Posted by SentiniX

Zmr.exe was collected from a client's computer after slowness on that system was reported. While analysing the system with HijackThis and other tools, I noticed this executable being started at boot; after submitting it to VirusTotal I was certain I was dealing with some kind of threat.

Brief description taken from the internet

Katusha.M is a Trojan which, although apparently harmless, can actually carry out attacks and intrusions: screenlogging, stealing personal data, etc.

Katusha.M does not spread automatically by its own means. It needs the attacker's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP channels, IRC, peer-to-peer (P2P) file-sharing networks, etc.

EFFECTS

Katusha.M allows hackers to get in and carry out dangerous actions on affected computers, such as capturing screenshots, stealing personal data, etc.

File name:

Zmr.exe

Result: 37/41 (90.2%)
Antivirus Version Last Update Result
AhnLab-V3 2010.10.03.01 2010.10.03 Win-Adware/Rogue.FakeAV.168448
AntiVir 7.10.12.111 2010.10.01 TR/Crypt.XPACK.Gen2
Antiy-AVL 2.0.3.7 2010.10.03 Packed/Win32.Katusha.gen
Authentium 5.2.0.5 2010.10.03 W32/FraudLoad.F!Generic
Avast 4.8.1351.0 2010.10.03 Win32:MalOb-AS
Avast5 5.0.594.0 2010.10.03 Win32:MalOb-AS
AVG 9.0.0.851 2010.10.03 SHeur3.UXI
BitDefender 7.2 2010.10.03 Gen:Variant.Renos.14
CAT-QuickHeal 11.00 2010.10.01 Trojan.Katusha.m
ClamAV 0.96.2.0-git 2010.10.02
Comodo 6274 2010.10.03 MalCrypt.Indus!
DrWeb 5.0.2.03300 2010.10.03 Trojan.DownLoader1.5936
Emsisoft 5.0.0.50 2010.10.03
eTrust-Vet 36.1.7889 2010.10.02 Win32/Renos.D!generic
F-Prot 4.6.2.117 2010.10.03 W32/FraudLoad.F!Generic
Fortinet 4.1.143.0 2010.10.03 W32/CodecPack.fam!tr.dldr
GData 21 2010.10.03 Gen:Variant.Renos.14
Ikarus T3.1.1.90.0 2010.10.03
Jiangmin 13.0.900 2010.10.02 Packed.Katusha.isx
K7AntiVirus 9.63.2662 2010.10.02 Trojan
Kaspersky 7.0.0.125 2010.10.03 Packed.Win32.Katusha.m
McAfee 5.400.0.1158 2010.10.03 FakeAlert-MY.c
McAfee-GW-Edition 2010.1C 2010.10.03 Heuristic.BehavesLike.Win32.Obfuscated.H
Microsoft 1.6201 2010.10.03 TrojanDownloader:Win32/Renos.KF
NOD32 5499 2010.10.03 a variant of Win32/Kryptik.EBP
Norman 6.06.07 2010.10.03
nProtect 2010-10-03.01 2010.10.03 Trojan/W32.Agent.168448.BG
Panda 10.0.2.7 2010.10.03 Trj/Katusha.M
PCTools 7.0.3.5 2010.10.02 Trojan.FakeAV
Prevx 3.0 2010.10.03 High Risk Cloaked Malware
Rising 22.67.02.07 2010.09.30 Dropper.Win32.Undef.bsl
Sophos 4.58.0 2010.10.03 Mal/FakeAV-CX
Sunbelt 6972 2010.10.03 VirTool.Win32.Obfuscator.hg!b (v)
SUPERAntiSpyware 4.40.0.1006 2010.10.03 Trojan.Agent/Gen-CDesc[Dx1]
Symantec 20101.2.0.161 2010.10.03 Trojan.FakeAV!gen29
TheHacker 6.7.0.1.047 2010.10.03 Trojan/Katusha.m
TrendMicro 9.120.0.1004 2010.10.03 TROJ_RENOS.SMDB
TrendMicro-HouseCall 9.120.0.1004 2010.10.03 TROJ_RENOS.SMDB
VBA32 3.12.14.1 2010.10.01 Malware-Cryptor.Win32.Palka
ViRobot 2010.8.31.4017 2010.10.03 Trojan.Win32.Katusha.168448
VirusBuster 12.66.12.0 2010.10.03 Trojan.Codecpack.Gen.4
MD5   : 4b70832abe531d047a7e93bbb6fb1dad
SHA1  : b18ba4a0e8f3a173c190ca10dd1b26ed7232a0d1
SHA256: 7b6bd8aa4a8919ac3f1fefc3fff21a86a6aea591e9deabd585bff59d20b750ff
ssdeep: 3072:ZFP1FYLk0QfaKCzyr+ieysina2mQHtmst6ztGov:Zjaper+irsF+m1
File size : 168448 bytes
First seen: 2010-10-03 17:18:32
Last seen : 2010-10-03 17:18:32
TrID:
Win32 Executable Generic (58.4%)
Clipper DOS Executable (13.8%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.7%)
VXD Driver (0.2%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information 

[[ basic data ]]
entrypointaddress: 0x4A90
timedatestamp….: 0x4A85FF6E (Sat Aug 15 00:21:02 2009)
machinetype……: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x96DF, 0x9800, 5.87, 96e2ce3da5cdbea623436f8d1811d27b
.edata, 0xB000, 0x323A5, 0x1E400, 7.37, 2834b1cd7c18713a61e6808898dcf872
.bss, 0x3E000, 0x1D6, 0x200, 0.00, bf619eac0cdf3f68d496ea9344137e8b
.data, 0x3F000, 0x661, 0x800, 0.00, c99a74c555371a433d121f551d6c6398
.init, 0x40000, 0x7C8, 0x800, 0.23, 2e57ac6212313667931e89dcd758368c

[[ 7 import(s) ]]
user32.dll: GetSysColor, GetScrollRange, EqualRect, DrawMenuBar, MessageBoxA, EnumChildWindows, GetParent, GetDlgItem, GetMenu, ClientToScreen, SetWindowPos, EnumWindows, GetFocus, GetScrollPos, GetPropA, DispatchMessageW, GetScrollInfo, GetMenuItemInfoA, GetMenuItemID, GetSubMenu, GetMenuStringA, IsChild, GetWindow, IsWindowVisible, IsWindowEnabled, GetWindowTextA, GetMessagePos, GetSysColorBrush, GetActiveWindow, GetMenuState, EnableMenuItem
GDI32.dll: CreateFontIndirectA, CreatePenIndirect
KERNEL32.dll: SetLastError, GlobalAddAtomA, GetStringTypeA, GetTickCount, GetCurrentProcessId, GetModuleFileNameA, ResetEvent, LoadResource, DeleteCriticalSection, GetStringTypeW, SetErrorMode, GetEnvironmentStrings, VirtualAlloc, HeapDestroy, lstrcmpA, MoveFileA, GetStartupInfoA, DeleteFileA, GetFileSize, InitializeCriticalSection, SetEndOfFile, GetOEMCP, lstrcmpiA, lstrlenA, GetFileType, GetACP, GetCommandLineA, GetLastError, GlobalFindAtomA, GetVersionExA, GetStdHandle, Sleep, GetFullPathNameA, lstrcpynA, RaiseException, LocalFree, FormatMessageA, CreateThread, GlobalDeleteAtom, GetModuleHandleA, MulDiv, ExitThread, LoadLibraryExA, LockResource, LocalReAlloc, GetDiskFreeSpaceA, GetCPInfo, ExitProcess, GetDateFormatA, CloseHandle, SetFilePointer, GetCurrentThread, ReadFile, LocalAlloc, SizeofResource, SetEvent, GetProcAddress, lstrcatA, VirtualQuery, HeapAlloc, GetUserDefaultLCID, CreateEventA, SetThreadLocale
shlwapi.dll: PathFileExistsA
shell32.dll: SHGetFileInfoA
MSVCRT.dll: atan, memmove, calloc, strcmp
ADVAPI32.dll: RegOpenKeyExA, GetUserNameA, RegOpenKeyA, RegEnumKeyA

ExifTool:
file metadata
CodeSize: 38912
EntryPoint: 0x4a90
FileSize: 164 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 128512
LinkerVersion: 4.14
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:08:15 02:21:02+02:00
UninitializedDataSize: 81920
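The PEInfo section table above is the most telling part of the report for triage: the .edata section carries an entropy of 7.37 (close to the 8.0 maximum) and holds most of the file's bytes, while the real code section has a modest 5.87, which fits the "Packed"/"Crypt"/"Obfuscated" labels several engines gave the sample. The script below, an added example that is not part of the original post or of any VirusTotal tooling, reproduces that kind of section/entropy table from a PE file's headers using only the standard library, and flags sections at or above an assumed triage threshold of 7.0 bits per byte. It runs against a small PE32 skeleton constructed in memory (not the Zmr.exe sample), so it works offline.

```python
import math
import struct
from collections import Counter

# Entropy at or above this (bits per byte) is an assumed triage threshold for
# compressed or encrypted content; packed code sections commonly land here.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return ent if ent > 0 else 0.0   # avoid returning -0.0 for constant data


def parse_sections(pe: bytes):
    """Walk the DOS header, PE signature, COFF header and section table of an
    in-memory PE image and yield (name, virtual_addr, virtual_size, raw_size,
    raw_bytes) per section. Only the fields needed for triage are read."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _timestamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size       # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               vaddr, vsize, rawsize, pe[rawptr:rawptr + rawsize])


def section_report(pe: bytes) -> list[dict]:
    """One row per section, in the column order of the PEInfo table above,
    plus a 'suspicious' flag for high-entropy sections."""
    rows = []
    for name, vaddr, vsize, rawsize, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        rows.append({"name": name, "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
                     "ntropy": round(ent, 2), "suspicious": ent >= PACKED_ENTROPY})
    return rows


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal PE32 skeleton around the given (name, payload) sections.
    Constructed test input for the parser only: not loadable, no optional header,
    and unrelated to the Zmr.exe sample."""
    e_lfanew = 0x40
    opt_size = 0                       # parser must honour SizeOfOptionalHeader even when 0
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, bodies, vaddr = b"", b"", 0x1000
    for name, payload in sections:
        headers += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(payload), vaddr,
                               len(payload), raw_ptr) + b"\0" * 16
        bodies += payload
        raw_ptr += len(payload)
        vaddr += (len(payload) + 0xFFF) & ~0xFFF   # next section on a page boundary
    return dos + b"PE\0\0" + coff + headers + bodies


# Constructed sample: a plain-text section, an all-zero section like the .bss/.data
# rows above, and a section holding every byte value equally often (maximal
# entropy, the signature of packed or encrypted content).
SAMPLE_PE = build_sample_pe([
    (b"CODE", b"This is ordinary readable text with modest entropy. " * 8),
    (b".bss", bytes(0x200)),
    (b".edata", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    print("name, viradd, virsiz, rawdsiz, ntropy, suspicious")
    for r in section_report(SAMPLE_PE):
        print(f"{r['name']}, {r['viradd']:#x}, {r['virsiz']:#x}, {r['rawdsiz']:#x}, "
              f"{r['ntropy']:.2f}, {r['suspicious']}")
```

To run it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `section_report`; do that only on an isolated analysis machine, since reading headers never executes the sample but the file itself still should not sit on a production host. A high-entropy section is an indicator, not proof: legitimately compressed resources also score high, so pair the entropy figure with the section's size and the import table, as the report above does.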

Be careful when opening the Zmr.exe file
Password to unpack the archive: virus

XLab.Charrua.Katusha.Trojan.m