sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex ... - CrySyS Lab
Trial 2
nteps, soapr, to691 are removed to test whether these files are needed for the malware to start.
Windows update traffic starts 1:40 min after starting rundll32 for startup. At iexplore exit, ccalc32.sys immediately appeared. ~HLV files appear about 1:20 min after the appearance of ccalc32.sys. The exact timestamp was 23:45:00 (local time); the sharp seconds value (:00) seems suspicious.
Results: nteps, soapr, to691 are not needed for startup

Trial 4
Starting with Rundll32 at 23:49:20
23:51:06 windowsupdate traffic begins
23:52:48 iexplore quits, about 3 seconds later ccalc appears
23:54:25 ~HLV files found in windows/temp
msglu32.ocx exists, creation time is 2004, change time is current local time

Trial 5
Removing nteps, soapr, to691, msglu to be sure that msglu is indeed created during startup.
Results: Malware is still running; msglu32 is created at the same time as the ~HLV files begin to be created. Order of events:
1. iexplore + windowsupdate traffic
2. traffic stops, ccalc32 created, some 1:20 min delay
3. ~HLV files begin to appear and msglu is deployed
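The trial notes above are a manual timeline; the script below is an added example (not from the CrySyS report) that correlates such sandbox observations automatically: it parses constructed "HH:MM:SS event" lines built from the Trial 4 timestamps (the 23:52:51 ccalc32 line assumes the "about 3 seconds later" note), computes offsets from the rundll32 start, verifies the Trial 5 event order, and flags the round ":00" timestamps the notes call suspicious.

```python
"""Correlate sandbox trial observations into a timeline (added example)."""
from datetime import datetime, timedelta

# Event markers in the order observed in Trial 5 (substring-matched, case-insensitive).
EXPECTED_ORDER = ["rundll32", "windowsupdate", "iexplore quit", "ccalc32", "~HLV"]

# Constructed sample log using the Trial 4 timestamps; the ccalc32 time is assumed
# from the "about 3 seconds later" note.
TRIAL4_LOG = """\
23:49:20 rundll32 started
23:51:06 windowsupdate traffic begins
23:52:48 iexplore quits
23:52:51 ccalc32.sys created
23:54:25 ~HLV files found in windows/temp
"""

def parse_timeline(text):
    """Return [(offset_seconds, event)] relative to the first entry.
    Wall-clock stamps carry no date, so a backwards jump is treated as midnight rollover."""
    events, prev, day = [], None, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event = line.split(" ", 1)
        t = datetime.strptime(stamp, "%H:%M:%S")
        if prev is not None and t < prev:
            day += 1                      # clock wrapped past 00:00:00
        prev = t
        events.append((t + timedelta(days=day), event))
    start = events[0][0]
    return [(int((t - start).total_seconds()), e) for t, e in events]

def check_order(timeline, expected=EXPECTED_ORDER):
    """True if every expected marker occurs, in the expected sequence, in the event texts."""
    idx = 0
    for _, event in timeline:
        if idx < len(expected) and expected[idx].lower() in event.lower():
            idx += 1
    return idx == len(expected)

def delta_between(timeline, first, second):
    """Seconds from the first event containing `first` to the first containing `second`."""
    t1 = next(off for off, e in timeline if first.lower() in e.lower())
    t2 = next(off for off, e in timeline if second.lower() in e.lower())
    return t2 - t1

def round_second_stamps(text):
    """Timestamps whose seconds field is exactly :00, the pattern the notes flag as suspicious."""
    return [ln.split(" ", 1)[0] for ln in text.splitlines() if ln[:8].endswith(":00")]
```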
Laboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economics
www.crysys.hu