W32/Hunk.a / Orer.exe Reverse Code Engineering #1

Good Morning,

Orer.exe is the post-infection result of W32/Huhk.a. Its name derives from explORER.exe; in other words, the virus truncates explorer's name.

The malware attacks the explorer executable by appending itself with the Split Cavity technique, and writes an infected copy of explorer into the Temp directory; so, as you can see, it is relatively easy to detect (but not to remove). Note that the executable's date/time will match that of the original explorer.exe.
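Because the infected copy keeps the original size and timestamp, the practical triage step is a byte-level comparison against a known-clean explorer.exe from the same Windows build: the changed runs show where the virus overwrote code (the entry point redirection described later on this page) and which slack regions it filled. The script below is an added example, not code from the original post or from the malware author; the sample "clean" and "infected" images it builds are constructed byte arrays, not real binaries, and the merge_gap parameter is an assumption of this example, chosen so that a patched block with a few coincidentally equal bytes is reported as one range.

```python
"""Locate the byte ranges a cavity infector changed by diffing a suspect
binary against a known-clean copy of the same file (added example)."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Triage:
    same_size: bool                       # cavity infectors keep the size unchanged
    same_hash: bool                       # False whenever any byte differs
    changed_ranges: List[Tuple[int, int]]  # (file offset, length) runs that differ
    changed_bytes: int


def find_changed_ranges(clean: bytes, suspect: bytes,
                        merge_gap: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where suspect differs from clean.

    Runs separated by at most merge_gap equal bytes are merged into one
    range.  If suspect is longer than clean, the appended tail is reported
    as a final range (an appending infector rather than a cavity one)."""
    ranges: List[Tuple[int, int]] = []
    start = None
    end = -1
    n = min(len(clean), len(suspect))
    for i in range(n):
        if clean[i] != suspect[i]:
            if start is None:
                start = i
            end = i
        elif start is not None and i - end > merge_gap:
            ranges.append((start, end - start + 1))
            start = None
    if start is not None:
        ranges.append((start, end - start + 1))
    if len(suspect) > len(clean):
        ranges.append((n, len(suspect) - n))
    return ranges


def triage(clean: bytes, suspect: bytes, merge_gap: int = 8) -> Triage:
    """Summarise how a suspect file differs from the clean reference."""
    ranges = find_changed_ranges(clean, suspect, merge_gap)
    return Triage(
        same_size=len(clean) == len(suspect),
        same_hash=hashlib.sha256(clean).digest() == hashlib.sha256(suspect).digest(),
        changed_ranges=ranges,
        changed_bytes=sum(length for _, length in ranges),
    )


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed stand-ins for explorer.exe and its infected copy.

    Not real PE files: a 4 KiB image whose first half is 'code' (NOPs) and
    whose second half is zero-filled slack, the kind of cavity an infector
    reuses so the file size stays the same."""
    clean = bytearray(b"\x90" * 0x800 + b"\x00" * 0x800)
    infected = bytearray(clean)
    # 1) entry point redirected: a 5-byte near call patched over original code
    infected[0x200:0x205] = b"\xe8\x00\x0e\x00\x00"
    # 2) payload dropped into the zero-filled cavity; size is unchanged
    infected[0xF00:0xF40] = bytes(range(1, 0x41))
    return bytes(clean), bytes(infected)


if __name__ == "__main__":
    # In practice: clean = open(<known-good explorer.exe>, "rb").read(),
    # suspect = open(<copy found in %TEMP%>, "rb").read()  (paths are placeholders)
    clean_img, suspect_img = build_samples()
    result = triage(clean_img, suspect_img)
    print(f"same size: {result.same_size}, same hash: {result.same_hash}")
    for off, length in result.changed_ranges:
        print(f"  changed {length:5d} bytes at offset 0x{off:08x}: "
              f"{suspect_img[off:off + 8].hex()}...")
```

When run against the constructed samples the two reported ranges are the 5-byte patch at 0x200 and the 64-byte payload at 0xF00; on a real sample the first range at the entry point is the one to disassemble first, since that is where control is diverted into the decrypt routine.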

Infection Symptoms

  • The desktop's icons disappear for a few instants
  • RAdmin and other network monitoring tools are unable to establish connections
  • Windows frequently reports memory access violations
  • MS Word is killed a few seconds after it is opened
  • Particular programs, such as FileMaker, will be destroyed

Characteristics

Three threads are created:

  1. The first one hooks the API function CreateProcessW in order to redirect execution to the virus code.
  2. The second one infects files with the extension .exe located on removable disks and on the C drive.
  3. The last one infects files with the extension .exe on network shares.

.:: First Look Analysis ::.

The executable is neither packed nor encrypted (important in order to keep the same size as explorer), apart from a few small, simple portions of self-modifying code; debug information is not stripped (remember that orer.exe derives from explorer.exe), so RCE is truly easy.

At a first look at the dead listing, the code seems identical to explorer's:

01019634                 call    loc_10460D0 ; Entry Point Lands Here..
01019639                 sub     esp, 44h
0101963C                 push    esi
0101963D                 push    edi
0101963E                 push    10h             ; nInBufferSize
01019640                 push    offset aExplorerstartu ; "ExplorerStartup"
01019645                 call    sub_10146D4
0101964A                 call    sub_1019708
0101964F                 push    1               ; uMode
01019651                 call    ds:SetErrorMode

The code listed above corresponds to the entry point of orer, and we can immediately see a fundamental difference from explorer's code: the call to 010460D0, which contains a runtime decrypt routine.

The second part of the W32 Hunk.a RCE will be available soon 🙂

Have a Nice Day

3 Responses to W32/Hunk.a / Orer.exe Reverse Code Engineering #1

  1. untitledfinale says:

    Really nice, I look forward to the second part 🙂

  2. Alice says:

    how do we remove this virus?

    • evilcodecave says:

      Hi,

      Due to the fact that orer.exe is a modified version of explorer, just substitute it and clear the Temp folder 🙂

      If the desktop does not appear, just download a substitute for explorer, like BlackBox
      http://blackboxwm.sourceforge.net/ ; you can press ctrl+alt+canc, go to Run, type cmd, launch it from cmd and then make the orer substitution 😉

      Regards,
      Giuseppe
