Monday, July 7, 2008

Trojan Downloader Agent in Winsock an Armadillo v1.xx - v2.xx protected compressed, DLL name: engt32.dll

Symptom: engt32.dll Hooks with 2 entries in Winsock LSP's
Internet speed may slow down by single connections 30 - 60 %
Age: The file have been first scanned in year 2006 by and found the same results by all Antiviruses as now in year 2008.

To found with: Spybot -Search and Destroy (unknown MS-...) 2 entries
or Trend Micro HijackThis v2.0.2
To remove: LSPFix's Winsock 2 (Layered Service Provider) repair utility.

Antiviruses that can not found it are Microsoft, Kaspersky, NOD32, Norman, TrendMicro, F-Secure, Prevx...

Live On Care 2.x include latest Beta can not more start the integrated Live on care firewall.

AhnLab-V3 2008.7.8.0 2008.07.07 Win-Trojan/Agent.81920.Z
AntiVir 2008.07.07 TR/Dldr.Agent.DLL.A
Authentium 2008.07.07 W32/Downldr2.VEB
Avast 4.8.1195.0 2008.07.07 Win32:Trojan-gen {Other}
AVG 2008.07.07 Downloader.Small.BCP
BitDefender 7.2 2008.07.08 Trojan.Downloader.AUT
CAT-QuickHeal 9.50 2008.07.07 - FOUND NOTHING!
0.93.1 2008.07.08 - FOUND NOTHING!
DrWeb 2008.07.07 Trojan.DownLoader.12131
eSafe 2008.07.07 - FOUND NOTHING!
31.6.5934 2008.07.07 - FOUND NOTHING!
Ewido 4.0 2008.07.07 Downloader.Agent.a
F-Prot 2008.07.07 W32/Downldr2.VEB
F-Secure 7.60.13501.0 2008.07.08 - FOUND NOTHING!
Fortinet 2008.07.07 PossibleThreat
GData 2.0.7306.1023 2008.07.08 Win32:Trojan-gen
Ikarus T3. 2008.07.08 Trojan-Downloader.12131
Kaspersky 2008.07.08 - FOUND NOTHING!
McAfee 5333 2008.07.07 Generic.di
Microsoft 1.3704 2008.07.08 - FOUND NOTHING!
NOD32v2 3248 2008.07.07 - FOUND NOTHING!
5.80.02 2008.07.07 - FOUND NOTHING!
Panda 2008.07.08 Trj/Downloader.KHR
Prevx1 V2 2008.07.08 - FOUND NOTHING!
Rising 2008.07.06 Trojan.DL.Agent.ana
Sophos 4.31.0 2008.07.08 Mal/Generic-A
Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Gen
Symantec 10 2008.07.08 Downloader
TheHacker 2008.07.07 - FOUND NOTHING!
8.700.0.1004 2008.07.07 - FOUND NOTHING!
VBA32 2008.07.07 Trojan.DownLoader.12131
VirusBuster 2008.07.07 - FOUND NOTHING!
Webwasher-Gateway 6.6.2 2008.07.07 Trojan.Dldr.Agent.DLL.A

File info:
File size: 81920 bytes
MD5...: 38a169d6eb7dbc243a2c395eb981833b
SHA1..: 1fa66f684c15566b87301c04949c8072c577a7a6
SHA256: 9ce760b1982e32000a5637ad4422c5639dc1b334013700e303e967342595df69
SHA512: a51f9f6aee0e488d899012e05c78296056403e94e788382c31cd65b28da1a359
PEiD..: Armadillo v1.xx - v2.xx
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10003969
timedatestamp.....: 0x44bf3cca (Thu Jul 20 08:20:26 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xad5a 0xb000 6.60 1e2ac2efe8a2e97d6cdcff740aa8b8c7
.rdata 0xc000 0x14ea 0x2000 3.89 c226fc9e70ce25bd077963ed95f88541
.data 0xe000 0x4f0c 0x4000 0.92 573d4ed926f2ab855c9ad82a6525471f
.reloc 0x13000 0x1160 0x2000 3.06 6a09bba2d154e82f41c98399f03643e2

