[MALWARE] Happy-2008.exe Win32.Zhelatin.pk Rootkit

Happy-2008 seems to be a new kind of virus, created in occasion of
new year.

Its spreaded in form of Executable, not packed or PE Tricked.
It can be downloaded from an E-Card WebSite.

At the actual state seems that AVs does not detects it, only someone
show it as Suspect-Zipped-File.

.:: The Essay :..
Gets the Current System Directory and next sets up as working directory
Next with GetFullPathNameA retrives “C:\WINDOWS\System32\init_sys.config

If file exists tries to determine its attributes, else creates a file

0040126A  PUSH EBX                                 ; /hTemplateFile => NULL
0040126B  PUSH 80                                  ; |Attributes = NORMAL
00401270  PUSH 2                                   ; |Mode = CREATE_ALWAYS
00401272  PUSH EBX                                 ; |pSecurity => NULL
00401273  PUSH 7                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE|4
00401275  PUSH 40000000                            ; |Access = GENERIC_WRITE
0040127A  LEA EAX,DWORD PTR SS:[EBP-114]           ; |
00401280  PUSH EAX                                 ; |FileName = “C:\WINDOWS\System32\init_sys.config”
00401281  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA

00401293  PUSH ESI ;Points to an Embedded Executable
00401294  PUSH EDI
00401295  MOV EDI,DWORD PTR DS:[<&KERNEL32.WriteFi>;  kernel32.WriteFile
0040129B  PUSH 0
0040129D  LEA EAX,DWORD PTR SS:[EBP-C] ;System Path
004012A0  PUSH EAX
004012A1  LEA ESI,DWORD PTR DS:[EBX+422A98] ; [config] String

A file “init_sys.config” is created and filled with three entries:
Successively, a series of values are attached into this config file, immediately after
[peers] and have this form:


0040132D  CALL happy-20.0040122D       ;Builds init_sys.config and fill it
00401332  LEA ECX,DWORD PTR SS:[EBP-8]
00401335  CALL happy-20.004016E8

00401351  CALL happy-20.00401634 ;EAX = String obtained from GetSystemTime Output

After some calls, EAX points to a new string “init_1a30-12f1”

00401391   PUSH EAX                                 ; /pFilenameInPath
00401392   PUSH DWORD PTR SS:[EBP-8]                ; |Path
00401395   PUSH EBX                                 ; |MaxPathSize
00401396   PUSH DWORD PTR SS:[EBP-4]                ; |FileName
00401399   CALL DWORD PTR DS:[<&KERNEL32.GetFullPat>; \GetFullPathNameA
0040139F   PUSH happy-20.004020D4                   ;  ASCII “.sys”
004013A7   CALL happy-20.00401108

Inside the call 00401108 a new string is assembled “init_1a30-12f1.sys”
please note that the numerical part of the Sys file, changes at every run
because it depends from GetSystemTime output.

004013B1   PUSH ESI ;NULL
004013B2   PUSH ESI ;NULL
004013B3   CALL OpenSCManagerA
004013B9   CMP EAX,ESI
004013BE   JE happy-20.004014D9

After opening Service Manager for LocalHost, Service Status is enumerated and:

00401407  PUSH DWORD PTR SS:[EBP-18]             ; /Arg3
0040140A  PUSH EDI                               ; |Arg2
0040140B  PUSH DWORD PTR DS:[EBX]                ; |Arg1 = 0012FE62 ASCII “Abiosdsk”
0040140D  CALL happy-20.00401579                 ; \happy-20.00401579

This Call compares the Services Name presents in the sistem, with ‘init_’

abp480n5,ACPI,adpu16, etc..

After this check an GetLastError is called:

0040142E  JNZ SHORT happy-20.0040143D
00401430  CALL GetLastError
00401436  CMP EAX,0EA
0040143B  JE SHORT happy-20.004013D1

If the Service exists and is running, the task of happy_2008 ends here.
Else, a copy of a Device Driver is extracted from the executable and runned as
Kernel’s Service.

I’ve extracted that device driver with an HexEditor, it starts at 00403018 and ends at

This rootkit hides itself, but in the next part we will discover what that what it

See you to the Second  part..🙂

One Response to [MALWARE] Happy-2008.exe Win32.Zhelatin.pk Rootkit

  1. […] на разним сајтовима труби како је реч о malware-у за phishing (Evilcodecave се осврнуо на техничке карактеристике ове гамади, а и […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: