ArryCode, Tuesday, February 8, 2011


Method of propagation:
   • Messenger

Side effects:
   • Downloads a malicious file
   • Drops files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Opens website in web browser

Files
It copies itself to the following location:
   • %WINDIR%\nvsvc32.exe

The following file is created:
– Non-malicious file:
   • %WINDIR%\ntdll.dl

It tries to download a file:
– The location is the following:
   • **********
It is saved on the local hard drive under: %drive%\tcc.exe
Further investigation pointed out that this file is malware, too.

It tries to execute the following files:
– Filename:
   • %SYSDIR%\net.exe

– Filename:
   • %SYSDIR%\netsh.exe
   using the following command line arguments: firewall add allowedprogram 1.exe 1 ENABLE

– Filename:
   • %SYSDIR%\ntvdm.exe
   using the following command line arguments: -f -i1

– Filename:
   • %SYSDIR%\ntvdm.exe
   using the following command line arguments: -f -i2

– Filename:
   • %SYSDIR%\sc.exe
   using the following command line arguments: config MsMpSvc start= disabled

– Filename:
   • %WINDIR%\explorer.exe
   using the following command line arguments: http://browseusers.myspa**********.com/Browse/Browse.aspx

The following registry keys are changed:
– [HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
   New value:
   • "(Default)"="oleacc.dll"

Lowers security settings in Internet Explorer:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
   New value:
   • "ProxyBypass"=dword:00000001
   • "IntranetName"=dword:00000001
   • "UNCAsIntranet"=dword:00000001

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:00000001
   • "ProxyEnable"=dword:00000000
   • "ProxyServer"=-
   • "ProxyOverride"=-

– [HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:00000000
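As an added defender-side example (not part of the original post), the following Python checks constructed process-creation and registry-change records against the command lines and Internet Settings values listed above. The event tuple shapes, the sample records and the threshold of two changed values are assumptions, not telemetry from the analysis.

```python
import re

# Constructed process-creation events (image path, command line) modelled on
# the "It tries to execute the following files" section; not real telemetry.
PROCESS_EVENTS = [
    (r"C:\Windows\system32\netsh.exe", "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    (r"C:\Windows\system32\sc.exe", "sc config MsMpSvc start= disabled"),
    (r"C:\Windows\system32\ntvdm.exe", "ntvdm -f -i1"),
    (r"C:\Windows\system32\sc.exe", "sc query wuauserv"),                  # benign
    (r"C:\Windows\system32\netsh.exe", "netsh interface ip show config"),  # benign
]

# Constructed registry value-set events (key, value name, data).
REGISTRY_EVENTS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "UNCAsIntranet", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "MigrateProxy", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", "updater.exe"),  # unrelated
]

# (rule name, image filename, command-line pattern) for the listed commands.
PROCESS_RULES = [
    ("netsh-firewall-allowedprogram", "netsh.exe", re.compile(r"firewall\s+add\s+allowedprogram", re.I)),
    ("sc-disable-msmpsvc", "sc.exe", re.compile(r"config\s+msmpsvc\s+start=\s*disabled", re.I)),
    ("ntvdm-f-i-flags", "ntvdm.exe", re.compile(r"(^|\s)-f\s+-i\d", re.I)),
]

# Internet Settings values the sample rewrites to weaken IE proxy/zone handling.
IE_SETTINGS_TOUCHED = {"ProxyBypass", "IntranetName", "UNCAsIntranet",
                       "MigrateProxy", "ProxyEnable", "ProxyServer", "ProxyOverride"}
IE_SETTINGS_KEY = re.compile(r"\\Internet Settings$", re.I)


def match_process_events(events):
    """Return [(rule, command_line)] for every event that matches a process rule."""
    hits = []
    for image, cmdline in events:
        name = image.rsplit("\\", 1)[-1].lower()
        for rule, exe, pattern in PROCESS_RULES:
            if name == exe and pattern.search(cmdline):
                hits.append((rule, cmdline))
    return hits


def match_registry_events(events, threshold=2):
    """Return the listed Internet Settings value names written, or [] when fewer
    than `threshold` distinct ones changed (one ProxyEnable write alone is common)."""
    seen = {name for key, name, _ in events
            if IE_SETTINGS_KEY.search(key) and name in IE_SETTINGS_TOUCHED}
    return sorted(seen) if len(seen) >= threshold else []
```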

It is spreading via Messenger. The characteristics are described below:
– Yahoo Messenger
The sent message looks like the following:

   • .m.s|.m.e hahahah Foto :D http://www.biersit********************

At the time of analysis the file was not online anymore.

To deliver system information and to provide remote control, it connects to the following IRC server:

Server: %IRC server%
Port: 1234
Server password: xxx
Channel: #!nn!
Nickname: NEW-[GBR|00|P|%random numbers%]
Password: test

– This malware has the ability to collect and send the following information:
    • Information about the Windows operating system

– Furthermore, it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • join IRC channel
    • leave IRC channel

It queries with the following names:

Accesses internet resources:

File details
Programming language:
The malware program was written in MS Visual C++.

Compilation date:
Date: 01/02/2011
Time: 20:14:55


Copyright 2010 ArryCode_Blog