|   | Assetmoc | 24.11.2008 15:38 |  
 OK, hier die VirusTotal-Ergebnisse:
1) C:\WINDOWS\system32\deploytk.dll
 MD5...: 9d819b4ca8ed1010c5fa248bc1a75b9a
 SHA1..: 2d77ff8ac23d32cbaa5581c1aafe8e432104ce34
 SHA256: a72653ddb0485f0acb5df72fdf8e2876c67b078c4040dea382ce81897e9b58fa
 SHA512: 8af2751d7d177fd335757b00fc80d257bd564afcaaf3141165bfde937051a66b2d4c1ddd6970103e6139c498136a7299c28cb42ec6313b8d019e6a94193c4e5f
 ssdeep: 6144:ztHJcBYwcG1f2UIEhWTx0AvU9hT7yy8R0cSjvj4k:t6zh2EhWTHvU9hT7yy8R0njMk
 PEiD..: -
 TrID..: File type identification
 DirectShow filter (53.7%)
 Windows OCX File (32.9%)
 Win32 Executable MS Visual C++ (generic) (10.0%)
 Win32 Executable Generic (2.2%)
 Generic Win/DOS Executable (0.5%)
 PEInfo: PE Structure information
 
 ( base data )
 entrypointaddress.: 0x10017273
 timedatestamp.....: 0x48dcb760 (Fri Sep 26 10:20:16 2008)
 machinetype.......: 0x14c (I386)
 
 ( 5 sections )
 name viradd virsiz rawdsiz ntrpy md5
 .text 0x1000 0x20d2a 0x21000 6.59 0dc24e7aa8f7843b58e8cce74dff3c48
 .rdata 0x22000 0x7915 0x8000 5.10 cbb69fec91f392e32d4bf34978df9965
 .data 0x2a000 0x327c 0x2000 3.25 83668cc1bdff8dbf0af10edea3b71ad7
 .rsrc 0x2e000 0x32370 0x33000 4.01 067eff9128f3278c56ba1b8aebaa8487
 .reloc 0x61000 0x322a 0x4000 4.90 174e9dc06c939285eb6b8781de3ac1e1
 
