Friday, August 29, 2008

Journalists shot in Georgia - Georgia.zip

Around 19 August 2008, numerous security researchers and vendors reported a wave of malspam tied to the Russia/Georgia conflict. The emails carried the subject “Journalists shot in Georgia” and a password-protected attachment, Georgia.zip. The body contained a short message about the conflict together with the zip password; the password keeps gateway anti-virus from opening the archive while handing the victim the key. The following is a sample message:

Turkish television has released video of four journalists on assignment in Georgia being shot at.
The crew from NTV were in an area of Georgian-Russian fighting between the Georgian town of Gori and South Ossetia.

Real photo in the attachment

attach password: 123

Georgia.zip contains joined.exe. When executed, it drops %Temp%\LOADER.19B099.EXE and uses BITS (Background Intelligent Transfer Service) to download filebyaka.exe and exe.php from reddii.org (220.196.42.217), hosted in China. The exe.php request returns a 404 error. Because the transfer is handed to BITS, the HTTP requests are made by the svchost.exe process hosting the BITS service rather than by joined.exe itself, which is worth remembering when looking for the dropper's activity in host firewall or proxy logs.

http[:]//reddii.org//traffic/all/files/filebyaka.exe
http[:]//reddii.org/traffic/ft08/exe.php


filebyaka.exe
The malware filebyaka.exe copies itself to %system%\lphcavej0e7bp.exe and creates the following files:

%system%\phcavej0e7bp.bmp
%system%\blphcavej0e7bp.scr
%temp%\.tt2.tmp
%temp%\.tt2.tmp.vbs
%temp%\.tt3.tmp
%temp%\.tt4.tmp
%temp%\.tt5.tmp
%temp%\.tt6.tmp

The following registry values set phcavej0e7bp.bmp and blphcavej0e7bp.scr as the Windows desktop background and screensaver respectively. The two NoDisp* policy values hide the Background and Screen Saver pages of the Display control panel so the user cannot change them back. The EulaAccepted value under Software\Sysinternals\Bluescreen Screen Saver indicates that blphcavej0e7bp.scr is the Sysinternals BlueScreen screensaver, which simulates a Windows stop error; the wallpaper, the fake blue screen and the rogue antivirus prompt described below are all part of one scare sequence.

HKEY_CURRENT_USER\Control Panel\Desktop
"ConvertedWallpaper" = C:\WINDOWS\System32\phcavej0e7bp.bmp
"SCRNSAVE.EXE" = C:\WINDOWS\System32\blphcavej0e7bp.scr
"WallpaperStyle" = 0
"ScreenSaveActive" = 1
HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
"EulaAccepted" = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier
"InstallID" = Data: dfc9f3e6-e26c-4c13-bbb8-0bda4ea03ccd
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"NoDispBackgroundPage" = 1
"NoDispScrSavPage" = 1


A Run value launches lphcavej0e7bp.exe at startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lphcavej0e7bp" = Data: C:\WINDOWS\System32\lphcavej0e7bp.exe


The script .tt2.tmp.vbs is used to stop System Restore from creating restore points, so the installation cannot be rolled back.

The malware lphcavej0e7bp.exe retrieves graphics from the following hosts and performs DNS requests, which do not resolve, for names of the form variable_string.chr.santa-inbox.com.

avxp-2008.net (78.159.96.17)
stat-avxp-2008.net (78.159.96.16)
www[.]avxp-2008.net (78.159.96.16)

DNS Sample:
404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com

The 32-character hexadecimal label in the queried name is the same value that is later written as ADVid under HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp, so the lookups appear to report the affiliate ID responsible for the installation; the leading numeric labels vary from query to query.
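The beacon names and the hosts above are easy to pick out of resolver logs. The following Python is added here as an example and is not part of the original analysis: it scans constructed dnsmasq-style query lines for the santa-inbox.com beacon shape and for the hosts named in this post, and groups the embedded 32-character ID (the ADVid affiliate ID) by querying client. The log lines, the dnsmasq log format and the second affiliate ID in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Beacon shape seen in the post: <number>.<number>.<32 hex chars>.chr.santa-inbox.com
BEACON_RE = re.compile(
    r"^(?P<counter>\d+)\.(?P<seq>\d+)\.(?P<advid>[0-9a-f]{32})\.chr\.santa-inbox\.com$"
)

# Hosts named in the post: reddii.org served the BITS download, the avxp-2008.net
# hosts served graphics for the rogue program.
KNOWN_HOSTS = {"reddii.org", "avxp-2008.net", "stat-avxp-2008.net", "www.avxp-2008.net"}

# dnsmasq-style "query[TYPE] name from client" lines (format assumed for the example)
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log, not a real capture; the second affiliate ID is invented.
SAMPLE_LOG = """\
Aug 19 10:01:02 gw dnsmasq[412]: query[A] www.microsoft.com from 10.0.0.21
Aug 19 10:01:05 gw dnsmasq[412]: query[A] reddii.org from 10.0.0.21
Aug 19 10:01:07 gw dnsmasq[412]: query[A] 404562.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com from 10.0.0.21
Aug 19 10:01:07 gw dnsmasq[412]: query[A] avxp-2008.net from 10.0.0.21
Aug 19 10:02:13 gw dnsmasq[412]: query[A] 404563.1.ea1791ca31f623f9821f379c529dc3f5.chr.santa-inbox.com from 10.0.0.21
Aug 19 10:05:44 gw dnsmasq[412]: query[A] 887100.2.0123456789abcdef0123456789abcdef.chr.santa-inbox.com from 10.0.0.37
Aug 19 10:06:01 gw dnsmasq[412]: query[A] mail.example.org from 10.0.0.37
"""


def scan_dns_log(log_text):
    """Return (beacons, host_hits).

    beacons:   dicts with client, advid, counter and seq for each santa-inbox beacon
    host_hits: (client, name) pairs for lookups of the hosts named in the post
    """
    beacons, host_hits = [], []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        # normalise: drop a trailing dot and compare case-insensitively
        name = m.group("name").rstrip(".").lower()
        client = m.group("client")
        b = BEACON_RE.match(name)
        if b:
            beacons.append({
                "client": client,
                "advid": b.group("advid"),
                "counter": int(b.group("counter")),
                "seq": int(b.group("seq")),
            })
        elif name in KNOWN_HOSTS:
            host_hits.append((client, name))
    return beacons, host_hits


def affiliates_by_client(beacons):
    """Group the affiliate IDs (the ADVid written to the registry) per source host."""
    out = defaultdict(set)
    for b in beacons:
        out[b["client"]].add(b["advid"])
    return dict(out)


if __name__ == "__main__":
    found, hosts = scan_dns_log(SAMPLE_LOG)
    for client, ids in affiliates_by_client(found).items():
        print(f"{client}: beacons with affiliate id(s) {', '.join(sorted(ids))}")
    for client, name in hosts:
        print(f"{client}: lookup of known host {name}")
```

Matching on the full label structure rather than on santa-inbox.com alone keeps the affiliate ID available for correlation with the ADVid registry value on the host, and the per-client grouping shows at a glance whether one or several affiliates' installers are active on the network.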

.tt5.tmp:1288
The file .tt5.tmp (shown here with its process ID, 1288), originally created by filebyaka.exe, creates several temp files and a persistent window that tries to force the victim into installing the rogue antispyware program Antivirus XP 2008. The ns*.tmp files and the nsd9.tmp plug-in directory (System.dll, md5dll.dll, rc4hex.dll, euladlg.dll) are consistent with an NSIS installer, which is what .tt5.tmp.exe appears to be.

%Temp%\nsn7.tmp
%Temp%\nsn8.tmp
%Temp%\nsn9.tmp
%Temp%\nsd9.tmp\MachineKey.dll
%Temp%\nsd9.tmp\Mutex.dll
%Temp%\nsd9.tmp\System.dll
%Temp%\.tt5.tmp.exe
%Temp%\nsd9.tmp\md5dll.dll
%Temp%\nsd9.tmp\rc4hex.dll
%Temp%\nsd9.tmp\euladlg.dll

Clicking on the persistent Antivirus XP 2008 window causes the file .tt5.tmp:1288 to create the Program Files folder rhcevej0e7bp and several Antivirus XP 2008 installation files.

C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
C:\Program Files\rhcevej0e7bp\database.dat
C:\Program Files\rhcevej0e7bp\msvcp71.dll
C:\Program Files\rhcevej0e7bp\MFC71.dll
C:\Program Files\rhcevej0e7bp\MFC71ENU.DLL
C:\Program Files\rhcevej0e7bp\msvcr71.dll
C:\Program Files\rhcevej0e7bp\license.txt
C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe.local
C:\Program Files\rhcevej0e7bp\Uninstall.exe

The file rhcevej0e7bp.exe creates %system%\pphcavej0e7bp.exe.

The following registry changes belong to rhcevej0e7bp.exe (Antivirus XP 2008). The Run value launches it at startup, the Uninstall entry registers it in Add/Remove Programs as AntivirXP08, the Post Platform value appends AntivirXP08 to Internet Explorer's User-Agent string, and HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp holds the program's configuration, including the affiliate ID ADVid.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"rhcevej0e7bp" = CA, 1E, B7, 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
"AntivirXP08" = AntivirXP08
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SMrhcevej0e7bp" = C:\Program Files\rhcevej0e7bp\rhcevej0e7bp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp
"DisplayName" = AntivirXP08
"UninstallString" = "C:\Program Files\rhcevej0e7bp\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp
"(Default)" = C:\Program Files\rhcevej0e7bp
"ADVid" = ea1791ca31f623f9821f379c529dc3f5
"AutomaticallyUpdates" = 1
"BackgroundScan" = 1
"BackgroundScanTimeout" = 1
"BuyDiscUrl" = HEX
"BuyUrl" = HEX
"DatabaseVersion" = 2.1
"DaysInterval" = 7
"domain" = HEX
"EngineVersion" = 2.1
"GuiVersion" = 2.1
"InstallDir" = C:\Program Files\rhcevej0e7bp
"LastTimeStamp" = 0C, 01, 00, 00
"MinimizeOnStart" = 0
"ProgramVersion" = 2.1
"ProxyName"
"ProxyPort" = 0
"ScanDepth" = 2
"ScanPriority" = 1
"ScanSystemOnStartup" = 1
"SoftID" = AntivirXP08
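To check a host for the registry indicators above without touching a live registry, one can work from a .reg export (reg export HKLM\SOFTWARE out.reg, for example). The Python below is an added example, not code from the original post: it implements a minimal .reg parser and the rules one would write from the values listed here (the configuration key carrying SoftID and ADVid, the Run values, the NoDisp* policy values, the BlueScreen EULA flag, the Uninstall entry and the User-Agent token). The sample export, the rule names and the lphc/pphc/phc filename pattern (generalised from the names in this post) are assumptions made for the example.

```python
import re

# Constructed .reg export reproducing the values listed in this post (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcavej0e7bp"="C:\\WINDOWS\\System32\\lphcavej0e7bp.exe"
"SMrhcevej0e7bp"="C:\\Program Files\\rhcevej0e7bp\\rhcevej0e7bp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"AntivirXP08"="AntivirXP08"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcevej0e7bp]
"DisplayName"="AntivirXP08"
"UninstallString"="\"C:\\Program Files\\rhcevej0e7bp\\uninstall.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\rhcevej0e7bp]
@="C:\\Program Files\\rhcevej0e7bp"
"ADVid"="ea1791ca31f623f9821f379c529dc3f5"
"SoftID"="AntivirXP08"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
BSOD_KEY = r"HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver"
UNINSTALL_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\"
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")
ROGUE_SOFTID = "AntivirXP08"
# Dropper naming seen in the post (lphc…, pphc…, phc… plus a random suffix); assumed pattern.
DROPPER_NAME_RE = re.compile(r"\\[lp]?phc[a-z0-9]+\.exe$", re.IGNORECASE)


def _unescape(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg_export(text):
    """Minimal .reg parser -> {key_path: {value_name: str | int}}.
    Only REG_SZ and REG_DWORD are decoded; other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")
        if current is None or not sep:
            continue
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if value.startswith("dword:"):
            value = int(value[6:], 16)
        elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def find_rogue_av(keys):
    """Return (rule, detail) findings for the Antivirus XP 2008 indicators in this post."""
    findings, config_names = [], set()
    # 1. Configuration key HKLM\SOFTWARE\<random> carrying SoftID and the affiliate ID.
    for key, vals in keys.items():
        if key.count("\\") == 2 and key.upper().startswith("HKEY_LOCAL_MACHINE\\SOFTWARE\\") \
                and vals.get("SoftID") == ROGUE_SOFTID:
            config_names.add(key.rsplit("\\", 1)[1].lower())
            findings.append(("config_key", f"{key} ADVid={vals.get('ADVid')}"))
    # 2. Run values: the dropper copy in System32 or anything under the rogue's directory.
    for name, data in keys.get(RUN_KEY, {}).items():
        data_l = str(data).lower()
        if DROPPER_NAME_RE.search(data_l) or any(cfg in data_l for cfg in config_names):
            findings.append(("run_value", f"{name} = {data}"))
    # 3. Policy values hiding the Background and Screen Saver control panel pages.
    for v in ("NoDispBackgroundPage", "NoDispScrSavPage"):
        if keys.get(POLICY_KEY, {}).get(v) == 1:
            findings.append(("display_page_hidden", v))
    # 4. Sysinternals BlueScreen saver EULA accepted silently (the fake-BSOD component).
    if keys.get(BSOD_KEY, {}).get("EulaAccepted") == 1:
        findings.append(("bluescreen_eula", BSOD_KEY))
    # 5. Add/Remove Programs entry and the IE User-Agent token.
    for key, vals in keys.items():
        if key.startswith(UNINSTALL_PREFIX) and vals.get("DisplayName") == ROGUE_SOFTID:
            findings.append(("uninstall_entry", key))
    if ROGUE_SOFTID in keys.get(POST_PLATFORM_KEY, {}):
        findings.append(("user_agent_token", ROGUE_SOFTID))
    return findings


if __name__ == "__main__":
    for rule, detail in find_rogue_av(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:20} {detail}")
```

The configuration key is located by its SoftID value rather than by the random rhcevej0e7bp name, so the same rules apply to other installs of the family with different random names, and the ADVid it carries can be compared with the ID seen in the santa-inbox.com DNS beacons.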


The rogue antispyware program Antivirus XP 2008 displays fake infection alerts in order to pressure users into buying it. Symantec detects the malware as Trojan.Blusod.

The following files were collected during malware analysis. Note that lphcavej0e7bp.exe has the same MD5 and size as filebyaka.exe, as expected for a straight copy of the downloader.

Filename, MD5, Size (bytes)
.tt2.tmp.vbs, 9df700c8f6fd43fac0a89aef04214bbd, 1002
.tt5.tmp.exe, 94d00b0ea3c0fc69c52f761efcb49c0c, 1613465
blphcavej0e7bp.scr, b10a43b9044b488dc8c7d33b250cfebb, 118784
filebyaka.exe, fc85dab5849416f8796b799fc209395a, 199168
Georgia.zip, b1698f9c3109c9fa723e68cad124eb60, 5915
joined.exe, 607af96b03addadf28cf9280701df191, 7680
license.bmp, 7003a7e6f2421213a24456724071e9d3, 2359350
lphcavej0e7bp.exe, fc85dab5849416f8796b799fc209395a, 199168
pphcavej0e7bp.exe, f18a4aa83fa2dc238536103731337759, 106496
database.dat, c19b001e6fe6c082e5069e4490898ccc, 1701
license.txt, b9df16a4c49ce4fe979d8f27d89a8106, 19598
MFC71.dll, f35a584e947a5b401feb0fe01db4a0d7, 1060864
MFC71ENU.DLL, baf751e7061ff626aa60f56d1d5d1fdc, 57344
msvcp71.dll, 561fa2abb31dfa8fab762145f81667c2, 499712
msvcr71.dll, 86f1895ae8c5e8b17d99ece768a70732, 348160
rhcevej0e7bp.exe, 02eb58055afb8b81a05ea623882a9034, 831488
Uninstall.exe, 423c6bcad6e91fb6e81a40689d1640e4, 110562
