoursys.sys"

    on loading a sysfile thus
    windbg gets us to Peheader->AddrofEntrypoint

    and we are stuck with deciphering what would be at [esp+4]

    now, as kayaker has posted, a pointer to Driver_object was passed as a param in nt!NtLoadDrivers -> IopLoadDriver -> indirect call

    Driver_OBJECT is
    lkd> dt _DRIVER_OBJECT
       +0x000 Type             : Int2B
       +0x002 Size             : Int2B
       +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
       +0x008 Flags            : Uint4B
       +0x00c DriverStart      : Ptr32 Void
       +0x010 DriverSize       : Uint4B
       +0x014 DriverSection    : Ptr32 Void
       +0x018 DriverExtension  : Ptr32 _DRIVER_EXTENSION
       +0x01c DriverName       : _UNICODE_STRING
       +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
       +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
       +0x02c DriverInit       : Ptr32     long
       +0x030 DriverStartIo    : Ptr32     void
       +0x034 DriverUnload     : Ptr32     void
       +0x038 MajorFunction    : [28] Ptr32     long
    so it is dereferencing +0x0c so it is DriverStart
    edx will hold Driver_object->DriverStart

    this particular member isnt documented in GOOGLE
    so assuming this will be MZ header we can safely decrypt 45c bytes from
    IMAGE_BASE+db00 (whatever address it may be)

    windbg too has the ability to PatchDword like kayaker posted for ida

    usage is cryptic, you have to use those pseudo registers r $t0 to r $t9 and aliases

    a simple script to the tune of
    $$ start of the encrypted block (IMAGE_BASE+db00 once the image is loaded)
    r $t0 = 0x1db00
    $$ the const that's subtracted (from the INIT disassembly)
    r $t1 = 0x24738268
    $$ subtract the const from each dword and write it back until 45c bytes are done
    .for (r $t2 = 0; @$t2 < 0x45c; r $t2 = @$t2 + 4) { ed @$t0+@$t2 dwo(@$t0+@$t2)-@$t1 }

    would yield a decrypted stub
    and we can then modify the entry point too to point to 1db08
    and then dump this whole memory with

    but windbg didn't load the .reloc section and like i said i would have ended up spelunking headers again making the whole sys sections as one big section
    etc also i didnt know what else were in store further

    so i just discarded windbg approach

    and loaded my fav

    and i'll let the animation speak for itself
    this is a compilation of 124 screen shots and it is running kinda absurd
    but i hope it is understandable

    i have broken till it resolved the first import

    this board doesn't allow more than 1 mb zip, it's already 1.4mb
    so i uploaded it to rapid share

  5. #5
    Kayaker, Teach, Not Flame (joined Oct 2000)
    Originally Posted by blabberer:
    this board doesn't allow more than 1 mb zip...
    ..all depends on who you know

  6. #6
    O.K. I'll ask for everybody. Who do you know??? Oh yah. Him!


  7. #7
    ok, i agree with kayaker, but after your post jmi .... do i know you?

    define "know"

    i like the "MALware BEware" formulation

    cheers, 0xf001

  8. #8
    Super Moderator (joined Dec 2004)
    ..all depends on who you know
    next time onwards i'll hunt the creeks and rapids first

  9. #9
    But be careful you don't end "up a creek without a paddle," as we say in this country! That's when you bump into those big, nasty rocks!


  10. #10
    Super Moderator (joined Dec 2004)
    Originally Posted by JMI:
    But be careful you don't end "up a creek without a paddle," as we say in this country!

    When i am up a creek without a paddle, i'll appoint a Special Commission headed by YOU. And when i am up a creek without a paddle or a canoe, i'll appoint you as a Czar.

    i probably won't be munsoned in the middle of nowhere then

  11. #11
    For those of you who might not get the reference to:

    "Munsoned out in the middle of nowhere" (meaning up the creek without a paddle), it's a line from a movie, which you will find discussed here:


  12. #12
    Super Moderator (joined Dec 2004)
    this anubis project sure rocks

    i was trolling around and saw this site and fed this alt.exe to it

    and it simply gives a very broad understanding of what the exe does

    also it seems this alt is invoking dwwin.exe intentionally
    and also plays with windows' default debugger ntsd

    so what i commented in my first post, that it gets to execute and crashes,
    seems to be a valid observation

