Alina 3.4 (POS Malware)
xylibox.com/2013/02/alina-34-pos-malware.html

The sample comes from: http://vxvault.siri-urz.net/ViriFiche.php?ID=23179
It was hosted on the website of a deputy.

GetPCname: (screenshot)

Create a mutex: (screenshot)

Create %appdata%\java.exe. If the malware can't, it tries other names in turn (jusched.exe, jucheck.exe, desktop.exe, dwm.exe, win-firewall.exe, adobeflash.exe). If all the names are taken and the files are read-only, the malware is trapped in an infinite loop :)))

Write the file: (screenshot) and if it fails to write, it copies it instead: (screenshot)

Add a registry persistence: (screenshot)

Launch the process: (screenshot)

Encode something (I've not checked what): (screenshot)

Call the C&C: (screenshot)

And fail because the first C&C is dead, so retry with 208.98.63.228.

Backend info:
208.98.63.228:
OrgName: Sharktech
OrgId: SHARK-7
Address: 100 Pinehurst Ct.
City: Missoula
StateProv: MT
PostalCode: 59803
Country: US

Pages seen on the backend (IP redacted as in the original post):
http://xxx.98.63.228/main.php
http://xxx.98.63.228/info.php
http://xxx.98.63.228/test.php
http://xxx.98.63.228/test2.php
http://xxx.98.63.228/api.php
http://xxx.98.63.228/config.php
http://xxx.98.63.228/autoupdate.php
http://xxx.98.63.228/404.html
http://xxx.98.63.228/wordpress/admin.php
http://xxx.98.63.228/forum/admin.php
http://xxx.98.63.228/blog/admin.php
http://xxx.98.63.228/blog/export.php
http://xxx.98.63.228/blog/config.php
http://xxx.98.63.228/blog/front/stats.php
http://xxx.98.63.228/blog/front/cards.php
http://xxx.98.63.228/blog/front/settings.php
http://xxx.98.63.228/blog/front/logs.php

This one is cool because the coder left comments for each action... (screenshots)

I tried to trigger it to send data but I've not succeeded yet. I will see the rest later.

Alina is interesting; I've found many versions: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1756&start=40#p18008
Still, I've not checked these files for the moment; I don't know the differences.
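The dropper behaviour described above (a copy written directly under %appdata% using one of the fallback names, followed by a registry persistence entry) can be hunted for in endpoint logs. The script below is an added example, not code from the original post; it assumes a constructed, pipe-separated event log and assumes the persistence entry is a Run key, which the post does not state.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the post). Fields are
# timestamp|event|host|path|value; Windows paths keep single backslashes.
SAMPLE_LOG = r"""
2013-02-03T16:11:41|FileCreate|POS-01|C:\Users\cashier\AppData\Roaming\java.exe|
2013-02-03T16:11:42|RegSet|POS-01|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\java|C:\Users\cashier\AppData\Roaming\java.exe
2013-02-03T16:20:00|FileCreate|POS-02|C:\Program Files\Java\jre7\bin\java.exe|
2013-02-03T16:25:00|FileCreate|POS-03|C:\Users\mgr\AppData\Roaming\dwm.exe|
"""

# Filenames the post says the dropper tries under %appdata%.
DROP_NAMES = {"java.exe", "jusched.exe", "jucheck.exe", "desktop.exe",
              "dwm.exe", "win-firewall.exe", "adobeflash.exe"}

# A file sitting directly in the roaming %appdata% folder (no sub-directory):
# a legitimate java.exe lives under Program Files, not here.
APPDATA_FILE = re.compile(r"\\AppData\\Roaming\\([^\\]+)$", re.I)
# Assumption: persistence is a Run key; the post only says "registry persistence".
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def parse(log):
    """Yield (event, host, path, value) from the pipe-separated log."""
    for line in log.strip().splitlines():
        _ts, event, host, path, value = line.split("|", 4)
        yield event, host, path, value


def hunt(log):
    """Return {host: severity}. 'medium' = a drop name was written directly
    under %appdata%; 'high' = and a Run key value points at that file."""
    dropped = defaultdict(set)     # host -> lowercased dropped file paths
    persisted = defaultdict(set)   # host -> lowercased Run-key targets
    for event, host, path, value in parse(log):
        m = APPDATA_FILE.search(path)
        if event == "FileCreate" and m and m.group(1).lower() in DROP_NAMES:
            dropped[host].add(path.lower())
        elif event == "RegSet" and RUN_KEY.search(path):
            persisted[host].add(value.strip('"').lower())
    return {host: ("high" if files & persisted[host] else "medium")
            for host, files in dropped.items()}


if __name__ == "__main__":
    for host, severity in sorted(hunt(SAMPLE_LOG).items()):
        print(host, severity)
```

On real hosts the same two signals can be pulled from Sysmon file-create and registry events, or by listing %appdata% and the Run keys directly.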