( 5 imports )
> KERNEL32.dll: DeleteFileW, GetModuleFileNameW, GetModuleFileNameA, WritePrivateProfileStringW, CloseHandle, CopyFileW, GetLastError, CreateMutexW, GlobalFree, GlobalAlloc, FreeLibrary, GetProcAddress, LoadLibraryW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, FindClose, FindFirstFileW, SetErrorMode, CreateFileW, SetFileTime, GetSystemTimeAsFileTime, CompareStringW, CompareStringA, FlushFileBuffers, GetDriveTypeA, SetStdHandle, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetOEMCP, GetACP, GetCurrentDirectoryW, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, SetFilePointer, GetTimeZoneInformation, GetSystemTime, GetLocalTime, InterlockedDecrement, InterlockedIncrement, RtlUnwind, HeapFree, HeapAlloc, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeW, GetCommandLineA, GetVersion, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA, LCMapStringW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, GetFullPathNameW, GetCurrentDirectoryA, TerminateProcess, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, SetEnvironmentVariableA
> USER32.dll: MessageBoxA
> SHELL32.dll: ShellExecuteW
> urlmon.dll: URLDownloadToFileW
> WS2_32.dll: WSCDeinstallProvider, WSCGetProviderPath, WSCInstallProvider, WSCWriteProviderOrder, WSCEnumProtocols

( 9 exports )
Dll_CheckRunning, Dll_GetInfo, Dll_GetVersion, Dll_Install, Dll_LoadInstance, Dll_ShowVersion, Dll_Uninstall, UpdateCore, WSPStartup

More info:
Process File: engt32.dll
Process Name: Troj_Polymorphic.File.Exploit
Description: N/A
Author: unknown
Part of: unknown
Common Path(s): Windows\system32
Secuirty Risk (0-5): 0
Spyware: Yes
Adware: Yes
Virus: Yes
Trojan: Yes
System Process: No
Application: No
Background Process: Yes
Uses Network: Yes
Uses Internet: No
Related Process:
IP Internet System Internet

After Winsock LSP's the two entries are cleaned and the file been removed Live OnCare Firewall works again:

In Stulle eMule Private old version 0.48a from ed2k net another Virus ???:
Rising AntiVirus Find all Trojans Scanned all other eMule Mods, no Virus found there! some Stulle eMule v0.49 Privat is the same! eMule Morph Private 0.48 and 0.49a is clean!!!

Microsoft security AV team USA is sleeping 34h ago after submition - no responce, bcc via PR section Munich, DE, Vibrio

Rising updated deep analyse: C:\fn-virus\fn-virus\engt32.dll

VBA32 (Virus Block Ada 32) Scanner (not much up to date): or

Program full from: (3Months Free Fullversion) or: (1Months Free Fullversion)
is not bad too to scan for Trojans:

Normal Mod - fast check:

Deep Scan Mod - full check:

Find more deep embedded Trojans as some others!


Anonymous said...

Please submit this to NOD and Kasper for the analysis team to update there detection databases.

Anonymous said...

Yet I found it again. Have zip it with the password for WindowsOneCare submition:
False Negative:

As written here:

How should I submit it to NOD and Kaspersky i dont have there any Accounts nor Forum Access?

Do they have any upload urls so that I can send it?

the filename is inside is the dll which I found before active as virus under system32 loaded in winsock with 2 entries. Did fix it manually cause I was not have Rising on it after I seen by that rising can found it.

Anonymous said...

Sorry for the semi long reply.

For Kaspersky:


Hope that helps friend. Just follow the instructions on those given links. Pretty easy if your up to it :)

IlLusioN said...

Thank you, all submitted.
Wish virusfree P2P filesharing fellows!

Post a Comment