Friday, August 8, 2008

Fake "CNN.com Daily Top 10" Video

Recently many news about CNN.com Daily Top 10, this is a fake CNN videos, it contains a malware, please be careful.

The following is fake CNN.com Daily Top 10's email:



After clicked the links in mail, it will display as below:



Google Search finds nothing as below:



McAfee SiteAdvisor finds nothing as below:



Trend Micro WRS can find it as below:



finjan URL analysis finds nothing as below:



Dr.Web URL analysis finds nothing as below:



Exploit Prevention Labs's LinkScanner finds nothing as below:



After executed, the desktop's theme will become as below:



After executed, this malware has the following behaviors:

[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\lphcl76j0eg03.exe

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt1.tmp.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\get_flash_update[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\index2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\master[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\dnd[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\metai[1].htm
C:\Documents and Settings\Administrator\wXtwRzv.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\04scan[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\install[1].exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\4e0f5644.sys (Rootkit Behavior)
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\Temp\.ttC9.tmp
C:\WINDOWS\Temp\.ttC9.tmp.vbs
C:\WINDOWS\Temp\.ttD0.tmp
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data= C:\WINDOWS\system32\lphcl76j0eg03.exe

Until now (Aug 7, 2008 @ 16:07), the following AVs can detect these mlawares (for reference only):

get_flash_update[1].exe (maybe other av can detect it too):
[ Trend ], “TROJ_TIBS.CSZ”
index2[1].htm (maybe other av can detect it too):
[ Trend ], “HTML_DLOADER.PCS”
install[1].exe (maybe other av can detect it too):
[ Trend ], “TROJ_MUTANT.EW”
lphcl76j0eg03.exe (maybe other av can detect it too):
[ Trend ], “ADW_XPANTIVIR”
wXtwRzv.exe (maybe other av can detect it too):
[ Trend ], “TROJ_TIBS.CSZ”
1[1].htm (maybe other av can detect it too):
[ Trend ], “HTML_ADODB.HB”
04scan[1].exe (maybe other av can detect it too):
[ Trend ], “ADW_XPANTIVIR”
blphcl76j0eg03.scr (maybe other av can detect it too):
[ Trend ], “JOKE_BLUESCREEN”
CbEvtSvc.exe (maybe other av can detect it too):
[ Trend ], “TROJ_TIBS.CSZ”
master[1].js:
[ Grisoft ], “Trojan horse Downloader.Generic_c.AAN”
[ WebWasher ], “Script.Dldr.Agent.PV”
[ bitdefender ], “Trojan.FakeAlert.WO”
metai[1].htm:
[ WebWasher ], “BlockReason.46 (suspicious)”
phcl76j0eg03.bmp:
[ Symantec ], “Trojan.Blusod”
[ Nod32 ], “Win32/TrojanDownloader.FakeAlert.DJ trojan”
[ Grisoft ], “Trojan horse Generic_c.OYJ”
[ bitdefender ], “Trojan.FakeAlert.UM”
ttC9.tmp.vbs:
[ Alwil ], “VBS:Malware-gen”
[ HBEDV ], “VBS/Agent.1002″
[ Ikarus ], “Win32.SuspectCrc”
[ WebWasher ], “Script.Agent.1002″

Related News:

New Trojan Bait: CNN Videos (TrendLabs Malware Blog)

Fake CNN headlines (Sunbelt Blog)

2 comments:

Anonymous said...

A relative of mine got this virus, it dropped a file kdoxt.exe in the system32 folder along with the lphcl... file. Although you could never see the file. From memory it also added a file or text to a file called wininit.ini or more or less.

Even when you delete entries of kdoxt.exe in registry, they just came back within seconds.

It also changed links in search engines to go elsewhere. After running various programs and Mcafee only Combofix would get rid of kdoxt.exe

Roger Chiu said...

I guess this malware has a new version in the wild.