
Filed Under: WEEKLY REVIEW

Some harmless fakealerts

29 August 2008
You are probably asking yourself where last week's review disappeared to. Well, let's put it this way: the mountains got the better of me. Yep, I took a break, I'm all to blame. But hey, at least this week you're going to get an extra fat one from me.

Let's start with a harmless fakealert Trojan called Trojan.Fakealert.AAF. It drops two files with random names in the %windir%/system32 folder: one is a *.bmp file and the other a *.scr file. The first is used as the background image on the victim's desktop, warning of fake malware infections (see Img 1). The second is the blue-screen screensaver joke from Sysinternals, meant to scare users and trick them into rebooting their computer, which keeps the virus running (because it sets itself to execute at every system startup).

Img 1: Fake infection warning image used to scare users and trick them into buying rogue antivirus software

The next e-threat we are going to look at is also a fakealert Trojan, actually a more advanced version of Trojan.Fakealert.AAF. Called Trojan.Fakealert.AAH by the BitDefender research lab, it downloads three files, unlike its predecessor. Two of them are the same bmp and scr files dropped by Trojan.Fakealert.AAF; the third, however, is an executable file, a copy of itself. It creates and runs a *.bat file which deletes the original copy and launches the one from %windir%/system32. Furthermore, this Trojan downloads a rogue antivirus program called “Antivirus XP 2008” that is installed in a randomly named folder in %programfiles%. Once installed, it starts scanning the system and warns about false infections, recommending that the user buy a license to get clean. Trojan.Fakealert.AAH also creates registry keys to ensure that it starts at every system reboot.

Trojan.Fakealert.ZV, however, is a different breed from the two mentioned before. Upon infection it creates a file in %windir%/system32 called zgyhv.dll and sets it to load at system startup using the following registry keys:

HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\(Default) "C:\WINNT\system32\zgyhw.dll"
HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32\ThreadingModel "Apartment"

The dll file creates a blinking system tray icon that warns the victim of fake malware infections. If the user clicks it, a browser window opens with the website of a rogue antivirus program called antispycheck. Trojan.Fakealert.ZV also creates an entry in the “add/remove programs” list called “Windows Safety Alert” which, however, only removes the executable file, which is obsolete at this point. To remove zgyhv.dll the user first has to delete the registry entries and reboot, and only then delete the file, because it is injected into explorer.exe.

Next we will take a look at Trojan.Downloader.JKIZ. As the name says, this Trojan is meant to download other malicious applications; to do so, it downloads lists of URLs from different locations and saves them on the victim's computer under random names like “C:\00f60e91010983”. The content of these files looks similar to this:
36
http://0.0o-??????/zip1.exe
http://0.0o-??????/zip2.exe
http://0.0o-??????/zip3.exe
http://0.0o-??????/zip4.exe
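The list format above (a decimal count on the first line, then one download URL per line) is simple enough to parse in a few lines, and doing so is useful on the defensive side: the declared count tells you whether a recovered file is truncated, and the hosts give you a block list. The following is an added example written for this post, not code from the original article; it assumes only the layout shown above, and the host names in the constructed sample are placeholders rather than the redacted ones in the post.

```python
"""Parse the URL-list files dropped by Trojan.Downloader.JKIZ.

Added example, not code from the original post. Assumed format, taken from
the sample in the post: first line is a decimal count, followed by one
download URL per line. Host names below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed sample mirroring the layout in the post (hosts are placeholders,
# not real infrastructure). The count is 36 but only four URLs survive, which
# is exactly what a truncated recovery looks like.
SAMPLE_LIST = """36
http://dl1.example.invalid/zip1.exe
http://dl1.example.invalid/zip2.exe
http://dl2.example.invalid/zip3.exe

http://dl2.example.invalid:8080/zip4.exe
"""


def parse_url_list(text):
    """Return (declared_count, urls) from a downloader list file.

    Blank lines are ignored. Lines that do not parse as http(s) URLs are
    skipped so a single corrupt line does not hide the rest of the list.
    declared_count is None when the file has no numeric header.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return 0, []
    try:
        declared = int(lines[0])
        body = lines[1:]
    except ValueError:
        declared = None          # no count header: treat every line as a URL
        body = lines
    urls = []
    for ln in body:
        parts = urlsplit(ln)
        if parts.scheme in ("http", "https") and parts.netloc:
            urls.append(ln)
    return declared, urls


def list_is_complete(text):
    """True only if the header count matches the number of parsed URLs."""
    declared, urls = parse_url_list(text)
    return declared is not None and declared == len(urls)


def block_list_hosts(urls):
    """Distinct host names (ports stripped) for a DNS sinkhole or proxy block list."""
    return sorted({urlsplit(u).hostname for u in urls})


def dropped_filenames(urls):
    """File names the downloader would write, useful as file-system indicators."""
    return [urlsplit(u).path.rsplit("/", 1)[-1] for u in urls]


if __name__ == "__main__":
    declared, urls = parse_url_list(SAMPLE_LIST)
    print("declared:", declared, "parsed:", len(urls),
          "complete:", list_is_complete(SAMPLE_LIST))
    print("hosts:", block_list_hosts(urls))
    print("files:", dropped_filenames(urls))
```

A count that does not match the number of URLs is worth recording in the analysis notes: it means either the capture is partial or the operator's list changed between the header and the body.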

Upon execution the malware drops two executables in the following locations: %windir%\system32\debug.exe and %windir%\system32\drivers\beep.sys. Beep.sys is installed as a Windows service that starts at every system reboot. Debug.exe is used to disable Task Manager and other antivirus applications through the registry, by registering itself in place of the original application so that it is executed instead. After the installation process the Trojan creates and launches a batch file which deletes the original executable.

The downloaded threats are usually online game password stealers.

This week we also have a nasty backdoor on our analysis list. Called Trojan.Spy.Wsnpoem.HA, it copies itself to %WINDIR%\system32\ntos.exe or %userprofile%\Application Data\ntos.exe and adds registry entries to execute at system startup. Trojan.Spy.Wsnpoem.HA also injects itself into svchost.exe and winlogon.exe to make it harder to delete. Besides backdoor capabilities, it also provides a proxy for the attacker.

A more advanced and dangerous threat is Trojan.Spy.Zbot.KJ, which actually makes use of Trojan.Spy.Wsnpoem.HA for certain actions. The Trojan carries a *.xls (Excel spreadsheet) file icon to trick users into launching it. It does not have a spreading routine of its own; it is spammed out by e-mail.

Trojan.Spy.Zbot comes in an encrypted form, but after execution a version of Trojan.Spy.Wsnpoem is detected by BitDefender Antivirus. After creating the registry keys mentioned above and injecting itself into svchost.exe and winlogon.exe, it opens random TCP ports for its backdoor and proxy functionality. The Trojan deletes the Internet Explorer cookies and resets the default homepage. It hides its files using rootkit techniques, making them invisible to explorer.exe.

It also creates the following files, which contain encrypted data: %windir%\sysproc64\sysproc32.sys, C:\Windows\system32\oembios.bin and %windir%\system32\oembios.dat.

It creates the following mutex as a signature of the infected system: __SYSTEM__91C38905__
It tries to download http://195.2.252.[removed]/n.bin, which contains encrypted data.

Further investigation shows that the download server was registered in the same IP class (near Moscow) as other servers known to sell drugs such as Viagra, Cialis and so on.
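The file paths, the CLSID registry key from the Trojan.Fakealert.ZV write-up above and the Zbot mutex are the kind of indicators a responder wants to sweep a fleet for, and the only real work is normalising them (placeholders such as %windir%, case, slashes) before comparing. Below is an added example written for this review, not code from the original post or from BitDefender: it checks those indicators against a host inventory. The inventory layout (a dict of files, registry keys and mutex names) is an assumption standing in for whatever a host-survey tool exports, and its contents are constructed for the demo; the indicators themselves are the ones quoted in the review.

```python
"""Match the host indicators listed in this review against a host inventory.

Added example, not code from the original post or from BitDefender. The
inventory format (files, registry keys, mutexes) is an assumption; the sample
inventory values are constructed, the indicators are the ones in the review.
"""
import ntpath
import re

# Indicators as written in the review, using the same %var% placeholders.
INDICATORS = {
    "files": [
        r"%windir%\system32\zgyhv.dll",                # Trojan.Fakealert.ZV
        r"%windir%\system32\ntos.exe",                 # Trojan.Spy.Wsnpoem.HA
        r"%userprofile%\Application Data\ntos.exe",    # Trojan.Spy.Wsnpoem.HA
        r"%windir%\sysproc64\sysproc32.sys",           # Trojan.Spy.Zbot.KJ
        r"%windir%\system32\oembios.bin",              # Trojan.Spy.Zbot.KJ
        r"%windir%\system32\oembios.dat",              # Trojan.Spy.Zbot.KJ
    ],
    "registry": [
        r"HKLM\Software\Classes\CLSID\{2f199d0e-f3e7-41a7-a060-816c24cceea0}\InProcServer32",
    ],
    "mutexes": ["__SYSTEM__91C38905__"],               # Trojan.Spy.Zbot.KJ
}

# Constructed environment for the host being checked (assumed values).
SAMPLE_ENV = {"windir": r"C:\WINDOWS", "userprofile": r"C:\Documents and Settings\user"}

# Constructed inventory: what a survey tool might report from one host. Case and
# slash style deliberately differ from the indicators to exercise normalisation.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\system32\NTOS.EXE",
        r"C:/Windows/System32/oembios.dat",
        r"C:\WINDOWS\system32\calc.exe",
    ],
    "registry": {
        r"hklm\software\classes\clsid\{2F199D0E-F3E7-41A7-A060-816C24CCEEA0}\inprocserver32": {
            "(Default)": r"C:\WINNT\system32\zgyhw.dll",
            "ThreadingModel": "Apartment",
        },
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {},
    },
    "mutexes": ["__SYSTEM__91C38905__", "Global\\SomeLegitApp"],
}


def expand(path, env):
    """Expand %windir%-style placeholders, then normalise case and slashes
    the way Windows compares paths (ntpath works on any host OS)."""
    def sub(m):
        return env.get(m.group(1).lower(), m.group(0))
    path = re.sub(r"%([^%]+)%", sub, path)
    return ntpath.normcase(ntpath.normpath(path))


def match_indicators(inventory, env):
    """Return a list of (kind, raw_value) hits found in the inventory."""
    hits = []
    wanted_files = {expand(p, env) for p in INDICATORS["files"]}
    for f in inventory.get("files", []):
        if expand(f, env) in wanted_files:
            hits.append(("file", f))
    wanted_keys = {expand(k, env) for k in INDICATORS["registry"]}
    for key in inventory.get("registry", {}):
        if expand(key, env) in wanted_keys:
            hits.append(("registry", key))
    for m in inventory.get("mutexes", []):
        if m in INDICATORS["mutexes"]:
            hits.append(("mutex", m))
    return hits


if __name__ == "__main__":
    for kind, value in match_indicators(SAMPLE_INVENTORY, SAMPLE_ENV):
        print(f"{kind:8} {value}")
```

The mutex is the cheapest of these to check live (it exists only while the bot runs), the registry key survives reboots, and the file indicators work even on an offline disk image, so a sweep that covers all three sources catches more than any one alone.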

As the last entry in this review, I will mention Worm.P2P.Dilly.A. It is a worm written in Delphi, generally 790,528 bytes long. It spreads over the DC++ peer-to-peer network disguised under fake pornographic movie names that actually end in a *.scr extension.

The worm locates the DC++ client folder using the registry path HKEY_LOCAL_MACHINE\SOFTWARE\MagnetHandlers\DC++, whose ShellExecute value contains the path to DCPlusPlus.exe. It then opens the program's configuration file, DcPlusPlus.xml, which it expects to find in the Settings subfolder. From the configuration file the worm retrieves the list of shared folders.

In the shared folders it has found, the worm stores copies of itself, to which it appends a random number of null bytes so that they better resemble genuine video files. It generates random names from the following word list: (full), hard, porn, ass, dildo, incest, pedo, fucked, piss, lesbi, girls, angels, r@ygold, preteen, lolita, sex, xxx, rape, bdsm, drunk, 11yo, 10yo. It then appends a fake .WMV, .AVI, .MPG, .MP4 or .MPEG extension, followed by the real .SCR extension.

It also generates a "removal" script for all the copies of itself that it creates, which is unusual behavior for a worm. The script is a batch file whose name follows the pattern [root-folder]:_undo_[date]_[time].bat. The script contains a delete command for each copy, such as: del "c:\shared\RAPE sex Girls R@YGOLD Xxx angels.MP4.scr".

The original copy of the worm deletes itself using a batch script.
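Two of the traits described above give a share administrator something concrete to look for: a media extension sitting directly in front of the real .SCR extension, and a long run of null bytes at the end of the file. The undo script the worm leaves behind is itself a ready-made list of what it dropped. The following is an added example written for this post, not the worm's code and not BitDefender's: it scans a constructed DC++ share in a temporary directory for both traits and parses a constructed _undo_ batch file. The null-byte threshold and the constructed file names are assumptions for the demo.

```python
"""Spot Worm.P2P.Dilly.A-style disguised files in a DC++ share.

Added example, not code from the original post. It applies two traits from
the review (fake video extension right before the real executable extension,
and a run of null bytes appended as padding) and parses the worm's own
_undo_*.bat script to list the copies it dropped. The share contents are
constructed in a temp dir; the threshold is an assumed value.
"""
import os
import re
import tempfile

FAKE_MEDIA = {".wmv", ".avi", ".mpg", ".mp4", ".mpeg"}   # extensions named in the review
EXECUTABLE = {".scr", ".exe", ".com", ".pif"}            # what actually runs
MIN_NULL_TAIL = 64   # assumed: real video containers rarely end in a long zero run


def has_double_extension(name):
    """True for names such as clip.MP4.scr: media extension followed by an executable one."""
    base, last = os.path.splitext(name.lower())
    _, prev = os.path.splitext(base)
    return last in EXECUTABLE and prev in FAKE_MEDIA


def null_tail_length(path, window=4096):
    """Count trailing zero bytes, reading only the end of the file."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - window))
        tail = fh.read()
    n = 0
    for b in reversed(tail):
        if b != 0:
            break
        n += 1
    return n


def scan_share(folder):
    """Names of files in folder that look like disguised, padded executables."""
    suspicious = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        is_exe = os.path.splitext(name.lower())[1] in EXECUTABLE
        if has_double_extension(name) or (is_exe and null_tail_length(path) >= MIN_NULL_TAIL):
            suspicious.append(name)
    return suspicious


UNDO_LINE = re.compile(r'^\s*del\s+"([^"]+)"\s*$', re.IGNORECASE)


def parse_undo_script(text):
    """Paths listed in the worm's undo batch file, one per del "..." line."""
    paths = []
    for ln in text.splitlines():
        m = UNDO_LINE.match(ln)
        if m:
            paths.append(m.group(1))
    return paths


def build_demo_share():
    """Constructed share: one benign clip, two disguised copies, a text file, an undo script."""
    folder = tempfile.mkdtemp(prefix="dcshare_")
    with open(os.path.join(folder, "holiday.avi"), "wb") as fh:
        fh.write(b"RIFF" + b"\x01" * 200)                    # not a real AVI, just non-zero data
    with open(os.path.join(folder, "hard girls xxx.MP4.scr"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 100 + b"\x00" * 500)      # stub plus null padding
    with open(os.path.join(folder, "drunk angels.scr"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 100 + b"\x00" * 500)      # padded, single extension
    with open(os.path.join(folder, "readme.txt"), "w") as fh:
        fh.write("nothing here\n")
    script = ('del "c:\\shared\\hard girls xxx.MP4.scr"\n'
              'del "c:\\shared\\drunk angels.scr"\n')
    with open(os.path.join(folder, "_undo_2008-08-29_120000.bat"), "w") as fh:
        fh.write(script)
    return folder


if __name__ == "__main__":
    share = build_demo_share()
    print("suspicious:", scan_share(share))
    with open(os.path.join(share, "_undo_2008-08-29_120000.bat")) as fh:
        print("undo script lists:", parse_undo_script(fh.read()))
```

The double-extension rule catches the names the review describes; the null-tail rule also catches a padded copy that was renamed with a single .scr extension, and reading only the last few kilobytes keeps the scan cheap on large shares.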
