Happy-2008 appears to be a new virus created for the New Year.
It spreads as a plain executable, neither packed nor protected with PE tricks,
and can be downloaded from an e-card website.
At the moment most AVs do not detect it; only some flag it as Suspect-Zipped-File.
/system32.
If the file exists it tries to determine its attributes, otherwise it creates the file:
0040126B PUSH 80 ; |Attributes = NORMAL
00401270 PUSH 2 ; |Mode = CREATE_ALWAYS
00401272 PUSH EBX ; |pSecurity => NULL
00401273 PUSH 7 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE|4
00401275 PUSH 40000000 ; |Access = GENERIC_WRITE
0040127A LEA EAX,DWORD PTR SS:[EBP-114] ; |
00401280 PUSH EAX ; |FileName = "C:\WINDOWS\System32\init_sys.config"
00401281 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
00401293 PUSH ESI ;Points to an Embedded Executable
00401294 PUSH EDI
00401295 MOV EDI,DWORD PTR DS:[<&KERNEL32.WriteFi>; kernel32.WriteFile
0040129B PUSH 0
0040129D LEA EAX,DWORD PTR SS:[EBP-C] ;System Path
004012A0 PUSH EAX
004012A1 LEA ESI,DWORD PTR DS:[EBX+422A98] ; [config] String
004012A7 PUSH DWORD PTR DS:[ESI]
[config]
[local]
[peers]
Entries are stored under [peers] and have this form:
00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00
0040132D CALL happy-20.0040122D ;Builds init_sys.config and fill it
00401332 LEA ECX,DWORD PTR SS:[EBP-8]
00401335 CALL happy-20.004016E8
…
00401351 CALL happy-20.00401634 ;EAX = String obtained from GetSystemTime Output
…
After some calls, EAX points to a new string "init_1a30-12f1"
00401391 PUSH EAX ; /pFilenameInPath
00401392 PUSH DWORD PTR SS:[EBP-8] ; |Path
00401395 PUSH EBX ; |MaxPathSize
00401396 PUSH DWORD PTR SS:[EBP-4] ; |FileName
00401399 CALL DWORD PTR DS:[<&KERNEL32.GetFullPat>; \GetFullPathNameA
0040139F PUSH happy-20.004020D4 ; ASCII ".sys"
004013A4 LEA ECX,DWORD PTR SS:[EBP-8]
004013A7 CALL happy-20.00401108
Note that the numerical part of the .sys file name changes at every run,
because it is derived from the GetSystemTime output.
004013B1 PUSH ESI ;NULL
004013B2 PUSH ESI ;NULL
004013B3 CALL OpenSCManagerA
004013B9 CMP EAX,ESI
004013BB MOV DWORD PTR SS:[EBP-C],EAX
004013BE JE happy-20.004014D9
After opening the Service Control Manager for the local host, the service status is enumerated and:
00401407 PUSH DWORD PTR SS:[EBP-18] ; /Arg3
0040140A PUSH EDI ; |Arg2
0040140B PUSH DWORD PTR DS:[EBX] ; |Arg1 = 0012FE62 ASCII "Abiosdsk"
0040140D CALL happy-20.00401579 ; \happy-20.00401579
This call compares the names of the services present in the system (abp480n5, ACPI, adpu16, etc.) with 'init_'.
After this check GetLastError is called; 0xEA is ERROR_MORE_DATA (234), the value the service enumeration reports when more entries remain, so the loop back to 004013D1 fetches the next batch:
0040142E JNZ SHORT happy-20.0040143D
00401430 CALL GetLastError
00401436 CMP EAX,0EA
0040143B JE SHORT happy-20.004013D1
If the service exists and is running, the work of happy_2008 ends here.
Otherwise, a copy of a device driver is extracted from the executable and started as a
kernel-mode service.
I've extracted that device driver with a hex editor; it starts at 00403018 and ends at
00424FF8.
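The two host-side traces described above, the INI-style init_sys.config with its [peers] entries and the "init_"-prefixed kernel service, are enough for a simple triage check. The script below is an added example, not code from the original post: it parses a constructed copy of the dropped config (the peer-entry regex and the second peer line are assumptions; only the first peer line comes from the write-up) and applies the same "init_" prefix test the malware itself uses against a list of service names.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample of the dropped init_sys.config, following the [config] /
# [local] / [peers] layout described above. The first peer line is the one
# quoted in the write-up; the second is made up and is not a real indicator.
SAMPLE_CONFIG = """[config]
[local]
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCFC042170F00
0000FFFFFFFFFFFFFFFFFFFFFFFFFFFF=0000000000000000
this line does not match the peer format
"""

# Peer entry: 32 hex digits, '=', hex value (assumed format, generalised from
# the single entry shown on the page).
PEER_RE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]+)$")

def parse_config(text: str) -> Dict[str, List[str]]:
    """Split INI-style text into {section_name: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def extract_peers(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from [peers] that match the entry format."""
    peers = []
    for line in sections.get("peers", []):
        m = PEER_RE.match(line)
        if m:
            peers.append((m.group(1).upper(), m.group(2).upper()))
    return peers

def find_init_services(service_names: List[str]) -> List[str]:
    """Mirror the malware's own check: service names starting with 'init_'."""
    return [n for n in service_names if n.lower().startswith("init_")]

def looks_infected(config_text: str, service_names: List[str]) -> bool:
    """Either indicator alone (config layout or an init_ service) warrants a look."""
    sections = parse_config(config_text)
    has_layout = {"config", "local", "peers"} <= set(sections)
    return has_layout or bool(find_init_services(service_names))
```

On a live host the config text would be read from C:\WINDOWS\System32\init_sys.config and the service names from the SCM (for example `sc query type= driver`); the parsing and prefix logic stay the same.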
This rootkit hides itself; in the next part we will discover what it
does 🙂
See you in the second part.. 🙂
[…] on various sites trumpets that this is phishing malware (Evilcodecave has looked at the technical characteristics of this vermin, and […]