Security Incidents mailing list archives

Re: maoqmwgn.exe


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 16 Apr 2004 10:13:27 +1200

"George M. Garner Jr." <gmgarner () erols com> wrote:

I am looking for information on a small program entitled maoqmwgn.exe
(http://users.erols.com/gmgarner/malware/maoqmwgn.zip).  The program, which
opens UDP 1030, was found on a computer that was infected with certain
spyware.  The creation time also correlates with the spyware.  ...

Aside from opening that port, it appears that this is a downloader that 
pulls files down from another site and installs them.  It has a 
hardcoded reference to a data file on www.slotch.com and currently that 
file contains references to two .EXE files -- setup_integrated_s2.exe 
and uninstall.exe (the first on a machine in the ouyks.com domain and 
the second in the same folder as the .PHP file at slotch.com).  Until 
you have determined what all is happening on this machine, it would be 
advisable to block all traffic to any machines in either of those domains 
if possible (and better still to log all attempted connections to 
machines in those domains).

Eyeballing the decompressed .EXE suggests that the following filenames 
and directories _may_ be found on the victim machine if this .EXE was 
run (many may simply be temporary files created during download and 
installation then removed):

   uinst_cp.exe
   casino.exe
   C:\casino\Golden Palace Casino\casino.exe
   config.dat
   win.dat
   html.dat
   setup_updater.exe
   updaterinstall.dat
   c:\Setup.exe
   text.dat
   defaulttxt.dat
   addremove.dat

Also, keys or values may have been added or modified at or under any 
registry locations that include these strings:

   SOFTWARE\Microsoft\Windows\CurrentVersion
   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

The odds are good that the maoqmwgn.exe file is on the machine because 
the user "accepted" it as an ActiveX control (or it was downloaded as 
the result of them accepting some other control) or by clicking on a 
"download me" link in spam, a banner ad or a popup.  It may also have 
been pushed to the machine as part of the payload of the spyware.  Can 
you obtain any further evidence of how it came to be on the machine?  
This is important, as several AV companies will not add detection for 
the downloader unless it can be proved that some form of deception is 
used in getting the user to accept it, or otherwise that some form of 
malice or ill-intent is involved in getting the .EXE onto "victim" 
machines (i.e. many AV developers do not see it as their job to protect 
your users from the easily avoidable stupidity of accepting a 
"commercial offer", no matter how obviously "dodgy" or "fishy" said 
offer is to a normal, sane person).

Is this a "corporate PC" or a SOHO machine?  If the former, why is IE's 
"only allow administrator approved controls" policy not in force?

Analysis of the .EXEs this downloads will proceed later today -- I have 
other work to do first and am on a slow-ish link so the 3.9MB installer 
is still downloading...

...  I don't see
it referenced anywhere.

Well, by and large, filenames alone are all but useless diagnostically. 
If you rename this thing to foobar.exe and run it, do you really expect 
that it will not work?


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

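A host-triage script for the indicators in the message above, added here as an example and not part of the original thread. It assumes PowerShell 3 or later, an elevated prompt, and that $searchRoots (a guess at likely drop locations) is where the loose file names would land:

```powershell
# Added triage script (not from the thread). Lists the artifacts Nick names:
# dropped file names, fixed paths, registry entries under CurrentVersion that
# reference them, and the process bound to UDP 1030. Assumes PowerShell 3+,
# an elevated prompt, and that $searchRoots are typical drop locations.
$fileNames = @('maoqmwgn.exe', 'uinst_cp.exe', 'casino.exe', 'config.dat',
               'win.dat', 'html.dat', 'setup_updater.exe', 'updaterinstall.dat',
               'text.dat', 'defaulttxt.dat', 'addremove.dat')
$fixedPaths = @('C:\casino\Golden Palace Casino\casino.exe', 'C:\Setup.exe')
$searchRoots = @($env:SystemRoot, $env:TEMP, $env:ProgramFiles, 'C:\casino')
$pattern = ($fileNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Fixed paths quoted in the message
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { "[file] present: $p" }
}

# 2. Loose file names in likely drop locations; the creation time lets you
#    correlate with the spyware's arrival, as George did.
foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains $_.Name } |
        ForEach-Object { "[file] {0}  created {1}" -f $_.FullName, $_.CreationTime }
}

# 3. Run / Uninstall entries under CurrentVersion whose data mentions an indicator
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
foreach ($run in @("$cv\Run", "$cv\RunOnce")) {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Value -match $pattern } |
            ForEach-Object { "[registry] $run\$($_.Name) = $($_.Value)" }
    }
}
Get-ChildItem -Path "$cv\Uninstall" -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $text = "$($props.DisplayName) $($props.UninstallString)"
    if ($text -match $pattern) { "[registry] Uninstall\$($_.PSChildName): $text" }
}

# 4. Owner of the UDP 1030 socket (netstat -ano prints the owning PID last)
netstat -ano -p UDP | Where-Object { $_ -match ':1030\s' } | ForEach-Object {
    $ownerPid = ($_ -split '\s+')[-1]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    "[net] UDP 1030 bound by PID $ownerPid ($($proc.ProcessName)) $($proc.Path)"
}
```

As Nick notes, a renamed copy will not match the file-name checks, so treat the socket owner and the registry hits as the stronger signals and the file names as corroboration only.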