 ( 14 imports )
 > ADVAPI32.dll: RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegQueryInfoKeyA, RegEnumKeyExA, RegQueryValueExA, RegQueryValueA
 > urlmon.dll: IsValidURL
 > WININET.dll: InternetCrackUrlA, InternetCloseHandle, InternetReadFile, InternetTimeToSystemTime, HttpQueryInfoA, InternetErrorDlg, HttpSendRequestA, HttpAddRequestHeadersA, InternetTimeFromSystemTime, HttpOpenRequestA, InternetConnectA, InternetOpenA
 > SHLWAPI.dll: PathFileExistsA
 > COMCTL32.dll: -
 > WINTRUST.dll: WinVerifyTrust
 > WSOCK32.dll: -, -, -, -
 > CRYPT32.dll: CryptMsgGetParam, CertOpenSystemStoreA, CertGetNameStringW, CertCloseStore, CryptMsgClose, CertFindCertificateInStore, CryptQueryObject, CertGetEnhancedKeyUsage
 > SHELL32.dll: ShellExecuteExA, SHGetFileInfoA
 > KERNEL32.dll: QueryPerformanceCounter, InterlockedExchange, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, RaiseException, InitializeCriticalSection, DeleteCriticalSection, MultiByteToWideChar, lstrlenA, GetModuleFileNameA, WideCharToMultiByte, lstrlenW, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, GetProcessHeap, lstrcmpiA, DisableThreadLibraryCalls, InterlockedIncrement, InterlockedDecrement, lstrcpynA, IsDBCSLeadByte, MulDiv, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, GetModuleHandleA, HeapAlloc, FlushInstructionCache, GetCurrentProcess, GetCurrentThreadId, GetLongPathNameA, WaitForSingleObject, CloseHandle, GetExitCodeProcess, CreateProcessA, GlobalAlloc, lstrcmpA, GetTickCount, GetProcAddress, LoadLibraryA, LockResource, GlobalUnlock, GlobalLock, GetTempPathA, SetLastError, GlobalFree, GlobalHandle, GetTempFileNameA, lstrcatA, WriteFile, SetEndOfFile, SetFilePointer, CompareFileTime, SystemTimeToFileTime, Sleep, FileTimeToSystemTime, GetFileTime, GetFileSize, CreateFileA, lstrcpyA, SetEvent, CreateThread, CreateEventA, GlobalMemoryStatus, UnhandledExceptionFilter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, ReadFile, GetCPInfo, GetOEMCP, LCMapStringW, LCMapStringA, SetUnhandledExceptionFilter, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, HeapSize, TerminateProcess, IsBadWritePtr, VirtualFree, HeapCreate, HeapDestroy, ExitProcess, GetCommandLineA, GetSystemTimeAsFileTime, HeapReAlloc, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, RtlUnwind, GetCurrentProcessId, IsBadReadPtr, IsBadCodePtr, GetStringTypeA, GetStringTypeW, SetStdHandle, FlushFileBuffers, GetTimeZoneInformation, CompareStringA, CompareStringW, SetEnvironmentVariableA, FindClose, FileTimeToLocalFileTime, GetDriveTypeA, FindFirstFileA, GetFullPathNameA, GetCurrentDirectoryA, GetDiskFreeSpaceA
 > USER32.dll: DestroyWindow, DefWindowProcA, PtInRect, CharNextA, UnregisterClassA, SetWindowPos, SetWindowRgn, OffsetRect, EqualRect, IntersectRect, ReleaseDC, GetDC, SetWindowLongA, GetWindowLongA, GetCursorPos, SetCursor, MapDialogRect, SetWindowContextHelpId, GetDlgCtrlID, LoadBitmapA, PostMessageA, EnableWindow, KillTimer, SetTimer, MessageBoxA, DialogBoxIndirectParamA, RegisterWindowMessageA, UnionRect, GetWindowTextLengthA, GetWindowTextA, SetWindowTextA, CreateAcceleratorTableA, GetActiveWindow, GetClassNameA, RedrawWindow, GetDlgItem, SendMessageA, DestroyAcceleratorTable, GetDesktopWindow, InvalidateRgn, FillRect, SetCapture, ReleaseCapture, DialogBoxParamA, GetSysColor, SendDlgItemMessageA, GetWindow, GetWindowRect, SystemParametersInfoA, EndDialog, LoadStringA, MsgWaitForMultipleObjects, IsWindowUnicode, GetMessageW, GetMessageA, TranslateMessage, DispatchMessageW, DispatchMessageA, PeekMessageA, RegisterClassExA, GetClassInfoExA, LoadCursorA, wsprintfA, CreateWindowExA, GetParent, SetFocus, ShowWindow, GetFocus, IsChild, BeginPaint, GetClientRect, EndPaint, GetKeyState, InvalidateRect, IsWindow, CallWindowProcA, MapWindowPoints
 > ole32.dll: CoTaskMemRealloc, CoCreateInstance, OleRegEnumVerbs, OleRegGetUserType, CoTaskMemFree, CoTaskMemAlloc, CreateOleAdviseHolder, OleRegGetMiscStatus, OleLoadFromStream, WriteClassStm, OleSaveToStream, CLSIDFromString, StringFromGUID2, OleLockRunning, CreateStreamOnHGlobal, CoGetClassObject, CLSIDFromProgID, OleInitialize, OleUninitialize
 > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
 > GDI32.dll: CreateCompatibleBitmap, SelectObject, BitBlt, GetObjectA, GetStockObject, CreateSolidBrush, DeleteObject, CreateDCA, CreateFontIndirectA, DPtoLP, ModifyWorldTransform, SetGraphicsMode, StretchBlt, SetBkMode, SetTextColor, GetDeviceCaps, LPtoDP, SaveDC, SetMapMode, SetWindowOrgEx, SetViewportOrgEx, DeleteDC, RestoreDC, CreateCompatibleDC, CreateRectRgnIndirect
 
