Security Incidents mailing list archives
Re: maoqmwgn.exe
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 16 Apr 2004 10:13:27 +1200
"George M. Garner Jr." <gmgarner () erols com> wrote:
I am looking for information on a small program entitled maoqmwgn.exe (http://users.erols.com/gmgarner/malware/maoqmwgn.zip). The program, which opens UDP 1030, was found on a computer that was infected with certain spyware. The creation time also correlates with the spyware. ...
Aside from opening that port, it appears that this is a downloader that pulls files down from another site and installs them. It has a hardcoded reference to a data file on www.slotch.com and currently that file contains references to two .EXE files -- setup_integrated_s2.exe and uninstall.exe (the first on a machine in the ouyks.com domain and the second in the same folder as the .PHP file at slotch.com). Until you have determined what all is happening on this machine, it would be advisable to block all traffic to any machines in either of those domains if possible (and better still to log all attempted connections to machines in those domains).

Eyeballing the decompressed .EXE suggests that the following filenames and directories _may_ be found on the victim machine if this .EXE was run (many may simply be temporary files created during download and installation then removed):

  uinst_cp.exe
  casino.exe
  C:\casino\Golden Palace Casino\casino.exe
  config.dat
  win.dat
  html.dat
  setup_updater.exe
  updaterinstall.dat
  c:\Setup.exe
  text.dat
  defaulttxt.dat
  addremove.dat

Also, keys or values may have been added or modified at or under any registry locations that include these strings:

  SOFTWARE\Microsoft\Windows\CurrentVersion
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

The odds are good that the maoqmwgn.exe file is on the machine because the user "accepted" it as an ActiveX control (or it was downloaded as the result of them accepting some other control) or by clicking on a "download me" link in spam, a banner ad or a popup. It may also have been pushed to the machine as part of the payload of the spyware. Can you obtain any further evidence of how it came to be on the machine? This is important, as several AV companies will not add detection for the downloader unless it can be proved that some form of deception is used in getting the user to accept it, or otherwise that some form of malice or ill-intent is involved in getting the .EXE onto "victim" machines (i.e. many AV developers do not see it as their job to protect your users from the easily avoidable stupidity of accepting a "commercial offer", no matter how obviously "dodgy" or "fishy" said offer is to a normal, sane person).

Is this a "corporate PC" or a SOHO machine? If the former, why is IE's "only allow administrator approved controls" policy not in force?

Analysis of the .EXEs this downloads will proceed later today -- I have other work to do first and am on a slow-ish link so the 3.9MB installer is still downloading...
... I don't see it referenced anywhere.
Well, by and large, filenames alone are all but useless diagnostically. If you rename this thing to foobar.exe and run it, do you really expect that it will not work?

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
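As an added example (not part of the original post and not the downloader's own code), a small Python triage helper that applies the indicators from the reply above the way it suggests: suffix-matching proxy log entries against the two named domains so logged connections stand out, and matching a directory listing against the listed filenames. The Squid-format log lines and the file paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains and filenames are the ones named in the thread above; the log
# lines and paths further down are constructed for this example.
WATCH_DOMAINS = ("slotch.com", "ouyks.com")
WATCH_FILENAMES = {
    "maoqmwgn.exe", "uinst_cp.exe", "casino.exe", "setup_updater.exe",
    "setup_integrated_s2.exe", "uninstall.exe", "setup.exe", "config.dat",
    "win.dat", "html.dat", "updaterinstall.dat", "text.dat",
    "defaulttxt.dat", "addremove.dat",
}

def host_in_domain(host, domain):
    """True for the domain itself or any subdomain; 'notslotch.com' does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def flag_domain_hits(log_lines, domains=WATCH_DOMAINS):
    """Scan Squid native access-log lines and return (client, host, url)
    for every request whose host falls under a watched domain."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line; skip rather than crash
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname or ""
        if any(host_in_domain(host, d) for d in domains):
            hits.append((client, host, url))
    return hits

def flag_suspect_files(paths, names=WATCH_FILENAMES):
    """Case-insensitive basename match over a directory listing. As the post
    notes, a filename is only a lead for hashing/AV review, not proof."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in names]

SAMPLE_LOG = [  # constructed Squid-format lines, not real traffic
    "1082000000.123 120 192.0.2.10 TCP_MISS/200 512 GET http://www.slotch.com/list.php - DIRECT/203.0.113.5 text/html",
    "1082000001.456 300 192.0.2.10 TCP_MISS/200 4096000 GET http://dl.ouyks.com/setup_integrated_s2.exe - DIRECT/203.0.113.6 application/octet-stream",
    "1082000002.789 50 192.0.2.11 TCP_HIT/200 2048 GET http://www.notslotch.com/index.html - NONE/- text/html",
]
SAMPLE_PATHS = [  # constructed directory listing
    r"C:\casino\Golden Palace Casino\casino.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Setup.exe",
]

if __name__ == "__main__":
    print(flag_domain_hits(SAMPLE_LOG), flag_suspect_files(SAMPLE_PATHS))
```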
Current thread:
- maoqmwgn.exe George M. Garner Jr. (Apr 15)
- Re: maoqmwgn.exe Mike (Apr 15)
- Re: maoqmwgn.exe Nick FitzGerald (Apr 16)
- <Possible follow-ups>
- Fw: maoqmwgn.exe Bob (Apr 15)
- Re: maoqmwgn.exe Matthew Closson (Apr 16)