Friday, August 29, 2008

Journalists shot in Georgia -

Around 19 August 2008, numerous security researchers and vendors reported a wave of malspam related to the Russia/Georgia conflict. The emails had the subject “Journalists shot in Georgia” and carried a password-protected zip attachment. The email body contained a message about the conflict together with the password for the zip file. The following is a sample message:

Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.

Real photo in the attachment

attach password: 123

The zip file contains joined.exe. When executed, the malware creates %Temp%\LOADER.19B099.EXE and uses BITS (Background Intelligent Transfer Service) to download filebyaka.exe and exe.php from a Chinese-hosted site ( ). The exe.php page returned a 404 error. Because the download is handed to the BITS service, the network activity belongs to the service process rather than to the dropper itself, and the job persists across reboots; pending jobs can be listed on the host with the bitsadmin tool.


The malware filebyaka.exe copies itself to %System%\lphcavej0e7bp.exe (the two files have the same MD5 in the file table below) and creates the following files:


The following registry values set phcavej0e7bp.bmp and blphcavej0e7bp.scr as the Windows desktop background and screensaver respectively. NoDispBackgroundPage and NoDispScrSavPage are the Windows policy settings that hide the Background and Screen Saver tabs of the Display control panel, so the user cannot simply change them back. The Sysinternals Bluescreen Screen Saver key indicates that the dropped .scr is the Sysinternals fake blue-screen screensaver; pre-accepting its EULA lets it run without prompting.

HKEY_CURRENT_USER\Control Panel\Desktop
"ConvertedWallpaper" = C:\WINDOWS\System32\phcavej0e7bp.bmp
"SCRNSAVE.EXE" = C:\WINDOWS\System32\blphcavej0e7bp.scr
"WallpaperStyle" = 0
"ScreenSaveActive" = 1
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
"EulaAccepted" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
"InstallID" = Data: dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1

The following registry value launches lphcavej0e7bp.exe at startup:

"lphcavej0e7bp" = Data: C:\WINDOWS\System32\lphcavej0e7bp.exe

The script .tt2.tmp.vbs is used to prevent System Restore from creating restore points during the installation, removing an easy rollback path.

The malware lphcavej0e7bp.exe retrieves graphics from the following domains and performs DNS requests (unresolved) for them (78.159.96.17, 78.159.96.16):
www[.] (78.159.96.16)

DNS Sample:

The file .tt5.tmp:1288 (listed as .tt5.tmp.exe in the file table below), originally created by filebyaka.exe, creates several temp files and a persistent window that attempts to force the victim into installing the rogue antispyware program Antivirus XP 2008.


Clicking the persistent Antivirus XP 2008 window causes .tt5.tmp:1288 to create the Program Files folder rhcevej0e7bp and the following Antivirus XP 2008 installation files:

C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
C:\Program Files\rhcevej0e7bp\database.dat
C:\Program Files\rhcevej0e7bp\msvcp71.dll
C:\Program Files\rhcevej0e7bp\MFC71.dll
C:\Program Files\rhcevej0e7bp\MFC71ENU.DLL
C:\Program Files\rhcevej0e7bp\msvcr71.dll
C:\Program Files\rhcevej0e7bp\license.txt
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe.local
C:\Program Files\rhcevej0e7bp\Uninstall.exe

The file rhcevej0e7bp.exe creates %System%\pphcavej0e7bp.exe.

The following registry values are set by the installer. The SMrhcevej0e7bp value launches rhcevej0e7bp.exe (Antivirus XP 2008) at startup; the Post Platform value appends the token AntivirXP08 to the Internet Explorer User-Agent string, which makes infected hosts identifiable in proxy and web server logs.

"rhcevej0e7bp" = CA, 1E, B7, 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
"AntivirXP08" = AntivirXP08
"SMrhcevej0e7bp" = C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp
"DisplayName" = AntivirXP08
"UninstallString" = "C:\Program Files\rhcevej0e7bp\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp
"(Default)" = C:\Program Files\rhcevej0e7bp
"ADVid" = ea1791ca31f623f9821f379c529dc3f5
"AutomaticallyUpdates" = 1
"BackgroundScan" = 1
"BackgroundScanTimeout" = 1
"BuyDiscUrl" = HEX
"BuyUrl" = HEX
"DatabaseVersion" = 2.1
"DaysInterval" = 7
"domain" = HEX
"EngineVersion" = 2.1
"GuiVersion" = 2.1
"InstallDir" = C:\Program Files\rhcevej0e7bp
"LastTimeStamp" = 0C, 01, 00, 00
"MinimizeOnStart" = 0
"ProgramVersion" = 2.1
"ProxyPort" = 0
"ScanDepth" = 2
"ScanPriority" = 1
"ScanSystemOnStartup" = 1
"SoftID" = AntivirXP08

The rogue antispyware program Antivirus XP 2008 displays fake alerts to persuade the user to buy a license. Symantec detects the malware as Trojan.Blusod.
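The registry artefacts listed above are a compact host-based signature for this sample. The script below is an added example, not code from the original post: it parses a Windows .reg export and flags the wallpaper/screensaver hijack, the hidden Display control panel pages, the Software Notifier key, the pre-accepted Bluescreen screensaver EULA, the AntivirXP08 product token and any value named after a rogue component. The component-name regex is derived only from the names on this page (lphc, blphc, pphc, phc, rhc plus a 9-character suffix); the .reg text is constructed for the example, and placing the autostart values under the Run key is an assumption, since the post does not preserve that key path.

```python
"""Detect the Antivirus XP 2008 / Trojan.Blusod registry footprint in a .reg export.

Added example. Indicators come from the write-up above; the sample .reg text is
constructed, and the Run key location for the autostart values is assumed.
"""
import re
from typing import Dict, List, Tuple

# Names in this sample share a 9-character suffix behind fixed prefixes. Derived from
# the names on this page only; other builds of the rogue may use other prefixes.
ROGUE_NAME = re.compile(r"(?:bl|l|p)?phc[a-z0-9]{9}|rhc[a-z0-9]{9}", re.IGNORECASE)
PRODUCT_ID = "AntivirXP08"

# Constructed .reg export reproducing the values reported in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\System32\\phcavej0e7bp.bmp"
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\blphcavej0e7bp.scr"
"WallpaperStyle"="0"
"ScreenSaveActive"="1"

[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier]
"InstallID"="dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd"
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcavej0e7bp"="C:\\WINDOWS\\System32\\lphcavej0e7bp.exe"
"SMrhcevej0e7bp"="C:\\Program Files\\rhcevej0e7bp\\rhcevej0e7bp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"AntivirXP08"="AntivirXP08"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp]
"DisplayName"="AntivirXP08"
"UninstallString"="\"C:\\Program Files\\rhcevej0e7bp\\uninstall.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp]
"SoftID"="AntivirXP08"
"ProgramVersion"="2.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop"="C:\\Documents and Settings\\All Users\\Desktop"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Quoted strings (with \\ and \" escapes) and dword values are decoded; other types stay raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name.strip() == "@" else name.strip().strip('"')
        data = data.strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo .reg escaping
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every artefact matching this sample's footprint."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "Software Notifier" and "Microsoft" in key:
            hits.append((key, "", "Software Notifier key created by the dropper"))
        elif leaf == "Bluescreen Screen Saver" and values.get("EulaAccepted") == "1":
            hits.append((key, "EulaAccepted", "Bluescreen screensaver EULA pre-accepted, fake BSOD runs unprompted"))
        elif ROGUE_NAME.search(leaf):
            hits.append((key, "", "key named after a rogue component"))
        for name, data in values.items():
            if name in ("NoDispBackgroundPage", "NoDispScrSavPage") and data == "1":
                hits.append((key, name, "Display control panel page hidden, blocking manual cleanup"))
            elif name in ("SCRNSAVE.EXE", "ConvertedWallpaper", "Wallpaper") and ROGUE_NAME.search(data):
                hits.append((key, name, "wallpaper/screensaver replaced by rogue component"))
            elif leaf == "Post Platform" and name == PRODUCT_ID:
                hits.append((key, name, "token appended to the IE User-Agent string; also a network indicator"))
            elif PRODUCT_ID in (name, data):
                hits.append((key, name, "rogue product identifier"))
            elif leaf in ("Run", "RunOnce") and (ROGUE_NAME.search(name) or ROGUE_NAME.search(data)):
                hits.append((key, name, "autostart entry for a rogue component"))
            elif ROGUE_NAME.search(name) or ROGUE_NAME.search(data):
                hits.append((key, name, "value references a rogue component name"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name}")
```

On a live host, feed it the output of `reg export` for HKCU and HKLM instead of the embedded sample. The User-Agent token is worth carrying over to the network side: any proxy log line whose User-Agent contains AntivirXP08 identifies an infected client even after the files have been renamed.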

The following files were collected during malware analysis.

Filename, MD5, Size (Bytes)
.tt2.tmp.vbs, 9df700c8f6fd43fac0a89aef04214bbd, 1002
.tt5.tmp.exe, 94d00b0ea3c0fc69c52f761efcb49c0c, 1613465
blphcavej0e7bp.scr, b10a43b9044b488dc8c7d33b250cfebb, 118784
filebyaka.exe, fc85dab5849416f8796b799fc209395a, 199168
(filename missing), b1698f9c3109c9fa723e68cad124eb60, 5915
joined.exe, 607af96b03addadf28cf9280701df191, 7680
license.bmp, 7003a7e6f2421213a24456724071e9d3, 2359350
lphcavej0e7bp.exe, fc85dab5849416f8796b799fc209395a, 199168
pphcavej0e7bp.exe, f18a4aa83fa2dc238536103731337759, 106496
database.dat, c19b001e6fe6c082e5069e4490898ccc, 1701
license.txt, b9df16a4c49ce4fe979d8f27d89a8106, 19598
MFC71.dll, f35a584e947a5b401feb0fe01db4a0d7, 1060864
MFC71ENU.DLL, baf751e7061ff626aa60f56d1d5d1fdc, 57344
msvcp71.dll, 561fa2abb31dfa8fab762145f81667c2, 499712
msvcr71.dll, 86f1895ae8c5e8b17d99ece768a70732, 348160
rhcevej0e7bp.exe, 02eb58055afb8b81a05ea623882a9034, 831488
Uninstall.exe, 423c6bcad6e91fb6e81a40689d1640e4, 110562
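The hash table is only useful if it is applied with some care: filebyaka.exe and lphcavej0e7bp.exe share one MD5, so a hash hit under an unexpected name is a renamed copy rather than a new file, and the MFC71/msvc*71 DLLs are Microsoft runtime redistributables shipped by many legitimate programs, so a hit on them is context, not proof of infection. The script below is an added example, not code from the original post. It matches a host file inventory (path, MD5, size) against the table, separating exact matches, renamed copies, support libraries, inconsistent inventory records and files that only match the rogue naming pattern. The hash values are copied from the table above; the inventory records, the dl.exe and pphczz1234567.exe paths and their hashes are constructed for the example.

```python
"""Match a host file inventory against the hash table from this write-up.

Added example, not code from the original post. IOC rows are copied from the table
above; the inventory records below are constructed (paths are assumed except where
the post names them).
"""
import re
from typing import Dict, Iterable, List, NamedTuple


class Ioc(NamedTuple):
    name: str
    md5: str
    size: int


class Record(NamedTuple):
    """One line of a host inventory: full path, MD5 and size in bytes."""
    path: str
    md5: str
    size: int


IOCS = [
    Ioc(".tt2.tmp.vbs", "9df700c8f6fd43fac0a89aef04214bbd", 1002),
    Ioc(".tt5.tmp.exe", "94d00b0ea3c0fc69c52f761efcb49c0c", 1613465),
    Ioc("blphcavej0e7bp.scr", "b10a43b9044b488dc8c7d33b250cfebb", 118784),
    Ioc("filebyaka.exe", "fc85dab5849416f8796b799fc209395a", 199168),
    Ioc("joined.exe", "607af96b03addadf28cf9280701df191", 7680),
    Ioc("lphcavej0e7bp.exe", "fc85dab5849416f8796b799fc209395a", 199168),
    Ioc("pphcavej0e7bp.exe", "f18a4aa83fa2dc238536103731337759", 106496),
    Ioc("rhcevej0e7bp.exe", "02eb58055afb8b81a05ea623882a9034", 831488),
    Ioc("Uninstall.exe", "423c6bcad6e91fb6e81a40689d1640e4", 110562),
]

# Runtime DLLs from the same table. Legitimate software redistributes these, so a
# hash match is supporting context only.
SUPPORT_LIBS = {
    "f35a584e947a5b401feb0fe01db4a0d7": "MFC71.dll",
    "baf751e7061ff626aa60f56d1d5d1fdc": "MFC71ENU.DLL",
    "561fa2abb31dfa8fab762145f81667c2": "msvcp71.dll",
    "86f1895ae8c5e8b17d99ece768a70732": "msvcr71.dll",
}

# Naming pattern derived from the component names on this page only.
ROGUE_NAME = re.compile(r"(?:bl|l|p)?phc[a-z0-9]{9}|rhc[a-z0-9]{9}", re.IGNORECASE)

# Constructed inventory: two rows reuse real table hashes under paths the post names,
# one reuses the filebyaka.exe hash under an assumed temp-file name, the rest are made up.
SAMPLE_INVENTORY = [
    Record(r"C:\WINDOWS\System32\lphcavej0e7bp.exe", "fc85dab5849416f8796b799fc209395a", 199168),
    Record(r"C:\Documents and Settings\user\Local Settings\Temp\dl.exe", "FC85DAB5849416F8796B799FC209395A", 199168),
    Record(r"C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe", "02eb58055afb8b81a05ea623882a9034", 831488),
    Record(r"C:\Program Files\rhcevej0e7bp\msvcr71.dll", "86f1895ae8c5e8b17d99ece768a70732", 348160),
    Record(r"C:\WINDOWS\System32\pphczz1234567.exe", "00000000000000000000000000000000", 4096),
    Record(r"C:\WINDOWS\System32\joined.exe", "607af96b03addadf28cf9280701df191", 1234),
    Record(r"C:\WINDOWS\System32\kernel32.dll", "11111111111111111111111111111111", 983040),
]


def classify(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Bucket inventory records by how they relate to the published indicators."""
    by_hash: Dict[str, List[Ioc]] = {}
    for ioc in IOCS:
        by_hash.setdefault(ioc.md5, []).append(ioc)  # one hash may carry several names
    result: Dict[str, List[str]] = {
        "known_sample": [], "renamed_copy": [], "size_mismatch": [], "name_only": [], "support_lib": [],
    }
    for rec in records:
        md5 = rec.md5.lower()
        base = rec.path.rsplit("\\", 1)[-1]
        if md5 in by_hash:
            matches = by_hash[md5]
            if any(ioc.size != rec.size for ioc in matches):
                # Same MD5 with a different size means the inventory line is inconsistent
                # (truncated read, wrong column), not a new variant. Re-hash the file.
                result["size_mismatch"].append(rec.path)
            elif any(ioc.name.lower() == base.lower() for ioc in matches):
                result["known_sample"].append(rec.path)
            else:
                result["renamed_copy"].append(rec.path)
        elif md5 in SUPPORT_LIBS:
            result["support_lib"].append(rec.path)
        elif ROGUE_NAME.search(base):
            # Unknown hash but the sample's naming scheme: a rebuilt or repacked component.
            result["name_only"].append(rec.path)
    return result


if __name__ == "__main__":
    for bucket, paths in classify(SAMPLE_INVENTORY).items():
        for p in paths:
            print(f"{bucket}: {p}")
```

A real inventory can come from any tool that emits path, MD5 and size per file; the classifier does not hash anything itself, so it can be run over exported records from many hosts at once. Treat support_lib hits as corroboration for a known_sample or name_only hit in the same directory, never as a finding on their own.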

