Full Disclosure mailing list archives

Re: New Virus?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 06 Dec 2003 13:06:17 +1300

"Michael Bemmerl" <security () astrobox net> wrote:

Today I got an ICQ-Message from a user called "Monica" (Just search on ICQ:
http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Monique&LastName=&NickName=Monica&Country=49).
In her details is a URL: http://www.rsngermany.com/my_foto.htm This is a fake
404-Error-Page, because in the <head>-tags is a link to
http://www.rsngermany.com/dn2.hta :
<<snip .HTA details>>
The .hta creates a file named q.vbs. That creates and runs x.exe. Notice the

These filenames are possibly suggestive of the RAT Zinx:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zinx.html

unset parameter szURL in q.vbs (I assume that you can specify where to
download the next files - empty could mean that the files are loaded from
the coded location: http://rsngermany.com). The x.exe is FSG-packed; you can
unpack it with Un-FSG! (just google for it). The file will download another
exe-File, disguised as a jpg: http://www.rsngermany.com/3.jpg

But the variant described at the URL above then downloads "q.exe" so 
perhaps a new variant?

That said, filenames alone are seldom good diagnostics -- it could be 
something entirely different that has been distributed via the same 
basic dropper code...

I tested this exe with wine, it creates two files in the windows-dir.:
msreg.exe and fghy.exe (again packed with FSG) and two in system32:
svchostc.exe and svchosts.exe. Maybe it creates some run-entries in the
registry, but I couldn't test this. And it sends requests to various domains:

All requests end in 404-Errors, except two (see end of list)
(replace * with d and f)


comdat.de/kreta/yid.php  --> 301, redirection to comcat.de/kreta/zid.php
comdat.de/kreta/zid.php --> 200, just prints out your ip. Maybe the author
logs infected PC's
artesproduction.com/yid.php --> 200, again prints out the ip

Hmmmm -- that is somewhat suggestive of the Jermy family...

The svchosts.exe has some HTTP-response-message for Error 400, 502 and 503

I tested the files with NAV2003, latest def., no infection.

Some ideas what it could be?

Send it to Symantec and ask them.  You also may wish to send samples to 
several other AV developers.  Here is a list of the suspicious file 
submission addresses of several well-known AV developers -- send the 
.HTA and the .EXEs to those you consider trustworthy:

   Command Software             <virus () commandcom com>
   Computer Associates (US)     <virus () ca com>
   Computer Associates (Vet/EZ) <ipevirus () vet com au>
   DialogueScience (Dr. Web)    <Antivir () dials ru>
   Eset (NOD32)                 <sample () nod32 com>
   F-Secure Corp.               <samples () f-secure com>
   Frisk Software (F-PROT)      <viruslab () f-prot com>
   Grisoft (AVG)                <virus () grisoft cz>
   H+BEDV (AntiVir)             <virus () antivir de>
   Kaspersky Labs               <newvirus () kaspersky com>
   Network Associates (McAfee)  <virus_research () nai com>
   Norman (NVC)                 <analysis () norman no>
   Sophos Plc.                  <support () sophos com>
   Symantec (Norton)            <avsubmit () symantec com>
   Trend Micro (PC-cillin)      <virus_doctor () trendmicro com>
     (Trend may only accept files from users of its products)

Finally, the URLs you supplied in full all seem to be truly dead now, 
but whatever it is could be being spread through multiple vectors and 
multiple sites, so getting samples to those who can distribute 
detection as far and fast as possible should always be a priority with 
such things, rather than something you think about after exhausting 
your own investigations...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
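As an added defender-side example (not code from Nick's or Michael's posts), here are the two checks the thread implies: a download fetched under an image name (the thread's 3.jpg) that is really a PE executable, and proxy-log requests to the yid.php/yif.php beacon paths, split into dead (404) and live endpoints. The log format, hostnames and sample bytes are constructed for the example.

```python
import re
import struct

# Constructed sample: a minimal DOS stub plus PE signature, as a PE served
# under an image name would start. Not a real executable.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 64

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an 'MZ' stub whose e_lfanew (offset 0x3C) points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")

def extension_mismatch(url: str, body: bytes) -> bool:
    """Flag a download whose URL names an image but whose body is a PE executable."""
    path = url.lower().split("?", 1)[0]
    return path.endswith(IMAGE_EXTS) and looks_like_pe(body)

# Beacon paths from the thread: .../yid.php and .../yif.php (the '*' in the post).
BEACON_RE = re.compile(r"/yi[df]\.php(?:\?|$)")
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)")

# Constructed proxy log lines, hypothetical format "<client> <status> <method> <url>".
SAMPLE_LOG = [
    "10.0.0.5 404 GET http://a.example.net/kreta/yif.php",
    "10.0.0.5 301 GET http://a.example.net/kreta/yid.php",
    "10.0.0.5 200 GET http://a.example.net/kreta/zid.php",
    "10.0.0.5 200 GET http://b.example.org/yid.php",
    "10.0.0.5 200 GET http://www.example.com/index.php",
]

def find_beacons(log_lines):
    """Return (host, path, status) for every request whose path matches the beacon pattern."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        status, url = parts[1], parts[3]
        m = URL_RE.match(url)
        if m and BEACON_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2), int(status)))
    return hits

def live_beacons(log_lines):
    """Beacon requests answered with something other than 404: endpoints still worth blocking."""
    return [h for h in find_beacons(log_lines) if h[2] != 404]
```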

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
