Peeling “pci32b.exe”
Introduction
Rootkits and trojans are never any fun…at least not for the people who have to remove them. I recently found one infecting a PC in my house, and decided that as I was removing it, I would take a look and try to figure out what it was doing and where it was going.
I’m not sure exactly how this particular infection came about; I merely noticed it as I was scrolling through some active tasks and became suspicious of it. If someone would like to offer more information in this area (perhaps they have set up a dummy that they purposely infected with it), I would love to add it to this report. But for now, I’ll have to make do with the information I’ve collected here.
Executable Analysis
pci32b.exe (available here if you want a look-see) is just 300,032 bytes, making it a little over 293KB in file size. The executable comes installed with the read-only, hidden, and system attributes set, making it difficult for someone who does not know what these attributes do to see or remove the file. If you suspect you’re infected, running the following two lines from a command console will make it visible for you (these commands are for Windows NT-based versions of Windows, I don’t recall Windows 9x ever having had the attrib command).
cd %SYSTEMROOT%\system32
attrib -r -s -h pci32b.exe
After these commands are run, the file should be visible from Windows Explorer and you can delete it at will.
One interesting thing about the binary is that when opened with a competent hex editor, the end of the file has the string “PADDINGXXPADDING” repeated approximately eight times.
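The two static facts above (the 300,032-byte size and the "PADDINGXXPADDING" trailer) are cheap to check without running anything. The following is an added example, not code from the original post: a small triage function that reports size, MD5 and SHA-256 (the hashes are what you would look up or submit elsewhere), and counts how many copies of the padding marker sit in the tail of the file. The sample bytes are constructed here to exercise the code; they are not the real binary, and the 512-byte tail window and the "at least four repeats" threshold are assumptions.

```python
import hashlib

# Facts from the write-up: the sample is 300,032 bytes and the end of the
# file repeats "PADDINGXXPADDING" roughly eight times.
REPORTED_SIZE = 300_032
PADDING_MARKER = b"PADDINGXXPADDING"
TAIL_WINDOW = 512   # bytes of the file tail to inspect (assumed)
MIN_REPEATS = 4     # repeats needed to call the indicator present (assumed)


def count_trailing_padding(data: bytes, marker: bytes = PADDING_MARKER,
                           window: int = TAIL_WINDOW) -> int:
    """Count non-overlapping copies of `marker` within the last `window` bytes."""
    return data[-window:].count(marker)


def triage(data: bytes) -> dict:
    """Static triage of a file image: size check, hashes, padding-trailer indicator."""
    repeats = count_trailing_padding(data)
    return {
        "size": len(data),
        "size_matches_report": len(data) == REPORTED_SIZE,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "padding_repeats": repeats,
        "padding_trailer_present": repeats >= MIN_REPEATS,
    }


# Constructed stand-in for a suspect file: a fake "MZ" header, filler bytes,
# and eight copies of the padding marker. This is NOT the malware sample.
SAMPLE = b"MZ" + b"\x00" * 100 + PADDING_MARKER * 8

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a real file you would call `triage(open(path, "rb").read())`; a hit on the trailer check alone is only an indicator, so pair it with the hashes and the size rather than acting on it by itself.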
Windows Start-Up
This little gem uses not one, but two startup points in the Windows Registry, not far apart from each other, labeling itself as “Windows Express” (which come to think of it is a very awkward and slightly suspicious name). They are:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Both of these entries simply execute “pci32b.exe”, which by analysis of the running copy on my machine is stored in your installation’s System32 folder (typically C:\Windows\System32, but can vary).
As long as either of these registry keys (and of course the appropriate file) are present, the little bugger will start up as your session does.
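Checking those two keys by hand is easy on one machine but tedious on several. The following is an added example, not code from the original post: it parses a REGEDIT-style `.reg` export (the kind you get from `regedit /e`) and flags any value under the Run or RunServices key whose name is “Windows Express” or whose data runs pci32b.exe. The export text below is constructed for the example; the `ctfmon.exe` entry is there only as a benign neighbour so the filter has something to ignore.

```python
import re

# The two autostart keys named in the write-up.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
SUSPECT_VALUE_NAME = "windows express"
SUSPECT_EXE = "pci32b.exe"

KEY_RE = re.compile(r"^\[(.+)\]$")           # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')  # "Name"="string data"


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, data) triples for string values in a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            # .reg files escape backslashes inside string data as "\\".
            data = value_match.group(2).replace("\\\\", "\\")
            entries.append((current_key, value_match.group(1), data))
    return entries


def find_pci32b_autostart(text: str) -> list:
    """Flag Run/RunServices values that match this bot's persistence entries."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key not in AUTOSTART_KEYS:
            continue
        if name.lower() == SUSPECT_VALUE_NAME or SUSPECT_EXE in data.lower():
            hits.append((key, name, data))
    return hits


# Constructed .reg export used as sample input (not a real machine's registry).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Express"="pci32b.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Express"="pci32b.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_pci32b_autostart(SAMPLE_EXPORT):
        print(f"{key}\n    {name!r} -> {data!r}")
```

Both the value name and the executable are matched, so renaming one half of the entry is not enough to slip past the check; everything else under the keys is left alone, which is what you want before deleting anything.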
Application Start-Up
Unlike some applications of the type, pci32b does not bother hiding itself in the processes list, and is quite visible, using only a few hundred K (typically 200-300KB) of memory (which is a very small footprint for what goes on). Anyway, as the program is launched, it initiates a connection using the Internet Relay Chat protocol (the very same protocol I use to communicate, see Contact page if you don’t understand what I mean) to the server irc.elba967.myserver.t-online.de on the non-default port 20755. (In case the DNS changes at a later date, at the time of writing it resolves to 80.154.42.55.)
As part of the authentication with an IRC server, you must declare the nickname you wish to use on the server. This bot handles that by generating a nick consisting of your region, operating system, and the latest level of service pack installed, with (what appears to be) an 8-digit random number appended. The random number is crucial because otherwise, the same configuration would cause a collision; with it, even if the number is already in use, another one can simply be generated on the fly. The nickname generated for my copy, for instance, was [00|USA|XP|SP2]-(omitted for safety).
After a successful connection, the client joins the channel #bot, where no other bots are visible (due to the server configuration in effect). However, the channel (or in this case, bot) “administration” is, and when I connected with a plain IRC client, the only one who seemed to be in the control channel was “PROPH3T”. A simple ‘whois’ command resolved that “PROPH3T” was connecting from noob.und.so (which at the time of writing resolves to absolutely nowhere, indicating that it is a fake hostmask employed by the user).
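The connection details above (server, non-default port, the structured nickname, and the #bot channel) are exactly what you would want an egress log or IDS rule to catch. The following is an added example, not code from the original post: it scores one outbound IRC session, given the destination and the client-to-server command lines, against those indicators. The two sessions are constructed (the nick’s digits are made up, and irc.example.net is a placeholder); the set of “standard” IRC ports used for the non-default-port check and the slightly loosened digit count in the nick pattern are assumptions of this example.

```python
import re

# Command-and-control details recorded in the write-up.
C2_HOST = "irc.elba967.myserver.t-online.de"
C2_IP = "80.154.42.55"
C2_PORT = 20755
CONTROL_CHANNEL = "#bot"

# Nick shape from the write-up: [00|USA|XP|SP2]-<8 digits>. The author says the
# number "appears to be" 8 digits, so \d{6,} is kept a little loose (assumed).
BOT_NICK_RE = re.compile(r"^\[\d{2}\|[A-Z]+\|[A-Z0-9]+\|SP\d\]-\d{6,}$")

# Ports an ordinary IRC client would normally use (assumed convention).
STANDARD_IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}


def check_irc_session(dest_host: str, dest_port: int, lines: list) -> list:
    """Return the list of indicators one client-to-server IRC session trips."""
    indicators = []
    if dest_host in (C2_HOST, C2_IP):
        indicators.append(f"known C2 host {dest_host}")
    if dest_port not in STANDARD_IRC_PORTS:
        indicators.append(f"IRC on non-standard port {dest_port}")
    for line in lines:
        parts = line.strip().split(" ", 1)
        if len(parts) != 2:
            continue
        command, argument = parts[0].upper(), parts[1]
        if command == "NICK" and BOT_NICK_RE.match(argument):
            indicators.append(f"bot-style nick {argument}")
        elif command == "JOIN" and argument.split(",")[0].lower() == CONTROL_CHANNEL:
            indicators.append(f"joined control channel {argument}")
    return indicators


# Constructed sessions: what the bot's traffic looks like per the write-up,
# and a benign client for comparison. Neither is a real capture.
INFECTED_SESSION = [
    "NICK [00|USA|XP|SP2]-48213907",
    "USER pci32b 0 * :pci32b",
    "JOIN #bot",
]
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #linux",
]

if __name__ == "__main__":
    print(check_irc_session(C2_HOST, C2_PORT, INFECTED_SESSION))
    print(check_irc_session("irc.example.net", 6697, BENIGN_SESSION))
```

The host and IP are the weakest indicators, since both can change at the operator’s whim; the nick pattern and the channel name survive a server move, which is why the check scores each indicator separately instead of stopping at the first match.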
Botnet!
What this bot is used for can only be assumed, because I have not logged any actual activity in the time I’ve been monitoring the channel. If you want to, go ahead, and either run your copy of the executable with a copy of Wireshark monitoring your traffic as well, or join up with any old client (as long as they don’t notice you in a sea of user lists, or you can hide yourself with a similar nickname to the one I’ve pasted as an example, you should be fine). If it’s like any other bot, it will probably just be for distributed denial-of-service attacks and possible spam-sending.
Commentary/Conclusion
Considering the behaviors of the malware, and the description provided by several prominent security companies, pci32b may not be far off from a variant of Bifrose/Bifrost, a long-known family of malware, and hopefully will be caught by future virus definitions for your favorite virus suite.
In the meantime, keep your guard up and be on the lookout (as always) for odd-looking applications running on your system.
Appendix (1/2/2007)
I found a service called VirusTotal that will allow you to upload files and test them against 32 common virus scanners for infection, and additionally opt-in to submit suspicious files to the virus definition teams for each client for analysis and detection in later updates. Obviously I was not the first to upload the file, as it already had results logged, and they were very surprising.
I’ve used Symantec AntiVirus for ages (the lightweight version of Norton, without all the yellow newbie stuff and the taskbar bloat), and at the time of submission (and even as I add this) it still fails to see anything wrong with the file. Surprisingly, McAfee fares no better; less-common software such as AVG and BitDefender has no problem identifying the malware.
Of course, the best path is to have multiple layers of protection against such elements, and find someone who can not only help you fix your problem, but identify it, analyze it, and give you a list of any avenues of entry it may have come in through. Tools like VirusTotal are also good for identification; if you think something is suspicious, you can very well send it to the service and have it run against a multitude of up-to-date tools at once.