06.09.2012, 20:13
Hmm, so I had a look at this Crystal Security.
It's written in Microsoft Visual C#/Basic.NET, entropy 5.80, which can be described as medium. I classify the program as spyware/keylogger. What it does: when it is run with a browser open, it reads all the pages that are open at that moment, i.e. their content, mainly pictures, avatars and icons, and dumps them into a hidden folder at this location: C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5. There is also a large number of connections as well as DNS queries.
Code:
48 54 54 50 2F 31 2E 31 |HTTP/1.1
20 32 30 30 20 4F 4B 0D | 200 OK.
0A 43 6F 6E 74 65 6E 74 |.Content
2D 54 79 70 65 3A 20 69 |-Type: i
6D 61 67 65 2F 70 6E 67 |mage/png
0D 0A 4C 61 73 74 2D 4D |..Last-M
6F 64 69 66 69 65 64 3A |odified:
20 4D 6F 6E 2C 20 30 32 | Mon, 02
20 41 70 72 20 32 30 31 | Apr 201
32 20 30 30 3A 31 33 3A |2 00:13:
32 33 20 47 4D 54 0D 0A |23 GMT..
44 61 74 65 3A 20 54 68 |Date: Th
75 2C 20 30 36 20 53 65 |u, 06 Se
70 20 32 30 31 32 20 30 |p 2012 0
37 3A 30 30 3A 31 35 20 |7:00:15
47 4D 54 0D 0A 45 78 70 |GMT..Exp
69 72 65 73 3A 20 46 72 |ires: Fr
69 2C 20 30 36 20 53 65 |i, 06 Se
70 20 32 30 31 33 20 30 |p 2013 0
37 3A 30 30 3A 31 35 20 |7:00:15
47 4D 54 0D 0A 58 2D 43 |GMT..X-C
6F 6E 74 65 6E 74 2D 54 |ontent-T
79 70 65 2D 4F 70 74 69 |ype-Opti
6F 6E 73 3A 20 6E 6F 73 |ons: nos
6E 69 66 66 0D 0A 53 65 |niff..Se
72 76 65 72 3A 20 73 66 |rver: sf
66 65 0D 0A 43 6F 6E 74 |fe..Cont
65 6E 74 2D 4C 65 6E 67 |ent-Leng
74 68 3A 20 31 35 31 0D |th: 151.
0A 58 2D 58 53 53 2D 50 |.X-XSS-P
72 6F 74 65 63 74 69 6F |rotectio
6E 3A 20 31 3B 20 6D 6F |n: 1; mo
64 65 3D 62 6C 6F 63 6B |de=block
0D 0A 43 61 63 68 65 2D |..Cache-
43 6F 6E 74 72 6F 6C 3A |Control:
20 70 75 62 6C 69 63 2C | public,
20 6D 61 78 2D 61 67 65 | max-age
3D 33 31 35 33 36 30 30 |=3153600
30 0D 0A 41 67 65 3A 20 |0..Age:
34 30 35 35 34 0D 0A 0D |40554...
0A 89 50 4E 47 0D 0A 1A |.‰PNG..
0A 00 00 00 0D 49 48 44 |.....IHD
52 00 00 00 13 00 00 00 |R.......
0B 08 06 00 00 00 9D D5 |......ťŐ
B6 3A 00 00 00 04 73 42 |¶:....sB
49 54 08 08 08 08 7C 08 |IT....|.
64 88 00 00 00 4E 49 44 |d...NID
41 54 28 91 ED 90 31 0A |AT(‘í1.
C0 30 0C 03 2F A1 83 FE |Ŕ0../ˇţ
EC 25 E0 4F 6B 4B A7 42 |ě%ŕOkK§B
C9 52 48 3C F6 16 61 63 |ÉRH<öac
24 E1 96 99 D3 36 A7 48 |$á–™Ó6§H
A2 57 18 01 D8 A6 3F C3 |˘W.ئ?Ă
18 E3 48 01 5A 44 CC 92 |ăH.ZDĚ’
6A F0 37 DB E0 5A 17 EF |jđ7ŰŕZď
A4 2F D6 DB DA 9F 49 2A |¤/ÖŰÚźI*
31 92 C4 0D 3D 86 3C 5C |1’Ä.=†<\
3C BA FC 96 00 00 00 00 |<şü–....