 ( 4 exports )
 DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
 (Kein Antivirusprogramm ergab ein Ergebnis)
2) C:\WINDOWS\system32\rmoc3260.dll
 MD5...: e429c6a2b65fb276fbb0e3c005fd3c10
 SHA1..: 92262cd4e1706726831ab28656774de11af9799f
 SHA256: c52adc0cac5b701c80b2425328902865ff18799632570d9d662d0361c472fd75
 SHA512: 7c623b0f1ea410845937b9e0f2c8737fc29bd5e27e3c4f3d2045dfa099ce75e24e5e7e827ada2e5ea620475454df2c5bbe533357c5dfcc77d5fc27898516b140
 ssdeep: 3072:wqxtZO4f+Iq9aI+h9D1K0Op9WIRnGpdkw4oN4mHcnE:VxrOosQIgI0Op9WIRnGpdkw4O
 PEiD..: -
 TrID..: File type identification
 DirectShow filter (52.6%)
 Windows OCX File (32.2%)
 Win32 Executable MS Visual C++ (generic) (9.8%)
 Win32 Executable Generic (2.2%)
 Win32 Dynamic Link Library (generic) (1.9%)
 PEInfo: PE Structure information
 
 ( base data )
 entrypointaddress.: 0x63ab9e44
 timedatestamp.....: 0x48c8266b (Wed Sep 10 19:56:27 2008)
 machinetype.......: 0x14c (I386)
 
 ( 5 sections )
 name viradd virsiz rawdsiz ntrpy md5
 .text 0x1000 0x1ac67 0x1b000 6.31 f9784ca9d8603912c6caf595c5f57a9d
 .rdata 0x1c000 0x3785 0x4000 5.49 37288aaf1dc6d9c415073deba8de8faa
 .data 0x20000 0x7e8 0x1000 1.99 43968b3091ed83f61efe9b6c04d40dc5
 .rsrc 0x21000 0x71c0 0x8000 4.58 bfb7f63434161e578e298d351bf7b459
 .reloc 0x29000 0x216a 0x3000 4.63 2efafac5ed62ad00d352246586cc6aab
 
 ( 9 imports )
 > ole32.dll: CoGetMalloc, CoTaskMemFree, CreateBindCtx, CreateOleAdviseHolder, CoCreateInstance, CoTaskMemAlloc
 > KERNEL32.dll: GetLastError, GetLocaleInfoA, lstrcatA, SetErrorMode, GetSystemInfo, GetVersionExA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileSize, CreateFileA, CloseHandle, GetTempFileNameA, GetTempPathA, InterlockedDecrement, GetModuleFileNameA, GetEnvironmentVariableA, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, ExitProcess, EnterCriticalSection, lstrcpyA, lstrlenA, MultiByteToWideChar, WideCharToMultiByte, GetVersion, lstrlenW, lstrcmpA, WinExec, DeleteFileA, GetProcAddress, LoadLibraryA, FreeLibrary, CreateThread, DeleteCriticalSection, InitializeCriticalSection, InterlockedIncrement
 > USER32.dll: InvalidateRect, UpdateWindow, LoadCursorA, SetFocus, EnumChildWindows, CharPrevA, CharNextA, wsprintfA, CreateDialogParamA, IsDialogMessageA, WinHelpA, UnregisterClassA, ReleaseDC, GetDC, PtInRect, IsWindowVisible, GetParent, SendMessageA, CopyRect, BeginPaint, EndPaint, SetParent, DefWindowProcA, CreateWindowExA, GetKeyState, GetSystemMetrics, GetActiveWindow, GetWindowLongA, ShowWindow, EqualRect, OffsetRect, SetWindowRgn, SetWindowLongA, DestroyWindow, GetWindowRect, MapWindowPoints, SetWindowPos, LoadStringA, GetDlgItemTextA, SetDlgItemTextA, GetClientRect, GetClipboardFormatNameA, GetSysColor, FillRect, IntersectRect, RegisterClassA
 > ADVAPI32.dll: RegEnumKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, RegOpenKeyExA, RegOpenKeyA, RegDeleteKeyA, RegCreateKeyA, RegQueryValueExA, RegQueryValueA, RegSetValueA, RegEnumKeyA, RegCloseKey
 > GDI32.dll: CreateSolidBrush, CreateRectRgnIndirect, SetViewportOrgEx, SetWindowOrgEx, SetMapMode, CreateDCA, DeleteDC, LPtoDP, GetDeviceCaps, DeleteObject
 > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
 > urlmon.dll: URLDownloadToCacheFileA, RegisterBindStatusCallback, CreateURLMoniker, HlinkSimpleNavigateToString
 > MSVCR71.dll: _ismbcspace, memmove, _vsnprintf, strncmp, _CxxThrowException, __0exception@@QAE@ABV0@@Z, strchr, isdigit, _stricmp, __1exception@@UAE@XZ, printf, getenv, realloc, strstr, atoi, _lseeki64, _telli64, __security_error_handler, _except_handler3, __dllonexit, _onexit, _initterm, _adjust_fdiv, __CppXcptFilter, _unlink, __1type_info@@UAE@XZ, _terminate@@YAXXZ, __CxxFrameHandler, _errno, __0exception@@QAE@XZ, _fstat, _strnicmp, _putenv, _strcmpi, _close, _creat, _chsize, _open, _sopen, _lseek, _tell, _read, _write, strncat, __2@YAPAXI@Z, _snprintf, atol, sprintf, ___V@YAXPAX@Z, ___U@YAPAXI@Z, _purecall, wcslen, wcsncpy, strncpy, strrchr, __3@YAXPAX@Z, free, malloc
 > MSVCP71.dll: __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBD@Z
 
