Msn virus analyzed

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

So, my sister called me today and wanted help with her computer, and she told me that she could not enter any sites or msn or anything.

One day earlier I got a link from her husband on msn saying "foto! :D *link*" which was an obvious msn virus, so I assumed that was the problem. I got her to download a file from me on another computer and then place it on the infected one, which would try to reverse connect back to me, thus giving me full control, but that didn't work since she had been totally cut off.

Luckily, I saved the file that the site wanted me to download (the one he sent me on msn), so I fired up a virtual Windows XP system and started hacking away.

The first thing I noticed was that the virus was packed, which showed me that it's most likely a skiddie virus since it was badly packed just to give it a jpeg icon; the original one was randomness.

Upon starting the virus, it started a process called fxstaller.exe, and then created a file with a random name that could be something like winIogin.exe, algs.exe, logon.exe ... and so on, placed it in the system32 folder, and ofc added an entry to the run folder in the registry.

I'm almost done analysing it and have now created a foolproof anti virus for it using batch, that successfully removes all versions of the virus, including all keys.

Now, the funny part is, that I did some more checking and checked if it connected anywhere at all, and you know what?


Our friends over at uNkn0wn.ws have released a new skiddie virus builder ^^
* Looking up 72.10.169.26
* Connecting to 72.10.169.26 (72.10.169.26) port 6667...
* Connected. Now logging in...
* *** Looking up your hostname...
* *** Found your hostname
*
* M0dded by uNkn0wn Crew
*
* www.uNkn0wn.eu - iD@uNkn0wn.eu
*
*
*
Now, of course this can not simply slide away unpunished, so I'll figure something out. And personally? I'm growing tired of these script kiddies, since nothing they have done so far has been anywhere near intelligent or good for the general public; all I see is skiddie skiddie and skiddie, they keep repeating their mistakes over and over again ... idiots >_>

Anyway, I saved all the IPs that the virus connects to, will look around some more.
Last edited by ayu on 31 Jan 2009, 12:12, edited 1 time in total.
"The best place to hide a tree, is in a forest"

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

I like the idea you had about the anti-virus virus.. that is like a worm and goes on all the pc's deleting malware and virii and such.. genius

I'm sure I could help with popping it into a couple of very popular torrents
Gone

InSaneGame
Newbie
Posts: 9
Joined: 31 Jan 2009, 17:00

Post by InSaneGame »

That's a terrific find, the VIP section on unkn0wn was talking about their new "ddos" project about a month ago. I have no doubt that this is the bot/net that has been causing 1000's of megs of traffic on my servers. We have been hunting down their net for 5 days now. Please keep posting all that you find out, server ips, channels etc... so that we may eliminate this bot, report the irc servers, and stop all attacks.

An upload to rapid share would be very much appreciated, as a bot is needed before an irc server can be added to the c&c list and become globally blacklisted.
Thanks.
:o

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Welcome to Suck-o insane game, take a moment to introduce yourself in our "introduce yourself" thread (it's in the general discussion I believe).

Any more analysing than this will not be done, and the bot will not be uploaded due to spread risk (don't want any kids to be trying it out).

The thing that makes this bot of weak design is that it blocks access to the net, so that only the bot can connect to the servers that it's connecting to. And that is not very discreet, making the life span of the virus shorter, since people will notice the problem with the computer and try to fix it.
Last edited by ayu on 01 Feb 2009, 06:04, edited 1 time in total.
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

great job cats, and yes: post all the IPs you can find, additionally I suggest reporting this to http://www.whitestar.linuxbox.org/mailm ... fo/botnets and maybe also to MSN.

InSaneGame, please post the list of the IPs you blacklisted already too; if they match the ones cats found/will find you would have enough material to involve a lawyer and file a lawsuit....just make sure you keep the access_log(s) of the attack.

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

There, I finished my analysis. The IPs will be supplied, but the bot will not, due to spread risk. The domain from which the virus seems to come has been closed down.

Report

***Basic analysis***

*The virus was first received from a relative of mine over msn with the text and link:
(mail@domain.com being my address)

I removed the mail from the link as a precaution, and downloaded the file. I then contacted my relative and fixed their problem, then I contacted Yahoo about the domain since it was hosted under them, and then I started to analyse the file. The domain has now been taken down and the file will have more trouble spreading now.

*The file is packed, either to be more "stealthy" or to get the jpeg icon, which suggests that it's a skiddie virus made with a virus builder tool. When clicked it gives you the message "Microsoft Windows Viewer: Picture cannot be displayed"

*Creates the following files

It chooses from one of these

"C:\sinh.exe"
"C:\dmari.exe"

It chooses one of these, creates it, they do something, and then they remove themselves

"C:\ntfs.exe"
"C:\nope.exe"

And always creates this one and runs it

"C:\WINDOWS\fxstaller.exe" protected hidden

It chooses one of the following (array with names perhaps, with a touch of rand())

"C:\WINDOWS\system32\logon.exe" hidden
"C:\WINDOWS\system32\winIogon.exe" hidden
"C:\WINDOWS\system32\spooIsv.exe" hidden
"C:\WINDOWS\system32\explorer.exe" hidden
"C:\WINDOWS\system32\algs.exe" hidden
"C:\WINDOWS\system32\iexplore.exe" hidden
"C:\WINDOWS\system32\Isass.exe" hidden
"C:\WINDOWS\system32\csrs.exe" hidden
"C:\WINDOWS\system32\spoolsvc.exe" hidden
"C:\WINDOWS\system32\lssas.exe" hidden
"C:\WINDOWS\system32\firewall.exe" hidden
"C:\WINDOWS\system32\winamp.exe" hidden

*It then adds the created files to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry.

*The malware also blocks all access to the net, except to addresses that it needs to connect to. It seems as if fxstaller.exe is not responsible for this; it seems to be the "random" named files.

*I don't have any messenger service on this computer, but I assume one of the files will try to spread the virus at some point.

***Packet and connection analysis***

From the looks of it, it's port scanning localhost one time (don't know the exact reason). An HTTP packet suggests that it downloads "http://72.10.169.26/russian.exe", which from the looks of it seems to be the exact same virus, except that this one removes itself when started. A DNS packet suggests that it's trying to connect to "russia.blacktiehsbdcs.com", although this does not seem to exist.

fxstaller.exe connects to some sort of IRC server (72.10.169.26:4244) which doesn't seem to have any commands that I can use, so it's hard to see if there are any other "users" in there. fxstaller.exe connects to the HTTP port of the same IP (suggesting that it downloads russian.exe at this point)

The spawned "random" named file then opens a bunch of connections to localhost, suggesting that it is portscanning it; it then seems to scan a range of addresses in the same area as me, doesn't look like the same subnet, so it's just a random range scan. It keeps an open connection to a small number of them (also infected computers, or a possible way of spreading?). The random named file establishes a connection to 72.10.172.218:9283 (might be another IRC server, although I was unable to establish a connection to it from another computer). The random file was also caught establishing a connection to the same IP, but this time to port 8492, same result there, no connection with IRC.

***NMAP Scan***

***72.10.172.218***

Windows Server 2k3 x64

Host 72.10.172.218 appears to be up ... good.
Interesting ports on 72.10.172.218:
Not shown: 1012 filtered ports, 701 closed ports
PORT STATE SERVICE VERSION
1025/tcp open msrpc Microsoft Windows RPC
3389/tcp open microsoft-rdp Microsoft Terminal Service

Service Info: OS: Windows


***72.10.169.26***

Host 72.10.169.26 appears to be up ... good.
Interesting ports on 72.10.169.26:
Not shown: 1700 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp NcFTPd
22/tcp open ssh OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1029/tcp filtered ms-lsa
1369/tcp filtered gv-us
1434/tcp filtered ms-sql-m
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
7000/tcp open irc ircu ircd
Service Info: Host: MySQL; OSs: Unix, FreeBSD


***Fix***

I created a small fix that removes it effectively

AV.bat

Code:

@echo off

echo ***********************
echo Shutting down processes
echo ***********************

taskkill /F /IM winIogon.exe
taskkill /F /IM fxstaller.exe
taskkill /F /IM spooIsv.exe
taskkill /F /IM logon.exe
taskkill /F /IM explorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM dmari.exe
taskkill /F /IM algs.exe 
taskkill /F /IM sinh.exe
taskkill /F /IM ntfs.exe
taskkill /F /IM Isass.exe
taskkill /F /IM YOUGOT~1.EXE
taskkill /F /IM csrs.exe
taskkill /F /IM spoolsvc.exe
taskkill /F /IM lssas.exe
taskkill /F /IM firewall.exe
taskkill /F /IM winamp.exe
taskkill /F /IM nope.exe

echo **********************
echo Removing registry keys
echo **********************

regedit /s 1.reg

echo ************************
echo Removing malicious files
echo ************************

DEL /F /Q "C:\nope.exe"
DEL /F /Q "C:\sinh.exe"
DEL /F /Q "C:\dmari.exe"
DEL /F /Q "C:\ntfs.exe"
DEL /F /Q /A:H "C:\WINDOWS\fxstaller.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\logon.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\winIogon.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\spooIsv.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\algs.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\explorer.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\iexplore.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\Isass.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\csrs.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\spoolsvc.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\lssas.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\firewall.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\winamp.exe"

echo *******************
echo Restarting explorer
echo *******************

"C:\Windows\explorer.exe"

echo "Your computer should be clean now, update your Anti Virus and run a full scan"

PAUSE

1.reg

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center"=-
"Windows Logon Application"=-
"Spooler SubSystem App"=-
"Windows Explorer"=-
"Application Layer Gateway Service"=-
"Microsoft Internet Explorer"=-
"Local Security Authority Service"=-
"Advanced DHTML Enable"=-
"Client Server Runtime Process"=-
"Winamp Agent"=-
"Windows Network Firewall"=-

As you might have guessed, this is a very simplistic virus, not very thought through ^^
"The best place to hide a tree, is in a forest"
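As an added example that is not from the thread, the following Python check runs over Run-key targets like the ones in the report above and flags the three tricks the bot uses: homoglyph names (capital I standing in for l in winIogon, Isass, spooIsv), one-typo lookalikes (lssas, csrs, spoolsvc, algs) and a genuine name placed in the wrong directory (explorer.exe in system32). The legitimate locations and the sample Run-key values are assumptions constructed from the list in the post.

```python
# Genuine binaries the bot imitates and their default XP locations (an assumption).
LEGIT = {
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Capital I is visually identical to lower-case l in many fonts ("winIogon", "Isass").
HOMOGLYPHS = str.maketrans({"I": "l"})

def edit_distance(a, b):
    """Levenshtein distance: 1 or 2 means 'a typo away' from a real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return (verdict, imitated_name) for one autorun target path."""
    directory, _, name = path.lower().rpartition("\\")
    # Undo the homoglyph before lower-casing, so "winIogon.exe" -> "winlogon.exe".
    deglyphed = path.rpartition("\\")[2].translate(HOMOGLYPHS).lower()
    if name in LEGIT:
        return ("ok", name) if directory == LEGIT[name] else ("wrong-path", name)
    for legit in LEGIT:
        if deglyphed == legit:
            return "homoglyph", legit
    for legit in LEGIT:
        if edit_distance(name, legit) <= 2:
            return "lookalike", legit
    return "unknown", None

# Constructed sample of Run-key values, modelled on the names in the report.
SAMPLE_RUN_KEY = {
    "Windows Logon Application": r"C:\WINDOWS\system32\winIogon.exe",
    "Local Security Authority Service": r"C:\WINDOWS\system32\lssas.exe",
    "Windows Explorer": r"C:\WINDOWS\system32\explorer.exe",
    "Client Server Runtime Process": r"C:\WINDOWS\system32\csrs.exe",
    "Winamp Agent": r"C:\WINDOWS\system32\winamp.exe",
}

def suspicious_entries(run_key):
    """Value name -> (verdict, imitated) for every entry that mimics a system binary."""
    results = {v: classify(p) for v, p in run_key.items()}
    return {v: r for v, r in results.items() if r[0] not in ("ok", "unknown")}
```

Names the check cannot tie to a system binary (winamp.exe, firewall.exe) come back as "unknown" and still need a manual look; the point is to catch the imitation tricks automatically, not to whitelist everything else.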

computathug
Administrator
Posts: 2693
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Hey welcome to the site insanegame :wink: , yeah good work to both you guys and I hope the force is strong enough to blow this bot-net out of the sky.

Nothing better than 'poetry in motion' :wink:

rhysh
Fame ! Where are the chicks?!
Posts: 767
Joined: 15 Nov 2006, 17:00

Post by rhysh »

hahahha ints isanegame from hy

haha dude lol welcome

ph0bYx
Staff Member
Posts: 2039
Joined: 22 Sep 2008, 16:00

Post by ph0bYx »

One of the enjoyable threads. Virus capturing, analyzing, making a cure.
Thanks cats!