    Anubis: Analyzing Unknown Binaries
    Analysis Report for 126968_alt.exe
    1. General Information 
    Information about Anubis' invocation 
    Time needed: 121 s 
    Report created: 5/22/2007, 4:13:55 PM 
    Termination reason: Timeout 
    Program version: 1.13 
    2. 126968_alt.exe
    General information about this executable 
    Analysis Reason: Primary Analysis Target 
    Filename: 126968_alt.exe 
    MD5: b0817868c6376c90aae57b14fdd6e424 
    CRC32: 4EF7937C 
    File Size: 133684 Bytes 
    Arguments: 126968_alt.exe  
    Process-status at analysis end: alive 
    Exit Code: 0 
    Load-time Dlls 
    Run-time Dlls 
    PEiD Output 
    Nothing found * 
    2.a) 126968_alt.exe - Registry Activities
    Registry Values Read (Key / Name / Value / Times):
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  AllOrNone  1  1
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  DoReport  1  1
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeKernelFaults  1  1
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeMicrosoftApps  1  1
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  IncludeWindowsApps  1  1
    HKLM\Software\Microsoft\PCHealth\ErrorReporting  ShowUI  1  1
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug  Auto  1  1
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug  Debugger  drwtsn32 -p %ld -e %ld -g  1
    HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  TU-4NH09SMCG1HC  1
    HKLM\System\Setup  SystemSetupInProgress  0  1
    2.b) 126968_alt.exe - File Activities 
    Files Created: 
    Files Read: 
    Files Modified: 
    File System Control Communication: 
    File Control Code Times 
    PIPE\lsarpc 1163287 6 
    Device Control Communication: 
    File Control Code Times 
    unnamed file 3735560 7 
    Memory Mapped Files: 
    File Name 
    2.c) 126968_alt.exe - Process Activities 
    Processes Created: 
    Executable Command Line 
     C:\WINDOWS.0\system32\dwwin.exe -x -s 1876 
    3. dwwin.exe
    General information about this executable 
    Analysis Reason: Started by 126968_alt.exe 
    Filename: dwwin.exe 
    Arguments: C:\WINDOWS.0\system32\dwwin.exe -x -s 1876 
    Process-status at analysis end: alive 
    Exit Code: 0 
    Load-time Dlls 
    Run-time Dlls 
    3.a) dwwin.exe - Registry Activities
    Registry Values Modified (Key / Name / New Value):
    HKU\S-1-5-21-842925246-1677128483-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
    HKU\S-1-5-21-842925246-1677128483-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Personal  C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
    Registry Values Read (Key / Name / Value / Times):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion  DigitalProductId  0xa40000000300000035353337352d3634302d313435373233362d32333435  1
    HKLM\Software\Microsoft\Windows\CurrentVersion  CommonFilesDir  C:\Programme\Gemeinsame Dateien  1
    HKLM\Software\Microsoft\Windows\CurrentVersion  ProgramFilesDir  C:\Programme  1
    HKU\S-1-5-21-842925246-1677128483-1957994488-500\Software\Microsoft\Internet Explorer\Settings  Anchor Color  0,0,255  4
    HKU\S-1-5-21-842925246-1677128483-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  AppData  %USERPROFILE%\Anwendungsdaten  1
    HKU\S-1-5-21-842925246-1677128483-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Personal  %USERPROFILE%\Eigene Dateien  1
    3.b) dwwin.exe - File Activities 
    Files Created: 
    Files Read: 
    Device Control Communication: 
    File Control Code Times 
    unnamed file 3735560 4 
    Memory Mapped Files: 
    File Name 
    3.c) dwwin.exe - Process Activities 
    Thread Overview: 
    Time Number of threads 
    After 9 seconds 2 
    Foreign Memory Regions Read: 
    Process: C:\InsideTm\126968_alt.exe 
    3.d) dwwin.exe - Other Activities 
    Mutexes Created: 
    Secure Systems Lab, Vienna University of Technology 