49 45 4E 44 AE 42 60 82 |IEND®B`‚
Execution log:
File name: c:\users\tachion\desktop\malware\crystal security 2.4.5.31\crystal security.exe
[ Changes to filesystem ]
* Modifies file (hidden) C:\Users\tachion\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Internet Explorer\DOMStore\SV9OOFF7\www.google.co[1] .xml
* Modifies file C:\Users\tachion\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
* Modifies file (hidden) C:\Users\tachion\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
* Modifies file (hidden) C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\b_8d5afc09[1] .png
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\fe83311bbf12d6ad[1] .js
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\nav_logo114[1] .png
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\rs=AItRSTPaBvP4g8hqk_5n2KnxHEqRe2jifg[1] .js
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\search[1] .htm
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\sem_54e2402a5e33215e251a3491f27fcbad[1] .js
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\swxa[1] .gif
* Creates file C:\Users\tachion\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC6EU9PM\tia[1] .png
* Creates file (empty) C:\Users\tachion\AppData\Roaming\Crystal Security\ActivityMonitor.txt
* Creates file (empty) C:\Users\tachion\AppData\Roaming\Crystal Security\Blacklist.txt
* Creates file (empty) C:\Users\tachion\AppData\Roaming\Crystal Security\CustomArea.txt
* Creates file C:\Users\tachion\AppData\Roaming\Crystal Security\CustomType.txt
* Creates file C:\Users\tachion\AppData\Roaming\Crystal Security\Settings.txt
* Creates file (empty) C:\Users\tachion\AppData\Roaming\Crystal Security\Whitelist.txt
* Modifies file (hidden) C:\Users\tachion\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
* Creates file C:\Users\tachion\AppData\Roaming\Microsoft\Windows\Cookies\SZ9DLFZ7.txt
* Creates file C:\Users\tachion\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Crystal Security.exe
[ Changes to registry ]
* Modifies value "Name=Crystal Security.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
old value "Name=FileAlyzer2.exe"
* Modifies value "ID=50435974" in key HKEY_LOCAL_MACHINE\software\microsoft\DirectDraw\MostRecentApplication
old value "ID=4E8ECC88"
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASAPI32
* Creates value "FileDirectory=2500770069006E0064006900720025005C00740072006100630069006E0067000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASAPI32
binary data=%windir%\tracing
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\Crystal Security_RASMANCS
* Creates value "FileDirectory=2500770069006E0064006900720025005C00740072006100630069006E0067000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Trac
* Modifies value "SavedLegacySettings=4600000062030000090000000000000000000000000000000400000000000000B566FCFF307BCD010000000000000000000000000200000002000000C0A8380100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A80102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=4600000061030000090000000000000000000000000000000400000000000000B566FCFF307BCD010000000000000000000000000200000002000000C0A8380100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A80102000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
[ Network services ]
* Looks for an Internet connection.
* Queries DNS
* Queries DNS ssl.gstatic.com
* Queries DNS
* C:\Users\tachion\Desktop\malware\Crystal Security 2.4.5.31\Crystal Security.exe Connects to "31.170.163.239" on port 80 (TCP - HTTP).
* C:\Users\tachion\Desktop\malware\Crystal Security 2.4.5.31\Crystal Security.exe Connects to "31.170.163.241" on port 80 (TCP - HTTP).
* C:\Users\tachion\Desktop\malware\Crystal Security 2.4.5.31\Crystal Security.exe Connects to "173.194.39.151" on port 80 (TCP - HTTP).
* C:\Users\tachion\Desktop\malware\Crystal Security 2.4.5.31\Crystal Security.exe Connects to "209.85.148.120" on port 80 (TCP - HTTP).
[ Process/window/string information ]
* Keylogger functionality.
* Enables process privileges.
* Gets user name information.
* Checks for debuggers.
* Creates an event named "Global\CPFATE_3684_v4.0.30319".
* Opens a service named "RASMAN".
* Opens a service named "WinHttpAutoProxySvc".
* Starts a service.
* Lists all entry names in a remote access phone book.
* Opens a service named "Sens".
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "Local\!PrivacIE!SharedMemory!Mutex".
* Opens a service named "FontCache".
* Creates a mutex "MSIMGSIZECacheMutex".
* Creates a mutex "Local\IESQMMUTEX_0_274".
* Creates a mutex "Local\__DDrawExclMode__".
* Creates a mutex "Local\__DDrawCheckExclMode__".
* Creates a mutex "Local\DDrawWindowListMutex".
* Creates a mutex "Local\DDrawDriverObjectListMutex".
* Opens a service named "WSearch".
* Creates an event named "OleDfRootBA453D2BBDB955A4".
* Creates a mutex "Local\http://www.google.co.uk/".