The hunt for the mysterious drowor.a

Guest Bomb123

Well, I decided to create this thread to show how I will hunt down and capture a mysterious drowor.a virus that is hiding in the computer's memory. It infects the memory of shimeng.dll and is detected by Ikarus in the memory dump of the shimeng.dll file. Here is the VirusTotal report: http://www.virustotal.com/file-scan/report...3946-1287777911

Now let us take a look at some facts about the shimeng.dll file; here is a link: http://www.file.net/process/shimeng.dll.html. The file can be injected into all Windows processes, but why is there a piece of code in its memory that triggers that drowor.a detection? Well, that is a good question, and that's what I am about to research in this thread... Now let's take a look at the VirusTotal report of the shimeng.dll that is located in the system32 folder: http://www.virustotal.com/file-scan/report...faf3-1287821229

Now we can see that no scanner detects it like that; the virus is only in its memory space.


Guest Bomb123

Now that I have continued my epic research of this virus infection, I have found that shimeng.dll is injected into the following processes:

alg.exe
explorer.exe
lsass.exe
services.exe
spoolsv.exe
svchost.exe (10 instances)
wmiprvse.exe

The shimeng.dll address seems to be 0x5cb70000 in all those files; dumping this produces a 4-byte file that is detected as corrupt.ep by two scanners in VirusTotal but not by Ikarus...

http://www.virustotal.com/file-scan/report...2a04-1287841061

http://www.precisesecurity.com/threats/worms/corrupt-ep/


Guest Bomb123
After looking at that 4-byte memory dump with FileAlyzer, I found out that I must also examine kernel32.dll, and I dumped its memory. Here is the VirusTotal report: http://www.virustotal.com/file-scan/report...e4b8-1287843144


Guest Bomb123

And now we shall take a look at the memory dumps of all the files that are injected by shimeng.dll...

explorer.exe http://www.virustotal.com/file-scan/report...9d3b-1287854806

alg.exe http://www.virustotal.com/file-scan/report...1dc8-1287855016

lsass.exe http://www.virustotal.com/file-scan/report...ac04-1287855149

services.exe http://www.virustotal.com/file-scan/report...2c66-1287855286

spoolsv.exe http://www.virustotal.com/file-scan/report...8d9f-1287855412

svchost.exe http://www.virustotal.com/file-scan/report...b493-1287855553

wmiprvse.exe http://www.virustotal.com/file-scan/report...0a76-1287855696

http://www.trustedsource.org/malware-virus...t-CodeExec-NLLH

I think that the antivirus company that can add this virus/rootkit to their virus definitions should be called the greatest antivirus of all time...


Guest Bomb123

So I scanned my computer for some alternate data streams, and they were found in both notepad and regedit, so I uploaded notepad to VirusTotal and it was detected as banker: http://www.virustotal.com/file-scan/report...44f5-1287926349

regedit was not detected, but when I dumped its memory it was detected by F-Secure, GData and BitDefender as Gen:Trojan.Heur.FU.zmZ@amfNK4d: http://www.virustotal.com/file-scan/report...797a-1287926862

Also, these files use the shimeng.dll file.

I used StreamArmor to scan for these streams... Here are the results concerning notepad.exe and regedit.exe...

Stream Name | Size | Content Type | Threat Information | Base Type | File Date | Stream File Path
d83c-9a8f | 13 B | Unknown | Binary file carrying Streams is suspicious | File | 01-01-2010 | C:\WINDOWS\notepad.exe:d83c-9a8f
d83c-9a8f | 13 B | Unknown | Binary file carrying Streams is suspicious | File | 03-08-2004 | C:\WINDOWS\regedit.exe:d83c-9a8f
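An added example, not from the thread and not StreamArmor's own code: a PowerShell snippet that enumerates the alternate data streams on notepad.exe and regedit.exe the way the table above reports them, then hex-dumps any stream other than the default one so a 13-byte stream can be triaged without opening or running anything. The paths under $env:windir are an assumption.

```powershell
# Added example: list alternate data streams (ADS) on the two binaries from the post
# and show the raw bytes of any non-default stream. Windows PowerShell 3.0+.
$targets = @("$env:windir\notepad.exe", "$env:windir\regedit.exe")   # assumed paths

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }

    # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS worth a look.
    $extra = Get-Item -LiteralPath $path -Stream * | Where-Object { $_.Stream -ne ':$DATA' }
    if (-not $extra) { Write-Output "$path : no alternate data streams"; continue }

    foreach ($s in $extra) {
        Write-Output ("{0}:{1}  ({2} bytes)" -f $path, $s.Stream, $s.Length)
        # Read the stream as raw bytes and print them as hex so the content can be
        # inspected safely. -Encoding Byte is Windows PowerShell syntax; on
        # PowerShell 7 replace it with -AsByteStream.
        $bytes = Get-Content -LiteralPath $path -Stream $s.Stream -Encoding Byte -ReadCount 0
        $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ' '
        Write-Output ("    hex: {0}" -f $hex)
    }
}
```

Run it from an elevated prompt if the system directory is read-protected; the hex output is what you would compare against the 13-byte d83c-9a8f stream size reported above.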
