05 February 2008

Trojans packed into uTorrent Mods and BitTorrent (Armadillo) Mods?

sb-innovation.de BitTorrent 6.x SBI Mods (Armadillo 5.x) - http://www.sb-innovation.de
Some mods show outgoing connection / request activity from the program executables even when the BitTorrent 6 mod is closed. Check the firewall log with the rule for the bittorrent_mods executables enabled and then disabled.

Remarks:
Kaspersky and BitDefender include an unpacking engine for PECompact and Armadillo 4 - 5; manual unpacking shows the same result for multi_100_seeder and for one kind of BitTorrent 6 mod.

uTorrent seeder x100 Mods (PECompact ver. 2.78a ~ 2.80 with ADDED DLL INJECTION)
see screenshot:

NEW AV Signature Updates 05.02.2005

BitDefender Internet Security 2008 v11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979216

The new AV signatures are improved: they already detect the Inno Setup installer µtorrent 1.7.7 LP_setup.exe and others.

AV signature, engine and module updates (hourly):
BitDefender Internet Security 2008 v11.0.15 German
Virus Database Date: 06.02.2008
Known Viruses: 979232

The third AV definition update today no longer shows the screen above, but after extracting the installer with innounp (Inno Setup unpacker) or running the setup, one mod, utorrent 1.7.x multi100_seeder.exe, is detected as Trojan AX patched in the temp folder and, if that is skipped, also in the unpacked folder.

Software Description: BitDefender Internet Security 2008
Software Version: 11.0.15
Virus Database Date: 06.02.2008
Known Viruses: 979348

-------------------------------------------------------------------------------
Some packers are not detected: a new backdoor.

Creates the following files in the Windir\Media folder (the same file names as some very old backdoors, but with different signatures):
C:\WINDOWS\Media\csrss.exe
C:\WINDOWS\Media\MSWINSCK.OCX

Appends its own path to the value "Shell"="explorer.exe", giving:

"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
in the registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

and possibly, like the old backdoor, the value:
"RegWrite"="c:\windows\media\csrss.exe"
in the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

After execution, a "fake" csrss.exe from the windir\Media folder shows up in the process manager as soon as Windows starts, alongside the original \system32 Microsoft Corporation Client Server Runtime Process (csrss.exe), and connects to a web server.


After removing these files under windir\Media, an error message appears on startup that reads

No AV, anti-spyware, anti-malware program or startup manager tool ever monitored the logon shell value (Winlogon Shell = explorer.exe) for changes or appended entries, for example:

"Shell"="explorer.exe C:\WINDOWS\Media\csrss.exe"
"Shell"="explorer.exe C:\any application to run with startup test.dll"
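As an added example (not code from the original post), a small Python audit of the two traces described above: a Winlogon Shell value with anything appended to the bare explorer.exe, and a System32-only process name such as csrss.exe running from another folder. The sample values are constructed from the post; on Windows the script can also read the live Shell value via winreg.

```python
"""Audit the Winlogon Shell value and csrss.exe location (added example).
Sample values below are constructed from the post, not live registry reads."""
import sys

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"
# Windows system processes that legitimately run only from System32.
SYSTEM_ONLY_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "smss.exe"}

# Constructed sample Shell values: the default and the two forms from the post.
SAMPLE_CLEAN = "explorer.exe"
SAMPLE_INFECTED = r"explorer.exe C:\WINDOWS\Media\csrss.exe"
SAMPLE_DLL = r"explorer.exe C:\any application to run with startup test.dll"


def audit_shell_value(value):
    """Return a list of findings for a Shell value; an empty list means clean.
    Shell is a comma-separated list of command lines. Anything beyond the bare
    explorer.exe is reported, since the backdoor appends its path there.
    A path containing spaces shows up as several tokens, which is still a finding."""
    findings = []
    for entry in value.split(","):
        tokens = entry.strip().split()
        if not tokens:
            continue
        if tokens[0].lower() != EXPECTED_SHELL:
            findings.append("unexpected shell program: " + tokens[0])
        for extra in tokens[1:]:
            findings.append("extra item appended to Shell: " + extra)
    return findings


def is_masquerading_system_binary(path, system_root=r"C:\WINDOWS"):
    """True when a System32-only process name runs from any other directory,
    e.g. C:\\WINDOWS\\Media\\csrss.exe beside the real System32 csrss.exe."""
    p = path.replace("/", "\\").lower()
    sys32 = system_root.lower().rstrip("\\") + "\\system32\\"
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_ONLY_NAMES and not p.startswith(sys32)


def read_live_shell_value():
    """Read the real Shell value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    value = read_live_shell_value() or SAMPLE_INFECTED
    for finding in audit_shell_value(value):
        print("FINDING:", finding)
```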
