Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.
Real photo in the attachment
attach password: 123
The Georgia.zip file contains joined.exe. When executed, the malware creates %Temp%\LOADER.19B099.EXE and uses BITS (Background Intelligent Transfer Service) to download filebyaka.exe and exe.php from the Chinese-hosted site reddii.org (220.196.42.217). The exe.php page returns a 404 error.
http[:]//reddii.org//traffic/all/files/filebyaka.exe
http[:]//reddii.org/traffic/ft08/exe.php
The malware filebyaka.exe copies itself as %system%\lphcavej0e7bp.exe and creates the following files.
%system%\phcavej0e7bp.bmp
%system%\blphcavej0e7bp.scr
%temp%\.tt2.tmp
%temp%\.tt2.tmp.vbs
%temp%\.tt3.tmp
%temp%\.tt4.tmp
%temp%\.tt5.tmp
%temp%\.tt6.tmp
The following registry keys set phcavej0e7bp.bmp and blphcavej0e7bp.scr as the Windows desktop background and screensaver respectively.
HKEY_CURRENT_USER\Control Panel\Desktop
"ConvertedWallpaper" = C:\WINDOWS\System32\phcavej0e7bp.bmp
"SCRNSAVE.EXE" = C:\WINDOWS\System32\blphcavej0e7bp.scr
"WallpaperStyle" = 0
"ScreenSaveActive" = 1
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
"EulaAccepted" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
"InstallID" = Data: dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1
A registry key launches the malware lphcavej0e7bp.exe at startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lphcavej0e7bp" = Data: C:\WINDOWS\System32\lphcavej0e7bp.exe
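A defender-side check for the registry changes listed above, written here as an added example (not part of the original report): it parses a .reg-style export and flags the Run entry, the replaced screensaver, and the hidden Control Panel pages. The sample export is constructed, and the file-name pattern ROGUE_NAME is an assumption derived from the names in this one report.

```python
import re

# Constructed .reg-style export using key paths and value names from this
# report, plus one benign Run entry (ctfmon) for contrast.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\blphcavej0e7bp.scr"
"ScreenSaveActive"="1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"
"lphcavej0e7bp"="C:\\WINDOWS\\System32\\lphcavej0e7bp.exe"
"""

# The dropped files in this report (lphcavej0e7bp.exe, blphcavej0e7bp.scr,
# rhcevej0e7bp.exe) share the shape <1-3 letters>hc<9 alphanumerics>.<ext>;
# assumption: derived from this one sample, not a documented naming rule.
ROGUE_NAME = re.compile(r"[a-z]{1,3}hc[a-z0-9]{9}\.(?:exe|scr|bmp)$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.I)


def parse_reg(text):
    """Yield (key, name, value); dword values become int, strings are unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            name, dword, string = m.groups()
            yield key, name, (int(dword, 16) if dword is not None else string.replace("\\\\", "\\"))


def find_rogue_indicators(text):
    """Return findings for the persistence and Control Panel lockdown changes this report describes."""
    findings = []
    for key, name, value in parse_reg(text):
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "Run" and ROGUE_NAME.search(str(value)):
            findings.append(f"autostart: {name} -> {value}")
        elif name.upper() == "SCRNSAVE.EXE" and ROGUE_NAME.search(str(value)):
            findings.append(f"screensaver replaced: {value}")
        elif leaf == "System" and name.startswith("NoDisp") and value == 1:
            findings.append(f"control panel page hidden: {name}")
    return findings
```

On a live host the same logic can be run over the output of `reg export` for the two hives, or over a forensic hive dump converted to .reg text.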
The file .tt2.tmp.vbs is used to suppress System Restore points for the installation.
The malware lphcavej0e7bp.exe retrieves graphics from the following domains and issues DNS requests, which do not resolve, for variable_string.chr.santa-inbox.com.
avxp-2008.net (78.159.96.17)
stat-avxp-2008.net (78.159.96.16)
www[.]avxp-2008.net (78.159.96.16)
DNS Sample:
404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com
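A DNS-log check for the beacon pattern above, added here as an example rather than code from the original report. It flags any name under chr.santa-inbox.com and, for names matching the shape of the sample (the variable string read as counter.n.32-hex-id, which is an assumption from this one sample), extracts the 32-hex id; that id is the same value the rogue writes as ADVid under HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp, so it links a DNS hit to a host artefact. The log lines are constructed.

```python
import re

# Constructed DNS query log, "<timestamp> <client> <qname> <rcode>" per line. The
# first rogue name is the report's own sample; the others are made up here.
SAMPLE_DNS_LOG = """\
2008-08-13T10:01:02 10.0.0.5 www.example.com NOERROR
2008-08-13T10:01:07 10.0.0.5 404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com NXDOMAIN
2008-08-13T10:02:11 10.0.0.9 reddii.org NOERROR
2008-08-13T10:03:40 10.0.0.5 405001.2.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com NXDOMAIN
2008-08-13T10:04:00 10.0.0.7 mail.santa-inbox.com NOERROR
2008-08-13T10:05:15 10.0.0.9 zzz.chr.santa-inbox.com NXDOMAIN
"""

# Assumed structure of the variable string, read off the report's one sample:
# <counter>.<n>.<32 hex chars>. The 32-hex field equals the ADVid value the
# rogue writes under HKLM\SOFTWARE\rhcevej0e7bp, so it pivots from DNS to host.
BEACON_RE = re.compile(
    r"^(?P<counter>\d+)\.(?P<n>\d+)\.(?P<advid>[0-9a-f]{32})\.chr\.santa-inbox\.com$")


def classify_query(qname):
    """("beacon", advid) for the assumed pattern, ("suffix-only", None) for any
    other *.chr.santa-inbox.com name, None for everything else."""
    q = qname.rstrip(".").lower()
    m = BEACON_RE.match(q)
    if m:
        return "beacon", m.group("advid")
    if q.endswith(".chr.santa-inbox.com"):
        return "suffix-only", None
    return None


def scan_dns_log(text):
    """Map each client address to {advid or '?': count} over matching queries."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, _rcode = parts
        result = classify_query(qname)
        if result is None:
            continue
        kind, advid = result
        bucket = hits.setdefault(client, {})
        label = advid if kind == "beacon" else "?"
        bucket[label] = bucket.get(label, 0) + 1
    return hits
```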
.tt5.tmp:1288
The file .tt5.tmp:1288, originally created by filebyaka.exe, creates several temp files and a persistent window that attempts to force a victim into installing the rogue antispyware program Antivirus XP 2008.
%Temp%\nsn7.tmp
%Temp%\nsn8.tmp
%Temp%\nsn9.tmp
%Temp%\nsd9.tmp\MachineKey.dll
%Temp%\nsd9.tmp\Mutex.dll
%Temp%\nsd9.tmp\System.dll
%Temp%\.tt5.tmp.exe
%Temp%\nsd9.tmp\md5dll.dll
%Temp%\nsd9.tmp\rc4hex.dll
%Temp%\nsd9.tmp\euladlg.dll
Clicking on the persistent Antivirus XP 2008 window causes the file .tt5.tmp:1288 to create the Program Files folder rhcevej0e7bp and several Antivirus XP 2008 installation files.
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
C:\Program Files\rhcevej0e7bp\database.dat
C:\Program Files\rhcevej0e7bp\msvcp71.dll
C:\Program Files\rhcevej0e7bp\MFC71.dll
C:\Program Files\rhcevej0e7bp\MFC71ENU.DLL
C:\Program Files\rhcevej0e7bp\msvcr71.dll
C:\Program Files\rhcevej0e7bp\license.txt
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe.local
C:\Program Files\rhcevej0e7bp\Uninstall.exe
The file rhcevej0e7bp.exe creates %system%\pphcavej0e7bp.exe.
The following registry keys are created; the Run entry launches rhcevej0e7bp.exe (Antivirus XP 2008) at startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"rhcevej0e7bp" = CA, 1E, B7, 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
"AntivirXP08" = AntivirXP08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SMrhcevej0e7bp" = C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp
"DisplayName" = AntivirXP08
"UninstallString" = "C:\Program Files\rhcevej0e7bp\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp
"(Default)" = C:\Program Files\rhcevej0e7bp
"ADVid" = ea1791ca31f623f9821f379c529dc3f5
"AutomaticallyUpdates" = 1
"BackgroundScan" = 1
"BackgroundScanTimeout" = 1
"BuyDiscUrl" = HEX
"BuyUrl" = HEX
"DatabaseVersion" = 2.1
"DaysInterval" = 7
"domain" = HEX
"EngineVersion" = 2.1
"GuiVersion" = 2.1
"InstallDir" = C:\Program Files\rhcevej0e7bp
"LastTimeStamp" = 0C, 01, 00, 00
"MinimizeOnStart" = 0
"ProgramVersion" = 2.1
"ProxyName"
"ProxyPort" = 0
"ScanDepth" = 2
"ScanPriority" = 1
"ScanSystemOnStartup" = 1
"SoftID" = AntivirXP08
The rogue antispyware program Antivirus XP 2008 displays fake alerts to persuade users to buy it. The malware is detected as Trojan.Blusod (Symantec).
The following files were collected during malware analysis.