Interesting Rootkit
Thursday, January 18, 2007
Found an interesting piece of malware on a victim's laptop -- the rootkit killed GMER when I first tried to run it, but renaming the executable was enough to trick it. The file's (random) name is "brazhmqltx.exe", found in C:\Windows\system32.
Size: 275,968 bytes (276KB)
MD5: 909b3f5072ec3228b9d596d3bb5cb22e
SHA1: da799a12ae69a2d00e026e54291d54ccac4504fc
Packers: PecBundle, PECompact
Detection is almost nonexistent as of right now on VirusTotal:
Engine | Version | Last update | Result |
AntiVir | 7.3.0.21 | 01.18.2007 | no virus found |
Authentium | 4.93.8 | 01.17.2007 | no virus found |
Avast | 4.7.936.0 | 01.17.2007 | no virus found |
AVG | 386 | 01.18.2007 | no virus found |
BitDefender | 7.2 | 01.18.2007 | no virus found |
CAT-QuickHeal | 9.00 | 01.17.2007 | (Suspicious) - DNAScan |
ClamAV | devel-20060426 | 01.18.2007 | no virus found |
DrWeb | 4.33 | 01.18.2007 | no virus found |
eSafe | 7.0.14.0 | 01.18.2007 | no virus found |
eTrust-InoculateIT | 23.73.116 | 01.18.2007 | no virus found |
eTrust-Vet | 30.3.3334 | 01.18.2007 | no virus found |
Ewido | 4.0 | 01.17.2007 | no virus found |
Fortinet | 2.82.0.0 | 01.18.2007 | no virus found |
F-Prot | 3.16f | 01.17.2007 | no virus found |
F-Prot4 | 4.2.1.29 | 01.17.2007 | no virus found |
Ikarus | T3.1.0.27 | 01.09.2007 | no virus found |
Kaspersky | 4.0.2.24 | 01.18.2007 | no virus found |
McAfee | 4941 | 01.17.2007 | no virus found |
Microsoft | 1.1904 | 01.18.2007 | no virus found |
NOD32v2 | 1988 | 01.18.2007 | no virus found |
Norman | 5.80.02 | 01.18.2007 | no virus found |
Panda | 9.0.0.4 | 01.17.2007 | Adware/NaviPromo |
Prevx1 | V2 | 01.18.2007 | no virus found |
Sophos | 4.13.0 | 01.17.2007 | no virus found |
Sunbelt | 2.2.907.0 | 01.12.2007 | VIPRE.Suspicious |
TheHacker | 6.0.3.149 | 01.18.2007 | no virus found |
UNA | 1.83 | 01.17.2007 | no virus found |
VBA32 | 3.11.2 | 01.18.2007 | no virus found |
VirusBuster | 4.3.19:9 | 01.18.2007 | no virus found |
I'm going to attempt a bit more analysis this afternoon -- I'm curious as to just what this is. (The computer seemed clean otherwise.)
~ Nexus7
Labels: malware analysis, rootkit
posted by David @ 7:59 AM