Understanding WinXPSP2.Cermalus coded by Pluf
David Reguera García (Dreg) <Dregfr33projectorg> Monday, October 12 2009 19:16.01 CDT


Hello people, here is my explanation of the WinXPSP2.Cermalus malware. This malware has a ring0 component which hooks:

   1. NtOpenFile: This routine infects the .exe, except the .exes inside the Windows directory. It checks if the .exe is already infected.

   2. NtEnumerateBootEntries: It returns STATUS_SUCCESS when the args are: "0xBEBE, 0xCAFE".

   3. NtDebugActiveProcess: It blocks attaching to ring3 processes.

   4. DbgPrint/DbgPrintEx/DbgPrintReturnControlC: It blocks debugging using DbgPrint*.

   5. PsSetCreateProcessNotifyRoutine/PsSet[Remove]CreateThreadNotifyRoutine: They return STATUS_SUCCESS, but the hook is empty. It is useful to evade software monitors like ProcMon.

The dropper and the ring3 component, which load the driver and do other stuff, are fully explained at:

http://biht.blogspot.com/2009/10/understanding-winxpsp2cermalus.html

You can download the src of the virus here: http://66.98.184.55/%7Ebihtstor/vx/WinXPSP2.Cermalus/WinXPSP2.Cermalus.asm
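The post lists native routines the ring0 component hooks but does not say how the hooks are installed. The following is an added example, not code from the post or from the malware's source: it assumes the hooks are SSDT pointer replacements (an assumption, not something the post states) and shows the classic defender-side check, flagging every service-table entry whose pointer lies outside the kernel image and attributing it to the module that owns it. The SSDT dump text and the module ranges are constructed sample data, not real Windows XP addresses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of loaded-module ranges: name -> (base, size).
# Real bases would come from a kernel debugger or a driver enumerating PsLoadedModuleList.
MODULES: Dict[str, Tuple[int, int]] = {
    "ntoskrnl.exe": (0x804D7000, 0x001F8000),
    "hal.dll": (0x806CF000, 0x00020000),
    "unknown.sys": (0xF7A10000, 0x00010000),  # constructed: an unsigned third-party driver
}

# Constructed sample of an SSDT dump: "<index> <service name> <current pointer>".
# The three hooked names are the ones the post mentions; the addresses are invented.
SSDT_DUMP = """\
0x0074 NtOpenFile 0xF7A1C3B0
0x0075 NtOpenIoCompletion 0x8058D1F0
0x0039 NtDebugActiveProcess 0xF7A1C5A0
0x0040 NtEnumerateBootEntries 0xF7A1C640
0x0041 NtEnumerateKey 0x8059A2C0
"""

LINE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\w+)\s+(0x[0-9A-Fa-f]+)\s*$")


@dataclass
class SsdtEntry:
    index: int
    name: str
    address: int


def parse_ssdt_dump(text: str) -> List[SsdtEntry]:
    """Parse the dump format above into entries; reject lines that do not match."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable SSDT line: {line!r}")
        entries.append(SsdtEntry(int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return entries


def owning_module(address: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Return the module whose [base, base+size) range contains address, or None."""
    for name, (base, size) in modules.items():
        if base <= address < base + size:
            return name
    return None


def find_hooked_entries(
    entries: List[SsdtEntry],
    modules: Dict[str, Tuple[int, int]],
    kernel: str = "ntoskrnl.exe",
) -> List[Tuple[SsdtEntry, Optional[str]]]:
    """Flag every entry whose pointer is not inside the kernel image.

    Each result pairs the entry with the module that owns the pointer; None means
    the pointer is in no known module at all (unlinked or hidden driver).
    """
    hooked = []
    for e in entries:
        mod = owning_module(e.address, modules)
        if mod != kernel:
            hooked.append((e, mod))
    return hooked


if __name__ == "__main__":
    for entry, mod in find_hooked_entries(parse_ssdt_dump(SSDT_DUMP), MODULES):
        print(f"HOOKED {entry.name:<24} idx={entry.index:#06x} -> {entry.address:#010x} "
              f"({mod or 'no known module'})")
```

A pointer that resolves to no known module is the more alarming result, since it usually means the owning driver has unlinked itself from the loaded-module list; on a live system the same comparison should also be run against the on-disk ntoskrnl export table, because a rootkit can inline-patch a routine without touching its SSDT pointer.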
