Sunday, August 26, 2007

ecard worm turns to YouTube

Ecard worm has changed its social engineering tactics again. Now, links in mails appear as a link to YouTube video. But, they actually point to infected systems. Here are some screenshots showing an example of such mail, and the fake website:


Also, the filename's changed from ecard.exe to sony.exe and/or video.exe.

Saturday, August 25, 2007

Vivacodec - Zlob's new fake codec

Zlob gang has modified their fake codec malware once again! Now, it's vivacodec, hosted at www.vivacodec.com (do NOT visit that website). Similar to the old ones, this new fake codec drops a rootkit. This rootkit uses Winlogon\System subkey to load itself during system startup. Here are the screenshots of rootkit's Registry entry, and hidden file as detected by RootkitRevealer:


Anti-Rootkit tools like F-Secure BlackLight or AVG Anti-Rootkit can be used to automatically remove the rootkit.

Friday, August 24, 2007

Windows system file patching by ecard rootkit

As we know, the (in)famous ecard worm drops a rootkit which hides the presence of its files. This rootkit comprises of two files spooldr.exe and spooldr.sys. The dropper - ecard.exe - patches genuine system files to load its driver.

One of the variant of ecard worm patches tcpip.sys file and adds code to load spooldr.sys, when tcpip.sys is loaded. Here's a screenshot, which shows ecard.exe patching tcpip.sys:

Here's a screenshot showing hexview of patched tcpip.sys. It can be observed that there is a reference to rootkit driver spooldr.sys:

Instead of using traditional approach to load driver (i.e. registering spooldr.sys as a driver and have Windows to load it during startup), this rootkit makes use of Windows system files to load itself! However, this patched driver can be detected by sigverif tool, and moreover most of the AVs detect patched drivers as a malicious file.

Thursday, August 23, 2007

ecard changes its appearance and rootkit, again!

The ecard malware, also known as W32/Zhelatin worm, has changed its tactics again. Now, the mails are different from the old ones. These new mails come as a "membership confirmation mail" from web services like MP3 World or Dog Lovers club. An example is shown in below screenshot. It can be noticed that IP address is no longer visible in the mail:

And, as usual few malicious files will be dropped when that site is visited. However, the contents of the site is changed again. Here's the new one:

Another major change is in the rootkit that is dropped by the malware. This rootkit modifies the disk image of Null.sys file, which is a file required by Windows operating system. However, Windows File Protection (WPF) system catches this change as soon as the file is modified by rootkit, and pops up a warning:

And, this can also be verified by the sigverif tool bundled in Windows XP. Here's the scan result of sigverif tool:

Apart from these changes, the rootkit also hooks NtQueryDirectoryFile API's SSDT entry, in order to hide its files. More information about this rootkit can be found in this previous post.
If you are getting mails like the one given above, delete them and do NOT visit the links given in the mails!

Saturday, August 18, 2007

Fake MP3 download sites pushing Zlob malware

This time Zlob gang is using the "free MP3 downloads" gimmick as a means to infect PCs. A simple Google search yields a lot of junk sites offering "free" MP3 downloads. Here are the screenshots of fake MP3 sites as they appear in Google search results:


All these sites look same. Here's a screenshot of one of the site:

And, to download MP3s from these sites you need to install a plugin. And, this plugin is nothing but a variant of Zlob malware. Here's a screenshot of one of the fake site asking user to download a plugin in order to prevent leeching:

The plugin, fast-ticket2006.exe, is a Zlob/DNSChanger variant and is hosted at www.fast-ticket.net. However, this installer is a fairly old variant of Zlob and most of the AVs detect it. It installs a rootkit which hooks APIs in Ntdll.dll. Here's a screenshot of rooted file and some of the APIs hooked by the rootkit:


This malware redirects browsers to rogue sites, and generates popups that urge users to install rogue security applications like ContraVirus, AdvancedCleaner etc.

