Wednesday, January 02, 2008

And on January 1st EVERYBODY SPAM!

Its been a while since I've looked at a virus with a date-triggered behavior change, but that seems to be the case with the one I'm currently looking into.

I spent most of the day yesterday playing with a new spamming virus which "triggered" on January 1st to begin spamming "VPXL" male organ enlargement pills, after being dormant on a machine for almost two weeks.

I would very much appreciate any reports (which will be kept anonymous) regarding how wide-spread this virus may be, or whether anyone can identify the original point of infection.

This is currently the most widely spread spam campaign being observed by our Spam Data Mine at UAB. Its the same group that has been previously using the brands "King Replica" for counterfeit watches and "EliteHerbal" for pills.

The machine I was studying became infected on December 17th, after a "drive-by infection" sent it to the website "www.injectpanel.com" where it hit a file called "/us/ret.php", which caused it to download "index[1].exe". (We are working to get this site shutdown already).

Infected machines will be easily identified (now that Jan 1 has passed), by an enormous number of outbound SMTP connections.

Infected machines will probably have a large number of files in their root directory ending in ".tmp". Some of these files may be 42,496 bytes in size, which are copies of the .exe, while others will be 0 bytes in size.

Infected machines ARE rootkitted, with a couple files of true interest:
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll

(I found these with "RootKit Revealer", a Most Useful Tool!)

Infected machines will contact on each boot "www.injectpanel.com", and may also connect on each boot "www.botsys.net".

AV vendor PREVX had received 11 copies of this virus since December 18th, most commonly called "index[1].exe".

VirusTotal received its first copy on December 30th, and had a 43% detection. It was NOT detected by ClamAV, F-Prot, McAfee, NOD, Sunbelt, or Symantec. As of Jan 1, it showed 53% detection. (17 of 32 AV products could detect the virus.)

The copy I was dealing with had the MD5:

b7f085411871026218cc30b4a6c0363e

Other secondary infections have been seen being "dropped" from injectpanel.com. Including "Nurech" (AKA "Chepvil"), which also showed only a 13 of 32 detection rate on Jan 1.

Nurech places a large number of files in the Windows\System32 directory.
Some example names were:
imapi.exe
mnmsrvc.exe
msdtc.exe
netdde.exe
alg.exe.tmp
cisvc.exe.tmp

These will be copied to a "numbered" temp file, such as:

124671.exe
147359.exe

which can be found in memory and in the C:\Windows\Temp\ directory.

The file size of these files is "8,704".

MD5 for Nurech = 337915d40c893b64ef57fe3866dadb8f

If anyone else is experiencing these viruses, I'd love to learn any more details you might be able to share, but most importantly I'm trying to gage how widespread the infection is.

Windows XP Machines infected with Nurech may demonstrate the characteristic of "falling off" networks, getting stuck in an "acquiring network device" state. (Which may be an overwhelmed TCP stack from the many many copies of "svchost" that are trying to drive TCP connections.)

Thanks for any help!

Gary Warner
Director of Research in Computer Forensics
http://www.cis.uab.edu/forensics/

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.