Hidden directories and mirarka.exe file in pendrive

I posted a topic earlier about suspected infections on my PC.
I've even seen some symptoms: when I used a public PC for printing documents, Avast AV on that PC detected trojans a few times (different versions, I don't remember their names) and cleaned them. But before Avast's detection, Comodo IS hadn't found anything, and neither had Kaspersky Rescue Disk, TDSSKiller, MBAM or Hitman Pro.

Today I used an Ubuntu 11.10 Live USB and the pendrive which was recently infected. I found a few hidden directories, not visible on Windows.
Those directories are: appstod, escuchado, importa, toasten, turbi, zaman and hydriq. The last one, hydriq, has a hidden file in it named mirarka.exe - here's a scan of this file using VirusTotal.

As you can see, Comodo didn't find anything, nor did MBAM, Hitman Pro or Kaspersky Rescue Disk.

Now I have to make use of Google and find a way to dump the firmware of every piece of hardware using Linux, and send those dumps to VirusTotal…

Here’s CAMAS verdict.

It remains undetected but is indeed malicious: it creates the file C:\Documents and Settings\User\gjzbkt.exe and connects using "DNS Query Text slade.safehousenumber.com IN A +", a domain which is known to be used for malicious purposes and remains blacklisted.

Even Avast detected this stuff, shame on you Comodo…

Additional information from VT:

ssdeep
1536:7aLet+6XUziU0+uSJdLX/SYgFBl7dofv6gSW+aOFrFKzgINiFAMbO:u964nuSj9gFn7daCc+8DNgAMa

TrID
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

PEiD packer identifier
Armadillo v1.71

ExifTool

MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:10:12 19:35:28+02:00
FileType: Win32 EXE
PEType: PE32
CodeSize: 5120
LinkerVersion: 6.0
EntryPoint: 0x1734
InitializedDataSize: 28672
SubsystemVersion: 5.0
ImageVersion: 0.0
OSVersion: 5.0
UninitializedDataSize: 0

Sigcheck

publisher: unoo Nc
product: Imeto
internal name: Exuize Cabl
copyright: ilooism (c) aci 1991 - 2001
original name: hize.exe
file version: 7.4.2800.3300
description: Unee

Portable Executable structural information

Compilation timedatestamp: 2008-10-12 17:35:28
Target machine: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address: 0x00001734

PE Sections:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 4819 5120 5.77 2678e5dc1e76c46bb1f67e11346eb5f9
.data 12288 50685 9216 6.70 383fa2b40191b396019c7e6f5109d811
.rsrcE 65536 19396 19456 4.38 0052611b59e60112162fb63efc4cec12

PE Imports:

[[comdlg32.dll]]
GetOpenFileNameA

[[gdi32.dll]]
TranslateCharsetInfo, CreateCompatibleDC, ScaleViewportExtEx, FillPath, BeginPath, InvertRgn, LineTo, GetNearestPaletteIndex, ExtCreateRegion, GetBkMode, RectInRegion, TextOutA, PtInRegion, GetStretchBltMode, OffsetClipRgn, CombineRgn, CreateDCW, GetEnhMetaFileBits, EnumFontsA, SetViewportOrgEx, PolyBezierTo

[[kernel32.dll]]
SetThreadLocale, LCMapStringW, GetStartupInfoA, GetTempPathA, RaiseException, LCMapStringA, GetPrivateProfileStringA, GetSystemInfo, GetNumberFormatA, GetFileAttributesA, IsValidCodePage, SetUnhandledExceptionFilter, GetTempPathW, InterlockedDecrement, GetThreadLocale, lstrcpynA

[[msvcrt.dll]]
_except_handler3, strchr, _acmdln, __p__fmode, realloc, _adjust_fdiv, __setusermatherr, _iob, sqrt, _cexit, _exit, memcpy, fprintf, _XcptFilter, __getmainargs, calloc, free, _initterm, fopen, __p__commode, __set_app_type

[[advapi32.dll]]
RegFlushKey, GetSecurityDescriptorDacl, RegOpenKeyExW, OpenThreadToken, ControlService, InitializeAcl, LookupPrivilegeValueW, RegOpenKeyW, RegCreateKeyA

[[ole32.dll]]
CreateItemMoniker, StgCreateDocfileOnILockBytes, CoGetInterfaceAndReleaseStream, CoRevokeClassObject, CoDisconnectObject, OleSetMenuDescriptor, PropVariantClear, OleSetClipboard, OleInitialize

[[user32.dll]]
InsertMenuA, GetDesktopWindow, BeginPaint, CheckMenuItem, TranslateMessage, InflateRect, GetMenuStringA, SetDlgItemTextA, OffsetRect, RegisterWindowMessageA, SetPropA, SetTimer, GetDlgItem, GetTopWindow, SetClassLongA, GetSysColor, WaitMessage, LoadBitmapA, RemoveMenu

[[comctl32.dll]]
ImageList_Read, ImageList_GetImageCount, ImageList_GetIconSize, InitCommonControlsEx, ImageList_Destroy, ImageList_GetImageInfo, CreatePropertySheetPageW, ImageList_DragLeave, ImageList_DragShowNolock, ImageList_Create, PropertySheetW, ImageList_LoadImageW, ImageList_Add

PE Resources:

Resource type Number of resources
RT_ICON 9
RT_GROUP_ICON 1
RT_MESSAGETABLE 1
RT_VERSION 1
RT_MANIFEST 1

Resource language Number of resources
ENGLISH US 13

Symantec Reputation
Suspicious.Insight

First seen by VirusTotal
2012-08-25 17:53:57 UTC ( 50 minutes ago )

Last seen by VirusTotal
2012-08-25 17:53:57 UTC ( 50 minutes ago )

File names (max. 25)

hize.exe
mirarka.exe
Exuize Cabl

Look at the time stamp: TimeStamp: 2008:10:12 19:35:28+02:00

This one is daaamn old malware…

I wonder how many rootkits in the wild still haven't been spotted and researched?

And here's the autorun.inf file content (between the directives the file contains lines of unprintable junk bytes; those lines are omitted here):

[autorun]
shell\Open\command=hydriq\mirarka.exe
action=Open folder to view files using Windows Explorer
Shell\open\command=hydriq\mirarka.exe
shellexecute=hydriq\mirarka.exe
shell\explore\command=hydriq\mirarka.exe
icon=SHELL32.dll,4
open=hydriq\mirarka.exe
USEAUTOPLAY=1
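As an added example (not from the post, and not code from any of the products named in the thread), here is a small Python script that parses an autorun.inf built like the one quoted above, with junk lines between the INI directives, extracts every path Windows would launch, and flags the traits a defender would triage on a removable drive. The sample input is constructed to mirror the quoted file.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the post: INI
# directives interleaved with lines of junk bytes meant to confuse parsers.
SAMPLE_AUTORUN = (
    b"[autorun]\r\n"
    b"^gjvfgjegkjweGJklJASLKfj\x8f\xa1\xff\xfe\x00\x13\r\n"
    b"shell\\Open\\command=hydriq\\mirarka.exe\r\n"
    b"@G\x01\x02\xfe\r\n"
    b"action=Open folder to view files using Windows Explorer\r\n"
    b"Shell\\open\\command=hydriq\\mirarka.exe\r\n"
    b"shellexecute=hydriq\\mirarka.exe\r\n"
    b"shell\\explore\\command=hydriq\\mirarka.exe\r\n"
    b"icon=SHELL32.dll,4\r\n"
    b"open=hydriq\\mirarka.exe\r\n"
    b"USEAUTOPLAY=1\r\n"
)

# Only well-formed "key=value" lines with a printable key count as directives.
DIRECTIVE_RE = re.compile(rb"^([A-Za-z][A-Za-z0-9_\\]*)=(.*)$")

def parse_autorun(data: bytes) -> dict:
    """Return {lowercased key: value} for every directive, skipping junk lines."""
    directives = {}
    for raw in data.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m:
            directives[m.group(1).decode("ascii").lower()] = m.group(2).decode("latin-1").strip()
    return directives

def launch_targets(directives: dict) -> set:
    """Paths Windows would run on AutoRun/AutoPlay or from the drive's context menu."""
    targets = set()
    for key, value in directives.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.add(value.lower())
    return targets

def assess(data: bytes) -> list:
    """Flag the traits the infected pendrive's autorun.inf showed."""
    d = parse_autorun(data)
    findings = [f"launches executable from subdirectory: {t}"
                for t in sorted(launch_targets(d)) if t.endswith(".exe") and "\\" in t]
    if d.get("useautoplay") == "1":
        findings.append("USEAUTOPLAY=1 forces the AutoPlay prompt")
    if "windows explorer" in d.get("action", "").lower():
        findings.append("action text impersonates Explorer's 'Open folder' entry")
    if d.get("icon", "").lower().startswith("shell32.dll"):
        findings.append("icon borrowed from SHELL32.dll to look like a normal drive")
    return findings
```

Running `assess(open("/media/usb/autorun.inf", "rb").read())` from a live system lists the findings for a real drive; an empty list means the file carries none of these traits, not that the drive is clean.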

All signature based detection programs will miss programs sometimes. In fact, the sad fact is that it is very common for malware to be missed. If you look at the VirusTotal results you will see that many other very well known anti-malware vendors also miss the sample.

CIS will be able to protect you from malware, regardless of whether it is already recognized as such or not. However, in terms of cleaning a computer which is already infected you should always clean it with multiple programs. This is because a single product is unlikely to be able to detect all malware on your computer. For example, Avast happens to detect this one but I know for a fact it will miss many others.

Now don’t think I’m bashing Avast. It is a very good antivirus. I’m just pointing out the weaknesses of relying entirely on signature based detection.

By the way, in order to make sure that your computer is no longer infected please follow the advice I give in my article about How to Know If Your Computer Is Infected.

Thanks.

Yeah I know, AV software protects only against known threats. If the heuristic engine is effective it can also detect unknown malware, but this goal is very hard to achieve.

HIPS/HIDS are very helpful in this field.
But the best anti-malware system is in your head - just learn and use it wisely.

I proceeded with a ClamAV scan using the Ubuntu Live USB. I set the PUA scan to on; here are the results.
Most of them are false positives and at first sight I can't see anything suspicious. Does anybody see anything malicious here?

I saw that someone upvoted this scanned trojan as harmless.
Probably its creator :wink: