New Virus (Dec 9)

Discussion in 'Anti-Virus' started by Virus Guy, Dec 10, 2011.

  1. Virus Guy

    Virus Guy Guest

    I've seen a handful more of the same malware today spawned from similar
    spams that I saw yesterday.

    The link for today's package is here:

    http://www.fileden.com/files/2008/7/19/2010382/DEC-9.ZIP

    Password is "a" (no quotes). There are 2 subdirectories, one for each of
    2 examples that are pretty much the same thing.

    Most of these domains have been taken down a few hours ago, but I have
    their matching IP address here:

    ==============
    Spam 1:

    Root url:
    hxxp://probstgroup.com/15cd0f/index.html

    Browser re-directed to:
    hxxp://wonderfulwrench.com/main.php?page=977334ca118fcb8c

    Pdf downloaded from:
    hxxp://wonderfulwrench.com/content/fdp1.php?f=49

    probstgroup.com -> 69.163.177.13
    wonderfulwrench.com -> 46.45.137.205

    lkco.in -> 72.52.252.82
    musicdelight.info -> 72.167.183.47
    www.lesposedimary.it -> 216.12.217.50
    anartistbooks.com -> 216.27.95.23

    ========================
    Spam 2:

    hxxp://megamllc.com/dbc8d0/index.html megamllc.com -> 74.208.87.228
    hxxp://onurdogaltas.com/ajaxam.js onurdogaltas.com -> 94.73.145.10
    hxxp://organy.art.pl/ajaxam.js organy.art.pl -> 193.239.136.57
    hxxp://servispro.cz/ajaxam.js servispro.cz -> 217.198.115.145
    hxxp://www.laudarte.com/jscounter.js laudarte.com -> 87.118.86.164

    Here's an example of the spam:

    =================
    Return-Path: <>
    Received: from SEFRMUZ ([58.185.231.214])
    Date: Thu, 8 Dec 2011 22:07:33 -0500
    From: "The Electronic Payments Association" <>
    Subject: ACH transfer report

    The ACH transfer (ID: 1006781299236), recently initiated from your
    checking account (by you or any other person), was rejected by the
    Electronic Payments Association.

    Rejected transfer
    Transaction ID: 1006781292346
    Rejection Reason See details in the report below
    Transaction Report
    report_1006781234236.doc (Microsoft Word Document)

    (doc file is hyper-linked to hxxp://probstgroup.com/15cd0f/index.html)

    13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
    © 2011 NACHA - The Electronic Payments Association
    =========================

    probstgroup.com -> 69.163.177.13

    Second similar e-mail came in at Fri, 9 Dec 2011 06:00:44. Subject was
    slightly different (ACH rejection notice). Content was exactly the same
    except for the hyperlink:

    hxxp://megamllc.com/dbc8d0/index.html
    megamllc.com -> 74.208.87.228

    ============================================

    Notes / Observations

    I noticed that regsvr32 transiently ran during the malware episode on my
    win-98 system. I substituted the real "regsvr32.exe" for a custom -
    compiled "dummy" that logged the argument passed to it. Here's an
    example of the output of that log file:

    regsvr32 -s 0.634405514320961.exe

    So regsvr32 was invoked in silent mode to execute the malware (but cctask
    did not actually show me that the .exe file was ever "running" - maybe
    it failed too quickly to be seen).

    This raises an important question: Can (or should) regsvr32.exe be
    removed (or moved) on any given win32 system as an anti-malware tactic?

    I understand that it's probably a good idea to have a
    properly-functioning regsvr32 when you want to install new software -
    but is it needed at other times?

    Other question:

    Does this particular malware perform changes to prefs.js that should be
    un-done?
     
    Virus Guy, Dec 10, 2011
    #1
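The spam sample and the domain/IP list above, run through a small matcher as an added example (this is not code from the thread; the message text is constructed from the post's sample, the domain-to-IP table is copied from the post, and the URL shapes are taken from the redirect chain it lists):

```python
"""
Added example, not part of the original thread: match a NACHA-themed spam
message against the indicators posted above.  The e-mail text is
constructed from the sample in the post, the domain->IP table is copied
from it, and the URL shapes come from the redirect chain it lists.
"""
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Domain -> IP pairs exactly as listed in the post (spam 1 and spam 2).
INDICATOR_DOMAINS = {
    "probstgroup.com": "69.163.177.13",
    "wonderfulwrench.com": "46.45.137.205",
    "lkco.in": "72.52.252.82",
    "musicdelight.info": "72.167.183.47",
    "www.lesposedimary.it": "216.12.217.50",
    "anartistbooks.com": "216.27.95.23",
    "megamllc.com": "74.208.87.228",
    "onurdogaltas.com": "94.73.145.10",
    "organy.art.pl": "193.239.136.57",
    "servispro.cz": "217.198.115.145",
    "laudarte.com": "87.118.86.164",
}

# Path shapes seen in the chain: hashed landing dir, main.php redirect,
# PDF fetched from content/fdp1.php, and the injected .js loaders.
URL_PATTERNS = {
    "landing": re.compile(r"^/[0-9a-f]{6}/index\.html$"),
    "redirect": re.compile(r"^/main\.php$"),
    "pdf": re.compile(r"^/content/fdp1\.php$"),
    "js_loader": re.compile(r"^/(ajaxam|jscounter)\.js$"),
}

# Matches both live http:// and the defanged hxxp:// form used in the post.
URL_RE = re.compile(r"h[xt]{2}ps?://[^\s\"'<>)]+", re.I)


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlparse works."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def classify_url(url):
    """Return a hit dict if the host or path matches an indicator, else None."""
    u = urlparse(refang(url))
    host = (u.hostname or "").lower()
    ip = INDICATOR_DOMAINS.get(host)
    stage = next((n for n, p in URL_PATTERNS.items() if p.match(u.path)), None)
    if ip is None and stage is None:
        return None
    return {
        "url": url,
        "host": host,
        "ip": ip,
        "stage": stage,
        # the 16-hex "page" token on the main.php redirect, if present
        "page": parse_qs(u.query).get("page", [None])[0],
    }


def scan_message(raw):
    """Check headers for the lure's tells and classify every URL in the body."""
    msg = message_from_string(raw)
    findings = []
    sender = msg.get("From", "")
    if re.search(r"<\s*>", sender):            # display name with empty address
        findings.append(("header", "From has empty address: " + sender))
    if re.search(r"\bACH\b", msg.get("Subject", ""), re.I):
        findings.append(("header", "ACH-themed subject"))
    for url in URL_RE.findall(msg.get_payload()):
        hit = classify_url(url)
        if hit:
            findings.append(("url", hit))
    return findings


# Constructed from the sample in the post; the .doc "attachment" is really
# a hyperlink, so the URL is written out next to it here.
SAMPLE_SPAM = """\
Return-Path: <>
Received: from SEFRMUZ ([58.185.231.214])
Date: Thu, 8 Dec 2011 22:07:33 -0500
From: "The Electronic Payments Association" <>
Subject: ACH transfer report

The ACH transfer (ID: 1006781299236), recently initiated from your
checking account (by you or any other person), was rejected by the
Electronic Payments Association.

Transaction Report
report_1006781234236.doc  hxxp://probstgroup.com/15cd0f/index.html
"""

if __name__ == "__main__":
    for kind, detail in scan_message(SAMPLE_SPAM):
        print(kind, detail)
    print(classify_url("hxxp://wonderfulwrench.com/main.php?page=977334ca118fcb8c"))
```

The path patterns catch a re-used kit layout even when the domain has rotated, while the domain table catches the hosts already seen; a URL that matches neither is ignored rather than flagged.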

  2. 0.634405514320961.exe is both a DLL and an EXE.

    Leave REGSVR32 alone!

    Were both of these "NACHA spam" that I hinted to on 12/8 ?
     
    David H. Lipman, Dec 10, 2011
    #2

  3. Virus Guy

    Virus Guy Guest

    I was expecting a more reasoned or thoughtful answer on the idea of
    regsvr32 as an unnecessary malware exploit vector.

    The idea being to remove it (by re-naming it) - and re-instate it
    temporarily when needed (perhaps easier to do on a win-9x/me system vs
    NT-based system).

    I will replace it on my win-98 systems with a "dummy" version that does
    not actually perform any of the functions of the real regsvr32, but
    instead will write to a log file the argument used to invoke it.

    Yes. If you give my post a second read, you'll see that I include an
    example of the spam. I got at least 2 such spams today, with the same
    "nacha" content in the message body, but with a slightly different
    Subject line.

    Other question:

    Does this malware perform changes to prefs.js that should be un-done?
     
    Virus Guy, Dec 10, 2011
    #3
  4. No mods to "prefs.js".

    I wasn't sure if the example was for one spam or both.
     
    David H. Lipman, Dec 10, 2011
    #4
  5. Virus Guy

    Virus Guy Guest

    But still nothing to say about regsvr32 as a system vulnerability that
    is easily remediated by re-naming or moving it when its use is not
    anticipated?
     
    Virus Guy, Dec 10, 2011
    #5
  6. It isn't a vulnerability and mucking with the OCX and DLL Registration Service is not a
    good idea nor the way to go.
     
    David H. Lipman, Dec 10, 2011
    #6
  7. Virus Guy

    Virus Guy Guest

    Clearly it is when malware uses it to run code.

    How often is regsvr32 used in the normal course of operating a win32
    computer?

    Is it used in other circumstances beyond the installation of software?

    Or the updating (patching) of software?

    Is it not possible to alter regsvr32 such that it can recognize when
    it's invoked from a browser-based process - and render itself inoperable
    (ie - to not carry out the request to execute the DLL's
    DllRegisterServer code) ?

    I think I'll look into this. Create a pre-process handler for regsvr32
    (call it regsvr32.exe) that can determine what process is invoking it,
    and based on rules - to pass (or not pass) the request to the real
    regsvr32.exe (renamed to something else - maybe realregsvr32.exe).

    This handler would also log all usage of regsvr32 for diagnostic /
    forensic or curiosity purposes.
     
    Virus Guy, Dec 10, 2011
    #7
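One way to model the pre-process handler sketched above, as an added example that is not the poster's own code: the parent-process name is assumed to be supplied by the wrapper (looking it up is Win32-specific and not shown here), the path of the renamed original is a placeholder, and the allow/deny rules are an illustration of the policy idea, not a tested hardening measure.

```python
"""
Added example, not from the thread: the policy half of the regsvr32
"pre-process handler" described above.  Given the command line regsvr32
was invoked with and the name of the invoking (parent) process, decide
whether to forward the request to the real binary and build the log line
the wrapper would write.  Parent-process lookup, the renamed-binary path
and the rules themselves are assumptions made for illustration.
"""
import ntpath
import re

# Assumed location of the renamed original (the post suggests the name
# "realregsvr32.exe"; the directory is a placeholder).
REAL_REGSVR32 = r"C:\WINDOWS\SYSTEM\realregsvr32.exe"

# Parents from which a DllRegisterServer request is not expected.  The post
# singles out "browser-based" processes; plugin hosts are added as an assumption.
BROWSER_PARENTS = {"iexplore.exe", "firefox.exe", "opera.exe",
                   "java.exe", "javaw.exe", "acrord32.exe"}

# Shape of the file name logged in the post: a decimal fraction plus ".exe".
RANDOM_NAME = re.compile(r"^0\.\d+\.exe$", re.I)


def parse_args(argv):
    """Split a regsvr32 command line into its switches and the target file.

    Switches may start with '/' or '-' (regsvr32 accepts both); '/i:cmd'
    is reduced to 'i'.  The first non-switch argument is the target.
    """
    switches, target = set(), None
    for arg in argv:
        if len(arg) > 1 and arg[0] in "/-":
            switches.add(arg[1:].lower().split(":", 1)[0])
        elif target is None:
            target = arg
    return switches, target


def decide(parent, argv):
    """Apply the illustrative rules and return the decision with reasons."""
    switches, target = parse_args(argv)
    reasons = []
    if parent.lower() in BROWSER_PARENTS:
        reasons.append("invoked from browser/plugin host %s" % parent)
    if target is None:
        reasons.append("no target file")
    else:
        name = ntpath.basename(target)          # handles backslash paths on any OS
        if ntpath.splitext(name)[1].lower() == ".exe":
            reasons.append("target is an .exe, not a DLL/OCX")
        if RANDOM_NAME.match(name):
            reasons.append("random numeric file name")
        if re.search(r"(^|\\)temp\\", target, re.I):
            reasons.append("target lives in a temp directory")
    decision = "deny" if reasons else "allow"
    return {
        "decision": decision,
        "reasons": reasons,
        "target": target,
        "silent": "s" in switches,
        "unregister": "u" in switches,
        # command line the wrapper would hand to the real binary, or None
        "forward": [REAL_REGSVR32, *argv] if decision == "allow" else None,
    }


def log_line(parent, argv, result):
    """One line per invocation, for the diagnostic/forensic log the post wants."""
    line = "%s parent=%s cmd=regsvr32 %s" % (
        result["decision"].upper(), parent, " ".join(argv))
    if result["reasons"]:
        line += " reasons=" + "; ".join(result["reasons"])
    return line


if __name__ == "__main__":
    # The invocation the post's dummy regsvr32 logged, assumed here to have
    # come from the browser; and an ordinary installer registration.
    for parent, argv in [("iexplore.exe", ["-s", "0.634405514320961.exe"]),
                         ("setup.exe", ["/s", r"C:\Program Files\App\ctl.ocx"])]:
        print(log_line(parent, argv, decide(parent, argv)))
```

Only the allow path builds a forwarding command line, so the wrapper never has to reason about what a denied request would have done; every invocation is logged either way, which is the part of the design that pays off during a clean-up.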
  8. That's the behaviour I have seen. You get the payload as an exe and DLL.
     
    David H. Lipman, Dec 10, 2011
    #8
  9. Try this black hole exploit site

    yw320n<dot>com/news

    That is where I got that behaviour

    cck.exe and wpbt0.dll were the same sized files but had a different MD5.
     
    David H. Lipman, Dec 11, 2011
    #9
  10. I saw the code for this in the "zoom.class" file. 'regsvr' is slightly
    obfuscated but someone who knows Java could probably see what's
    happening when the variable 'ew' gets used.

    [...]
     
    FromTheRafters, Dec 11, 2011
    #10
  11. Yepper.
     
    David H. Lipman, Dec 11, 2011
    #11

  12. I sent a report to your "freenetname" address.
     
    David H. Lipman, Dec 11, 2011
    #12
  13. That must be the part with the 'exec' string, but I don't understand the
    syntax of Java source yet.

    I didn't see the rest of this thread the last time I posted, Eternal-
    September had been hiccuping.
     
    FromTheRafters, Dec 11, 2011
    #13
