mwblog.org

Virus - Win32 - Saburex - a



1. Summary:

Virus.Win32.Saburex.a is a Windows executable file infector with the ability to track its victims.

Alias names:

BitDefender: Win32.Fidcop.A
eSafe: Virus.Win32.Saburex
F-Secure: Saburex.A
Kaspersky: Virus.Win32.Saburex.a
NOD32: Win32/Saburex.A
Panda: W32/Rex.A
VirusBuster: Win32.Saburex.A

File size: infected files grow by approximately 13 kB; the dropped DLL library is 17,920 bytes long.

2. Detailed description:

When the virus is launched for the first time, it drops the following DLL libraries into the Windows SYSTEM directory:
ole16.dll
shell32.dll

After the libraries have been dropped, they are executed via rundll32.

It modifies values in the following registry keys:
[HKCR\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32] @ = "ole16.dll"
ThreadingModel = "both"

[HKCR\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32] @ = shell32.dll
@ = ole16.dll

[HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32] @ = "ole16.dll"
ThreadingModel = "both"

The virus also drops a 7,168-byte file with a temporary name into the temporary directory. With this file it is able to track all opened windows and take screenshots of them. The screenshots captured from the victim's machine are encrypted and published on the Internet.

Only one instance of the virus DLL component can be loaded in memory at a time; this exclusivity is ensured by checking event names against the string "~DF".

Infection of other executable files:
The virus looks for files with the *.exe extension on fixed drives and infects the executables it finds. It avoids files and directories whose paths contain the following strings:
_restore
documents and
music
program files
win

Files smaller than 524,288 bytes (0x80000) are also ignored and will not be infected.

The virus overwrites a block in the first section of the found executable with its own body. The original content of the overwritten block is packed into a CAB archive and appended to the end of the file, after the last section, where it is not immediately visible. The entry point in the file header is then modified to point at the virus body.

When an infected file is launched, the virus unpacks the original (overwritten) block from the CAB archive, removes its own body from the infected file and runs the original code.

Because the virus body is encrypted, no plain-text strings are visible in it.

3. How to disinfect the victim computer:
We do not recommend disinfecting this virus manually. You could damage your Windows system and your computer could become unusable! To clean this infiltration you must use antivirus software.

0 writebacks [03/09/2007 10:10]



Virus Win32 Plut



1. Summary:

Plut is a prepending virus infecting all executables (*.exe) found on local disks.

Aliases:

Kaspersky: Virus.Win32.Plut.a
Norman: W32/Plut.A

2. Detailed description:

After execution, the Plut virus creates the following files:

C:\Documents and Settings\%USERPROFILE%\Desktop\Baca.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\Hik.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\My Computer.exe
C:\Setup.exe
C:\%WINDOWS%\robe.exe
C:\%WINDOWS%\system32\funny3.bmp
C:\%WINDOWS%\system32\syskg.exe
C:\%WINDOWS%\xplorer.exe

and then runs the created “syskg.exe” file. This file runs in the background (unnoticed by the user) and searches the local drives for executable files, which it then infects.

The “funny3.bmp” file is set as the desktop wallpaper.

It modifies the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

[HKCU\Software\Policies\Microsoft\Windows\System]
"DisableCMD" = "1"

It also creates a registry key that is probably the author's signature:

[HKCU\Software\KageMukashi]

3. Cleaning:

- Reboot the PC into safe mode.
- Remove these registry keys:

[HKCU\Software\KageMukashi]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons]

- Set the value "DisableCMD" under the following key to "0":

[HKCU\Software\Policies\Microsoft\Windows\System]
"DisableCMD" = "1"

set to:

"DisableCMD" = "0"

- Delete the following files:

C:\Documents and Settings\%USERPROFILE%\Desktop\Hik.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\Baca.txt
C:\Documents and Settings\%USERPROFILE%\Desktop\My Computer.exe
C:\Setup.exe
C:\%WINDOWS%\robe.exe
C:\%WINDOWS%\system32\funny3.bmp
C:\%WINDOWS%\system32\syskg.exe
C:\%WINDOWS%\xplorer.exe
- Reboot the computer back into normal mode.
- Run a complete antivirus scan, which will remove the prepended body of the worm from the infected executables.

0 writebacks [03/07/2007 09:50]



Virus Win32 HLLP Philis fv



1. Summary:

Philis.fv is a virus infecting executable (*.exe) files found on the local computer. It also drops a dynamic library (DLL) that downloads a trojan horse from the Internet intended to gather user passwords (a so-called "password stealer").


Aliases:

Kaspersky: Worm.Win32.Viking.gp
Symantec: W32.Looked.BK
Trend Micro: PE_LOOKED.TE-O


2. Detailed description:

Philis.fv is a Win32 virus written in Borland Delphi that infects executables found on the local computer. It infects a file by first reading its original content. The virus then writes its 91 kB body at the beginning of the file and places the original content right after it. This technique is called “prepending”. It ensures that when the file is executed the virus is launched first, after which it hands control back to the original code.
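The two file-layout changes described on this page, the CAB archive that Saburex.a appends after the last section and the original executable that a prepending virus such as Plut or Philis.fv places after its own body, both leave a signature a defender can check for. The following Python scanner is an added example (not code from the page or from any antivirus vendor): it reads only the PE headers it needs, reports the offset of a CAB header ("MSCF", the standard cabinet file signature) in the overlay past the last section, and reports the offset of a second MZ/PE header inside the file. The test blobs built by build_min_pe are constructed, PE-shaped but not loadable; nothing about the 13 kB or 91 kB sizes from the text is assumed, only the layout.

```python
import struct


def build_min_pe(section_body: bytes) -> bytes:
    """Constructed, minimal PE-shaped blob for offline tests: DOS header, PE signature,
    COFF header with one section and no optional header. Not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = len(dos) + len(coff) + 40                        # one 40-byte section header
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_body), 0x1000, len(section_body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + section + section_body


def pe_sections_end(data: bytes):
    """Return the file offset just past the last section's raw data, or None if not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pe(data: bytes, start: int = 2):
    """Offset of a second MZ/PE header inside the file (the prepended original), or None."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        sub = data[pos:]
        if len(sub) >= 0x44:
            e_lfanew = struct.unpack_from("<I", sub, 0x3C)[0]
            if 0x40 <= e_lfanew <= len(sub) - 4 and sub[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def scan_pe(data: bytes) -> dict:
    """Report the two infection indicators described on the page."""
    end = pe_sections_end(data)
    result = {"is_pe": end is not None, "cab_in_overlay": None, "embedded_pe": None}
    if end is None:
        return result
    cab = data.find(b"MSCF", end)                  # CAB signature after the last section (Saburex.a)
    result["cab_in_overlay"] = cab if cab != -1 else None
    result["embedded_pe"] = find_embedded_pe(data)   # original file behind a prepended body (Plut, Philis.fv)
    return result


# Constructed samples: a clean file, the same file with a CAB appended past its last
# section, and the same file sitting behind a 178-byte "virus" PE.
CLEAN = build_min_pe(b"\x90" * 16)
SABUREX_LIKE = CLEAN + b"MSCF" + b"\0" * 28
PREPENDED = build_min_pe(b"VIRUS" * 10) + CLEAN

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("saburex-like", SABUREX_LIKE), ("prepended", PREPENDED)):
        print(name, scan_pe(blob))
```

A CAB in the overlay is also how some legitimate self-extracting installers are built, and a second PE header appears in installers and binaries that embed other executables as resources, so treat either hit as a reason to compare the file against a known-good copy rather than as proof of infection.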

After execution, Philis.fv copies itself to a location such as:

%WINDOWS%\uninstall\rundl132.exe (the second “l” character is replaced by the number 1).

It then drops the following file into the %WINDOWS% directory:

%WINDOWS%\RichDll.dll

This library is injected into the process named Explorer.exe. Running inside explorer.exe, it can download the trojan horse without the user noticing any suspicious activity.

The trojan horse is stored in the TEMP directory under the name:

%USERPROFILE%\Local Settings\Temp\nuj9.dll

To better protect itself it also creates a .sys file:
%USERPROFILE%\Local Settings\Temp\[Random Name].sys

This .sys file hooks itself into the "System Service Descriptor Table" (SSDT) and redirects the calls to the functions "NtEnumerateKey", "NtEnumerateValueKey" and "NtOpenProcess" to itself. This way it gains full control over process creation and registry manipulation, and it uses this to hide its processes and registry keys.

It searches through the running processes, and if it finds one with any of these names it terminates it immediately:

EGHOST.EXE
IPARMOR.EXE
KAVPFW.EXE
MAILMON.EXE
mcshield.exe
Ravmond.EXE
regsvc.exe
and it stops the service "Kingsoft AntiVirus".

These keys get added into the registry by the virus:

[HKLM\SOFTWARE\Microsoft\DownloadManager]
[HKLM\SOFTWARE\Soft\DownloadWWW]
"auto" = "1"

3. Spreading:

The Philis.fv virus also tries to spread through the local network. It searches the whole subnet for active computers by sending an ICMP ping with a “Hello, World” payload and waiting for a reply. If there is a reply, the virus tries to access the ADMIN$, IPC$ and other shares that are likely to exist on the remote computer, and infects all the executables found on these shares.

It marks the infection of the share by creating a “_desktop.ini” file in the root directory of the share.
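The network probe described above is a simple thing to look for in captured traffic: an ICMP echo request carrying the “Hello, World” payload, sent by one host to many addresses in quick succession. The Python below is an added example, not part of the original post: it parses raw IPv4/ICMP packets, validates the ICMP checksum, flags echo requests whose payload begins with that string, and reports sources that probed at least a threshold number of distinct hosts. The packets are constructed in the block itself (build_echo_request) for offline testing; the addresses, the threshold of three hosts and the assumption that the payload starts with the string are my choices, not values from the page.

```python
import struct

PROBE_PAYLOAD = b"Hello, World"   # payload the page attributes to the virus's ping probe


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed IPv4/ICMP echo request, used here only to produce sample traffic."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b, dst_b = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:
        return None
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    icmp = pkt[ihl:min(total_len, len(pkt))]
    if inet_checksum(icmp) != 0:            # corrupt or truncated ICMP: do not trust its contents
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, icmp[0], icmp[8:]


def is_philis_probe(pkt: bytes) -> bool:
    """Echo request (type 8) whose payload starts with the probe string."""
    parsed = parse_ipv4_icmp(pkt)
    return parsed is not None and parsed[2] == 8 and parsed[3].startswith(PROBE_PAYLOAD)


def sweep_sources(packets, threshold: int = 3) -> dict:
    """Sources that sent the probe to at least `threshold` distinct hosts: {src: [dst, ...]}."""
    targets = {}
    for pkt in packets:
        if is_philis_probe(pkt):
            src, dst, _, _ = parse_ipv4_icmp(pkt)
            targets.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample: one host probing five neighbours with the virus payload,
# plus one ordinary Windows ping (its default 32-byte alphabet payload).
SAMPLE_PACKETS = [build_echo_request("192.168.1.50", "192.168.1.%d" % h, PROBE_PAYLOAD) for h in range(1, 6)]
SAMPLE_PACKETS.append(build_echo_request("192.168.1.7", "192.168.1.1", b"abcdefghijklmnopqrstuvwabcdefghi"))

if __name__ == "__main__":
    print(sweep_sources(SAMPLE_PACKETS))
```

On a real capture you would feed the IP-layer bytes of each frame (strip the Ethernet header first) into sweep_sources; the same host then touching ADMIN$ or IPC$ on the probed addresses is the second half of the pattern the page describes.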

4. Cleaning:

Manual cleaning is not possible. I recommend using an antivirus for a complete and safe removal of this infiltration.

Advice:

If you want to prevent the infection, create the "Desktop_.ini" file in the root directory of all your shares. This way the virus will think it has already infected the share.

0 writebacks [03/05/2007 11:08]



Virus - Win32 - Fujacks - e



1. Summary:

Fujacks is a virus which infects all executables (*.exe) found on the local hard drives. It also infects all executables found in shared folders.

Alias names:

F-Secure: Fujack.K
NOD32: Win32/Fujacks
Symantec: W32.Fujacks.E

2. Detailed description:

After its first execution, Fujacks creates a copy of itself named "spoclsv.exe" in the %SYSTEM%\Drivers\ folder and ensures its execution by writing an entry into the "Run" registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "svcshare" = "%System%\Drivers\spoclsv.exe"

The %SYSTEM% variable points to the Windows system directory. Its location depends on the installed Windows version: on Windows XP it is \WINDOWS\SYSTEM32\, on Windows 2000 \WINNT\SYSTEM32\.

Fujacks searches the Run registry key for entries and removes those whose names include the following strings:
kav
KAVPersonal50
KvMonXP
McAfeeUpdaterUI
Network Associates Error Reporting Service
RavTask
ShStatEXE
yassistse
YLive.exe

This ensures that the programs won't get executed after the computer starts.

It also modifies the value "CheckedValue" in the key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] "CheckedValue" = "0"

The virus actively defends itself and closes all windows whose titles include the following strings:
Symantec AntiVirus
System Safety Monitor
System Repair Engineer
VirusScan
Winsock Expert
Wrapped gift Killer

It also terminates numerous processes which could cause it difficulties. Some of them are:
CCenter.exe
KVSrvXP.exe
Msconfig.exe
Ravmon.exe
Regedit.exe
Rundl132.exe
scan32.exe
taskmgr.exe
TBMon.exe

This is not all it does. It also stops several security-related services:
AVP
kavsvc
KPfwSvc
KVSrvXP
McAfeeFramework
McShield
navapsvc
RsCCenter
RsRavMon
Symantec Core LC

Fujacks searches all hard and removable drives connected to the local computer for files with the .gho extension and removes them. These files are "Ghost" disk images.

Executables which get infected have these extensions:
*.com
*.exe
*.pif
*.scr

To ensure it does not infect an already infected file, it creates a "Desktop_.ini" marker file in every folder it has already infected.

If Fujacks finds a shared folder, it copies its body there under the name "GameSetup.exe". If the share is password protected, Fujacks tries to guess the password, trying only a short list of easy and frequently used passwords:
123
root
administrator
admin
abcd
qwerty
love
owner

Fujacks is also capable of downloading a file from the Internet and executing it. This widens the capabilities of the virus immensely, because the downloaded file can be anything and can do anything.

3. Cleaning:

Fujacks is an infector which infects all executables; therefore manual cleaning is not possible. I recommend using an antivirus to remove the infection.
If you do not own an antivirus, you can use the Kaspersky online virus scanner.

If your computer has not yet been infected, you can prevent the infection by creating the "Desktop_.ini" file in every folder you wish to protect. This causes the virus to think it has already infected all the files within the folder.
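Both the Philis.fv and the Fujacks descriptions give the same advice: create the marker file the virus uses to record that a folder is already infected (the Philis.fv text names it "_desktop.ini" in one place and "Desktop_.ini" in another; this example defaults to the latter and takes the name as a parameter). The Python below is an added example, not code from the page: it audits a set of folder roots for the marker, creates it only where it is missing without overwriting anything, makes it read-only and reports what it did, so it can be run repeatedly. The demo() function builds a constructed two-share layout in a temporary directory; real use would pass the share roots instead.

```python
import os
import tempfile
from pathlib import Path

MARKER = "Desktop_.ini"   # name used in the page's advice; pass marker=... for another spelling


def audit(roots, marker: str = MARKER, recursive: bool = False) -> dict:
    """Classify folders under `roots` by whether the marker file is present."""
    folders = []
    for root in roots:
        root = Path(root)
        folders.append(root)
        if recursive:
            folders.extend(p for p in root.rglob("*") if p.is_dir())
    present = [str(p) for p in folders if (p / marker).is_file()]
    missing = [str(p) for p in folders if not (p / marker).is_file()]
    return {"present": present, "missing": missing}


def inoculate(roots, marker: str = MARKER, recursive: bool = False) -> dict:
    """Create the marker in every folder that lacks it; never touch an existing one."""
    state = audit(roots, marker, recursive)
    created, failed = [], []
    for folder in state["missing"]:
        path = Path(folder) / marker
        try:
            with open(path, "x") as fh:          # "x": fail rather than overwrite anything
                fh.write("; inoculation marker, see the Philis.fv and Fujacks descriptions\n")
            os.chmod(path, 0o444)                # read-only so casual writes do not remove it
            created.append(folder)
        except OSError:                          # missing folder, no permission, read-only share
            failed.append(folder)
    return {"created": created, "already_present": state["present"], "failed": failed}


def demo() -> dict:
    """Constructed share layout in a temporary directory: two roots, one already marked."""
    base = Path(tempfile.mkdtemp(prefix="inoc_"))
    (base / "share1" / "tools").mkdir(parents=True)
    (base / "share2").mkdir()
    (base / "share2" / MARKER).write_text("pre-existing\n")
    roots = [base / "share1", base / "share2"]
    first = inoculate(roots, recursive=True)
    second = inoculate(roots, recursive=True)    # idempotent: nothing new to create
    rel = lambda p: Path(p).relative_to(base).as_posix()
    return {
        "first_created": sorted(rel(p) for p in first["created"]),
        "first_present": sorted(rel(p) for p in first["already_present"]),
        "second_created": second["created"],
        "all_marked": audit(roots, recursive=True)["missing"] == [],
    }


if __name__ == "__main__":
    print(demo())
```

The marker is only a tripwire that these particular viruses happen to honour: it does nothing against a variant that checks a different name, so it complements, and does not replace, the antivirus scan the cleaning sections recommend.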

0 writebacks [03/04/2007 09:11]



Trojan Horse - Win32 - Fuclip



1. Summary:

Fuclip is a 30 kB trojan horse which spreads via infected emails. It serves as a backdoor with the ability to delete any file on the hard drive or any registry key, and to stop a process or a service.

Alias names:
Kaspersky: Email-Worm.Win32.Bagle.gt
McAfee: W32/Bagle.gen
NOD32: Win32/Fuclip
Symantec: Trojan.Tooso!gen


2. Detailed description:

After execution the trojan horse creates the following files in the system directory (%SYSTEM%):
peers.ini
wincom32.sys

and registers itself as a service under the name “wincom32”.

The system directory under different versions of Windows is: Windows XP \WINDOWS\SYSTEM32\
Windows 2000 \WINNT\SYSTEM32\

The trojan horse can be controlled remotely. It can even download and run a file from the Internet.

For masking purposes it uses a "rootkit" technique. This means that it thoroughly hides itself within the system and can avoid detection even by a professional.

3. Email messages:

There are several variants of the email message.
The subject of the message is chosen from the following:

230 dead as storm batters Europe
British Muslims Genocide
Fidel Castro dead.
Hugo Chavez dead
Radical Muslim drinking enemies' blood
Sadam Hussein alive!.
Sadam Hussein safe and sound!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel

The infected email has an executable attached which contains the body of the trojan horse. The attachment name can be one of:

Full Clip.exe
Full Story.exe
Full Video.exe
Postcard.exe
Greeting Card.exe
Greeting Postcard.exe
Read More.exe
Video.exe
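A mail gateway can recognise this campaign from exactly the two lists above. The Python below is an added example, not part of the original post: it parses an RFC 5322 message with the standard email package, compares the subject and the attachment file names against the page's lists (case-insensitively), notes whether any attachment carries an executable extension (treating .scr, .pif and .com as executable besides .exe is my choice, not from the page), and returns a verdict. build_sample constructs a test message with a harmless placeholder attachment; the example.invalid addresses are constructed too.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment names exactly as listed on the page.
KNOWN_SUBJECTS = {
    "230 dead as storm batters Europe",
    "British Muslims Genocide",
    "Fidel Castro dead.",
    "Hugo Chavez dead",
    "Radical Muslim drinking enemies' blood",
    "Sadam Hussein alive!.",
    "Sadam Hussein safe and sound!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
}
KNOWN_ATTACHMENTS = {
    "Full Clip.exe", "Full Story.exe", "Full Video.exe", "Postcard.exe",
    "Greeting Card.exe", "Greeting Postcard.exe", "Read More.exe", "Video.exe",
}
# Extensions treated as directly executable at the gateway (my choice, not from the page).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")


def classify(raw: bytes) -> dict:
    """Inspect one RFC 5322 message and return the indicators plus a gateway verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    subject_match = subject.casefold() in {s.casefold() for s in KNOWN_SUBJECTS}
    known_set = {k.casefold() for k in KNOWN_ATTACHMENTS}
    known_name = any(n.casefold() in known_set for n in names)
    executable = any(n.lower().endswith(EXECUTABLE_EXT) for n in names)
    if subject_match and known_name:
        verdict = "block"          # both indicators from the page's description match
    elif executable or known_name:
        verdict = "quarantine"     # an executable attachment is policy-relevant on its own
    else:
        verdict = "deliver"
    return {"subject": subject, "attachments": names, "subject_match": subject_match,
            "known_attachment": known_name, "executable_attachment": executable, "verdict": verdict}


def build_sample(subject: str, attachment_name: str,
                 body: bytes = b"constructed placeholder, not an executable") -> bytes:
    """Constructed message with one binary attachment, for offline testing only."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("Fidel Castro dead.", "Full Clip.exe"))["verdict"])
    print(classify(build_sample("Quarterly report", "report.txt"))["verdict"])
```

The subject list is only worth matching exactly for as long as the campaign keeps reusing it; the executable-attachment check is the durable part of the rule, which is why it gets its own verdict.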

4. Cleaning:

Stop the "wincom32" service using the service manager (START -> Settings -> Control Panel -> Administrative Tools -> Services).

Erase the file "wincom32.sys" from the system directory (%SYSTEM%).
Erase the file "peers.ini" from the system directory (%SYSTEM%).

If you are unsure whether "something evil" that hides itself is running on your computer, I recommend using the "Rootkit Revealer" utility, which shows even hidden processes (the "rootkit technique" mentioned above).
You can download it from: http://download.sysinternals.com/Files/RootkitRevealer.zip

0 writebacks [03/04/2007 09:11]



Virus - Win32 - Darksnow



1. Summary

The Darksnow virus is 33 kB long and spreads through infected MS Word documents.

Aliases:

Sophos: W32/Blic-A
Symantec: W32.Darksnow

2. Detailed description:

The Darksnow virus creates the following files:

%SYSTEM%\blackice.ini
%SYSTEM%\blackice.exe
%SYSTEM%\kernel.dll
%USERPROFILE%\My Documents\resume.xlw

Afterwards it infects the Word template file (normal.dot). This way it gets executed every time Word is started and infects all the user's documents.

This file can be found in:
%USERPROFILE%\Application Data\Microsoft\Templates\Normal.dot

It also modifies the registry in order to run at system startup:
[HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "%System%blackice.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\blackice.exe"

In order to be able to infect Office XP documents, it also modifies these keys:

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM" = "01"

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"AccessVBOM" = "01"

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"

Afterwards the virus injects itself into the Explorer process. This way it guards the “blackice.exe” process: if it is not running, the injected Explorer starts it.
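The registry changes listed above (the Winlogon "Shell" value with a second executable appended, the "run" value under Windows NT\CurrentVersion\Windows, and the Office Security values AccessVBOM and Level set to 1) can all be checked from an export taken with reg export. The Python below is an added example, not code from the page: it parses a Registry Editor 5.00 export into a dictionary and reports each of those indicators. The SAMPLE_REG text is constructed for the example; the C:\WINDOWS\system32 paths in it are sample values standing in for the page's %System%, and the indicator names are mine.

```python
import re

# Constructed .reg export (Registry Editor 5.00 format) with the values the page
# attributes to Darksnow, plus one untouched Excel value for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\blackice.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\system32\\blackice.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"AccessVBOM"=dword:00000001
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM"=dword:00000000
"""

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
OFFICE_SECURITY = re.compile(r"\\microsoft\\office\\[\d.]+\\(word|excel)\\security$")


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)        # .reg escapes backslash and quote with a backslash


def _parse_value(v: str):
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    return v                                 # hex:, expand strings etc. are left raw


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: value}}; strings unescaped, DWORDs as int."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            reg[key][name] = _parse_value(m.group(2))
    return reg


def _is_one(v) -> bool:
    """True for dword 1 or the string forms "1"/"01" shown on the page."""
    return v == 1 or (isinstance(v, str) and v.strip().lstrip("0") == "1")


def find_indicators(reg: dict) -> list:
    """Return (indicator, key, value) triples for the settings the page describes."""
    hits = []
    for key, values in reg.items():
        k = key.lower()
        for name, val in values.items():
            n = name.lower()
            if k.endswith(r"\microsoft\windows nt\currentversion\winlogon") and n == "shell":
                if str(val).strip().lower() != "explorer.exe":
                    hits.append(("winlogon_shell_modified", key, val))
            elif k.endswith(r"\microsoft\windows nt\currentversion\windows") and n in ("run", "load"):
                if str(val).strip():
                    hits.append(("legacy_autostart_" + n, key, val))
            elif OFFICE_SECURITY.search(k):
                if n == "accessvbom" and _is_one(val):
                    hits.append(("vba_object_model_access", key, val))
                elif n == "level" and _is_one(val):
                    hits.append(("macro_security_level_1", key, val))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(*hit)
```

Export the HKU hive as well as HKCU before running this, since the page lists the "run" value under HKU; the cleaning section below resets the Office values to 0 and removes the two autostart entries, which is exactly what an empty result from find_indicators confirms.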

3. Cleaning:

- Reboot the PC into safe mode.
- Delete the following registry keys:

[HKU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run" = "%System%blackice.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe %System%\blackice.exe"

- Change the following registry values from "01" to "00":

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM" = "01"

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"

[HKCU\Software\Microsoft\Office\11.0\Word\Security]
"AccessVBOM" = "01"

[HKCU\Software\Microsoft\Office\11.0\Excel\Security]
"Level" = "01"

- Delete the following files:

%SYSTEM%\blackice.ini
%SYSTEM%\blackice.exe
%SYSTEM%\kernel.dll
%USERPROFILE%\Application Data\Microsoft\Templates\Normal.dot
%USERPROFILE%\My Documents\resume.xlw

- Reboot the PC back into normal mode.

0 writebacks [03/03/2007 08:10]



Trojan Win32 Mespam



1. Summary:

Mespam is a trojan horse that installs itself into the system as an LSP (“Layered Service Provider”). Through an IM (Instant Messenger) client it sends messages containing a URL that leads to the standalone body of the trojan.

2. Detailed description:

Mespam is 49 kB long and usually either gets downloaded by another trojan horse or infects the computer when the user clicks on an infected message in their IM client.

After its execution, Mespam drops the following files into the system directory:

%SYSTEM%\rsvp32_2.dll
%SYSTEM%\sporder.dll

The file "rsvp32_2.dll" registers itself as another LSP ("Layered Service Provider"). As an LSP it has direct, low-level access to the local network and/or the Internet. Some firewalls are also registered as LSPs.

Afterwards it modifies the Winsock parameters through the registry:

[HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters]

It creates:

[HKLM\SOFTWARE\WinSock2\Buibert]

It writes some installation-related information here.

It also creates the following files:

%SYSTEM%\aosmx.dll
%SYSTEM%\aimsmx.dll
%SYSTEM%\ymsgsmx.dll
%SYSTEM%\gtalsmx.dll

These files store the sent IM messages.

3. Spreading:

As mentioned before, Mespam spreads by sending an IM containing a URL. After the victim visits this URL, the body of the trojan gets executed. The text of the message is always downloaded from the Internet and is largely unique.

It can send messages through these clients:

AOL Instant Messenger
Google Talk
Yahoo! Messenger

4. Cleaning:

- Reboot the PC into safe mode.

- Remove this registry key:

[HKLM\SOFTWARE\WinSock2\Buibert]

- Download the "LSP Fix" program. Run it and remove the LSP provider named "rsvp32_2.dll".

WARNING
By manipulating the LSP providers improperly you may disable some network functionality. If this happens you will have to reinstall the TCP/IP protocol.

- Reboot the PC into safe mode again.
- Delete these files:
%SYSTEM%\rsvp32_2.dll
%SYSTEM%\aosmx.dll
%SYSTEM%\aimsmx.dll
%SYSTEM%\ymsgsmx.dll
%SYSTEM%\gtalsmx.dll

- Reboot the PC into normal mode.

0 writebacks [03/02/2007 12:23]


