We received several escalations earlier this month about some users experiencing a number of print jobs being sent to printers and print servers. This caused delays on deliveries because each printer is printing an average of about 300 pages. But what is it printing?

The pages being printed, like the one below, are actually lines of code that we believe belong to another piece of malware intended to be installed on the target machine. The machines executing the printing routine were found infected with either TROJ_AGENT.BCPC or TROJ_PONMOCOP variants.

We noticed that randomly-named binaries were seen in the following locations of the infected system:

TROJ_AGENT.BCPC

• %System%\{random 10 letters}.exe
• %System%\SPOOL\PRINTERS\FP{5 digit numbers}.SPL – This file is what we believe caused the printouts.
• %System%\SPOOL\PRINTERS\{random file}.tmp

TROJ_PONMOCOP variants

• %System%\{random file}.dll
• \Users\{user name}\Appdata\Roaming\{random file}.dll
• \Documents and Settings\{user name}\Application Data\{random file}.dll
• \Program Files\{random folder}\{random file}.dll
• %Windows%\SysWOW64\{random file}.dll

Where is it coming from?

Based on the analysis done, we’ve identified two entry points used by the malware. We’ve seen malware related to this attack being downloaded as a .zip file. The downloads are from certain forums possibly hosting other malicious files:

We’ve also seen this malware arrive in affected systems as a downloaded file by clicking on certain Google search results:

Notable routines

Systems affected with TROJ_AGENT.BCPC connect to http://storage5.static.{BLOCKED}s.ru/i/12/0601/h_1338571059_9957469_b48b167953.jpeg, where it downloads ADW_EOREZO. Users might experience incessant pop-up ads due to the presence of the said adware on the system. Ads displayed are from http://ads.{BLOCKED}1.com/cgi-bin/advert/getads?did=1077.

In addition, the presence of TROJ_PONMOCOP makes the attack difficult to analyze. TROJ_PONMOCOP code contains an encrypted portion which is loaded and decrypted into memory. When decrypted, it becomes a new binary file that is UPX-packed, and will take over the routines from then on.

This new binary also contains encrypted code, which requires decryption keys derived from parameters found on the infected system, namely the ftCreationTime and ftLastAccessTime values of the %Windows%\system32 and System Volume Information folders, as well as the serial number of the hard drive, in order to decrypt itself.

If the decrypted code is a valid binary file, it again transfers control to this newly-created binary. If not, the routine of the malware will not proceed. This simply means that the binary may be unique for each infected system. Note that all these steps are done in memory, which means there are no dropped files.

Then, the following registry keys are checked by the malware to decrypt additional binaries in memory. These registry keys are dependent on the infected machine’s processor/operating system:

32-bit systems:

• HKLM\Software\{random}
• HKCU\Software\{random}

64-bit systems:

• HKLM\Software\Wow6432Node\{random}
• HKCU\Software\Wow6432Node\{random}

These registry entries contain encrypted data, which are then decrypted into three binary files. The first binary file has the capability to monitor and disable the services named “wscsvc”, “WinDefend”, and “MsMpSvc”. It also deletes the following registry entries related to security applications:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run “Windows Defender”
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run “msse”

The second binary file has a routine that posts information about “Http Status”, “Time slots”, and “Statistics” to a remote server. Details of the information and where these are being sent to are being investigated. The said binary file also checks for the following additional registry entries:

• HKLM\software\Microsoft\Windows\CurrentVersion\Internet Settings
• HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings
• HKLM\software\Microsoft\Multimedia
• HKCU\software\Microsoft\Multimedia
• HKLM\System\CurrentControlSet

Once it finds these entries, the second binary decrypts the data contained in one of the values. The decrypted data contains numerical values and URLs which the malware may either try to hijack or visit.

Additionally, the following new registry entries, which contain additional encrypted data, are created by the second binary:

• HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{random}
• HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{random}\{random}

The routines of the last binary file are still under investigation.
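A host-triage check built from the indicators listed above (the disabled services, the deleted Run entries, the {random} keys holding encrypted blobs, and the FP{5 digits}.SPL spool file). This is an added example and not Trend Micro tooling; the snapshot layout, the assumption that Windows Defender and MSE are installed, and the random-name heuristic are assumptions made for the example.

```python
import re

# Indicators from the write-up: services the first decrypted binary disables, the
# Run entries it deletes, the per-architecture {random} keys holding encrypted
# data, and the FP{5 digits}.SPL spool file behind the printouts.
WATCHED_SERVICES = ("wscsvc", "WinDefend", "MsMpSvc")
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXPECTED_RUN = ("Windows Defender", "msse")   # assumes both products are installed
BLOB_ROOTS = (r"HKLM\Software", r"HKCU\Software",
              r"HKLM\Software\Wow6432Node", r"HKCU\Software\Wow6432Node")
SPOOL_RE = re.compile(r"^%System%\\SPOOL\\PRINTERS\\FP\d{5}\.SPL$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,12}$", re.I)   # weak alone; paired with a blob check

def triage(snapshot):
    """Return (indicator, detail) pairs for indicators present in a host snapshot.

    Hypothetical snapshot layout for this example: services -> state string,
    run_entries -> values under RUN_KEY, registry -> key: (type, default value data),
    files -> paths with %System% left unexpanded.
    """
    findings = []
    for svc in WATCHED_SERVICES:
        state = snapshot["services"].get(svc)
        if state is not None and state != "Running":
            findings.append(("security service not running", f"{svc}={state}"))
    for name in EXPECTED_RUN:
        if name not in snapshot["run_entries"]:
            findings.append(("security Run entry missing", f'{RUN_KEY} "{name}"'))
    for key, (vtype, data) in snapshot["registry"].items():
        root, _, leaf = key.rpartition("\\")
        # Vendors use named keys with string values; a random-looking key directly
        # under Software whose default value is a raw blob matches the report's pattern.
        if root in BLOB_ROOTS and RANDOM_NAME_RE.match(leaf) and vtype == "REG_BINARY":
            findings.append(("random-named key holding encrypted blob", f"{key} ({len(data)} bytes)"))
    for path in snapshot["files"]:
        if SPOOL_RE.match(path):
            findings.append(("FP#####.SPL spool file present", path))
    return findings

SAMPLE = {  # constructed host snapshot for the example, not data from the report
    "services": {"wscsvc": "Stopped", "WinDefend": "Stopped", "MsMpSvc": "Running", "Spooler": "Running"},
    "run_entries": {"msse": r'"C:\Program Files\Microsoft Security Client\msseces.exe" -hide'},
    "registry": {
        r"HKLM\Software\Wow6432Node\qzkrtplmwv": ("REG_BINARY", bytes(range(256)) * 40),
        r"HKLM\Software\Wow6432Node\Microsoft": ("REG_SZ", ""),   # named vendor key, not flagged
    },
    "files": [r"%System%\SPOOL\PRINTERS\FP00017.SPL", r"%System%\SPOOL\PRINTERS\00017.SHD"],
}

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE):
        print(f"[!] {indicator}: {detail}")
```

A single spool file or a stopped service is weak on its own; the value is in the combination, so treat several findings together as the signal.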

Trend Micro Protection

Trend Micro users are protected in two ways. All of the files listed above are already detected as malicious. In addition, we also block all the URLs involved to prevent any new variants from being downloaded onto user systems. This combination provides better protection for users than a conventional response focusing on either the malicious files or sites in isolation.

Note that we are continuously investigating this attack. We will update this entry as more pieces of this “printer virus” become clearer.

With additional analysis from Lenart Bermejo, Brian Cayanan, and Allan Sepillo

Update as of 7:42 AM July 3 2012, PST Time

The routines on the forum download entry point have been updated.

Update as of 12:55 PM July 18 2012, PST Time

In the TROJ_PONMOCOP variant we investigated, the last binary file checks and gathers system information such as computer name, installed drivers and programs, running processes, and system registry information. The said routine is done to ensure that it is not being debugged or monitored. It also attempts to connect to two IPs that are inaccessible as of this writing.

© Copyright 2013 Trend Micro Inc. All rights reserved.