Friday, August 22, 2008

Weekly Top News Spam

Recently we have received many spam messages related to "Weekly Top News". They contain many different malicious links, but almost all of them do the same things.

The following screens are displayed when the link inside the email is clicked:

Wireshark capture of the files downloaded, as below:



==The following focuses on Web Reputation Service testing==

Google Search CANNOT find it as below:



McAfee SiteAdvisor CANNOT find it as below:



Trend Micro WRS CANNOT find it as below:



Finjan URL analysis CAN find it as below:



Dr.Web URL analysis CANNOT find it (error) as below:



Exploit Prevention Labs' LinkScanner CAN find it as below:



Symantec Safe Web CANNOT find it as below:



==The following focuses on AV Scanner testing==

File installer.exe received on 08.20.2008 17:33:27 (CET)

Result: 26/35 (74.29%)

Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - W32/Downldr2.DIHF
Avast - - Win32:Trojan-gen {Other}
AVG - - I-Worm/Nuwar.W
BitDefender - - Trojan.Peed.JRU
CAT-QuickHeal - - TrojanDownloader.Exchanger.oz
ClamAV - - -
DrWeb - - Trojan.Packed.606
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/Downldr2.DIHF
F-Secure - - Trojan-Downloader.Win32.Exchanger.oz
Fortinet - - PossibleThreat
GData - - Trojan-Downloader.Win32.Exchanger.oz
Ikarus - - Trojan-Dropper.Win32.Nuwar.ldt
K7AntiVirus - - -
Kaspersky - - Trojan-Downloader.Win32.Exchanger.oz
McAfee - - -
Microsoft - - TrojanDownloader:Win32/Cbeplay.E
NOD32v2 - - Win32/Agent.ETH
Norman - - W32/DLoader.IZTO
Panda - - -
PCTools - - Trojan.Erotpics!sd6
Prevx1 - - Malicious Software
Rising - - -
Sophos - - Mal/EncPk-DA
Sunbelt - - Trojan-Downloader.Exchanger.Gen
TheHacker - - -
TrendMicro - - TROJ_NUWAR.GXZ
VBA32 - - Trojan-Downloader.Win32.Pupupitu
ViRobot - - I-Worm.Win32.Jolie.74752
VirusBuster - - Trojan.DL.Exchanger.DA
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen

Additional information
MD5: 10105674cc0b639b313a3db9e18d9444
SHA1: 436848261cbbc6c265b30ed8107ef17743f39ecd
SHA256: 38e6b08f83dad2162e74ea56d0bf5a92a5756e40dc5994f21ada916f02e6a033

After execution, it exhibits the following behaviors:

[Added process]
C:\Documents and Settings\LocalService\Application Data\633509642.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe

[DLL injection]
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\msvcp71.dll

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\Documents and Settings\Administrator\Desktop\installer.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fileslis[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\metai[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\progress[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\antivir[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\counter[1].js
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\LocalService\Application Data\658087141.exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\BJW6A44R\install[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MMFL79XH\ftpgd[1].exe
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WDWHWPH6\20scan1[1].exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\rhcg76j0eg03\database.dat
C:\Program Files\rhcg76j0eg03\license.txt
C:\Program Files\rhcg76j0eg03\MFC71.dll
C:\Program Files\rhcg76j0eg03\MFC71ENU.DLL
C:\Program Files\rhcg76j0eg03\msvcp71.dll
C:\Program Files\rhcg76j0eg03\msvcr71.dll
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe.local
C:\Program Files\rhcg76j0eg03\Uninstall.exe
C:\WINDOWS\system32\blphcl76j0eg03.scr
C:\WINDOWS\system32\CbEvtSvc.exe
C:\WINDOWS\system32\drivers\b9329734.sys (Rootkit Behavior)
C:\WINDOWS\system32\lphcl76j0eg03.exe
C:\WINDOWS\system32\phcl76j0eg03.bmp
C:\WINDOWS\system32\pphcl76j0eg03.exe
C:\WINDOWS\system32\Restore\MachineGuid.txt
C:\WINDOWS\Temp\.ttAC.tmp
C:\WINDOWS\Temp\.ttAC.tmp.vbs
C:\WINDOWS\Temp\37D8BF6785C63DB6.tmp
C:\WINDOWS\Temp\4AECE6A407384DE3.tmp
C:\WINDOWS\Temp\92618DBC42FD0246.tmp
C:\WINDOWS\Temp\AB.tmp
C:\WINDOWS\Temp\ACBF1B06A8F8098A.tmp

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=DisplayName
Data=AntivirXP08

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
Value=UninstallString
Data="C:\Program Files\rhcg76j0eg03\uninstall.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcg76j0eg03
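The behavior report above is exactly the kind of artifact a defender turns into host-side detections: the service name, the Run key values and the dropped file paths are all directly checkable on a suspect machine. The following is an added example (not code from the original post) that parses an excerpt of the report in the page's own [Section] format, reduces it to indicator sets, and checks a constructed host snapshot against them. The REPORT excerpt and KNOWN_HASHES reuse values from the post; the HOST snapshot, the benign entries in it, and the function names are my own assumptions for illustration. The svchost_masquerade check generalizes one detail of the report, the service command line `CbEvtSvc.exe -k netsvcs`, which borrows svchost's `-k <group>` syntax without being svchost.exe.

```python
"""Turn the behavior report above into host indicators and check a host snapshot.

Added example, not code from the original post. REPORT reuses the post's own
[Section] format and values; HOST is a constructed snapshot of the kind a
collection script would normally produce.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the behavior report, in the page's own format (constructed from the post).
REPORT = r"""
[Added process]
C:\WINDOWS\System32\CbEvtSvc.exe
C:\WINDOWS\system32\pphcl76j0eg03.exe

[Added service]
NAME: CbEvtSvc
DISPLAY: CbEvtSvc
FILE: C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs

[Added file]
C:\WINDOWS\system32\drivers\b9329734.sys (Rootkit Behavior)
C:\WINDOWS\system32\lphcl76j0eg03.exe

[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=lphcl76j0eg03
Data=C:\WINDOWS\system32\lphcl76j0eg03.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=SMrhcg76j0eg03
Data=C:\Program Files\rhcg76j0eg03\rhcg76j0eg03.exe
"""

# Digests of installer.exe as listed in the post.
KNOWN_HASHES = {
    "md5": "10105674cc0b639b313a3db9e18d9444",
    "sha1": "436848261cbbc6c265b30ed8107ef17743f39ecd",
    "sha256": "38e6b08f83dad2162e74ea56d0bf5a92a5756e40dc5994f21ada916f02e6a033",
}


def parse_report(text: str) -> Dict[str, List[str]]:
    """Split the report into its [Section] blocks; blank lines are skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def svchost_masquerade(command_line: str) -> bool:
    """True when a service uses svchost's '-k <group>' syntax but its binary is not svchost.exe.
    Splits on whitespace, so quoted paths containing spaces are not handled (assumption)."""
    parts = command_line.split()
    binary = parts[0].rsplit("\\", 1)[-1].lower() if parts else ""
    return "-k" in parts and binary != "svchost.exe"


def build_iocs(sections: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Reduce the parsed report to lower-cased indicator sets."""
    iocs: Dict[str, Set[str]] = {"files": set(), "services": set(), "run_values": set()}
    for line in sections.get("Added process", []) + sections.get("Added file", []):
        path = re.sub(r"\s*\(.*\)$", "", line)  # drop annotations such as "(Rootkit Behavior)"
        iocs["files"].add(path.lower())
    for line in sections.get("Added service", []):
        if line.startswith("NAME:"):
            iocs["services"].add(line.split(":", 1)[1].strip().lower())
    key = ""
    for line in sections.get("Added registry", []):  # key line, then Value=, then Data=
        if line.upper().startswith("HK"):
            key = line.lower()
        elif line.startswith("Value=") and key.endswith(r"\currentversion\run"):
            iocs["run_values"].add(line[len("Value="):].strip().lower())
    return iocs


# Constructed host snapshot: three artifacts from the report mixed with benign ones.
HOST = {
    "files": [r"C:\WINDOWS\system32\drivers\b9329734.sys", r"C:\WINDOWS\system32\notepad.exe"],
    "services": ["Dnscache", "CbEvtSvc"],
    "run_values": {"lphcl76j0eg03": r"C:\WINDOWS\system32\lphcl76j0eg03.exe",
                   "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
}


def match_host(iocs: Dict[str, Set[str]], host: dict) -> List[Tuple[str, str]]:
    """Return (kind, artifact) pairs from the snapshot that appear in the indicator sets."""
    hits = [("file", p) for p in host["files"] if p.lower() in iocs["files"]]
    hits += [("service", s) for s in host["services"] if s.lower() in iocs["services"]]
    hits += [("run", v) for v in host["run_values"] if v.lower() in iocs["run_values"]]
    return hits


def hashes_match(data: bytes) -> bool:
    """True only if every listed digest of the sample equals the post's value."""
    return all(hashlib.new(alg, data).hexdigest() == digest for alg, digest in KNOWN_HASHES.items())


if __name__ == "__main__":
    iocs = build_iocs(parse_report(REPORT))
    for kind, artifact in match_host(iocs, HOST):
        print(f"HIT {kind}: {artifact}")
    print("svchost masquerade:", svchost_masquerade(r"C:\WINDOWS\System32\CbEvtSvc.exe -k netsvcs"))
```

Matching is done on lower-cased values because Windows paths, service names and registry value names are case-insensitive; the report itself mixes `System32` and `system32`. Only Run-key value names are kept as indicators, since the Uninstall entries are cosmetic, while the Run entries and the service are what survive a reboot.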

2 comments:

hanum said...

Nice info sharing. Thanks for the informative posting ^_^

Indian Social Affairs said...

very informative post...