Analyzing W32.Imait.As and W32.Virut Malware

Today, I was sitting in a dark room self-evaluating some things I did in the past couple of months, and I realized my job is making me a lazy ass. It has been a long time since I analyzed a malicious binary, so I decided to pick a random old malware sample from my 320 GB Western Digital HDD and analyze it.
I remember one of my colleagues had unintentionally uploaded an infected binary to sourceforge.net a few days earlier. When we downloaded the infected binary to test it, our Avast antivirus alerted and deleted the file.

That binary had been uploaded to sourceforge from my colleague's infected desktop. We immediately removed all the files, created new binaries on an antivirus-protected computer and uploaded them again to our project files directory.

Thank God we decided to test files before announcing the release on mailing lists.

When I tested the infected binary on one of my test machines, I was shocked by the infection capacity of a 24 KB virus. This malware is capable of infecting every single executable on the system. It can spread via flash drives and turn infected systems into so-called bots. I must say it is one of those virus species where recovery needs a complete reformat of the infected hard drive.

I decided to analyze the same infected binary and write a blog post about the analysis.

Let's get started by booting up my Windows XP SP3 sandbox under VMware. This sandbox is a victim machine installed with all the tools required for analysis.
I have Avast antivirus installed on the sandbox, but since it detects the malware and cleans it by deletion, I stopped it. I copied the malware tarball to the c:\malware directory and extracted it.
The malware author changed the default executable icon to a folder icon. It is a simple trick to make the end user double-click the binary and launch it into memory.

Malicious Binary File properties

I checked the properties of the binary file to gather some information. The adjacent screenshot shows some information about the binary.

Before doing behavioral analysis, I thought of collecting readable strings from the binary. As malware is packed most of the time, it is difficult to get the actual strings from the binary; many times we end up getting harvested strings from the malware. As expected, the output did not reveal any secrets about the malware.
Now it is time to run the malware and note its behavior. I launched Regmon, Filemon, Process Explorer and Wireshark, and launched the malware by double-clicking it.
As soon as the malware was in memory, the following changes were noticed:

  • Spawned 3 different processes:
  1. fun.exe
  2. SVIQ.exe
  3. dc.exe

    Avast Antivirus getting killed

  • Killed Avast antivirus and disabled its update and notification services
  • Disabled Windows Firewall and its notifications.
  • Killed Filemon and corrupted Process Explorer.
  • Created 7 copies of itself in various locations under the Windows directory, each with a folder icon:
  1. c:\Windows\dc.exe
  2. c:\Windows\SVIQ.exe
  3. c:\Windows\help\Other.exe
  4. c:\Windows\inf\Other.exe
  5. c:\Windows\system\fun.exe
  6. c:\windows\system32\WinSit.exe
  7. c:\Windows\system32\config\Win.exe
  • Added itself to the authorized application list in the Windows Firewall configuration.
  • Added itself to load whenever Windows starts:
  • HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "C:\WINDOWS\inf\Other.exe"
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\run: "C:\WINDOWS\system32\config\Win.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5: "C:\WINDOWS\SVIQ.EXE"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\Fun: "C:\WINDOWS\system\Fun.exe"
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Run\dc: "C:\WINDOWS\dc.exe"
  • Disabled Windows Task Manager and Registry Editor:
  • HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
    HKU\S-1-5-21-220523388-1935655697-1177238915-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools: 0x00000001
  • Disabled antivirus notifications and firewall file tracing options:
  • HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify: 0x00000001
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
    HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
  • Bypassed the firewall by creating the following registry entry:
  • HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\[infected file path]: "[infected file path]:*:Enabled:ipsec"
  • The worm added the following line to the %Windir%\wininit.ini file:
  • NUL=C:\WINDOWS\Help\Other.exe
  • The malware also had a buddy system in place: when I tried to kill the parent process, the child process restarted the parent, and vice versa. This way, both were watching each other's back.
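
As an added example (not code from the original post), the registry changes listed above can be triaged automatically: the script below applies a handful of rules for persistence, defense evasion and firewall bypass to a constructed sample in the same "key: value" format, with the user SID replaced by a placeholder. The rules are written generally (any Run value, any firewall profile, any Security Center override), so they cover more than the exact entries above.

```python
import re
# Constructed sample in the "key: value" format of the changes listed above; the
# user SID is replaced by a placeholder, paths and values follow the post.
SAMPLE_CHANGES = r"""
HKU\S-1-5-21-PLACEHOLDER-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "C:\WINDOWS\inf\Other.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
HKU\S-1-5-21-PLACEHOLDER-500\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5: "C:\WINDOWS\SVIQ.EXE"
HKU\S-1-5-21-PLACEHOLDER-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\dc.exe: "C:\WINDOWS\dc.exe:*:Enabled:ipsec"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUList: "ab"
"""

def nonzero(value):
    """True for REG_DWORD values such as 0x00000001 that switch a policy on."""
    try:
        return int(value, 0) != 0
    except ValueError:
        return False

# (label, regex matched against the key path, optional predicate on the value)
RULES = [
    ("persistence: Run entry", re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), None),
    ("persistence: Windows load/run", re.compile(r"\\CurrentVersion\\Windows\\(load|run)$", re.I), None),
    ("persistence: Winlogon Shell hijack", re.compile(r"\\Winlogon\\Shell$", re.I),
     lambda v: v.strip('"').lower() != "explorer.exe"),    # anything beyond the default shell
    ("defense evasion: admin tool disabled",
     re.compile(r"\\Policies\\system\\Disable(TaskMgr|RegistryTools)$", re.I), nonzero),
    ("defense evasion: Security Center override",
     re.compile(r"\\Security Center\\(Svc\\)?\w+(Override|DisableNotify)$", re.I), nonzero),
    ("firewall bypass: authorized application added",
     re.compile(r"\\FirewallPolicy\\\w+\\AuthorizedApplications\\List\\", re.I), None),
]

def triage(text):
    """Return [(label, key, value)] for each change line that matches a rule."""
    hits = []
    for line in text.splitlines():
        if ": " not in line:          # skip blanks and lines that are not 'key: value'
            continue
        key, value = (part.strip() for part in line.split(": ", 1))
        for label, pattern, predicate in RULES:
            if pattern.search(key) and (predicate is None or predicate(value)):
                hits.append((label, key, value))
                break
    return hits
if __name__ == "__main__":
    for label, key, value in triage(SAMPLE_CHANGES):
        print(f"[{label}] {key} = {value}")
```

Feed it a Regmon or registry-diff export of the same shape and the harmless MRUList-style noise drops out while the six malicious changes are labelled.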

Once the malware is unpacked in memory, strings dumped from memory become valuable assets. I saved a copy of the strings from the running malware and started looking for something interesting. Following are some of the interesting strings.

      Olalala, may tinh cua ban da dinh Worm DungCoi...........
      yahoobuddymain
      yalertclass
      button
      Open
      ymsgr:sendIM?
      yiminputwindow

From the above strings, it looks like the malware sends the IM message "Olalala, may tinh cua ban da dinh Worm DungCoi……….." using Yahoo Messenger.

New Process Spawned

The presence of the following strings also suggests that the malware packs its payload with the UPX packer.

      !This program cannot be run in DOS mode.
      Richm
      UPX0
      UPX1
      UPX2
      UPX!

These strings could also be decoys, harvested strings planted to fool malware analysts, but let's not ignore them. I installed Yahoo Messenger to confirm my findings: I killed the malware's process tree, installed Yahoo Messenger, logged in with a dummy account, reinstalled Process Explorer and restarted the malware.

This time, apart from spawning the 3 processes, I found the malware had spawned another process called winbafcra.exe. I located its image path and made a copy of it for further analysis.

Empty IM Popup

While I was copying the binary, all of a sudden I got an empty Yahoo Messenger pop-up from the user "dungcoi_vb". The following screenshot shows the Yahoo Messenger pop-up.

Though I did not get any message in the IM chat box, the screenshot proved my first assumption. This was definitely another variant of the Dungcoi virus, and it was carrying another virus payload inside it. Now let's analyze winbafcra.exe.

Analysis of Winbafcra.exe:

Let's first find out whether this binary is packed, using packer detectors. As expected, PEiD and RDG both detected the binary as packed with the UPX packer. The following screenshot shows PEiD and RDG detecting the UPX packer. I unpacked the binary using the UPX tool, as shown in the following screenshot.

RDG: UPX Packer Detected
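
The section-name check behind the UPX0/UPX1 strings seen earlier and behind the PEiD/RDG verdict here can be reproduced with a small PE section-table parser. This is an added example, not code from the post or from either tool; `build_stub` constructs a minimal synthetic PE image for offline testing and is not a real sample.

```python
import struct
import sys

SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names UPX gives its sections

def section_names(pe):
    """Return the section names of a PE image: MZ header -> e_lfanew -> PE
    signature -> COFF header -> section table (8-byte names)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size        # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = pe[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0"))
    return names

def looks_upx_packed(pe):
    """Heuristic only: section names are trivial to edit after packing and can
    be planted as decoys, so treat a hit as a hint, not proof."""
    return bool(UPX_SECTION_NAMES & set(section_names(pe)))

def build_stub(names):
    """Constructed test image (not a real sample): MZ header, PE signature,
    COFF header with no optional header, and an empty section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_stub([b"UPX0", b"UPX1", b".rsrc"])
    print(section_names(data), "UPX?", looks_upx_packed(data))
```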

Unpacking UPX Packer

Following are the details of the findings.

  • The malware is packed with the UPX packer. Once unpacked and launched, it creates a mutex named "S_SERV_v0.66_Beta_erf".
  • Made an outbound connection to hxxp://parkinglot.information.com
  • Opened TCP ports 25 (SMTP) and 2007

    Socket Connections

  • Tried to access the following host names:

mailin-01.mx.aol.com
mailin-02.mx.aol.com
mailin-03.mx.aol.com
mailin-04.mx.aol.com
mxs.mail.ru
mx1.yandex.ru
mx2.yandex.ru
imx1.rambler.ru
c.mx.mail.yahoo.com
d.mx.mail.yahoo.com
maila.microsoft.com
bl.spamcop.net
cbl.abuseat.org
list.dsbl.org
sbl-xbl.spamhaus.org
zen.spamhaus.org
combined.njabl.org
multihop.dsbl.org
blackholes.uceb.org
bl.csma.biz
db.wpbl.info
dnsbl.njabl.org
  • The following files were requested from the remote web server:
http://hgfdujt.info/?%x
http://hgfdujt.info/i.php
http://hgfdujt.info/myh.php
http://hgfdujt.info/?4bf55
http://195.24.77.223/utest/?jutr=%d&oo=%d&%x=%x&ra=%d
http://hgfdujt.info/?4f682
http://hgfdujt.info/?50641
http://hgfdujt.info/?53b1c
http://hgfdujt.info/?59cf3
http://hgfdujt.info/?61b6a

The malware tried to set up a mail relay server on the infected box and also tried to download another set of malicious files from the internet.

Decoded Javascript

One of the contacted domains was "mattfoll.eu.interia.pl". The malware downloaded an index.html file from this domain; the HTML file contained obfuscated JavaScript code.
The following screenshots show the series of decoded JavaScript code, which was trying to download a whole new set of malware.

Attempt to inject iframe

As all the requested file locations were no longer valid, the malware was not able to download the requested files, so the analysis was cut short here.

A simple whois query showed that the malware was trying to contact a Russian web server; as the malicious files had been removed from the domain, it was not on any blacklisted domain list.

Malware Home

Removal of Fun.exe and Winbafcra.exe:

  1. Kill the process tree started by fun.exe.
  2. Delete all 7 binaries created by the malware from their locations.
  3. Delete the added registry entries using a third-party registry editor such as Registry Workshop.
  4. If disabled, enable the antivirus (or install one) and scan the whole system for traces of the malware.
  5. AVG Antivirus provides a standalone utility to clean the infected system. You can download the utility here and remove the infection.

Safety Measures:

  • Do not use Internet Explorer for browsing the internet.
  • Do not click on links within emails or IMs received from untrusted senders.
  • Update your antivirus every day and scan your system periodically to stay safe.

Download Analysis:

I have taken many screenshots and stored the output of various tools while analyzing this malware. Posting all this material would have made the post long, hence the analysis tarball for download.

Download Analysis Files. The tarball contains:

  • Outbound connections of the worm in a Wireshark packet capture.
  • Regmon output
  • Strings from memory
  • Some screenshots taken during the analysis.
  • File size: 616 KB
  • MD5 hash: 3e23d63c7642d6eb1f1c47de2a73870b

4 Responses to “Analyzing W32.Imait.As and W32.Virut Malware”

  1. Vibhuti Says:

    Hi…your article is very informative.
    Would you please elaborate on how to safeguard against such viruses?

  2. Abhijeet Says:

    @vibhuti: I would recommend following best practices
    Get rid of Internet Explorer and switch to Firefox, invest in a good antivirus product and keep it up to date, do not open emails from unknown or untrusted sources, scan your system regularly.

  3. anonymous. Says:

    hi, next time before uploading your binary to sourceforge, get it checked with virustotal

  4. Abhijeet Says:

    yeah.. one should always be sure about uploading clean binaries over the internet.. unless one intentionally wants to.. ;)


This entry was posted on Saturday, November 28th, 2009 at 4:02 pm and is filed under Information Security, Malware analysis, Reverse Engineering. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
