

The Moon-Player installer is hosted at http://moon-player.com (203.169.164.18) (whois info). This particular Zlob variant is highly dangerous, as it drops rootkit-based spyware and also adds malicious DNS servers. The following HijackThis entry shows the rogue name servers added to the system's "NameServer" list:

O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: NameServer = 85.255.112.143;85.255.112.94

These name servers are located in Ukraine; whois information can be found here and here.
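As an added example (not part of the original post), the Python script below implements the check a defender would want for the DNS-changer behaviour just described: it parses HijackThis O17 NameServer entries such as the one quoted, flags any resolver that is not on an allowlist, and marks the two servers named in this post as known-rogue. The allowlist, the second interface GUID and the sample log are constructed placeholders.

```python
import ipaddress
import re

# HijackThis O17 entry as quoted in the post: capture the interface GUID and the
# semicolon-separated NameServer list (CCS is HijackThis shorthand for CurrentControlSet).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?:CCS|CurrentControlSet)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.;]+)$"
)
# The two rogue resolvers named in the post.
KNOWN_ROGUE = {"85.255.112.143", "85.255.112.94"}
# Assumed organisation-approved resolvers (constructed placeholder allowlist).
TRUSTED = {ipaddress.ip_address("192.0.2.53"), ipaddress.ip_address("192.0.2.54")}

def parse_o17(line):
    """Return (guid, [IPv4Address, ...]) for an O17 NameServer entry, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [ipaddress.ip_address(s) for s in m.group("servers").split(";") if s]
    return m.group("guid"), servers

def check_nameservers(lines):
    """Return (guid, ip, reason) for every resolver not on the allowlist;
    reason is 'known-rogue' for the servers named in the post, 'untrusted' otherwise."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        guid, servers = parsed
        for ip in servers:
            if ip in TRUSTED:
                continue
            reason = "known-rogue" if str(ip) in KNOWN_ROGUE else "untrusted"
            findings.append((guid, str(ip), reason))
    return findings

# Constructed HijackThis excerpt: the entry quoted in the post plus one clean interface.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{27C05F16-264E-4B56-9C02-90A5B7D0A17D}: "
    r"NameServer = 85.255.112.143;85.255.112.94",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: "
    r"NameServer = 192.0.2.53",
]

if __name__ == "__main__":
    for guid, ip, reason in check_nameservers(SAMPLE_LOG):
        print(f"{guid}: {ip} ({reason})")
```

Any "untrusted" finding on a host that should only use corporate resolvers is worth the same scrutiny as a known-rogue hit, since the next variant will use different addresses.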
The rootkit component is a user-mode rootkit that hides files by hooking APIs in ntdll.dll. The following screenshots show the hidden file and the hooked APIs:


The rootkit also injects a DLL into a few of the standard Windows processes (alg.exe and spoolsv.exe), as shown in the screenshot below.

The injected DLL, C:\Windows\System32\Dll.dll, does not actually exist; the file that is really injected is C:\Windows\Temp\tempX.tmp (where X is a random number). This can be seen from the DLL information shown by IceSword. It appears that the injected file changes its name in the module list maintained in the process PEB to a dummy, non-existent one.
The VirusTotal scan result of the installer can be found here. An automated analysis of the installer is available on this ThreatExpert page.
Update: A Zlob (Moon-Player and other fake video players) rootkit removal tutorial has been posted here.