Raidhost (¥¶¾³¿¸¤£ù²¯².exe) Virus Report and Recovery Tool

Friday, November 27, 2009 Posted by Kanishka Dilshan
raidhost.exe (CRC32: D8AB4DA6) is a backdoor virus that supports building a botnet. raidhost.exe is the parent virus: when it is executed it downloads further malware from its master servers. At Imago Labs we identified the servers as 64.131.83.170 on port 80 and 216.17.104.155 on port 51987. It downloads a malicious file, dl.exe, from these servers and executes it; dl.exe then downloads another malicious file, update.exe.
"Raidhost" uses autorun.inf to propagate itself. It creates a system folder called cold, and inside cold it creates a system folder called hott that appears as a Recycle Bin. It then copies its clones (¥¶¾³¿¸¤£ù²¯².exe and ¥¶¾³¿¸¤£ù²¯²) into the hott directory.
raidhost.exe resides in %system drive%\Windows; dl.exe and update.exe reside in the root of the system drive.
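As an added example (not the author's Recovery Tool), the Python below performs two offline checks a defender would want for what the post describes: whether an autorun.inf launches an executable from a subdirectory such as cold\hott, and whether a file's CRC-32/MD5/SHA1 match the values given under File Details. The autorun.inf text is constructed, since the post does not reproduce the real one.

```python
"""Checks for the indicators this report describes: an autorun.inf launching an
executable from a removable drive, and the hashes of raidhost.exe. Added example."""
import configparser
import hashlib
import zlib

# Hashes of raidhost.exe exactly as given in the report's File Details.
RAIDHOST_IOC = {
    "crc32": "D8AB4DA6",
    "md5": "6A1120F815EEA114A79EB1789E6C6D00",
    "sha1": "3C12CEC16915560A65E8BA00C15F5D5EAF881182",
}

# Constructed sample shaped like the report's cold\hott layout (not the real file).
SAMPLE_AUTORUN = """[AutoRun]
open=cold\\hott\\sample.exe
shell\\open\\Command=cold\\hott\\sample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def file_hashes(data: bytes) -> dict:
    """CRC-32, MD5 and SHA1 of a file's bytes, upper-case hex as in the report."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }

def matches_raidhost(data: bytes) -> bool:
    """True only if all three hashes match the reported sample."""
    return file_hashes(data) == RAIDHOST_IOC

def autorun_launch_targets(text: str) -> list:
    """Commands an autorun.inf would run (open, shellexecute, shell\\<verb>\\command).
    Keys match case-insensitively as on Windows; RawConfigParser keeps %SystemRoot% literal."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)  # tolerate duplicate keys
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(value.strip())
    return targets

def is_suspicious_autorun(text: str) -> bool:
    """Flag an autorun.inf that launches an .exe from a subdirectory of the drive."""
    return any(t.lower().endswith(".exe") and "\\" in t for t in autorun_launch_targets(text))
```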
File Details
Size: 425984 Bytes
Version: 2.0.133.0
CRC-32: D8AB4DA6
MD5: 6A1120F815EEA114A79EB1789E6C6D00
SHA1: 3C12CEC16915560A65E8BA00C15F5D5EAF881182
Read only: Yes
Hidden: Yes
System file: Yes
Directory: No
Archive: Yes
Symbolic link: No
Values Added To The Registry (12):
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP Default 0x00000000 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP DllFile %SystemRoot%\system32\iedkcs32.dll 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP FileExtensions .ins 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG Default 0x01000000 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG DllFile %SystemRoot%\system32\jsproxy.dll 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG FileExtensions .pac;.jvs;.js 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG Flags 0x01000000 1
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\CONTENT TYPE\TEXT/HTML Extension .htm 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager CriticalSectionTimeout 2592000 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings UrlEncoding 0x00000000 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run raidhost raidhost.exe
Values Modified In The Registry (n) [Original Value = Green, Modified Value = Red]
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings info ProxyEnable 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Common AppData C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths info Directory C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths info Paths 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 info CacheLimit 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 info CachePath C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders AppData C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info IntranetName 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info ProxyBypass 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ info UNCAsIntranet 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings info MigrateProxy 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings info ProxyEnable 0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections info SavedLegacySettings 0x3c0000000500000009000000000000000000000000000000000000000000
Created Files (7):
%system drive%\Windows\raidhost.exe
%system drive%\dl.exe
%system drive%\update.exe
%removable drives%\cold\hott\¥¶¾³¿¸¤£ù²¯².exe
%removable drives%\cold\hott\¥¶¾³¿¸¤£ù²¯²
%removable drives%\cold\hott\desktop.ini
%removable drives%\auTORUN.inf
Files Deleted (0):
No file deletions were detected.
Files Modified (0):
No file modifications were detected.
Network Activities (n):
Sends the following HTTP request to the server 64.131.83.170 on port 80
Sent:
Request: GET /index.html?x=0x11223344
Response: 200 "OK"

Received:
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Fri, 20 Nov 2009 14:28:31 GMT
Accept-Ranges: bytes
ETag: "76dc15bced69ca1:0"
Server: Microsoft-IIS/7.0
Date: Tue, 24 Nov 2009 17:14:22 GMT
Content-Length: 67
Connection: close
Age: 0


Further TCP packets go to 216.17.104.155 on port 51987, with lengths 122, 143, 23, 41, 85, 89, 20, 19, ...
216.17.104.155 then sends malicious files to the infected machine.
Example:
Sent:
10:55:10.6863440 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 19
10:56:40.6660112 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 19
10:50:35.4783041 PM raidhost.exe 644 TCP Send imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 23

Received:
10:55:03.3958241 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 143
10:53:59.8657657 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 123
10:56:07.6358705 PM raidhost.exe 644 TCP Receive imago-3bec08987. :1052 -> 216.17.104.155:51987 SUCCESS Length: 74
More Info:
Autorun file
Abuser's Details (Please Report This Person)
Location: US, United States
City: Falls Church, VA 22043
Organization: Minh Nguyen
ISP : ServInt Corp.
OrgID: SRVN
Address: 6861 Elm Street
Address: 4th Floor
City: McLean
StateProv: VA
PostalCode: 22101
AS Number: AS25847
Country: US
RAbuseHandle: NO178-ARIN
RAbuseName: ServInt Engineering
RAbusePhone: +1-703-847-1381
RAbuseEmail: ipdept@servint.com
OrgAbuseHandle: ABUSE2161-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-847-1381
OrgAbuseEmail: abuse@servint.com
Please report about the IP 216.17.104.155 to poc@a1colo.com
Please report about the IP 64.131.83.170 to abuse@servint.com and ipdept@servint.com
