Malware Discovery? -- Need Assistance on reading code


2 replies to this topic

#1 Compsecadmin


  • Members
  • 2 posts

Posted 10 July 2014 - 01:56 AM

Yes.. still running XP :-/.  Got my new HP box.. but don't have it configured, locked down etc.. Nevertheless...

I noticed dual instances of "iexplorer.exe" starting up despite not using IE. I thought it was firing up when I launched FF. After doing a little digging, I saw a scheduled task which was installed just a few days ago. I saw the sched task pointing to "c:\windows\temp" which.. clearly any process running from a temp directory is not good.. :-/.

Here is a summary of the scheduled task:
--------------------------------code below was detected in c:\windows\temp directory as lsutlo.dcx
It was being called via a scheduled task with the command line of:

    C:\WINDOWS\system32\cmd.exe /C "start /MIN C:\WINDOWS\system32\cscript.exe //E:javascript C:\WINDOWS\TEMP\lsutlo.dcx"

It was scheduled to run under the current user.
Scheduled to run daily at 12:11 AM.
Last run was discovered to be 3:11 PM on the day found
Set to run under: NT AUTHORITY\SYSTEM

=============== (EOS) =========================

Despite spending years in the industry..  doing everything from Windows/AD/Networking and Linux support at the workstations as well as server...  reading code is not my forte.  I have a copy of the code "lsutlo.dcx", which clearly is some form of script/code.

If I was to post it, can someone eye-ball it and let me know what in the ba-jezus it's doing? The actual code was just over 7k bytes.

If posting such code here is a violation of acceptable usage, can I send it in text format to someone off-line who might be willing to decode it?

I can tell you.. they used a great deal of usage of cryptic variables, and tracing this is a PITA..

TIA for any assistance from anyone...

-csa


Edited by hamluis, 10 July 2014 - 06:22 AM.
Moved from XP to Am I Infected - Hamluis.
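As an added example (not code from the thread or from anyone posting in it), this PowerShell check flags scheduled tasks with the traits of the one described above: a script host in the command, a payload under a temp or profile directory, an engine forced with //E: on a non-script extension, and a SYSTEM run-as. The task name and command line come from this thread; the host and other task names in the sample are made up for contrast.

```powershell
# Added example, not code from the thread: flag scheduled tasks that look like
# the one described above. Input is the verbose CSV that 'schtasks /query /fo csv /v'
# prints; the sample below is constructed with a subset of its columns.
function Test-SuspiciousTask {
    param([Parameter(ValueFromPipeline = $true)] $Task)
    process {
        $cmd = [string]$Task.'Task To Run'
        $reasons = @()
        # Script hosts and other binaries that hide what actually executes
        if ($cmd -match '(?i)\\(cscript|wscript|mshta|powershell|rundll32|regsvr32)\.exe') {
            $reasons += 'script host'
        }
        # Payload kept in a temp or per-user profile directory
        if ($cmd -match '(?i)\\(temp|application data|appdata|local settings)\\') {
            $reasons += 'temp/profile path'
        }
        # Engine forced with //E: on a file whose extension is not a script extension
        if ($cmd -match '(?i)//E:\w+\s+"?(?<script>[^"\s]+)') {
            $ext = [System.IO.Path]::GetExtension($Matches['script'])
            if (@('.js', '.vbs', '.wsf') -notcontains $ext) { $reasons += "engine override on $ext" }
        }
        # Runs as SYSTEM: normal for vendor updaters, telling when combined with the above
        if ([string]$Task.'Run As User' -match '(?i)SYSTEM') { $reasons += 'runs as SYSTEM' }

        # Report only tasks that combine at least two indicators
        if ($reasons.Count -ge 2) {
            New-Object PSObject -Property @{
                TaskName = $Task.TaskName
                Command  = $cmd
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample: the posted task plus two benign ones for contrast
$sample = @'
"TaskName","Task To Run","Run As User","Schedule Type","Start Time"
"syslsutloupd","C:\WINDOWS\system32\cmd.exe /C ""start /MIN C:\WINDOWS\system32\cscript.exe //E:javascript C:\WINDOWS\TEMP\lsutlo.dcx""","NT AUTHORITY\SYSTEM","Daily","12:11:00 AM"
"VendorUpdate","C:\Program Files\Vendor\update.exe /silent","NT AUTHORITY\SYSTEM","Daily","9:00:00 AM"
"Logon Script","C:\WINDOWS\system32\wscript.exe C:\Scripts\map-drives.vbs","WKSTN01\user","At logon","N/A"
'@

($sample -split "`r?`n") | ConvertFrom-Csv | Test-SuspiciousTask | Format-List
# On a live box: schtasks /query /fo csv /v | ConvertFrom-Csv | Test-SuspiciousTask
```

Only the syslsutloupd row is reported (four indicators); the updater and the logon script each trip a single indicator and are left alone.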



#2 SleepyDude


  • Malware Response Team
  • 2,937 posts
  • Gender:Male
  • Location:Portugal

Posted 10 July 2014 - 04:34 AM

Hi,
 
You can submit the file here.

 

The file will be analyzed by several antivirus engines and made accessible to several AV vendors. Also, the file will be available to the Staff members at BC.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 Compsecadmin

  • Topic Starter

  • Members
  • 2 posts

Posted 23 July 2014 - 03:18 AM

Ok folks... I know many sites prefer not to see posts from other sites.. but.. after spending several days trying to research all aspects of this bugger before bothering anyone here...  I did search for the "scheduled task" that keeps appearing and I have not found any hits.  I have tried doing various Inet searches on other components of this, and nothing. Sched task that keeps appearing is "syslsutloupd". I outlined some of the info above, and this is the part that has me perplexed. I searched for any reference to the file that is being called, partial names in the file system..  checking the registry etc. and I found this path:
C:\Documents and Settings\(Logged_in_user)\Application Data\Microsoft\Lsutlo

Under that are various files:

  1,029 5y2z9rZp
  1,029 8PfWgSp7D
  1,029 AmoQadbQZg
  1,029 baaX7kDZLT3
  1,187 BIvdQrp7CB
  1,029 G99RdbezeAt
  1,029 ggzOQ7GffJo
  1,187 HxYWlju
    755 lsutl.dll
253,952 lsutlo.exe
 16,608 lsutlo32.dll
  1,266 mHoQ7godM
  1,266 O5qDHYywI
  1,029 O7yv9bXeoN
 99,881 qjxvacj.dtg
  1,029 qx7UvJYJpdS
  1,029 V4zlIeN
  1,029 wB8ID2xdTyjX
  1,029 WwWEDmYBw
  1,187 YwCGXx1T
 388,608 bytes

 

Most of the files that are approx 1K in size are text files listing the scheduled tasks in the box. My concern is the *.exe and the DLL files.  Adding to this, saw the sched task was making a call to a script file in "C:\windows\temp" which I already mentioned.  I also did searches on snippets of code from the "lsutlo.dcx" that is being called and I came up with this link below.  I looked at the "example code" in the top box and it is IDENTICAL to the actual code/script file I have in c:\windows\temp.

Can someone eyeball this and let me know what they think?  Also, given the referred path that some other related components are installed in, it seems as though there is some association w/ Microsoft (I know that can be spoofed) but even after extensive Inet searches... I found nothing...

Nevertheless.. can someone check out this link... the code.. and the "decrypted" code in this site and let me know what they think?  I could upload the same code here, but.. given the "script" file the scheduled task is calling is identical to that on the page below.. I just thought I'd save the time and provide the link to the code someone else has put up elsewhere...

Here is the link: http://ddecode.com/hexdecoder/?results=99b609cb6425e5981115bb8fa8f86260

The "code" in the top box.. is identical to the script file ("C:\WINDOWS\TEMP\lsutlo.dcx") that is being called by the scheduled task that has magically started to appear...

Any thoughts.. comments.. ideas.. etc.. would be greatly appreciated...
-csa





