
Monday, July 7, 2008

Trojan Downloader Agent in Winsock, an Armadillo v1.xx - v2.xx protected compressed DLL, file name: engt32.dll

Symptom: engt32.dll hooks into Winsock with 2 entries in the Winsock LSP (Layered Service Provider) chain.
Internet speed of single connections may slow down by 30 - 60 %.
Age: The file was first scanned in 2006 by www.virustotal.com, with the same results from all antiviruses as now in 2008.

To find it with: Spybot - Search & Destroy (shown as unknown MS-... entries, 2 entries)
or Trend Micro HijackThis v2.0.2
To remove it: LSPFix, cexx.org's Winsock 2 (Layered Service Provider) repair utility.

Antiviruses that cannot find it include Microsoft, Kaspersky, NOD32, Norman, TrendMicro, F-Secure, Prevx...

Live OneCare 2.x, including the latest Beta, can no longer start the integrated Live OneCare firewall.

Info:
AhnLab-V3 2008.7.8.0 2008.07.07 Win-Trojan/Agent.81920.Z
AntiVir 7.8.0.64 2008.07.07 TR/Dldr.Agent.DLL.A
Authentium 5.1.0.4 2008.07.07 W32/Downldr2.VEB
Avast 4.8.1195.0 2008.07.07 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.07.07 Downloader.Small.BCP
BitDefender 7.2 2008.07.08 Trojan.Downloader.AUT
CAT-QuickHeal 9.50 2008.07.07 - FOUND NOTHING!
ClamAV 0.93.1 2008.07.08 - FOUND NOTHING!
DrWeb 4.44.0.09170 2008.07.07 Trojan.DownLoader.12131
eSafe 7.0.17.0 2008.07.07 - FOUND NOTHING!
eTrust-Vet 31.6.5934 2008.07.07 - FOUND NOTHING!
Ewido 4.0 2008.07.07 Downloader.Agent.a
F-Prot 4.4.4.56 2008.07.07 W32/Downldr2.VEB
F-Secure 7.60.13501.0 2008.07.08 - FOUND NOTHING!
Fortinet 3.14.0.0 2008.07.07 PossibleThreat
GData 2.0.7306.1023 2008.07.08 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.07.08 Trojan-Downloader.12131
Kaspersky 7.0.0.125 2008.07.08 - FOUND NOTHING!
McAfee 5333 2008.07.07 Generic.di
Microsoft 1.3704 2008.07.08 - FOUND NOTHING!
NOD32v2 3248 2008.07.07 - FOUND NOTHING!
Norman 5.80.02 2008.07.07 - FOUND NOTHING!
Panda 9.0.0.4 2008.07.08 Trj/Downloader.KHR
Prevx1 V2 2008.07.08 - FOUND NOTHING!
Rising 20.51.60.00 2008.07.06 Trojan.DL.Agent.ana
Sophos 4.31.0 2008.07.08 Mal/Generic-A
Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Gen
Symantec 10 2008.07.08 Downloader
TheHacker 6.2.96.374 2008.07.07 - FOUND NOTHING!
TrendMicro 8.700.0.1004 2008.07.07 - FOUND NOTHING!
VBA32 3.12.6.8 2008.07.07 Trojan.DownLoader.12131
VirusBuster 4.5.11.0 2008.07.07 - FOUND NOTHING!
Webwasher-Gateway 6.6.2 2008.07.07 Trojan.Dldr.Agent.DLL.A

File info:
File size: 81920 bytes
MD5...: 38a169d6eb7dbc243a2c395eb981833b
SHA1..: 1fa66f684c15566b87301c04949c8072c577a7a6
SHA256: 9ce760b1982e32000a5637ad4422c5639dc1b334013700e303e967342595df69
SHA512: a51f9f6aee0e488d899012e05c78296056403e94e788382c31cd65b28da1a359ffecced13b0a3101ea2216d4f846c3881b259d74d218944b8ebff4bab410ca70
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10003969
timedatestamp.....: 0x44bf3cca (Thu Jul 20 08:20:26 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name virtaddr virtsize rawsize entropy md5
.text 0x1000 0xad5a 0xb000 6.60 1e2ac2efe8a2e97d6cdcff740aa8b8c7
.rdata 0xc000 0x14ea 0x2000 3.89 c226fc9e70ce25bd077963ed95f88541
.data 0xe000 0x4f0c 0x4000 0.92 573d4ed926f2ab855c9ad82a6525471f
.reloc 0x13000 0x1160 0x2000 3.06 6a09bba2d154e82f41c98399f03643e2

( 5 imports )
> KERNEL32.dll: DeleteFileW, GetModuleFileNameW, GetModuleFileNameA, WritePrivateProfileStringW, CloseHandle, CopyFileW, GetLastError, CreateMutexW, GlobalFree, GlobalAlloc, FreeLibrary, GetProcAddress, LoadLibraryW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, FindClose, FindFirstFileW, SetErrorMode, CreateFileW, SetFileTime, GetSystemTimeAsFileTime, CompareStringW, CompareStringA, FlushFileBuffers, GetDriveTypeA, SetStdHandle, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetOEMCP, GetACP, GetCurrentDirectoryW, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, SetFilePointer, GetTimeZoneInformation, GetSystemTime, GetLocalTime, InterlockedDecrement, InterlockedIncrement, RtlUnwind, HeapFree, HeapAlloc, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeW, GetCommandLineA, GetVersion, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA, LCMapStringW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, GetFullPathNameW, GetCurrentDirectoryA, TerminateProcess, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, SetEnvironmentVariableA
> USER32.dll: MessageBoxA
> SHELL32.dll: ShellExecuteW
> urlmon.dll: URLDownloadToFileW
> WS2_32.dll: WSCDeinstallProvider, WSCGetProviderPath, WSCInstallProvider, WSCWriteProviderOrder, WSCEnumProtocols

( 9 exports )
Dll_CheckRunning, Dll_GetInfo, Dll_GetVersion, Dll_Install, Dll_LoadInstance, Dll_ShowVersion, Dll_Uninstall, UpdateCore, WSPStartup
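The WS2_32 imports (WSCInstallProvider, WSCWriteProviderOrder) and the WSPStartup export above are the fingerprint of a DLL that installs itself as a Winsock LSP, which is why it shows up as the two foreign catalog entries described at the top. As an added example that is not code from the original post, the following Python parses the text layout of `netsh winsock show catalog` (the sample is constructed and only approximates that layout; the allow-list of Microsoft provider DLLs is an assumption to extend per host) and reports layered entries whose provider DLL is not a known Microsoft one, the same kind of check HijackThis and LSPFix perform.

```python
import re
# Constructed sample approximating the layout of `netsh winsock show catalog` (hypothetical values, not captured from the infected machine).
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------
Entry Type:                         Layered Service Provider
Description:                        MS-Winsock Tcpip LSP
Provider Path:                      %SystemRoot%\\system32\\engt32.dll
Catalog Entry ID:                   1002

Winsock Catalog Provider Entry
------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MS-Winsock Tcpip LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      %SystemRoot%\\system32\\engt32.dll
Catalog Entry ID:                   1003
"""

# Assumed allow-list of Microsoft's own XP-era Winsock provider DLLs; extend it for the host being checked.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

def parse_catalog(text):
    """Split netsh-style output into one dict of field -> value per provider entry."""
    entries = []
    for block in re.split(r"Winsock Catalog Provider Entry\s*\n-+\n", text):
        fields = dict(re.findall(r"^([^:\n]+?):\s+(.*?)\s*$", block, flags=re.M))
        if "Provider Path" in fields:
            entries.append(fields)
    return entries

def suspicious_lsp_entries(text):
    """Return (catalog id, description, dll) for every layered entry whose DLL is not a known Microsoft provider."""
    hits = []
    for e in parse_catalog(text):
        dll = e["Provider Path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        layered = "Base Service Provider" not in e.get("Entry Type", "")
        if layered and dll not in KNOWN_PROVIDER_DLLS:
            hits.append((int(e["Catalog Entry ID"]), e.get("Description", ""), dll))
    return hits

if __name__ == "__main__":
    for cid, desc, dll in suspicious_lsp_entries(SAMPLE_CATALOG):
        print(f"catalog entry {cid}: {desc!r} -> {dll}")
```

On a real host, pipe the output of `netsh winsock show catalog` into `suspicious_lsp_entries`; the two flagged entries in the sample mirror the two engt32.dll entries Spybot and HijackThis report on this page.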

More info: http://www.firefox123.cn/English/e/engt32.dll.htm
Process File: engt32.dll
Process Name: Troj_Polymorphic.File.Exploit
Description: N/A
Author: unknown
Part of: unknown
Common Path(s): Windows\system32
Security Risk (0-5): 0
Spyware: Yes
Adware: Yes
Virus: Yes
Trojan: Yes
System Process: No
Application: No
Background Process: Yes
Uses Network: Yes
Uses Internet: No
Related Process:
IP Internet System Internet

After the two Winsock LSP entries are cleaned and the file has been removed, the Live OneCare Firewall works again:



In the old Stulle eMule Private version 0.48a from the ed2k net, another virus, Worm.Win32.DownLoad.gh ???:
Rising AntiVirus finds all Trojans. Scanned all other eMule mods, no virus found there! Some Stulle eMule v0.49 Private builds are the same Worm.Win32.DownLoad.gh! eMule Morph Private 0.48 and 0.49a are clean!!!


Microsoft security AV team USA is sleeping, 34 h after submission - no response, bcc via PR section Munich, DE, Vibrio

Rising updated deep analysis: C:\fn-virus\fn-virus\engt32.dll
Trojan.DL.Agent.ana

VBA32 (Virus Block Ada 32) Scanner (not very up to date): ftp://anti-virus.by/pub/Vba32Scan.zip or http://vba32.de/anonymous/pub/Vba32Scan.zip

Full program from:
http://vba32.de/demo/content/view/15/31/ (3 months free full version) or: http://www.anti-virus.by/en/ (1 month free full version)
Info: http://anti-virus.by/about/vba/
It is not bad either for scanning for Trojans:

Normal Mode - fast check:


Deep Scan Mode - full check:

Finds more deeply embedded Trojans than some others!

2 comments:

Anonymous said...

Please submit this to NOD and Kasper for the analysis team to update their detection databases.

IlLusioN said...

Thank you, all submitted.
Wishing virus-free P2P filesharing, fellows!
