Re: New Virus?

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 12/06/03

    Date:         Sat, 6 Dec 2003 13:06:17 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    "Michael Bemmerl" <security@astrobox.net> wrote:

    > Today I got an ICQ message from a user called "Monica" (Just search on ICQ:
    > http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Moniqu
    > e&LastName=&NickName=Monica&Country=49). In her details is a URL:
    > http://www.rsngermany.com/my_foto.htm This is a fake 404-Error-Page, because
    > in the <head>-tags is a link to http://www.rsngermany.com/dn2.hta :
    <<snip .HTA details>>
    > The .hta creates a file named q.vbs. That creates and runs x.exe. Notice the

    These filenames are possibly suggestive of the RAT Zinx:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zinx.html

    > unset parameter szURL in q.vbs (I assume that you can specify where to
    > download the next files - empty could mean that the files are loaded from
    > the coded location: http://rsngermany.com). The x.exe is FSG-packed; you can
    > unpack it with Un-FSG! (just google for it). The file will download another
    > exe file, disguised as jpg: http://www.rsngermany.com/3.jpg

    But the variant described at the URL above then downloads "q.exe" so
    perhaps a new variant?

    That said, filenames alone are seldom good diagnostics -- it could be
    something entirely different that has been distributed via the same
    basic dropper code...

    > I tested this exe with wine, it creates two files in the windows-dir.:
    > msreg.exe and fghy.exe (again packed with FSG) and two in system32:
    > svchostc.exe and svchosts.exe. Maybe it creates some run-entries in the
    > registry, but I couldn't test this. And it sends requests to various domains:
    >
    > All requests end in 404-Errors, except two (see end of list)
    > (replace * with d and f)
    >
    > comdat.de/kreta/yif.php
    > www.dataforcecg.com/webvision/yi*.php
    > www.eurostretch.ru/yi*.php
    > www.hhc-online.de/home/links/pics/yi*.php
    > www.courie.ru/style/yi*.php
    > mucuc.h10.ru/forum/yi*.php
    > www.gran-pri.ru/yi*.php
    > www.mir-auto.ru/yi*.php
    > artesproduction.com/yif.php
    >
    > comdat.de/kreta/yid.php --> 301, redirection to comcat.de/kreta/zid.php
    > comdat.de/kreta/zid.php --> 200, just prints out your ip. Maybe the author
    > logs infected PCs
    > artesproduction.com/yid.php --> 200, again prints out the ip

    Hmmmm -- that is somewhat suggestive of the Jermy family...

    > The svchosts.exe has some HTTP-response-message for Error 400, 502 and 503
    >
    > I tested the files with NAV2003, latest def., no infection.
    >
    > Some ideas what it could be?

    Send it to Symantec and ask them. You also may wish to send samples to
    several other AV developers. Here is a list of the suspicious file
    submission addresses of several well-known AV developers -- send the
    .HTA and the .EXEs to those you consider trustworthy:

       Command Software <virus@commandcom.com>
       Computer Associates (US) <virus@ca.com>
       Computer Associates (Vet/EZ) <ipevirus@vet.com.au>
       DialogueScience (Dr. Web) <Antivir@dials.ru>
       Eset (NOD32) <sample@nod32.com>
       F-Secure Corp. <samples@f-secure.com>
       Frisk Software (F-PROT) <viruslab@f-prot.com>
       Grisoft (AVG) <virus@grisoft.cz>
       H+BEDV (AntiVir): <virus@antivir.de>
       Kaspersky Labs <newvirus@kaspersky.com>
       Network Associates (McAfee) <virus_research@nai.com>
       Norman (NVC) <analysis@norman.no>
       Sophos Plc. <support@sophos.com>
       Symantec (Norton) <avsubmit@symantec.com>
       Trend Micro (PC-cillin) <virus_doctor@trendmicro.com>
         (Trend may only accept files from users of its products)

    Finally, the URLs you supplied in full all seem to be truly dead now,
    but whatever it is could be being spread through multiple vectors and
    multiple sites, so getting samples to those who can distribute
    detection as far and fast as possible should always be a priority with
    such things, rather than something you think about after exhausting
    your own investigations...

    --
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
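An added example, not code from either poster: a small Python script that turns the indicators Michael listed into checks a responder could run locally. It flags proxy-log requests for the check-in scripts (the /yid.php and /yif.php paths, plus the /zid.php the 301 pointed at), separates the dead 404 sites from the live 200/301 check-ins, and scans an HTML page for an .hta reference inside <head>, which is what made the "404 page" a lure. The log lines and the lure page are constructed; the Common Log Format layout, the client addresses and the exact tag that carries the .hta link are assumptions, while the hosts and paths are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy-log lines (CLF with the client address first). The hosts and
# paths are the ones from the post; the timestamps, clients and sizes are made up.
SAMPLE_PROXY_LOG = """\
10.0.0.5 - - [06/Dec/2003:12:01:03 +0100] "GET http://comdat.de/kreta/yid.php HTTP/1.0" 301 0
10.0.0.5 - - [06/Dec/2003:12:01:04 +0100] "GET http://comdat.de/kreta/zid.php HTTP/1.0" 200 13
10.0.0.5 - - [06/Dec/2003:12:01:05 +0100] "GET http://www.eurostretch.ru/yif.php HTTP/1.0" 404 210
10.0.0.7 - - [06/Dec/2003:12:02:10 +0100] "GET http://www.example.org/index.html HTTP/1.0" 200 5120
10.0.0.5 - - [06/Dec/2003:12:03:11 +0100] "GET http://artesproduction.com/yid.php HTTP/1.0" 200 13
"""

# Constructed lure page: a "404" whose <head> pulls in the .hta. The post only says
# the head links to dn2.hta; the <link> tag used here is an assumption.
SAMPLE_LURE = (
    '<html><head><title>404 Not Found</title>'
    '<link rel="stylesheet" href="http://www.rsngermany.com/dn2.hta"></head>'
    '<body><h1>Not Found</h1></body></html>'
)

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Check-in script names from the post: yid.php, yif.php and the zid.php redirect target.
BEACON_RE = re.compile(r'/[yz]i[df]\.php$')

HEAD_RE = re.compile(r'<head\b[^>]*>(.*?)</head>', re.I | re.S)
HTA_REF_RE = re.compile(r'''(?:href|src)\s*=\s*["']?([^"'\s>]+\.hta)''', re.I)


def parse_line(line):
    """Parse one CLF-style proxy line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_beacons(log_text):
    """Return (client, url, status) for every request whose path is a check-in script."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and BEACON_RE.search(urlsplit(rec["url"]).path):
            hits.append((rec["client"], rec["url"], rec["status"]))
    return hits


def suspected_clients(log_text):
    """Clients that got a 200 or 301 from a check-in script.

    A 404 means the hosting site is dead; a 200 (the IP echo) or the 301 to zid.php
    means the client actually reached a live logging endpoint.
    """
    return sorted({c for c, _, s in find_beacons(log_text) if s in (200, 301)})


def hta_refs_in_head(html):
    """Return every .hta URL referenced from href/src attributes inside <head>."""
    m = HEAD_RE.search(html)
    if not m:
        return []
    return HTA_REF_RE.findall(m.group(1))


if __name__ == "__main__":
    for client, url, status in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url} [{status}]")
    print("live check-ins from:", suspected_clients(SAMPLE_PROXY_LOG))
    print(".hta in head:", hta_refs_in_head(SAMPLE_LURE))
```

The status split matters for triage: the 404s tell you which drop sites have already been cleaned up, while a 200 or 301 on one of these paths is a host that has just been logged by whoever runs the endpoint and should be pulled for the dropped files (msreg.exe, fghy.exe, svchostc.exe, svchosts.exe) before anything else.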