
June 29th, 2009

Inside Win32:Abigor

Win32:Abigor is a complex file infector consisting of a replicating part, a backdoor and a keylogger. Its source code is known, but it is interesting to look at the file from the other side as well, starting from the infected binary rather than the source.

[Screenshot: abig_stg0]

The redirection to the virus body is done by hooking the reference to the ExitProcess or CRT _exit function; in this case we can see a push + ret redirection. The rest of the code remains untouched, and the virus itself is injected into the last section. Here we go:

[Screenshot: abig_stg1]

The virus body is highly obfuscated: it contains only the few instructions needed to decrypt the payload, mixed with many garbage instructions. This technique makes emulation of the decryptor quite slow. Anyway, after a bit of time we get the decrypted code and data.

[Screenshot: abig_stg2]

[Screenshot: abig_stg3]

The first picture shows the decrypted code, which loads kernel32 and checks for a breakpoint on GetProcAddress. The second screenshot contains the list of AV services that the virus suspends and the list of files that it patches to do nothing. As mentioned above, the file infector comes along with a backdoor engine, which begins on the next picture.

[Screenshot: abig_stg4]

[Screenshot: abig_stg5]

The picture above shows the rest of the killed AV executables and the embedded PE binary. The other picture contains the signature of the virus creator. Now it’s time to dump the binary and take a separate look at it.

[Screenshot: abig_stg6]

The binary was compressed with UPX. After unpacking it we can see some interesting strings from the backdoor engine. There is also a reference to the keylogger (a hooking function from an embedded library). Other interesting strings are shown on the next screenshot.

[Screenshot: abig_stg7]
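Three things described above can be flagged from the PE section table alone, without emulating the decryptor: the virus body injected into the last section while the original code and entry point stay untouched, the encrypted and obfuscated body, and the UPX compression of the embedded binary. The following Python triage script is an added example written for this post; it is not code from Avast or from the analysis. It parses the section headers of a PE32 image, locates the section holding the entry point, flags a last section that is executable (and writable), computes the Shannon entropy of each section to spot encrypted or packed data, and reports UPX section names. The sample images are constructed in memory by `build_sample_pe` and are not Abigor samples; the section names and layout, the `.rsrc` name of the appended section and the 7.0 bits-per-byte entropy threshold are assumptions. Because Abigor leaves the entry point alone, the entry-point heuristic by itself would miss this infector, which is why the section characteristics and entropy checks are there as well.

```python
import math
import random
import struct

# IMAGE_SCN_* section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed or encrypted data sits close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (entry_point_rva, sections) from a PE32 image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint
    sec_hdr = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_hdr + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)  # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "chars": chars,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Apply appended-code, entropy and packer heuristics to the section table."""
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]:
            entry_section = s["name"]
    last = sections[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        flag = "last section is executable"
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            flag += " and writable"
        findings.append(f"{flag} ({last['name']}): possible appended code")
    if entry_section == last["name"]:
        findings.append("entry point lies in the last section")
    for s in sections:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"high entropy {s['entropy']:.2f} in {s['name']}: packed or encrypted data")
        if s["name"].startswith("UPX"):
            findings.append(f"UPX section name {s['name']}: UPX-packed image")
    return {"entry_section": entry_section, "sections": sections, "findings": findings}


def build_sample_pe(infected: bool) -> bytes:
    """Construct a minimal PE32 image in memory (constructed sample, not a real binary).
    The infected variant appends an executable + writable last section filled with
    high-entropy bytes while the entry point in .text is left untouched."""
    secs = [
        (b".text", b"\x90" * 0x1FF + b"\xC3", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", b"\x00" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    if infected:
        rng = random.Random(1)  # fixed seed so the constructed sample is reproducible
        payload = bytes(rng.getrandbits(8) for _ in range(0x400))
        secs.append((b".rsrc", payload, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))
    hdr = bytearray(0x200)  # DOS header, PE signature, COFF + optional header, section table
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x0102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                               # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                         # entry point RVA -> .text
    struct.pack_into("<IIII", hdr, opt + 28, 0x400000, 0x1000, 0x200, 0)  # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 60, 0x200)                          # SizeOfHeaders
    body, rva, raw = bytearray(), 0x1000, 0x200
    for i, (name, content, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i,
                         name, len(content), rva, len(content), raw, 0, 0, 0, 0, chars)
        body += content
        rva += (len(content) + 0xFFF) & ~0xFFF
        raw += len(content)
    struct.pack_into("<I", hdr, opt + 56, rva)                            # SizeOfImage
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("infected", build_sample_pe(True))):
        result = triage(sample)
        print(f"{label}: entry point in {result['entry_section']}")
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

Run against a real file with `triage(open(path, "rb").read())`; the findings are heuristics for triage, not a verdict, since legitimate packers and self-modifying runtimes also produce executable, high-entropy trailing sections.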

The last part worth a look is the embedded keylogger. Let’s look at the last screen.

[Screenshot: abig_stg8]

The very last thing is the detection coverage of the binaries. Here are the results from VirusTotal:

http://www.virustotal.com/en/analisis/eba51e28a8b24940f01a9aff3efa6e44
http://www.virustotal.com/en/analisis/89492671981914813c171e28553aea37
http://www.virustotal.com/en/analisis/c4b265d21eedd7b708f4eed699c5026f
http://www.virustotal.com/en/analisis/fd10ac0af93949b5b7b44420aafaca53

Categories: analyses
  1. steve7132
    July 23rd, 2009 at 06:59 | #1

    Attn: Michal Krejdl I have something interesting I had found when reading about this…email me for a link you should really read….I was looking over the code in the pictures you have on this Win32:Abigor. I really can’t believe what I found.

  2. July 23rd, 2009 at 09:11 | #2

    What kind of interesting stuff can I expect?

  3. steve7132
    July 24th, 2009 at 05:31 | #3

    How about the author, and also pieces of the programming that went into making this thing….?

  4. steve7132
    July 24th, 2009 at 05:32 | #4

    Oh and one more thing…how about the original source code.

  5. July 24th, 2009 at 09:14 | #5

    @steve7132
    Everything could be easily googled ;-) .

  6. steve7132
    July 24th, 2009 at 17:45 | #6

    I found a website that contains the names and source code for tons of infections

  7. July 24th, 2009 at 18:21 | #7

    @steve7132
    NetLux or something similar?

  8. steve7132
    July 25th, 2009 at 03:51 | #8

    Ok, well, I guess you want me to advertise this stuff, which is really against my gut instincts….

    [edited]

    Please delete this post after you read it..

  9. July 25th, 2009 at 11:04 | #9

    @steve7132
    Yes, that’s what I meant. The same content as NetLux.

  10. steve7132
    July 27th, 2009 at 00:03 | #10

    I hope you read his program file and his comment that this is his first attempt at a win32 infection…He really did the job…a lot of people must have noticed…I presume something is being done about that site? Yes?

  11. July 27th, 2009 at 10:25 | #11

    @steve7132
    Yeah, there’s a lot of hard work behind such complex viruses.
