Thursday, September 11, 2008

MEDTECS Taiwan Web Site Injected with Malicious Links

Malicious links have been inserted into the MEDTECS Taiwan web site; the malware is detected as Trojan.Asprox.

The home page of the MEDTECS Taiwan web site is shown below:



The home page above contains the malicious link shown below:



The malicious script is shown below:




==The following focuses on Web Reputation Service Testing==

Google Search CAN detect it as below:



Armorize HackAlert CAN detect it as below:



McAfee SiteAdvisor CANNOT detect it as below:



Trend Micro WRS CANNOT detect it as below:



finjan URL analysis CANNOT detect it as below:



Dr.Web URL analysis CANNOT detect it as below:



Exploit Prevention Labs's LinkScanner CANNOT detect it as below:



Symantec Safe Web CAN detect it as below:



After execution, it exhibits the following behaviors:

[Added process]
C:\WINDOWS\system32\aspimgr.exe

[Added service]
NAME: aspimgr
DISPLAY: Microsoft ASPI Manager
FILE: C:\WINDOWS\system32\aspimgr.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\_check32.bat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1].htm
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\ws386.ini

==The following focuses on AV Scanners Testing==

File script.js-malscript received on 09.11.2008 11:46:44 (CET)

Result: 4/36 (11.11%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.11 -
AntiVir 7.8.1.28 2008.09.11 -
Authentium 5.1.0.4 2008.09.11 HTML/Iframe.A!Camelot
Avast 4.8.1195.0 2008.09.10 -
AVG 8.0.0.161 2008.09.10 -
BitDefender 7.2 2008.09.11 -
CAT-QuickHeal 9.50 2008.09.11 -
ClamAV 0.93.1 2008.09.11 -
DrWeb 4.44.0.09170 2008.09.11 -
eSafe 7.0.17.0 2008.09.10 -
eTrust-Vet 31.6.6084 2008.09.11 -
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.10 -
F-Secure 8.0.14332.0 2008.09.11 HTML/Exploit!IFrame.G
Fortinet 3.113.0.0 2008.09.11 -
GData 19 2008.09.11 -
Ikarus T3.1.1.34.0 2008.09.11 -
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.11 -
McAfee 5381 2008.09.10 -
Microsoft 1.3903 2008.09.11 Trojan:JS/Redirector.N
NOD32v2 3429 2008.09.09 -
Norman 5.80.02 2008.09.11 HTML/Exploit!IFrame.G
Panda 9.0.0.4 2008.09.10 -
PCTools 4.4.2.0 2008.09.10 -
Prevx1 V2 2008.09.11 -
Rising 20.61.32.00 2008.09.11 -
Sophos 4.33.0 2008.09.11 -
Sunbelt 3.1.1624.1 2008.09.11 -
Symantec 10 2008.09.11 -
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.11 -
VBA32 3.12.8.5 2008.09.10 -
ViRobot 2008.9.11.1373 2008.09.11 -
VirusBuster 4.5.11.0 2008.09.10 -
Webwasher-Gateway 6.6.2 2008.09.11 -

Additional information
File size: 167 bytes
MD5...: 4247a10cd92d62d2a42daf9ea0441996
SHA1..: 320b19ade7d54cd610b3be788f6657ac91ee0d0e
SHA256: c3efcfc683c5777e4702ab443136c8f780cd78638030851616afb460c35b6b32
SHA512: 33df9bfb9825b689195a60459aa15889902f55308a9e2d7059884de393e7e2baf21b1bd8915095dcfd496f3e2f782c90d521c79784734a82ff713af1ec98446d
PEiD..: -
TrID..: File type identification
file seems to be plain text/ASCII (0.0%)
PEInfo: -

File aspimgr.exe received on 09.10.2008 18:34:58 (CET)

Result: 18/36 (50.00%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.6.0 2008.09.10 -
AntiVir 7.8.1.28 2008.09.10 -
Authentium 5.1.0.4 2008.09.10 W32/NewMalware-Rootkit-I-based!Maximus
Avast 4.8.1195.0 2008.09.10 Win32:Agent-GPS
AVG 8.0.0.161 2008.09.10 BackDoor.Small.54.I
BitDefender 7.2 2008.09.10 Backdoor.Agent.1
CAT-QuickHeal 9.50 2008.09.10 -
ClamAV 0.93.1 2008.09.10 -
DrWeb 4.44.0.09170 2008.09.10 -
eSafe 7.0.17.0 2008.09.10 -
eTrust-Vet 31.6.6082 2008.09.10 Win32/Danmec!generic
Ewido 4.0 2008.09.10 -
F-Prot 4.4.4.56 2008.09.09 W32/NewMalware-Rootkit-I-based!Maximus
F-Secure 8.0.14332.0 2008.09.10 Backdoor.Win32.Agent.rfz
Fortinet 3.112.0.0 2008.09.10 -
GData 19 2008.09.10 Backdoor.Win32.Agent.rfz
Ikarus T3.1.1.34.0 2008.09.10 Virus.Win32.Agent.GPS
K7AntiVirus 7.10.450 2008.09.10 -
Kaspersky 7.0.0.125 2008.09.10 Backdoor.Win32.Agent.rfz
McAfee 5380 2008.09.09 Proxy-Agent.af.gen
Microsoft 1.3903 2008.09.10 Backdoor:Win32/Agent.ACG
NOD32v2 3429 2008.09.09 probably a variant of Win32/Agent.NEQ
Norman 5.80.02 2008.09.10 -
Panda 9.0.0.4 2008.09.09 -
PCTools 4.4.2.0 2008.09.10 Trojan.Damnec.Gen
Prevx1 V2 2008.09.10 -
Rising 20.61.22.00 2008.09.10 -
Sophos 4.33.0 2008.09.10 -
Sunbelt 3.1.1616.1 2008.09.09 -
Symantec 10 2008.09.10 Trojan.Asprox
TheHacker 6.3.0.9.077 2008.09.10 -
TrendMicro 8.700.0.1004 2008.09.10 Mal_Asprox
VBA32 3.12.8.5 2008.09.10 suspected of Trojan-PSW.Pinch.10 (paranoid heuristics)
ViRobot 2008.9.10.1371 2008.09.10 -
VirusBuster 4.5.11.0 2008.09.10 Trojan.Damnec.Gen
Webwasher-Gateway 6.6.2 2008.09.10 -

Additional information
File size: 86016 bytes
MD5...: 3f9f89d46a837b98cce7b111b77a4bd0
SHA1..: fd6ceeb472a85ebb63d3388eea73d817c211743d
SHA256: 1d9dac4e247a79f6395c52f88c1b4216b06115468786a0dc2fad52a0c3e0cb7d
SHA512: e63a3b6ab7b43b7fd9a8700def0a1d638a810af0bc8c47485c2114e90993b9e814f8f45e556b8918aae35e5f3d7c706d08ba530465b896a02afd537ba30b17ce
PEiD..: Armadillo v1.71
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40d5a6
timedatestamp.....: 0x48c4c985 (Mon Sep 08 06:43:17 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc6e4 0xd000 6.36 0338632724a92a1815238090c4369794
.rdata 0xe000 0x66e 0x1000 2.39 063ae8b57dd1310e48bd9aa7cc45e386
.data 0xf000 0x4ee84 0x5000 5.79 5dd472b5b7732f62724237fee4f8bb23
.rsrc 0x5e000 0x408 0x1000 1.10 770474c641b722d2a41d098dbd5bb7d6

( 3 imports )
> KERNEL32.dll: lstrcpynA, lstrlenA, lstrcpyA, lstrcatA, Sleep, GetLastError, HeapFree, GetProcessHeap, HeapAlloc, GetProcAddress, LoadLibraryA, GetModuleHandleA, LeaveCriticalSection, EnterCriticalSection, lstrcmpA, lstrcmpiA, FreeLibrary, GlobalFree, GlobalAlloc
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter, _exit, atol, _strlwr, _itoa, strcpy, _beginthread, _endthread, sscanf, strstr, memset, atoi, memcpy, free, malloc, fclose, fwrite, fopen, strncmp, memmove, strlen, isspace, strchr

( 0 exports )

Thursday, September 4, 2008

The Analysis of a Malicious Link

The following analysis concerns a malicious link found on a Taiwanese web site.


(The picture above shows the malicious web site)


(The picture above shows the web page source containing the malicious link)

==The following focuses on Web Reputation Service Testing==

Armorize HackAlert CAN find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



Wireshark capture of the files downloaded, as below:



==The following focuses on AV Scanners Testing==

File index.htm_ received on 09.02.2008 15:18:50 (CET)

Result: 2/36 (5.56%)

Antivirus Version Last Update Result
AhnLab-V3 2008.9.3.0 2008.09.02 -
AntiVir 7.8.1.23 2008.09.02 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.09.02 -
Avast 4.8.1195.0 2008.09.01 -
AVG 8.0.0.161 2008.09.02 -
BitDefender 7.2 2008.09.02 -
CAT-QuickHeal 9.50 2008.08.29 -
ClamAV 0.93.1 2008.09.02 -
DrWeb 4.44.0.09170 2008.09.02 -
eSafe 7.0.17.0 2008.09.01 -
eTrust-Vet 31.6.6064 2008.09.02 -
Ewido 4.0 2008.09.02 -
F-Prot 4.4.4.56 2008.09.02 -
F-Secure 8.0.14332.0 2008.09.02 -
Fortinet 3.14.0.0 2008.09.02 -
GData 19 2008.09.02 -
Ikarus T3.1.1.34.0 2008.09.02 -
K7AntiVirus 7.10.437 2008.09.02 -
Kaspersky 7.0.0.125 2008.09.02 -
McAfee 5374 2008.09.01 -
Microsoft 1.3807 2008.09.02 -
NOD32v2 3407 2008.09.02 -
Norman 5.80.02 2008.09.02 -
Panda 9.0.0.4 2008.09.02 -
PCTools 4.4.2.0 2008.09.01 -
Prevx1 V2 2008.09.02 -
Rising 20.60.11.00 2008.09.02 -
Sophos 4.33.0 2008.09.02 -
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.09.02 -
TheHacker 6.3.0.8.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.02 -
VBA32 3.12.8.4 2008.09.02 -
ViRobot 2008.9.2.1361 2008.09.02 -
VirusBuster 4.5.11.0 2008.09.01 -
Webwasher-Gateway 6.6.2 2008.09.02 Heuristic.HTML.Malware

Additional information
File size: 1426 bytes
MD5...: 9c0247737546316b5dd8e4a4a491888e
SHA1..: bb20aeea0bd2e0f5b90aa4a54643e6439cd4bfc9
SHA256: 233d1d9d450b34d3ade2101dcf999a7bcf7685620c6b2864775095b896e55b67
SHA512: 6f92636d043226aa3f14aa3596ec4bd17ac840d956fe6ae67ff36461672ea5c250ea5c75acc0921753636b990a5c82ab25baa676e267bf243b23071997232275
PEiD..: -
TrID..: File type identification
HyperText Markup Language (100.0%)
PEInfo: -

File sytes_1_.exe-1 (the original file name is sytes.exe) received on 09.02.2008 22:33:10 (CET)

Result: 19/36 (52.78%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Spy.Gen
Authentium - - W32/Heuristic-KPP!Eldorado
Avast - - -
AVG - - Generic11.POT
BitDefender - - Generic.Malware.Fdldg.F895E7CB
CAT-QuickHeal - - Trojan.SystemHijack.gen
ClamAV - - -
DrWeb - - Trojan.DownLoad.4228
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Heuristic-KPP!Eldorado
F-Secure - - Trojan-Downloader.Win32.Agent.aevv
Fortinet - - -
GData - - Trojan-Downloader.Win32.Agent.aevv
Ikarus - - Virus.Win32.Agent.UWD
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Agent.aevv
McAfee - - -
Microsoft - - Trojan:Win32/SystemHijack.gen
NOD32v2 - - probably a variant of Win32/Genetik
Norman - - -
Panda - - Suspicious file
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - Mal/Heuri-D
Sunbelt - - -
Symantec - - Downloader
TheHacker - - -
TrendMicro - - PAK_Generic.001
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Spy.Gen

Additional information
MD5: c09cf4992d2d578e27814bc030c1ecf1
SHA1: 9f31efd2842b8460a3ad848761aedc4b7ea8f4a2
SHA256: d1c2cb0da0e2e7b8fc07ce9c2feb5e709380b5a610fe9b4009d4afa57767ead0
SHA512: 9a55e9143c433872a665606102274df67bcb4fc91f8ad37ba73eab05a367e9c5e6bd8807e406bc99aeeed21cdd7ae61674c5edde7b63071219f2aa77a013dff0

After execution, it exhibits the following behaviors:

[Added service]
NAME: TopDriver
DISPLAY: DeskDrivers
FILE: C:\WINDOWS\system32\explsore.exe

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bd[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\of[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uc[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\14[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\click[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\reg[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\sytes[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ie[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\stat[1].htm
C:\WINDOWS\system32\explsore.exe


Thursday, August 28, 2008

Free Update Windows XP, Vista Spam

We received many spam messages related to "Official Update 2008!"; the content advertises a free update for Windows XP and Vista.

The following screens are displayed when the link inside the email is clicked:







==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CAN find it as below:



finjan URL analysis CANNOT find it as below:



Dr.Web URL analysis CAN find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CAN find it as below:



==The following focuses on AV Scanners Testing==

File install.exe received on 08.28.2008 04:20:46 (CET)

Result: 14/36 (38.89%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 -
Authentium 5.1.0.4 2008.08.28 W32/FakeAV2008.AT
Avast 4.8.1195.0 2008.08.27 -
AVG 8.0.0.161 2008.08.27 Downloader.FraudLoad.N
BitDefender 7.2 2008.08.28 Trojan.FakeAlert.ACE
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.27 Trojan.Packed.619
eSafe 7.0.17.0 2008.08.27 Suspicious File
eTrust-Vet 31.6.6052 2008.08.27 -
Ewido 4.0 2008.08.27 -
F-Prot 4.4.4.56 2008.08.28 W32/FakeAV2008.AT
F-Secure 7.60.13501.0 2008.08.27 -
Fortinet 3.14.0.0 2008.08.27 -
GData 19 2008.08.28 Backdoor.Win32.Frauder.bi
Ikarus T3.1.1.34.0 2008.08.28 Trojan-Downloader.Win32.Renos.AS
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 Backdoor.Win32.Frauder.bi
McAfee 5371 2008.08.27 Downloader-ASH.gen.b
Microsoft 1.3807 2008.08.25 -
NOD32v2 3394 2008.08.27 a variant of Win32/Kryptik.E
Norman 5.80.02 2008.08.27 W32/Tibs.gen225
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.27 -
Prevx1 V2 2008.08.28 Malicious Software
Rising 20.59.21.00 2008.08.27 -
Sophos 4.33.0 2008.08.28 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.27 -
VBA32 3.12.8.4 2008.08.27 -
ViRobot 2008.8.27.1352 2008.08.27 -
VirusBuster 4.5.11.0 2008.08.27 -
Webwasher-Gateway 6.6.2 2008.08.27 -

Additional information
File size: 203776 bytes
MD5...: 0f44ed00c0b67d9e5062b8e2c3574345
SHA1..: 4d9b42bbd950ea0c253a483ea2db3f888055c1c6
SHA256: e5885411c5ab7dbf2846b3b0606f6b294bbc9203ec8065d13560470ceab07c07
SHA512: b1b437a2df0023e1af019e6a06c31d298063f156819ea5b1de4047ad5766c6f800db13161056c7db223737cfc8fe00ce58d7756ebe33e4042627d6c9fbee8a6f
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a064
timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xec3c 0x9800 7.99 173f4b069cad8234c767f5babf94449f
.rdata 0x10000 0x3f24 0x1a00 7.97 f38fb4bec5a8839e5c0bf8002d2251be
.data 0x14000 0xb6736 0x23600 8.00 b45b61b4c432446d3586a20be0fd245f
.rsrc 0xcb000 0xf000 0x3000 6.61 bbb4f98ddad8c83b4433986df95b248c

( 4 imports )
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=0f44ed00c0b67d9e5062b8e2c3574345
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=5764A358008210271CBA03774D18AA00F10D311C

After execution, it exhibits the following behaviors:

[Added process]
C:\Documents and Settings\Administrator\Desktop\install.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

[DLL injection]
C:\Program Files\rhcg76j0eg03\msvcr71.dll

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA6.tmp.vbs
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\13833935xv3[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\install[1].exe
C:\Documents and Settings\Administrator\Recent\install.exe.txt.lnk
C:\Documents and Settings\Administrator\Recent\wireshark.cap.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03

C:\Doc

Greeting eCard Spam

We received many spam messages related to "You've received a greeting ecard"; some are pharmaceutical ads and some contain malicious links.

The following screens are displayed when the link inside the email is clicked:



Friday, August 22, 2008

Weekly Top News Spam

Recently we received many spam messages related to "Weekly Top News"; they contain many different malicious links, but almost all do the same thing.

The following screens are displayed when the link inside the email is clicked:









Wireshark capture of the files downloaded, as below:



==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it (error) as below:



Exploit Prevention Labs's LinkScanner CAN find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV Scanners Testing==

File installer.exe received on 08.20.2008 17:33:27 (CET)

Result: 26/35 (74.29%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - W32/Downldr2.DIHF
Avast - - Win32:Trojan-gen {Other}
AVG - - I-Worm/Nuwar.W
BitDefender - - Trojan.Peed.JRU
CAT-QuickHeal - - TrojanDownloader.Exchanger.oz
ClamAV - - -
DrWeb - - Trojan.Packed.606
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Downldr2.DIHF
F-Secure - - Trojan-Downloader.Win32.Exchanger.oz
Fortinet - - PossibleThreat
GData - - Trojan-Downloader.Win32.Exchanger.oz
Ikarus - - Trojan-Dropper.Win32.Nuwar.ldt
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.oz
McAfee - - -
Microsoft - - TrojanDownloader:Win32/Cbeplay.E
NOD32v2 - - Win32/Agent.ETH
Norman - - W32/DLoader.IZTO
Panda - - -
PCTools - - Trojan.Erotpics!sd6
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - Trojan-Downloader.Exchanger.Gen
TheHacker - - -
TrendMicro - - TROJ_NUWAR.GXZ
VBA32 - - Trojan-Downloader.Win32.Pupupitu
ViRobot - - I-Worm.Win32.Jolie.74752
VirusBuster - - Trojan.DL.Exchanger.DA
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

Additional information
MD5: 10105674cc0b639b313a3db9e18d9444
SHA1: 436848261cbbc6c265b30ed8107ef17743f39ecd
SHA256: 38e6b08f83dad2162e74ea56d0bf5a92a5756e40dc5994f21ada916f02e6a033

After execution, it exhibits the following behaviors:

[Added process]
C:\Documents and Settings\LocalService\Application Data\633509642.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe

[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\msvcp71.dll

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Desktop\installer.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fileslis[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\progress[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\antivir[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\counter[1].js
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\LocalService\Application Data\658087141.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\ftpgd[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\20scan1[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\b9329734.sys (Rootkit Behavior)
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt
C:\WINDOWS\Temp\.ttAC.tmp
C:\WINDOWS\Temp\.ttAC.tmp.vbs
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03

Thursday, August 21, 2008

Paris Hilton Nuke Video Spam

Recently we received many spam messages related to "Paris Hilton Nuke Video". Of course, the content contains a malicious link; when clicked, it downloads "video-paris-hilton.avi.exe", which some antivirus scanners detect as "Trojan-Downloader.Win32.Renos.AQ".

The following screens are displayed when the link in this email is clicked:

























Wireshark capture of the files downloaded, as below:



==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CAN find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it (error) as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV Scanners Testing==

File video-paris-hilton.avi.exe received on 08.20.2008 07:59:43 (CET)

Result: 8/36 (22.22%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.19.0 2008.08.20 -
AntiVir 7.8.1.23 2008.08.19 -
Authentium 5.1.0.4 2008.08.20 -
Avast 4.8.1195.0 2008.08.19 -
AVG 8.0.0.161 2008.08.20 -
BitDefender 7.2 2008.08.20 MemScan:Trojan.FakeAlert.AAF
CAT-QuickHeal 9.50 2008.08.19 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.19 -
DrWeb 4.44.0.09170 2008.08.20 -
eSafe 7.0.17.0 2008.08.19 Suspicious File
eTrust-Vet 31.6.6036 2008.08.19 -
Ewido 4.0 2008.08.19 -
F-Prot 4.4.4.56 2008.08.19 -
F-Secure 7.60.13501.0 2008.08.20 -
Fortinet 3.14.0.0 2008.08.20 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.20 Trojan-Downloader.Win32.Renos.AQ
K7AntiVirus 7.10.421 2008.08.19 -
Kaspersky 7.0.0.125 2008.08.20 -
McAfee 5364 2008.08.19 -
Microsoft 1.3807 2008.08.20 TrojanDownloader:Win32/Renos.gen!AQ
NOD32v2 3369 2008.08.19 -
Norman 5.80.02 2008.08.19 AntiVirus2008.gen2
Panda 9.0.0.4 2008.08.19 -
PCTools 4.4.2.0 2008.08.19 -
Prevx1 V2 2008.08.20 Malicious Software
Rising 20.58.20.00 2008.08.20 -
Sophos 4.32.0 2008.08.20 Troj/FakeAle-FT
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.20 -
TheHacker 6.3.0.5.054 2008.08.19 -
TrendMicro 8.700.0.1004 2008.08.20 -
VBA32 3.12.8.3 2008.08.19 -
ViRobot 2008.8.19.1341 2008.08.20 -
VirusBuster 4.5.11.0 2008.08.19 -
Webwasher-Gateway 6.6.2 2008.08.19 -

Additional information
File size: 183296 bytes
MD5...: 2d77a6d4fa2df29b094e290512b087a0
SHA1..: 0a1dd7596d435cf4a6249348a038c7457f94a678
SHA256: 590afe46bfa375cf000ad323a2744bdb108e3c27faa4b90080df0f64a0d94ab7
SHA512: 5308b467bd8ae5474aea385c5577f00fd899f7640b24c88d8105aabd5addf19ef20493c3e4e55386eb1424b48286ee21b61034693a684b0076d540e0e4f72788
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x48ab195e (Tue Aug 19 19:05:02 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0xc6ab4 0x2600 6.41 a4d45d87b08f8d94277159e0fe8a9e15
DATA 0xc8000 0x296a4 0x29200 8.00 45367edbb00e3b6724877268637ddde8
.rsrc 0xf2000 0x1000 0xa00 2.38 8ec0154fb3c0c7811715af24c77b9e13
.idata 0xf3000 0x818 0x600 2.83 649de547ef6b5432da99091f5e2cb9b0
.pack32 0xf4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 3 imports )
> kernel32.dll: OpenSemaphoreA
> user32.dll: TranslateAcceleratorA, OemToCharW, AttachThreadInput, CreateCaret, MessageBoxExA, UserClientDllInitialize, GetLastInputInfo, PeekMessageA, DdeGetLastError, DdeQueryConvInfo, LoadLocalFonts, DdeConnect
> gdi32.dll: Rectangle, CreateCompatibleBitmap, GetDeviceCaps, GdiIsPlayMetafileDC, GdiGetLocalFont, GetFontData, GdiCleanCacheDC, GdiEntry16, CreateMetaFileA, SetPaletteEntries, AddFontMemResourceEx, AbortDoc

After execution, it exhibits the following behaviors:

[Added process]
C:\Documents and Settings\Administrator\Desktop\video-paris-hilton.avi.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

[DLL injection]
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA7.tmp.vbs
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03

Monday, August 18, 2008

The Analysis of Mystery Web Attack Hijacks Your Clipboard

Recently, The Register reported "Mystery web attack hijacks your clipboard". What happened? The conclusion is that the attacker tries to lure users into installing fake antivirus software, and most people guess that the attacker uses an Adobe Flash vulnerability.

When the link (first picture) is clicked, the following screens are displayed:

























When clicked, Wireshark captures the files downloaded, as below:



==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CANNOT find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV Scanners Testing==

File AV2009Install_77011807.exe received on 08.17.2008 09:39:49 (CET)

Result: 8/36 (22.22%)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.15.0 2008.08.15 -
AntiVir 7.8.1.19 2008.08.16 -
Authentium 5.1.0.4 2008.08.16 -
Avast 4.8.1195.0 2008.08.15 -
AVG 8.0.0.161 2008.08.16 Downloader.FraudLoad.E
BitDefender 7.2 2008.08.17 Trojan.FakeAlert.Gen.1
CAT-QuickHeal 9.50 2008.08.16 -
ClamAV 0.93.1 2008.08.16 -
DrWeb 4.44.0.09170 2008.08.17 -
eSafe 7.0.17.0 2008.08.14 -
eTrust-Vet 31.6.6035 2008.08.15 -
Ewido 4.0 2008.08.16 -
F-Prot 4.4.4.56 2008.08.16 -
F-Secure 7.60.13501.0 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
Fortinet 3.14.0.0 2008.08.17 -
GData 2.0.7306.1023 2008.08.16 Trojan-Downloader.Win32.FraudLoad.vbef
Ikarus T3.1.1.34.0 2008.08.17 -
K7AntiVirus 7.10.417 2008.08.15 -
Kaspersky 7.0.0.125 2008.08.17 Trojan-Downloader.Win32.FraudLoad.vbef
McAfee 5362 2008.08.15 -
Microsoft 1.3807 2008.08.17 -
NOD32v2 3361 2008.08.16 a variant of Win32/Adware.XPAntivirus
Norman 5.80.02 2008.08.15 -
Panda 9.0.0.4 2008.08.16 -
PCTools 4.4.2.0 2008.08.16 -
Prevx1 V2 2008.08.17 Fraudulent Security Program
Rising 20.57.61.00 2008.08.17 -
Sophos 4.32.0 2008.08.17 -
Sunbelt 3.1.1546.1 2008.08.15 -
Symantec 10 2008.08.16 AntiVirus2009
TheHacker 6.3.0.3.046 2008.08.13 -
TrendMicro 8.700.0.1004 2008.08.16 -
VBA32 3.12.8.3 2008.08.15 -
ViRobot 2008.8.16.1338 2008.08.16 -
VirusBuster 4.5.11.0 2008.08.16 -
Webwasher-Gateway 6.6.2 2008.08.17 -

Additional information
File size: 123904 bytes
MD5...: 978e985fc9f6e206fe9622ba42dc3d56
SHA1..: a8b20d587d62e34865814053c8f87574e1ffe790
SHA256: a53458279fa483236a453d7abdc718de69c361198f09a74a9a1b44d259f573ad
SHA512: 392bd1b0fe6b93a7df153e0faf25e0dd0ac68b38bae642a8061e459b2942d26a
d168fcb8ddf6d5d3e09437d539f476aab5809a2745f617ff7b6ee30e23e22e4a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401210
timedatestamp....: 0x45beb2d0 (Tue Jan 30 02:52:00 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57af 0x5800 5.19 922e2eb51ad64e063aa3d5aa5876de09
.data 0x7000 0x11557 0x11600 7.59 49b48fe56d5a4dcb86a792659875b88a
.tls 0x19000 0xdd 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1a000 0x18 0x200 0.23 735b48446022cb7f0d9c4163b238a9be
.idata 0x1b000 0x5a0 0x600 3.29 97c93ffb47f18bb84d88652306581d5e
.rsrc 0x1c000 0xf4a3 0x6600 5.76 0d0781c1bba73476a7428d3a1667a138

( 2 imports )
> KERNEL32.DLL: CreateProcessA, GetCommandLineA, DeleteAtom, GetFileSize, GetCPInfo, GetComputerNameA, ReadConsoleA, Sleep, WriteFile, OpenFile, GlobalFree, GetFileTime, DeleteFileW, ExitThread, FindFirstFileA, GetConsoleMode, DeleteFileA, SetLastError, OpenFileMappingA, FindAtomA, ReadFile, GetLastError
> USER32.DLL: LoadCursorA, GetCursor, DrawIconEx, CreateIcon, GetFocus, DialogBoxParamW, CopyRect, InsertMenuA, GetWindowTextA, DrawIcon
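Two static-triage checks a practitioner would run on the PEInfo block above, as an added example (not code from the original post or from VirusTotal): flag sections whose entropy or virtual/raw size ratio points to a packed payload, and compare the two import descriptors with the behaviour the sandbox reports later in this post (Run-key writes, a stopped service, files fetched over HTTP). The section rows and import names are copied from the report; the thresholds and the behaviour-to-DLL expectations are this example's own assumptions.

```python
"""Static triage of the PEInfo section table and import list above.

Added example, not part of the original post or of VirusTotal.  The section
rows and import names are copied from the report for AV2009Install_77011807.exe;
the thresholds and the behaviour-to-DLL expectations are this example's own
assumptions.
"""
from dataclasses import dataclass

SECTION_TABLE = """\
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x57af 0x5800 5.19 922e2eb51ad64e063aa3d5aa5876de09
.data 0x7000 0x11557 0x11600 7.59 49b48fe56d5a4dcb86a792659875b88a
.tls 0x19000 0xdd 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rdata 0x1a000 0x18 0x200 0.23 735b48446022cb7f0d9c4163b238a9be
.idata 0x1b000 0x5a0 0x600 3.29 97c93ffb47f18bb84d88652306581d5e
.rsrc 0x1c000 0xf4a3 0x6600 5.76 0d0781c1bba73476a7428d3a1667a138
"""

IMPORTS = {  # the two import descriptors listed in the report
    "KERNEL32.DLL": ["CreateProcessA", "GetCommandLineA", "DeleteAtom", "GetFileSize",
                     "GetCPInfo", "GetComputerNameA", "ReadConsoleA", "Sleep", "WriteFile",
                     "OpenFile", "GlobalFree", "GetFileTime", "DeleteFileW", "ExitThread",
                     "FindFirstFileA", "GetConsoleMode", "DeleteFileA", "SetLastError",
                     "OpenFileMappingA", "FindAtomA", "ReadFile", "GetLastError"],
    "USER32.DLL": ["LoadCursorA", "GetCursor", "DrawIconEx", "CreateIcon", "GetFocus",
                   "DialogBoxParamW", "CopyRect", "InsertMenuA", "GetWindowTextA", "DrawIcon"],
}

HIGH_ENTROPY = 7.0  # assumption: >= 7 bits/byte reads as compressed or encrypted
GROWTH_RATIO = 1.5  # assumption: virtual size this far above raw size deserves a look


@dataclass
class Section:
    name: str
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float
    md5: str


def parse_sections(table):
    """Parse 'name viradd virsiz rawdsiz ntrpy md5' rows, skipping the header."""
    sections = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[1].lower().startswith("0x"):
            continue
        name, va, vs, rs, ent, md5 = parts
        sections.append(Section(name, int(va, 16), int(vs, 16), int(rs, 16), float(ent), md5))
    return sections


def section_findings(sections):
    """(section, kind, detail) for sections that look packed or are grown at load time.
    A virtual size above the raw size means the loader zero-fills the remainder:
    normal for a .bss-style section, odd for .rsrc, whose data should all be on disk."""
    findings = []
    for s in sections:
        if s.entropy >= HIGH_ENTROPY:
            findings.append((s.name, "high-entropy", f"{s.entropy:.2f} bits/byte"))
        if s.raw_size and s.virt_size > GROWTH_RATIO * s.raw_size:
            findings.append((s.name, "vsize>rsize",
                             f"0x{s.virt_size:x} mapped but only 0x{s.raw_size:x} on disk"))
    return findings


def high_entropy_fraction(sections):
    """Share of the file's section bytes that sit in high-entropy sections."""
    total = sum(s.raw_size for s in sections)
    hot = sum(s.raw_size for s in sections if s.entropy >= HIGH_ENTROPY)
    return hot / total if total else 0.0


# Behaviour the sandbox reports later in this post, paired with the DLLs that
# normally export the APIs for it (assumption: an unpacked binary would import them).
EXPECTED_FOR_BEHAVIOUR = {
    "writes HKCU\\...\\CurrentVersion\\Run values": {"ADVAPI32.DLL"},
    "stops the srservice service": {"ADVAPI32.DLL"},
    "fetches _freescan[1].htm and winsystem[2].dll over HTTP": {"WININET.DLL", "URLMON.DLL", "WS2_32.DLL"},
}


def unexplained_behaviour(imports, expected=EXPECTED_FOR_BEHAVIOUR):
    """Observed behaviours whose usual DLL is missing from the static import table."""
    present = {dll.upper() for dll in imports}
    return [what for what, dlls in expected.items() if not dlls & present]


def imports_dynamic_resolver(imports):
    """True if the LoadLibrary*/GetProcAddress pair is imported. When it is not, as here,
    even the usual runtime-resolution route is hidden from the import table."""
    k32 = {fn.lower() for fn in imports.get("KERNEL32.DLL", [])}
    return bool(k32 & {"loadlibrarya", "loadlibraryw", "getprocaddress"})


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    for name, kind, detail in section_findings(secs):
        print(f"{name:7} {kind:13} {detail}")
    print(f"{high_entropy_fraction(secs):.0%} of section bytes are high-entropy")
    for what in unexplained_behaviour(IMPORTS):
        print("no import explains:", what)
    print("LoadLibrary/GetProcAddress imported:", imports_dynamic_resolver(IMPORTS))
```

On this sample the .data section alone is 7.59 bits/byte and holds well over half the file, .rsrc is mapped at more than twice its on-disk size, and none of the registry, service or network activity the sandbox later records is backed by an import, so the import table is decoration and the real payload is unpacked at run time.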

After execution, it has the following behaviors:

[Added process]
C:\Program Files\AV9\av2009.exe

[Modified service]
NAME: srservice
DISPLAY: System Restore Service (Turn off system restore service)
STATUS: SERVICE_STOPPED
FILE: C:\WINDOWS\System32\svchost.exe-1 -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Desktop\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\_freescan[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winsystem[2].dll
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Antivirus 2009.lnk
C:\Documents and Settings\Administrator\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
C:\Program Files\AV9\av2009.exe
C:\RECYCLER\S-1-5-21-515967899-583907252-839522115-500\Dc11.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\scui.cpl
C:\WINDOWS\system32\winsrc.dll

[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll

[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
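A practitioner wants this report as a persistence inventory rather than a dump, with each Run entry listed once: HKCU is a view of the logged-on user's HKU\<SID> hive, so the HKCU and HKU\S-1-5-21-515967899-583907252-839522115-500 pairs above are the same two values, not four. The following is an added example, not code from the original post; the report text is copied from this post, abridged to the persistence-relevant blocks, and the SID it folds is taken from the report's own paths.

```python
"""Persistence inventory from the sandbox behaviour report above.

Added example, not part of the original post.  REPORT is copied from the
Antivirus 2009 analysis on this page (abridged to the persistence-relevant
blocks); the parsing and the HKCU/HKU folding are this example's own logic.
"""
import re

# The sandbox ran as the local Administrator (RID 500); the report's own
# RECYCLER and HKU paths carry this SID.
CURRENT_USER_SID = "S-1-5-21-515967899-583907252-839522115-500"

REPORT = r"""
[Added process]
C:\Program Files\AV9\av2009.exe

[Modified service]
NAME: srservice
DISPLAY: System Restore Service (Turn off system restore service)
STATUS: SERVICE_STOPPED

[Added COM/BHO]
{037C7B8A-151A-49E6-BAED-CC05FCB50328}-C:\WINDOWS\system32\winsrc.dll

[Added registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=67760428610125642112784689834240
Data=C:\Program Files\AV9\av2009.exe

HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run
Value=ieupdate
Data="C:\WINDOWS\system32\ieupdates.exe"
"""


def split_blocks(report):
    """Group the report's lines under their '[Header]' lines."""
    blocks, current = {}, None
    for line in report.splitlines():
        m = re.fullmatch(r"\[(.+)\]", line.strip())
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.rstrip())
    return blocks


def normalize_key(key, user_sid=CURRENT_USER_SID):
    # HKCU is a view of the logged-on user's HKU\<SID> hive, so the report shows
    # every Run entry twice; fold the HKU spelling into HKCU.
    prefix = "HKU\\" + user_sid + "\\"
    if key.upper().startswith(prefix.upper()):
        return "HKCU\\" + key[len(prefix):]
    return key


def parse_registry(lines):
    """Return a set of (key, value, data) triples; Data may be quoted in the report."""
    entries, key, value = set(), None, None
    for line in lines:
        if not line.strip():
            key = value = None
        elif line.startswith("Value="):
            value = line[len("Value="):]
        elif line.startswith("Data="):
            entries.add((normalize_key(key), value, line[len("Data="):].strip('"')))
        else:
            key = line.strip()
    return entries


def parse_service(lines):
    """'NAME: x' style lines into a lower-cased dict."""
    svc = {}
    for line in lines:
        field, sep, val = line.partition(":")
        if sep:
            svc[field.strip().lower()] = val.strip()
    return svc


def parse_bho(lines):
    """'{CLSID}-path' lines from the COM/BHO block."""
    pat = re.compile(r"(\{[0-9A-Fa-f-]{36}\})-(.+)")
    return [(m.group(1).upper(), m.group(2))
            for m in map(pat.match, (l.strip() for l in lines)) if m]


def persistence_inventory(report):
    """Autostart footprint: Run values (de-duplicated), BHO CLSIDs, touched services."""
    blocks = split_blocks(report)
    inv = {"processes": [l for l in blocks.get("Added process", []) if l.strip()],
           "run": set(), "bho": parse_bho(blocks.get("Added COM/BHO", [])), "services": []}
    for key, value, data in parse_registry(blocks.get("Added registry", [])):
        if key.upper().endswith(r"\CURRENTVERSION\RUN"):
            inv["run"].add((value, data))
    for header in ("Added service", "Modified service"):
        if header in blocks:
            inv["services"].append((header, parse_service(blocks[header])))
    return inv


if __name__ == "__main__":
    inv = persistence_inventory(REPORT)
    for value, data in sorted(inv["run"]):
        print(f"Run key  {value} -> {data}")
    for clsid, dll in inv["bho"]:
        print(f"BHO      {clsid} -> {dll}")
    for header, svc in inv["services"]:
        print(f"{header}: {svc.get('name')} ({svc.get('status', 'n/a')})")
```

The inventory that comes out is two Run values (one pointing at the fake AV itself, one at ieupdates.exe dropped into system32), one BHO loading winsrc.dll into Internet Explorer, and System Restore switched off so the victim cannot roll back.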

Wednesday, August 13, 2008

Bogus MSNBC News

Today I received an email with the subject "msnbc.com - BREAKING NEWS: Too much freedom will destroy America". The content contains a malicious link; after clicking it, the same screen appears as in "Fake CNN Alerts: Breaking news". Please be careful.





After the links are clicked, it displays as below:



Fake CNN Alerts: Breaking news

Today I received another fake CNN Alerts news mail with the subject "CNN Alerts: Breaking news"; when the link is clicked, it downloads "adobe_flash.exe". In the following, I test the web reputation services (most are not live analysis) and the AV scanners separately.

Fake "CNN Alerts: Breaking news" email and email source code as below:





After the links are clicked, it displays as below:



==The following focuses on Web Reputation Service Testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



finjan URL analysis CANNOT find it as below:



Dr.Web URL analysis CANNOT find it as below:



Exploit Prevention Labs's LinkScanner CAN find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV Scanners Testing==

The following test result is from VirusTotal (14/36 (38.89%)):

File adobe_flash.exe-1 received on 08.13.2008 00:18:58 (CET)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Dldr.Exchanger.DW
Authentium - - -
Avast - - -
AVG - - Downloader.Agent.AJFH
BitDefender - - Trojan.Downloader.Exchanger.Gen.2
CAT-QuickHeal - - (Suspicious) - DNAScan
ClamAV - - -
DrWeb - - Trojan.DownLoad.3248
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - W32/PolyExchanger.A!tr
GData - - -
Ikarus - - Trojan-Downloader.Exchanger.Gen.2
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.mn
McAfee - - -
Microsoft - - Trojan:Win32/Tibs.gen!K
NOD32v2 - - a variant of Win32/Agent.ETH
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - Malware Dropper
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Dldr.Exchanger.DW
Additional information
MD5: 06bd0701d470475d32c6d98a0c685e4b
SHA1: 0e1a02834b931a5d34d684f7708c918e0c8fa187
SHA256: a629c6ea28327a467e666a2a7d5a5ccc3194858b2217f608431b98dff268c2d9
SHA512: cf15fc7e1a26ef63cf7a1483b4a50a52deaae00a3f2667acf3d3396985dfbf20ba2033a0081656d5463de640116fc7ec49019683f63123afd3dd0d23e790710f

The following test result is from VirusTotal (10/33 (30.30%)):

File update.htm-malscript received on 08.13.2008 04:26:00 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.13.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.08.12 JS/Agent.FA
Avast 4.8.1195.0 2008.08.12 -
AVG 8.0.0.161 2008.08.12 Downloader.Zlob.HTML
BitDefender 7.2 2008.08.13 Trojan.HTML.Zlob.Y
CAT-QuickHeal 9.50 2008.08.12 HTM/Zlob.GEN.2
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.12 JS.Agent.ib.
eTrust-Vet 31.6.6029 2008.08.13 -
Ewido 4.0 2008.08.12 -
F-Prot 4.4.4.56 2008.08.12 JS/Agent.FA
Fortinet 3.14.0.0 2008.08.12 JS/Zlob!tr.dldr
GData 2.0.7306.1023 2008.08.13 -
Ikarus T3.1.1.34.0 2008.08.13 Trojan.HTML.Zlob.Y
K7AntiVirus 7.10.412 2008.08.12 -
Kaspersky 7.0.0.125 2008.08.13 -
McAfee 5359 2008.08.12 -
Microsoft 1.3807 2008.08.13 -
NOD32v2 3350 2008.08.12 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.12 -
PCTools 4.4.2.0 2008.08.12 -
Prevx1 V2 2008.08.13 -
Rising 20.57.12.00 2008.08.12 -
Sophos 4.32.0 2008.08.13 -
Sunbelt 3.1.1542.1 2008.08.13 -
TheHacker 6.3.0.3.046 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
ViRobot 2008.8.12.1333 2008.08.12 -
VirusBuster 4.5.11.0 2008.08.12 -
Webwasher-Gateway 6.6.2 2008.08.13 Heuristic.HTML.Malware
Additional information
File size: 20881 bytes
MD5...: f610dd6607641f7de0a0e504147534a1
SHA1..: 27c52ffd95c799a787c081f3a55cbf61a4b9e528
SHA256: 56086eb41f081f1b7faea2807082097a0b677858a45336edd30e6a756c69afae
SHA512: 78395acdb375c97692110fc0f263a07f5b173cc443e6c0d688af4dc9774927d3
7fcb3ea7eca617c42d14fe7001b9f68e5242594e60443fd5722894182de47fc7
PEiD..: -
PEInfo: -

After execution, this malware has the following behaviors:

[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe

[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\9ndb39.exe
C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bvp[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\index[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\update[1].htm
C:\Documents and Settings\LocalService\Application Data\521632863.exe
C:\Documents and Settings\LocalService\Application Data\633968421.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\12scan2[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\fg[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\5a92b36c.sys (Rootkit Behavior)
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp


Sunday, August 10, 2008

Fake "CNN Alerts: My Custom Alert"

After the fake "CNN.com Daily Top 10" video, another fake "CNN Alerts: My Custom Alert" appeared recently. When the link is clicked, it downloads "adobe_flash.exe", which AntiVir identifies as TR/Crypt.XPACK.Gen.

Fake "CNN Alerts: My Custom Alert" email as below:



Fake "CNN Alerts: My Custom Alert" email header as below:



After the links in the email are clicked, it displays as below:




The above link contains a malicious script as below:



==The following focuses on Web Reputation Service Testing==

Google Search can find it as below:



McAfee SiteAdvisor finds nothing as below:



Trend Micro WRS finds nothing as below:



finjan URL analysis finds nothing as below (regard it as legitimate):



Dr.Web URL analysis finds nothing as below:



Symantec Safe Web finds nothing as below:



==The following focuses on AV Scanners Testing==

The following test result is from VirusTotal (14/36 (38.89%)):

File adobe_flash.exe1109.safe received on 08.09.2008 17:23:24 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2008.8.9.0 2008.08.08 -
AntiVir 7.8.1.19 2008.08.09 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.08.09 -
Avast 4.8.1195.0 2008.08.08 -
AVG 8.0.0.156 2008.08.08 I-Worm/Nuwar.V
BitDefender 7.2 2008.08.09 Trojan.Downloader.Exchanger.Gen.2
CAT-QuickHeal 9.50 2008.08.08 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.09 -
DrWeb 4.44.0.09170 2008.08.09 Trojan.DownLoad.3248
eSafe 7.0.17.0 2008.08.07 Suspicious File
eTrust-Vet 31.6.6021 2008.08.08 -
Ewido 4.0 2008.08.09 -
F-Prot 4.4.4.56 2008.08.08 -
F-Secure 7.60.13501.0 2008.08.09 -
Fortinet 3.14.0.0 2008.08.09 -
GData 2.0.7306.1023 2008.08.09 Trojan-Downloader.Win32.Exchanger.lj
Ikarus T3.1.1.34.0 2008.08.09 Win32.SuspectCrc
K7AntiVirus 7.10.408 2008.08.09 -
Kaspersky 7.0.0.125 2008.08.09 Trojan-Downloader.Win32.Exchanger.lj
McAfee 5357 2008.08.08 -
Microsoft 1.3807 2008.08.09 Trojan:Win32/Tibs.gen!K
NOD32v2 3341 2008.08.08 a variant of Win32/Agent.ETH
Norman 5.80.02 2008.08.08 -
Panda 9.0.0.4 2008.08.09 -
PCTools 4.4.2.0 2008.08.09 -
Prevx1 V2 2008.08.09 Malware Dropper
Rising 20.56.41.00 2008.08.08 -
Sophos 4.32.0 2008.08.09 Mal/EncPk-DA
Sunbelt 3.1.1538.1 2008.08.09 -
Symantec 10 2008.08.09 -
TheHacker 6.2.96.395 2008.08.08 -
TrendMicro 8.700.0.1004 2008.08.08 -
VBA32 3.12.8.3 2008.08.09 -
ViRobot 2008.8.8.1329 2008.08.08 -
VirusBuster 4.5.11.0 2008.08.09 -
Webwasher-Gateway 6.6.2 2008.08.09 Trojan.Crypt.XPACK.Gen

Additional information
File size: 78848 bytes
MD5...: 0e41b670cbccce9051fb8d1188aebd0a
SHA1..: d9a952ef59c5ee30e63b9d3dd781a7477911c866
SHA256: a5528757cd736d7a801443d0d4490b0d6d7c54a09e014afc240c62fd45ddadf6
SHA512: 1654e3b70376b817c9428007d26b34474f081e3082acdcbd3759b136d0dbe4f0
a04ba3c8da0d9ee1b84689d3b3f437f9595f3a4c763fed578d67ae201acc6cc4
PEiD..: -

After execution, this malware has the following behaviors:

[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
STATUS: SERVICE_RUNNING
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\cnncurrent[1].htm
C:\Documents and Settings\LocalService\Application Data\666410720.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\08scan[1].exe
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\91226516.sys (Rootkit Behavior)
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\A9.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp
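The Aug 10 and Aug 13 adobe_flash.exe droppers carry different hashes and each scored 14/36 on VirusTotal, yet their behaviour reports share the CbEvtSvc service, its "-k netsvcs" masquerade, a randomly named driver and several identical file names. The following added example (not code from the original posts) shows why behavioural indicators outlast a hash blocklist across such variants. The hashes, service image and file paths are copied from the two reports (file lists abridged); the matching rules, the 8-hex-digit driver-name pattern and the svchost masquerade check are this example's own assumptions.

```python
"""Hash blocklist versus behavioural indicators across the two adobe_flash.exe droppers.

Added example, not from the original posts.  Hashes, the service image and
the file paths are copied from the Aug 10 and Aug 13 behaviour reports on
this page (file lists abridged); the matching rules are this example's own
assumptions.
"""
import ntpath
import re

SAMPLE_AUG10 = {
    "label": "CNN Alerts: My Custom Alert (2008-08-10)",
    "md5": "0e41b670cbccce9051fb8d1188aebd0a",
    "sha256": "a5528757cd736d7a801443d0d4490b0d6d7c54a09e014afc240c62fd45ddadf6",
    "services": {"CbEvtSvc": r"C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs"},
    "files": [
        r"C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe",
        r"C:\Documents and Settings\LocalService\Application Data\666410720.exe",
        r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe",
        r"C:\WINDOWS\system32\CbEvtSvc.exe",
        r"C:\WINDOWS\system32\drivers\91226516.sys",
        r"C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp",
        r"C:\WINDOWS\Temp\4AECE6A407384DE3.tmp",
        r"C:\WINDOWS\Temp\92618DBC42FD0246.tmp",
        r"C:\WINDOWS\Temp\A9.tmp",
        r"C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp",
    ],
}

SAMPLE_AUG13 = {
    "label": "CNN Alerts: Breaking news (2008-08-13)",
    "md5": "06bd0701d470475d32c6d98a0c685e4b",
    "sha256": "a629c6ea28327a467e666a2a7d5a5ccc3194858b2217f608431b98dff268c2d9",
    "services": {"CbEvtSvc": r"C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs"},
    "files": [
        r"C:\9ndb39.exe",
        r"C:\Documents and Settings\Administrator\Desktop\adobe_flash.exe",
        r"C:\Documents and Settings\LocalService\Application Data\521632863.exe",
        r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe",
        r"C:\Program Files\Internet Explorer\setupapi.dll",
        r"C:\WINDOWS\system32\CbEvtSvc.exe",
        r"C:\WINDOWS\system32\drivers\5a92b36c.sys",
        r"C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp",
        r"C:\WINDOWS\Temp\4AECE6A407384DE3.tmp",
        r"C:\WINDOWS\Temp\92618DBC42FD0246.tmp",
        r"C:\WINDOWS\Temp\AB.tmp",
        r"C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp",
    ],
}

# 'image path' then optional arguments, with or without quotes around the path.
SERVICE_IMAGE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)
# Assumption drawn from the two samples: the dropped driver gets an 8-hex-digit name.
RANDOM_DRIVER = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)


def hash_match(blocklist, sample):
    """Classic IOC: is either digest on the blocklist?"""
    digests = {h.lower() for h in blocklist}
    return sample["md5"].lower() in digests or sample["sha256"].lower() in digests


def behaviour_match(sample):
    """Behavioural IOCs that survive a re-pack: returns the reasons that fired."""
    hits = []
    for name, image in sample["services"].items():
        m = SERVICE_IMAGE.match(image)
        if not m:
            continue
        exe = ntpath.basename(m.group("exe")).lower()
        args = m.group("args").lower()
        # '-k netsvcs' is svchost.exe's shared-group syntax; on any other binary it is dressing-up.
        if "-k netsvcs" in args and exe != "svchost.exe":
            hits.append(f"service {name}: '-k netsvcs' on {exe}, which is not svchost.exe")
    for path in sample["files"]:
        folder, base = ntpath.split(path)
        if folder.lower().endswith(r"\drivers") and RANDOM_DRIVER.match(base):
            hits.append(f"driver with random 8-hex-digit name: {path}")
    return hits


def shared_artifacts(a, b):
    """File paths (case-folded) both runs created: candidates for durable file IOCs."""
    return sorted({p.lower() for p in a["files"]} & {p.lower() for p in b["files"]})


if __name__ == "__main__":
    blocklist = {SAMPLE_AUG10["md5"], SAMPLE_AUG10["sha256"]}  # built from the first sample only
    for s in (SAMPLE_AUG10, SAMPLE_AUG13):
        print(s["label"])
        print("  hash blocklist hit:", hash_match(blocklist, s))
        for reason in behaviour_match(s):
            print("  behaviour:", reason)
    print("paths common to both runs:")
    for p in shared_artifacts(SAMPLE_AUG10, SAMPLE_AUG13):
        print("  ", p)
```

A blocklist built from the Aug 10 hashes misses the Aug 13 sample outright, while the service and driver rules fire on both, and seven file paths (CbEvtSvc.exe, install[1].exe, adobe_flash.exe on the desktop and four %WINDIR%\Temp names) recur unchanged between the two runs. ntpath handles the Windows paths on any host, so the comparison runs offline on Linux as well.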