MSN/Windows Live and/or Yahoo IM Malware

Today I was confronted with malware and here are my results:

Registry:
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\conime.exe\wcoredk.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\conime.exe

C:\windows\system32\wcoredk.exe
C:\windows\prefetch\WCOREDK.EXE-3A9E970E.pf

netstat -aon showed 203.228.244.187:32132 as the destination.

While it runs, wcoredk.exe ‘kills’ Sysinternals TCPView, NirSoft CurrPorts and Sysinternals Process Explorer. -> Finally, AnVir helped me out!!!

Furthermore, it disables ‘Show hidden files and folders’ shortly after it is set, and although it had a PID it had no process name, so it wasn’t listed in any task manager.
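The PID-without-a-process-name symptom above can be checked mechanically: cross-reference `netstat -aon` against `tasklist /fo csv` and flag any PID that owns a socket but never appears in the process list. This is an added example, not code from the original post; the netstat and tasklist output is constructed (the remote endpoint reuses the address the post reports).

```python
"""Flag PIDs that own network connections but are absent from tasklist.
A process that has a PID and sockets but no name in the process list is
the hidden-process symptom described above."""
import csv
import io
import re

# Constructed `netstat -aon` output (not captured from an infected host).
NETSTAT_AON = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1045      203.228.244.187:32132  ESTABLISHED     1688
  TCP    192.168.1.10:1052      192.168.1.1:80         ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    884
"""

# Constructed `tasklist /fo csv` output: PID 1688 is deliberately missing.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Console","0","5,120 K"
"iexplore.exe","2212","Console","0","31,244 K"
'''

# UDP rows have no State column, so the state group is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row: proto, local, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def find_hidden_pids(netstat_text, tasklist_text):
    """Map each PID with sockets but no process entry to its remote endpoints."""
    known = parse_tasklist(tasklist_text)
    hidden = {}
    for row in parse_netstat(netstat_text):
        if row["pid"] not in known:
            hidden.setdefault(row["pid"], []).append(row["remote"])
    return hidden


if __name__ == "__main__":
    for pid, remotes in find_hidden_pids(NETSTAT_AON, TASKLIST_CSV).items():
        print(f"PID {pid} has connections but no process name: {remotes}")
```

On a live host, feed it the real output of both commands (run from an elevated prompt) instead of the constructed strings.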

So it looks like it is/was a rootkit-dressed Trojan/mailer.

But the AV vendors are working on it now:

1.) McAfee Labs

McAfee Labs – Beaverton

Current Scan Engine Version: 5400.1158

Current DAT Version: 5896.0000

Thank you for your submission.

Analysis ID: 5815572

File Name   | Findings      | Detection      | Type   | Extra
------------|---------------|----------------|--------|------
wcoredk.exe | new detection | spam-mailbot.u | Trojan | yes

AVERT has caught an issue with the EXTRA.DAT we generated for you. Your submission is being forwarded to an AVERT Researcher for further analysis. In the meantime, it is recommended that you update your DAT and engine files and scan your computer again.

You will be contacted through e-mail with the results of our analysis.

new detection [wcoredk.exe]


2.) Microsoft Security Essentials

Microsoft Malware Detection Center