Most of these sites resolve to IP addresses 70.85.246.49 and 70.85.246.49 . Here's a Whois lookup, from SamSpade, for some of the sites:

1freemp3s.cn = [ 70.85.246.48 ]
(Asked whois.cnnic.net.cn:43 about 1freemp3s.cn)
Domain Name: 1freemp3s.cn
ROID: 20070720s10001s27391265-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 20: 21
Expiration Date: 2008-07-20 20: 21

mp3mania.cn = [ 70.85.246.49 ]
(Asked whois.cnnic.net.cn:43 about mp3mania.cn)
Domain Name: mp3mania.cn
ROID: 20070720s10001s27538514-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 23: 47
Expiration Date: 2008-07-20 23: 47


Finally, here's a list of these fake sites. But there could be more than the ones covered below! (Do NOT visit links given below):

mp3record.cn
hardmp3.cn
music4me.cn
supermp3s.cn
mp3stars.cn
mp3djs.cn
livemp3s.cn
freedlmusic.cn
freshmp3s.cn
listmp3.cn
musicforfun.cn
take4freemp3.cn
load4freemp3.cn
musicdreams.cn
mp3sfan.cn
soundwishes.cn
mp3library.cn
nocreditmp3.cn
zoneofmp3.cn
mp3for3.cn
mp3client.cn
musicstream.cn
musicstream.cn
freedlmusic.cn
mp3daily.cn
total-music.cn
filesmp3.cn
1freemp3s.cn
homemp3s.cn
mp3portal.cn
sound-online.cn
freesoundclub.cn
music-center.cn
freemp3lib.cn
muchmp3.cn
livemp3s.cn
directmp3.cn
mp3complete.cn
mp3mania.cn
allmp3s.cn
hotmp3ology.cn
mp3-downloads.cn
mp3area.cn
bestmp3s.cn
for3mp3.cn
soundwishes.cn
mp3archiv.cn
freshmp3.cn
mp3gifts.cn
mp3spider.cn
pro-mp3.cn

Labels: , ,

Wednesday, August 15, 2007

ecard.exe now becomes msdataaccess.exe

Most of you might have got fake greeting card spam mails, with a link to download ecard. On clicking this link, you will be presented with few trojans and also advised to download and install ecard.exe to view the ecard. But now, the gang behind this malware have changed their trojan dropper's name to msdataaccess.exe from ecard.exe! Similar to the old ecard.exe variant, this new one installs malware such as Tibs rootkit etc.

Here's a screnshot of rooted files related to Tibs rootkit:

And, here's the screenshot of SSDT hook installed by the rootkit:


And lastly, I came across this ecard spam mail (Do NOT visit the link given below!):

"Partner() has created Holiday ecard for you
at bristos.com.

To see your custom Holiday ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

http://81.71.5.34/?4ee8af5c23933166b19e3393b5ca09ff74e82d

Send a FREE greeting card from bristos.com whenever you want by visiting us at:
http://bristos.com/
This service is provided and hosted by bristos.com.
"


And, that link opens up this page:

Yes! We are waiting for the contents to be uploaded by the Admins ;)

Sunday, August 12, 2007

XP Entertainments - New AV Killer Trojan

XP Entertainments is probably a new variant of AvKiller trojan. As of now, only few AV's detect the malicious files.
The dropper - named U.exe - drops following files/folders:
\windows\system32\head.exe
\windows\system32\XPEntertainmentsUninstall.exe
\windows\system32\SoUI.dll
\program files\SoftPortal


Registry entries created by the trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4748B0B3-B964-41C3-AE0A-F1345E0AC3C9}\InprocServer32]
@="C:\\WINDOWS\\system32\\\\SoUI.dll"

[HKEY_CURRENT_USER\Software\SoftPortal]
"BasePath"="C:\\Program Files\\SoftPortal\\"


Above-mentioned files contain references to following malicious websites (Do NOT visit these sites):
http://xpsite.org/head/?wmid=3&pid=1
http://api.automaticavupdate.com/UI/v1.1/Soft/
http://api.automaticavupdate.com/UI/v1.1/

Last two links listed above redirect to www.expertantivirus.com, which is the home of rogue software - ExpertAntivirus.

The trojan also adds an Add/Remove Programs entry called XP Entertainments, as shown in below screen shot:


Following screen shot shows that SoUI.dll is injected into Explorer.exe's address space:


This trojan does not allow various AntiVirus and Firewall software - like ZoneAlarm, Outpost, Microsoft AntiSpyware - to run properly. These programs crash as soon as they are started! Following screen shot shows the fate of ZoneAlarm firewall:


More information about this trojan can be found here.

Saturday, August 04, 2007

Navipromo reloaded!

Came across a new variant of Navipromo rootkit, which is almost undetected. Only CAT-QuickHeal was able to flag the file, that too heuristically. Navipromo hooks APIs in Ntdll.dll to hide its presence. More information about this new variant can be found here. However, Navilog1 tool can remove this infection.