
Last night we received a fun email. It looks like this ->
The email explains that Google and Symantec want you to continue enjoying your safe computing experience.
As a "free gift," they are offering you free Symantec Norton Anti-Virus for a year. All you have to do is download Laura.exe from a .ro site. We assure you, it's NOT Symantec Norton Anti-Virus you're downloading.
Below is our quick 15-minute look at this piece of malware.
Laura.exe
MD5 80f1628552756ccada451279090bbaa9
SHA1 845937ded1c0c0512403f03deade14c8682288c9
$file Laura.exe
Laura.exe: PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed, RAR self-extracting archive
$unrar x Laura.exe .
...
$ls
aliases.ini download icon.ini Laura.exe mirc.ico mircs popups.txt remote.ini servers.ini sup.bat svchost.exe control.ini fullname.txt ident.txt logs mirc.ini nicks.txt poza.txt script.ini sounds sup.reg users.ini
$file *
aliases.ini: ASCII text, with CRLF line terminators
control.ini: ASCII text, with CRLF line terminators
download: directory
fullname.txt: data
icon.ini: ASCII text, with CRLF line terminators
ident.txt: data
Laura.exe: PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed, RAR self-extracting archive
logs: directory
mirc.ico: MPEG sequence
mirc.ini: ASCII text, with CRLF line terminators
mircs: ASCII text, with CRLF line terminators
nicks.txt: data
popups.txt: data
poza.txt: ASCII text, with CRLF line terminators
remote.ini: ASCII text, with CRLF line terminators
script.ini: data
servers.ini: ASCII text, with CRLF line terminators
sounds: directory
sup.bat: ASCII text, with CRLF line terminators
sup.reg: ASCII text, with CRLF line terminators
svchost.exe: PE executable for MS Windows (GUI) Intel 80386 32-bit
users.ini: ASCII text, with CRLF line terminators
$md5sum svchost.exe
bd094b93a93928edd417ef7ad6fee321 svchost.exe
$cat aliases.ini
[aliases]
n0=.away -= bY cineva :)) =-
$cat poza.txt
[users]
n0=*!*@PisuleMeu.users.undernet.org
n1=*!*@Koch.users.undernet.org
n0=*!*@PisuleMeu.users.undernet.org
n1=*!*@Koch.users.undernet.org
Interesting entries in mirc.ini
$cat mirc.ini
...
userid=speed
system=UNIX
port=31337
ServiceName=psyBNC
user=luigi
nick=dr0nex
anick=xty0e_
email=Robert18
...
And to make sure it runs again...
$cat sup.reg
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"GNP Generic Host Process"="C:\\WINDOWS\\system\\svchost.exe"
$cat sup.bat
@regedit /s sup.reg
@exit
Ah, I think the answer has become quite clear. It's an IRC bot (surprise!). The files nicks.txt, fullname.txt, and ident.txt all contain huge lists of names and nicknames. The executable svchost.exe is in actuality mIRC version 6.0. This can be figured out simply by running strings on the svchost.exe binary and grepping for mIRC.
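As an added example (not tooling from the original post), here is a small Python triage script over the two configuration files quoted above: it parses the .reg persistence file for Run-key entries, flags the svchost.exe that lives outside System32, and pulls the IRC identity settings out of the mirc.ini lines. The sup.reg and mirc.ini contents are reconstructed inline from the post; the genuine svchost.exe path under System32 and the ident default port of 113 are assumptions from Windows and RFC 1413, not from the post.

```python
import re

# Constructed copies of the sup.reg and mirc.ini lines quoted in the post.
SUP_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"GNP Generic Host Process"="C:\\WINDOWS\\system\\svchost.exe"
"""
MIRC_INI = """userid=speed
port=31337
user=luigi
nick=dr0nex
anick=xty0e_
"""

RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\Run(?:Once)?)\]\s*$", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
# Assumption: the genuine Service Host binary lives only under System32.
LEGIT_SVCHOST = re.compile(r"^[a-z]:\\windows\\system32\\svchost\.exe$", re.I)

def run_entries(reg_text):
    """Return (key, value_name, path) for each value under a Run/RunOnce key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = RUN_KEY.match(line)
            current = m.group(1) if m else None  # values under other keys are skipped
            continue
        m = REG_VALUE.match(line)
        if current and m:  # .reg doubles backslashes; collapse them to a real path
            entries.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def ini_values(ini_text):
    """Flatten key=value lines (section headers ignored) into a dict, keys lowercased."""
    pairs = (ln.split("=", 1) for ln in ini_text.splitlines() if "=" in ln and ln[:1] != "[")
    return {k.strip().lower(): v.strip() for k, v in pairs}

def triage(reg_text, ini_text):
    """Findings a responder would record for this bundle."""
    findings = []
    for key, name, path in run_entries(reg_text):
        findings.append(f"persistence: {key} -> {name} = {path}")
        if path.lower().endswith("svchost.exe") and not LEGIT_SVCHOST.match(path):
            findings.append(f"masquerade: svchost.exe outside System32 ({path})")
    cfg = ini_values(ini_text)
    if "port" in cfg:  # mIRC's ident listener; assumption: 113 is its default
        flag = "" if cfg["port"] == "113" else " (non-default)"
        findings.append(f"ident port: {cfg['port']}{flag}")
    findings += [f"irc {k}: {cfg[k]}" for k in ("nick", "anick", "user", "userid") if k in cfg]
    return findings
```

Running triage(SUP_REG, MIRC_INI) yields the persistence entry, the masquerade flag, the non-default ident port and the four IRC identity values, which is the indicator set worth recording for this sample.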
In the end this malware is not very interesting from an analysis standpoint. But it is yet another attempt at taking advantage of security-conscious victims. It's unfortunate that many people will install this malware thinking they are doing the right thing to stop viruses. Unbeknownst to them, they've just added another bot to the collection.
The analysis was done on Ubuntu Linux. I fired up my Windows virtual machine but only needed it for a brief moment, to run svchost.exe and confirm my initial thought that it was indeed mIRC.