Clearing the dust off an incident from who knows how long ago, here are the objectives for this one:
This isn't anything really special, except for maybe the most infected PC ever. It should belong in a museum of some sort. There is just so much going on with this machine that it isn't worth trying to figure out how it started (though likely via ByteVerify, as with many others). For that matter, this is going to be less show-and-tell and more just show. At the very least, it will get indexed by search engines and help others correlate suspicious files they find on their own systems.

View the unique detects by Symantec in the month of May 2004 here. Unfortunately, May 5 is the farthest back we have Activity logs, but according to the Quarantine log, ByteVerify has been exploiting the system since at least mid March. On April 22, Norton quarantined winlogon.exe out of C:\Documents and Settings\All Users\Start Menu\Programs\Startup as having Trojan.StartPage. We'll look at this later. View the Norton quarantine log here.

The main.chm file decompresses to main.html, which contains some gibberish that is translated well with the Script Decoder by Virtual Conspiracy. It uses the ADODB.Stream method to fetch and execute msits.exe; it also registers an ActiveX component by the CLSID 10000000-1000-0000-10000-000000000001. Like I said, nothing new here.

However, we were able to restore Notepad.exe and Winlogon.exe from the quarantine. According to Stud_PE, Notepad.exe is packed with PECompact by Jeremy Collake, which makes it hard to examine. Norman Sandbox says it creates a file named wnnwlln.exe when executed; that name is later determined to be randomly generated. Here is what Notepad.exe did when run on our own machine:
Once wpnchvhk.exe was active on the system, it pretty much flooded the network with horribly throttled connection attempts to 206.58.237.248, .249, and .252. In about 245 seconds the process initiated just below 3500 connection attempts, which is about 14 per second. It raised the CPU to 100% and rapidly brought the system to a squealing halt. If this is what the author intended to do, then good for him, but anything this noisy is bound to be detected quickly.

Before killing the process, LordPE was used to dump a copy of wpnchvhk.exe as it existed in RAM to a file on disk. The dumped.exe matched up pretty nicely with wpnchvhk.exe. This is a good method for restoring a memory-resident virus/worm or one that cannot be recovered from disk. Interestingly enough, wpnchvhk.exe is still packed, this time with LCC Win32 by Jacob Navia, according to Stud_PE. Routing the IP addresses mentioned earlier to a Linux box with httpd listening shows that it sends a GET request for /update?vid=1.154.100.135 with a User-Agent string of "PB@INET". To me, the use of this User-Agent is careless on the attacker's part because it singles him out and leads right back to TROJ_SMALL.AN on Trend Micro's site.

Winlogon.exe isn't as exciting, despite its name. It's packed with UPX, which is easy to reverse, but we should send it through Norman anyway (see below). Back to its name: there is another reason beyond the obvious why an author would name his program Winlogon.exe. The first thing that came to mind was so it would blend in with legitimate system processes. I realized the second reason when I tried to terminate it through the built-in Windows Task Manager utility and got the error "This is a critical system process. Task Manager cannot terminate this process." Winlogon.exe can be terminated with Sysinternals' Process Explorer, but most users, with only Task Manager, have no option but to leave it running. Gotta give the authors a point for that one.
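As an added example (not part of the original write-up), here is a small Python detector for the beacon behaviour described above: it flags the "PB@INET" User-Agent, the /update?vid= URI and the three destination addresses as static indicators, and separately flags any source whose sustained connection rate resembles the 14-per-second flood, which still fires if the strings are changed. The log line format, the 10.0.0.x hosts and the 192.0.2.10 destination are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators from the write-up: the C2 addresses, the beacon URI and the User-Agent.
KNOWN_C2 = {"206.58.237.248", "206.58.237.249", "206.58.237.252"}
BEACON_UA = "PB@INET"
BEACON_URI = re.compile(r"^/update\?vid=")
# Assumed log format (constructed): "<epoch> <src> <dst> <method> <uri> <user-agent>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (.+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, method, uri, ua = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "method": method, "uri": uri, "ua": ua}

def signature_hits(records):
    """Flag records matching the static indicators; each hit lists every reason it matched."""
    hits = []
    for r in records:
        checks = ((r["ua"] == BEACON_UA, "user-agent PB@INET"),
                  (bool(BEACON_URI.match(r["uri"])), "uri /update?vid="),
                  (r["dst"] in KNOWN_C2, "known C2 destination"))
        reasons = [why for ok, why in checks if ok]
        if reasons:
            hits.append((r["src"], r["dst"], reasons))
    return hits

def rate_hits(records, per_second=5.0, min_span=30):
    """Flag sources averaging over per_second connections across at least min_span seconds."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, stamps in by_src.items():
        span = max(stamps) - min(stamps)  # seconds between first and last connection
        if span >= min_span and len(stamps) / span > per_second:
            flagged[src] = round(len(stamps) / span, 1)
    return flagged

def build_sample_log():
    """Constructed sample: 10.0.0.7 beacons 14/s for 40 s to the C2s; 10.0.0.9 browses normally."""
    c2 = sorted(KNOWN_C2)
    lines = [f"{1114990000 + i // 14} 10.0.0.7 {c2[i % 3]} GET /update?vid=1.154.100.135 PB@INET"
             for i in range(40 * 14)]
    lines.append("1114990005 10.0.0.9 192.0.2.10 GET /index.html Mozilla/4.0")
    lines.append("1114990030 10.0.0.9 192.0.2.10 GET /news.html Mozilla/4.0")
    return lines
```

Running `rate_hits(parsed)` on the constructed sample reports 10.0.0.7 at about 14.4 connections per second while the normal host is not flagged.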
Report created: 01.05.2005 23:04:03
Automatic Sandbox analysis of unknown malware (W32/Malware)

[ General information ]
* File length: 11776 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\FREE HIDDEN CAMS WORLD.url.
* Creates file C:\WINDOWS\FREE SPY CAM.url.
* Creates file C:\WINDOWS\FREE WEB CAMS CHATS.url.
* Creates file C:\WINDOWS\GET THIS 4 FREE.url.

[ Changes to registry ]
* Modifies value "Start Page"="http://mypoiskovik.com/index.htm" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Sets value "Use Search Asst"="no" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Sets value "Search Page"="http://mypoiskovik.com/index.htm" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Sets value "Search Bar"="http://mypoiskovik.com/sp.htm" in key "HKCU\Software\Microsoft\Internet Explorer\Main".
* Creates key "HKCU\Software\Microsoft\Internet Explorer\SearchURL".
* Sets value "default"="http://mypoiskovik.com/index.htm" in key "HKCU\Software\Microsoft\Internet Explorer\SearchURL".
* Sets value "provider"="gog" in key "HKCU\Software\Microsoft\Internet Explorer\SearchURL".
* Creates key "HKLM\Software\Microsoft\Internet Explorer\Search".
* Sets value "SearchAssistant"="http://mypoiskovik.com/sp.htm" in key "HKLM\Software\Microsoft\Internet Explorer\Search".

According to this output, the Symantec identification of Trojan.StartPage seems reasonable.
The unpacked version of Winlogon.exe shows some tell-tale signs of these facts, along with other domains it is associated with (see the context of the .url files in Norman's log):

http://mypoiskovik.com/index.htm
http://mypoiskovik.com/sp.htm
Software\Microsoft\Internet Explorer\Main\Start Page
Software\Microsoft\Internet Explorer\Main\Use Search Asst
Software\Microsoft\Internet Explorer\Main\Search Page
Software\Microsoft\Internet Explorer\Main\Search Bar
Software\Microsoft\Internet Explorer\SearchURL\
Software\Microsoft\Internet Explorer\SearchURL\provider
SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
http://free.hcworld.com/?mypoiskovik.com
http://free-spy-cam.net/?mypoiskovik.com
http://web-cams-chat.com/?mypoiskovik.com
http://getthis4free.com/

The *.url files are added to the IE Favorites menu. Also, since Winlogon.exe resides in the All Users startup menu, it runs every time the computer is rebooted or any user logs on. For giggles, view the list of suspicious files on this system as detected by AdAware here.
This is a comparison of the VirusTotal and Jotti's Malware Scanner results:

VirusTotal scan results
File: wpnchvhk.exe
Date: 05/02/2005 02:48:41 (CET)
----
AntiVir 6.30.0.7/20050501 found [TR/Drop.Small.GS.2]
AVG 718/20050429 found [Downloader.Small.5.X]
BitDefender 7.0/20050501 found [Trojan.Nadoc.A]
ClamAV devel-20050307/20050430 found [Trojan.Downloader.Agent.AM]
DrWeb 4.32b/20050501 found [Trojan.Nadoc]
eTrust-Iris 7.1.194.0/20050501 found [Win32/Gloogle.48506!Trojan]
eTrust-Vet 11.7.0.0/20050429 found [Win32.SillyDl.CN]
Fortinet 2.51/20050501 found [W32/Small.IJ-tr]
F-Prot 3.16b/20050428 found [security risk named W32/Ofilt.A@dl]
Ikarus 2.32/20050501 found [Trojan-Downloader.Win32.Small.IJ]
Kaspersky 4.0.2.24/20050502 found [Trojan-Downloader.Win32.Small.ij]
McAfee 4480/20050429 found [Downloader-JU]
NOD32v2 1.1085/20050501 found [Win32/TrojanDownloader.Small.IJ]
Norman 5.70.10/20050429 found nothing
Panda 8.02.00/20050501 found [Trj/Downloader.AJC]
Sybari 7.5.1314/20050502 found [Downloader-JU]
Symantec 8.0/20050501 found [Trojan.Adwaheck]
VBA32 3.10.3/20050429 found [Trojan-Downloader.Win32.Small.ij]

Jotti's Malware Scanner
AntiVir: Found TR/Drop.Small.GS.2
Avast: Found Win32:Trojano-495
AVG Antivirus: Found Downloader.Small.5.X
BitDefender: Found Trojan.Nadoc.A
ClamAV: Found Trojan.Downloader.Agent.AM
Dr.Web: Found Trojan.Nadoc
F-Prot Antivirus: Found W32/Ofilt.A@dl
Fortinet: Found W32/Small.IJ-tr
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Small.ij
mks_vir: Found Trojan.Downloader.Small.Ij
NOD32: Found Win32/TrojanDownloader.Small.IJ
Norman Virus Control: Found nothing
VBA32: Found Trojan-Downloader.Win32.Small.ij