There, I finished my analysis. The IPs will be supplied, but the bot will not, due to the risk of spreading it. The domain from which the virus seems to come has been closed down.
Report
***Basic analysis***
*The virus was first received from a relative of mine over msn with the text and link:
(mail@domain.com being my address)
I removed the mail from the link as a precaution and downloaded the file. I then contacted my relative and fixed their problem, then I contacted Yahoo about the domain since it was hosted under them, and then I started to analyse the file. The domain has now been taken down, and the file will have more problems spreading now.
*The file is packed, either to be more "stealthy" or to get the jpeg icon, which suggests that it's a skiddie virus made with a virus builder tool. When clicked it gives you the message "Microsoft Windows Viewer: Picture can not be displayed".
*Creates the following files
It chooses one of these:
"C:\sinh.exe"
"C:\dmari.exe"
It chooses one of these, creates it, it does something, and then it removes itself:
"C:\ntfs.exe"
"C:\nope.exe"
And it always creates this one and runs it:
"C:\WINDOWS\fxstaller.exe" protected hidden
It chooses one of the following (an array with names perhaps, with a touch of rand()):
"C:\WINDOWS\system32\logon.exe" hidden
"C:\WINDOWS\system32\winIogon.exe" hidden
"C:\WINDOWS\system32\spooIsv.exe" hidden
"C:\WINDOWS\system32\explorer.exe" hidden
"C:\WINDOWS\system32\algs.exe" hidden
"C:\WINDOWS\system32\iexplore.exe" hidden
"C:\WINDOWS\system32\Isass.exe" hidden
"C:\WINDOWS\system32\csrs.exe" hidden
"C:\WINDOWS\system32\spoolsvc.exe" hidden
"C:\WINDOWS\system32\lssas.exe" hidden
"C:\WINDOWS\system32\firewall.exe" hidden
"C:\WINDOWS\system32\winamp.exe" hidden
*It then adds the created files to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry.
*The malware also blocks all access to the net, except to addresses that it needs to connect to. It seems as if fxstaller.exe is not responsible for this; it seems to be the "random"-named files.
*I don't have any messenger service on this computer, but I assume one of the files will try to spread the virus at some point.
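The file names above are the interesting part of the host-side artefacts: most of them are either a system binary's name in the wrong directory, or a lookalike spelling (winIogon/spooIsv/Isass use a capital I where the real names have a lowercase l; lssas, csrs, algs and spoolsvc are one edit away). Here is an added triage script, written by me for this post and not part of the original fix, that checks a list of (path, hidden-attribute) pairs and Run-key values for exactly those patterns. The legitimate-location table and the sample inputs are my own assumptions, built from the names listed above plus two genuine binaries that must not be flagged.

```python
from pathlib import PureWindowsPath

# Legitimate binaries and where they normally live on the XP/2003-era layout
# the report describes. Assumption for this example: any other location, or
# any near-miss spelling, is worth a second look.
LEGIT = {
    "winlogon.exe": r"C:\WINDOWS\system32",
    "spoolsv.exe":  r"C:\WINDOWS\system32",
    "lsass.exe":    r"C:\WINDOWS\system32",
    "csrss.exe":    r"C:\WINDOWS\system32",
    "alg.exe":      r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}


def fold(name):
    """Fold characters that look alike in Task Manager's font: capital I vs
    lowercase l, digit 0 vs letter o. 'winIogon.exe' folds to 'winlogon.exe'."""
    return name.replace("I", "l").replace("0", "o").lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counting 1. Catches 'lssas' vs 'lsass'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path, hidden=False):
    """Return the list of reasons a file path looks suspicious (empty = none)."""
    p = PureWindowsPath(path)
    name, parent = p.name, str(p.parent)
    lower, folded = name.lower(), fold(name)
    reasons = []
    for legit, legit_dir in LEGIT.items():
        if lower == legit:
            if parent.lower() != legit_dir.lower():
                reasons.append(f"{legit} outside its normal directory {legit_dir}")
        elif folded == legit:
            reasons.append(f"lookalike spelling of {legit}")
        elif min(osa_distance(lower, legit), osa_distance(folded, legit)) == 1:
            reasons.append(f"one edit away from {legit}")
    if hidden and lower.endswith(".exe"):
        reasons.append("hidden executable")
    if parent.lower() == p.anchor.lower() and lower.endswith(".exe"):
        reasons.append("executable in drive root")
    return reasons


def command_path(value):
    """Pull the executable path out of a Run-key value such as
    '"C:\\dir\\app.exe" -flag' (quotes and trailing arguments dropped)."""
    v = value.strip().strip('"')
    i = v.lower().find(".exe")
    return v[: i + 4] if i >= 0 else v


def triage(files):
    """Map each flagged path to its reasons. files: iterable of (path, hidden)."""
    return {path: r for path, hidden in files if (r := classify(path, hidden))}


def suspicious_run_entries(run_values):
    """Same check applied to HKLM\\...\\Run value data, keyed by value name."""
    return {k: r for k, v in run_values.items() if (r := classify(command_path(v)))}


# Constructed sample input: the file names from the report, plus two genuine
# system binaries that must come back clean.
SAMPLE_FILES = [
    (r"C:\sinh.exe", False),
    (r"C:\WINDOWS\fxstaller.exe", True),
    (r"C:\WINDOWS\system32\winIogon.exe", True),
    (r"C:\WINDOWS\system32\spooIsv.exe", True),
    (r"C:\WINDOWS\system32\Isass.exe", True),
    (r"C:\WINDOWS\system32\lssas.exe", True),
    (r"C:\WINDOWS\system32\csrs.exe", True),
    (r"C:\WINDOWS\system32\explorer.exe", True),
    (r"C:\WINDOWS\system32\algs.exe", True),
    (r"C:\WINDOWS\explorer.exe", False),        # the real one
    (r"C:\WINDOWS\system32\lsass.exe", False),  # the real one
]
# Constructed: value names from the 1.reg below; the data paths are assumed.
SAMPLE_RUN = {
    "Windows Logon Application": r'"C:\WINDOWS\system32\winIogon.exe"',
    "Spooler SubSystem App": r"C:\WINDOWS\system32\spooIsv.exe",
    "Windows UDP Control Center": r'"C:\WINDOWS\fxstaller.exe"',
    "SomeLegitApp": r'"C:\Program Files\Internet Explorer\iexplore.exe" -embedding',
}

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
    for name, reasons in suspicious_run_entries(SAMPLE_RUN).items():
        print("Run value", repr(name), "->", "; ".join(reasons))
```

Note that the name checks alone do not catch fxstaller.exe, sinh.exe or dmari.exe from the Run key, since those names resemble nothing legitimate; on disk they only fall out because of the hidden attribute or the drive-root location. That is the usual limit of name-based heuristics, and why the batch fix below still lists every name explicitly.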
***Packet and connection analysis***
From the looks of it, it's port scanning localhost one time (don't know the exact reason). An HTTP packet suggests that it downloads "http://72.10.169.26/russian.exe", which from the looks of it seems to be the exact same virus, except that this one removes itself when started. A DNS packet suggests that it's trying to connect to "russia.blacktiehsbdcs.com", although this does not seem to exist.
fxstaller.exe connects to some sort of IRC server (72.10.169.26:4244) which doesn't seem to have any commands that I can use, so it's hard to see if there are any other "users" in there. fxstaller.exe connects to the HTTP port of the same IP (suggesting that it downloads russian.exe at this point).
The spawned "random"-named file then opens a bunch of connections to localhost, suggesting that it is portscanning it. It then seems to scan a range of addresses in the same area as me; it doesn't look like the same subnet, so it's just a random range scan. It keeps an open connection to a small number of them (also infected computers, or a possible way of spreading?). The random-named file establishes a connection to 72.10.172.218:9283 (might be another IRC server, although I was unable to establish a connection to it from another computer). The random file was also caught establishing a connection to the same IP, but this time to port 8492, same result there, no connection with IRC.
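The same behaviour is visible from the network side, which is how you would catch it on other machines without the sample in hand. Below is an added Python example (mine, not from this report) that runs two checks over connection records: a localhost port sweep (many distinct destination ports on one host inside a short window) and outbound connections from an internal host to a public IP on a port outside the usual services, noting whether the same IP was also reached over HTTP, the fetch-then-IRC pattern seen above. The flow records are constructed to mirror the captures described; the thresholds and the benign 203.0.113.5 peer are assumptions.

```python
import ipaddress
from collections import defaultdict

SWEEP_MIN_PORTS = 20      # distinct destination ports on one host ...
SWEEP_WINDOW = 5.0        # ... inside this many seconds counts as a sweep
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}  # assumed "normal" services


def port_sweeps(flows):
    """Return {(src, dst): max distinct ports} for every source that hit at
    least SWEEP_MIN_PORTS distinct ports on one destination within SWEEP_WINDOW.
    flows: iterable of (time_seconds, src_ip, dst_ip, dst_port)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst)].append((t, port))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window
            while events[hi][0] - events[lo][0] > SWEEP_WINDOW:
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= SWEEP_MIN_PORTS:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def c2_candidates(flows):
    """Public destinations contacted on a port outside COMMON_PORTS, with a
    flag for whether the same host was also reached over 80/443 (as the
    IRC-plus-download host 72.10.169.26 was)."""
    ports = defaultdict(set)
    for _, src, dst, port in flows:
        ip = ipaddress.ip_address(dst)
        if not (ip.is_private or ip.is_loopback):
            ports[dst].add(port)
    out = {}
    for dst, seen in ports.items():
        odd = sorted(seen - COMMON_PORTS)
        if odd:
            out[dst] = {"odd_ports": odd, "also_http": bool(seen & {80, 443})}
    return out


# Constructed records: (time_s, src_ip, dst_ip, dst_port). The first 40 mimic
# the localhost sweep, the next three the connections noted in the report, and
# the last is a benign HTTPS session that must not show up.
SAMPLE_FLOWS = (
    [(0.1 + i * 0.01, "192.168.1.10", "127.0.0.1", 1 + i) for i in range(40)]
    + [
        (2.0, "192.168.1.10", "72.10.169.26", 4244),
        (2.5, "192.168.1.10", "72.10.169.26", 80),
        (3.0, "192.168.1.10", "72.10.172.218", 9283),
        (4.0, "192.168.1.11", "203.0.113.5", 443),
    ]
)

if __name__ == "__main__":
    for (src, dst), n in port_sweeps(SAMPLE_FLOWS).items():
        print(f"sweep: {src} -> {dst}, {n} ports within {SWEEP_WINDOW}s")
    for dst, info in c2_candidates(SAMPLE_FLOWS).items():
        print(f"c2 candidate: {dst} odd ports {info['odd_ports']} also_http={info['also_http']}")
```

On a real capture you would feed this from a Zeek conn.log or a netflow export rather than the inline list; the scan of a random external range described above would show up in port_sweeps only if the same host is hit on many ports, so a second rule keyed on distinct destination hosts per source is the natural companion to it.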
***NMAP Scan***
***72.10.172.218***
Windows Server 2k3 x64
Host 72.10.172.218 appears to be up ... good.
Interesting ports on 72.10.172.218:
Not shown: 1012 filtered ports, 701 closed ports
PORT STATE SERVICE VERSION
1025/tcp open msrpc Microsoft Windows RPC
3389/tcp open microsoft-rdp Microsoft Terminal Service
Service Info: OS: Windows
***72.10.169.26***
Host 72.10.169.26 appears to be up ... good.
Interesting ports on 72.10.169.26:
Not shown: 1700 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp NcFTPd
22/tcp open ssh OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1029/tcp filtered ms-lsa
1369/tcp filtered gv-us
1434/tcp filtered ms-sql-m
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
7000/tcp open irc ircu ircd
Service Info: Host: MySQL; OSs: Unix, FreeBSD
***Fix***
I created a small fix that removes it effectively.
AV.bat
@echo off
echo ***********************
echo Shutting down processes
echo ***********************
taskkill /F /IM winIogon.exe
taskkill /F /IM fxstaller.exe
taskkill /F /IM spooIsv.exe
taskkill /F /IM logon.exe
taskkill /F /IM explorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM dmari.exe
taskkill /F /IM algs.exe
taskkill /F /IM sinh.exe
taskkill /F /IM ntfs.exe
taskkill /F /IM Isass.exe
taskkill /F /IM YOUGOT~1.EXE
taskkill /F /IM csrs.exe
taskkill /F /IM spoolsvc.exe
taskkill /F /IM lssas.exe
taskkill /F /IM firewall.exe
taskkill /F /IM winamp.exe
taskkill /F /IM nope.exe
echo **********************
echo Removing registry keys
echo **********************
regedit /s 1.reg
echo ************************
echo Removing malicious files
echo ************************
DEL /F /Q "C:\nope.exe"
DEL /F /Q "C:\sinh.exe"
DEL /F /Q "C:\dmari.exe"
DEL /F /Q "C:\ntfs.exe"
DEL /F /Q /A:H "C:\WINDOWS\fxstaller.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\logon.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\winIogon.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\spooIsv.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\algs.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\explorer.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\iexplore.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\Isass.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\csrs.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\spoolsvc.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\lssas.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\firewall.exe"
DEL /F /Q /A:H "C:\WINDOWS\system32\winamp.exe"
echo *******************
echo Restarting explorer
echo *******************
"C:\Windows\explorer.exe"
echo "Your computer should be clean now, update your Anti Virus and run a full scan"
PAUSE
1.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center"=-
"Windows Logon Application"=-
"Spooler SubSystem App"=-
"Windows Explorer"=-
"Application Layer Gateway Service"=-
"Microsoft Internet Explorer"=-
"Local Security Authority Service"=-
"Advanced DHTML Enable"=-
"Client Server Runtime Process"=-
"Winamp Agent"=-
"Windows Network Firewall"=-
As you might have guessed, this is a very simplistic virus, not very thought through ^^