While checking the personal spam emails I received yesterday, I became interested in a certain email asking the user to view adult pictures by clicking on the following picture:
Clicking on the picture leads to hxxp://{BLOCKED}-carvalhal.pt/tits.exe, a malicious file detected as TROJ_SHEUR.HD (the link, however, has been unavailable since yesterday afternoon).
Once I got hold of this file, I was curious to know what could be on the main page of this web site, so I simply typed hxxp://{BLOCKED}-carvalhal.pt into my browser’s address bar. I then got genuinely infected by a succession of malware loading into memory, reminiscent of a 404 toolkit, which at the end of its infection installs a rogue antivirus product named WinIFixer on the system:
I decided to take a closer look at the main page’s source code, which turned out to contain two scripts redirecting to two different URLs:
Once these scripts are executed, the computer becomes nearly unusable, as it is too busy loading iframes, scripts and malware.
Let’s now take hxxp://{BLOCKED}hosting.net/404.php, which redirects us to:
And hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20, which redirects us to:
The downloaded file t.php is an encoded script which in turn redirects us to yet another location to fetch malware.
Two more files are then loaded: an HTM file and a file named svchost.t__, which downloads the following files:
- FR
- |429–hxxp://{BLOCKED}.65.239.42/msc61/u_f1_v34_78.exe
- |406–hxxp://{BLOCKED}.65.239.42/msc61/inst250.exe
- |428–hxxp://{BLOCKED}.65.239.42/msc61/krab.exe
- |251–hxxp://{BLOCKED}.54.89.222/loader.exe
- |230–hxxp://{BLOCKED}.65.239.42/msc61/ldig002.exe
- |437–hxxp://{BLOCKED}.65.239.42/msc61/terasole.exe
- |374–hxxp://{BLOCKED}.65.239.42/msc61/2302.exe
- |
To summarize how the Web site architecture makes all of this happen, here is a short diagram:

hxxp://{BLOCKED}-carvalhal.pt   (JS_CLICKER.ZU)
  |
  |-- link   ---> hxxp://{BLOCKED}hosting.net/404.php
  |
  |-- script ---> hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
  |
  |-- iframe ---> hxxp://{BLOCKED}nhex.org/t.php
Here are all the URLs called in this threat:
- hxxp://{BLOCKED}-carvalhal.pt/tits.exe
- hxxp://{BLOCKED}-carvalhal.pt/
- hxxp://{BLOCKED}forama.com/tds/in.cgi
- hxxp://{BLOCKED}hosting.net/404.php
- hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20
- hxxp://{BLOCKED}nhex.org/t.php
- hxxp://{BLOCKED}8.72.168.176/e-n0303vt/index.php
- hxxp://{BLOCKED}5.93.219.206/gr/index.php
- hxxp://{BLOCKED}landdreams.com/check/versionl.php?t=577
- hxxp://{BLOCKED}landdreams.com/check/n14041.htm
- hxxp://{BLOCKED}landdreams.com/check/n14042.htm
The following ones are not called, but knowing the 404 rootkit, I assumed they existed. I tried to retrieve them and found them all to be working:
- hxxp://{BLOCKED}landdreams.com/check/n14043.htm
- hxxp://{BLOCKED}landdreams.com/check/n14044.htm
- hxxp://{BLOCKED}landdreams.com/check/n14045.htm
- hxxp://{BLOCKED}landdreams.com/check/n14046.htm
- hxxp://{BLOCKED}landdreams.com/check/n14047.htm
- hxxp://{BLOCKED}landdreams.com/check/n14048.htm
- hxxp://{BLOCKED}landdreams.com/check/n14049.htm
By decrypting some of the code within the HTM files above, I found the following links, which are also malicious:
- hxxp://{BLOCKED}earscontract.com/check/vers195.php?q=3
- hxxp://{BLOCKED}earscontract.com/check/vers195.php
- hxxp://{BLOCKED}.93.219.206/gr/ (fake Apache error page, due to the WinIFixer installation)
- hxxp://{BLOCKED}.93.219.206/gr/loader.exe
- hxxp://{BLOCKED}.93.219.206/1stat/get_exa.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exb.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exc.php
- hxxp://{BLOCKED}.93.219.206/1stat/get_exd.php
- hxxp://{BLOCKED}.93.219.206/1files/mix/file1.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file2.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file3.exe
- hxxp://{BLOCKED}.93.219.206/1files/mix/file4.exe
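The URL lists above are only useful to a defender once they are turned into something that can be checked against proxy logs. The following Python script is an added example and is not part of the original post: it takes the indicators exactly as the post prints them (hxxp defanging, {BLOCKED} masking the start of every host), builds a matcher from the unmasked host tail plus the exact path, and runs it over a few constructed Squid-style access log lines. Because the real hostnames are redacted, the matcher can only key on the host suffix and the path; that is stated in the code and is why the constructed log lines use obviously fake hosts (private IP addresses and "masked-" prefixes). The n1404x.htm range is generated from the post's observation that n14041 through n14049 all existed on the server.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the URL lists in this post, kept exactly as the
# post prints them ("hxxp" defanging, "{BLOCKED}" masking the start of the host).
INDICATORS = [
    "hxxp://{BLOCKED}-carvalhal.pt/tits.exe",
    "hxxp://{BLOCKED}-carvalhal.pt/",
    "hxxp://{BLOCKED}forama.com/tds/in.cgi",
    "hxxp://{BLOCKED}hosting.net/404.php",
    "hxxp://{BLOCKED}ogle-analystic.com/in.cgi?20",
    "hxxp://{BLOCKED}nhex.org/t.php",
    "hxxp://{BLOCKED}8.72.168.176/e-n0303vt/index.php",
    "hxxp://{BLOCKED}5.93.219.206/gr/index.php",
    "hxxp://{BLOCKED}landdreams.com/check/versionl.php?t=577",
    "hxxp://{BLOCKED}.65.239.42/msc61/terasole.exe",
    "hxxp://{BLOCKED}.93.219.206/1stat/get_exa.php",
    "hxxp://{BLOCKED}.93.219.206/1files/mix/file1.exe",
    # The post found n14041 through n14049 present on the server, so cover the range.
] + [f"hxxp://{{BLOCKED}}landdreams.com/check/n1404{i}.htm" for i in range(1, 10)]


def compile_indicator(defanged):
    """Turn one defanged, host-masked URL into a (host_regex, path) matcher.

    Only the unmasked tail of the host is known from the post, so the host is
    matched by suffix. The path must match exactly. The query string is
    dropped because TDS parameters such as ?20 or ?t=577 vary per visitor.
    """
    parts = urlsplit(defanged.replace("hxxp://", "http://", 1))
    tail = parts.netloc.replace("{BLOCKED}", "")
    host_re = re.compile(r"^[^/:]*" + re.escape(tail) + r"$", re.IGNORECASE)
    return host_re, parts.path or "/"


MATCHERS = [(compile_indicator(ioc), ioc) for ioc in INDICATORS]


def url_from_squid_line(line):
    """Field 7 of Squid's native access.log format is the requested URL."""
    fields = line.split()
    return fields[6] if len(fields) > 6 else None


def scan_log(text):
    """Return [(line_number, url, matched_indicator)] for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        url = url_from_squid_line(line)
        if not url:
            continue
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path or "/"
        for (host_re, ioc_path), ioc in MATCHERS:
            if ioc_path == path and host_re.match(host):
                hits.append((n, url, ioc))
                break
    return hits


# Constructed sample log (Squid native format). Hosts are deliberately fake:
# RFC 1918 addresses and "masked-" prefixes stand in for the redacted parts.
# Lines 6 and 7 share a path with an indicator but sit on unrelated hosts and
# must NOT match, which is why the host tail is checked and not just the path.
SAMPLE_LOG = """\
1204710001.101   412 10.0.0.17 TCP_MISS/200 14020 GET http://masked-carvalhal.pt/tits.exe - DIRECT/10.99.0.1 application/octet-stream
1204710002.220   130 10.0.0.17 TCP_MISS/200 1810 GET http://masked-carvalhal.pt/ - DIRECT/10.99.0.1 text/html
1204710003.330    90 10.0.0.17 TCP_MISS/302 410 GET http://masked-ogle-analystic.com/in.cgi?20 - DIRECT/10.99.0.2 text/html
1204710004.440   205 10.0.0.17 TCP_MISS/200 3210 GET http://masked-landdreams.com/check/n14046.htm - DIRECT/10.99.0.3 text/html
1204710005.550   640 10.0.0.17 TCP_MISS/200 61440 GET http://10.65.239.42/msc61/terasole.exe - DIRECT/10.65.239.42 application/octet-stream
1204710006.660    44 10.0.0.23 TCP_HIT/200 512 GET http://intranet.example/404.php - NONE/- text/html
1204710007.770    44 10.0.0.23 TCP_MISS/200 8800 GET http://www.example.com/check/news.htm - DIRECT/10.99.0.9 text/html
"""

if __name__ == "__main__":
    for line_no, url, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {url}  <-  {ioc}")
```

Run against a real access.log by passing its contents to scan_log(). The matcher is intentionally strict on the path and loose on the host; if you later learn the full hostnames, replace the suffix regex with an exact comparison to cut false positives further.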
Since yesterday, the malicious script on hxxp://{BLOCKED}-carvalhal.pt/ has already been modified. Trend Micro detects the script as HTML_IFRAME.GQ.
All files gathered, as well as the malicious URLs, have already been submitted.
An Ethereal capture and a video (25 MB) of the whole infection are available on request.
Here is a short list of all malware detected:
- ctfmona.exe -> TROJ_DLOADER.JG
- Fsd9mk4g.dll -> TROJ_DLOADER.DUF
- inst250.exe -> TROJ_DROPPER.DRL
- Jfs9jg.dll -> TROJ_SMALL.BKJ
- krab.exe -> TROJ_AGENT.WNQ
- ldig002.exe -> TROJ_DLOADER.ENR
- msgk429.exe -> TROJ_DNSCHANGE.Y
- symavc32.sys -> TROJ_ROOTKIT.EZ
- u_f1_v34_78.exe -> TROJ_DNSCHANGE.Y
- winlogan.exe -> TROJ_DLOADER.DJH
- Wmgq44.sys -> TROJ_ROOTKIT.EZ
- ieupdr2.exe -> TROJ_DLOADER.LSI
- ie_updates3r.exe -> TROJ_DLOADER.LSI
- jf-carvalhal[1].txt -> JS_CLICKER.ZU
- loader.exe -> TROJ_CUTWAIL.AR
- msgk251.exe -> TROJ_CUTWAIL.AR
- nwan.dat -> TROJ_PROXY.TO
- terasole.exe -> BKDR_MOMIBOT.B
- tits.exe -> TROJ_SHEUR.HD
- WinIFixer.exe -> TROJ_WINFIXER.FD
- winlugan.exe -> TROJ_DLOADER.LSI
- WLCtrl32.dll -> TROJ_AGENT.ANX