 ( 4 exports )
 DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
 (Kein Antivirusprogramm ergab ein Ergebnis)
3) C:\Windows\system32\NULL
 MD5...: d126c4a0b1b0db8c92c8515db10a53d9
 SHA1..: 85bfa86d3e65f7e54e0a0688c62ecd9fcfc6af31
 SHA256: 25930d0a3f280d59a2b90272d3460a8174e81c72c89403e79bddb76636d341a8
 SHA512: 1fac20da181528925ec6a393e01e59d93404ab5529272e67b5940f77573dd8ad66c1e2af7a1d836a3357866669a8cb0703c981c9ec69651c45e976018b73186a
 ssdeep: 3072:gFACUsE4LyyuTDrtFogEmiYBVlPuvXH5NLqSGhqYZgQBeUgRkKcJ4TT/N3hBuxPB:x
 PEiD..: -
 TrID..: File type identification
 Unknown!
 PEInfo: -
 (Kein Antivirusprogramm ergab ein Ergebnis)
4) C:\WINDOWS\system32\drivers\secdrv.sys
 MD5...: ba0d892d2f786bcebdf03b0a252b47f3
 SHA1..: 0383b69f98d0a9c0383c8130d52d6b431c79ac48
 SHA256: 4ed103bd45ece4d2b6029c36d0e209c8a6f1c34e0f72b01553742773cb1f43a1
 SHA512: b57722c9dac359fdba24bfb17454f2b1f14c3b309ddc7cbbcc27a1b55f8233d96775fbf7fb69038d889dd9671de7c955dfdb0422030a2fb9d2262ef675744ec0
 ssdeep: 384:lmRAXETwO/AyxL1zaUdzUaLPa71XoJczVZ3wFQ1J:iT3AyzaozbLPgNoJ+pwFQb
 PEiD..: -
 TrID..: File type identification
 Generic Win/DOS Executable (49.9%)
 DOS Executable Generic (49.8%)
 Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
 PEInfo: PE Structure information
 
 ( base data )
 entrypointaddress.: 0x123a0
 timedatestamp.....: 0x3dd38e7e (Thu Nov 14 11:52:30 2002)
 machinetype.......: 0x14c (I386)
 
 ( 5 sections )
 name viradd virsiz rawdsiz ntrpy md5
 .text 0x280 0x1b49 0x1b60 6.33 f46f58aed2dd87017f4a1f3b89cfffd6
 .data 0x1de0 0x5b8 0x5c0 1.52 e76aaf59799fab4f6466637871812eb4
 INIT 0x23a0 0x1f2 0x200 5.25 54cfd402b8213a6595784f687ed9dd43
 .rsrc 0x25a0 0x408 0x420 3.32 784638d9652c444c84e21fcec74aca42
 .reloc 0x29c0 0x1ae 0x1c0 5.54 eb43e1ece983474e97a1fb8920fd1868
 
 ( 1 imports )
 > ntoskrnl.exe: IoDeleteSymbolicLink, IoDeleteDevice, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, RtlEqualUnicodeString, NtBuildNumber, RtlQueryRegistryValues, PsGetVersion, KeTickCount, MmIsAddressValid, RtlUnwind, ExAllocatePoolWithTag, ExFreePool, IofCompleteRequest
 (Kein Antivirusprogramm ergab ein Ergebnis)