SV: Strange servicepack.exe file (not service.exe) found.

From: Peter Kruse (kruse_at_krusesecurity.dk)
Date: 12/17/03

  • Next message: Eric Chien: "Re: Strange servicepack.exe file (not service.exe) found."
    To: "'Chip Mefford'" <cmefford@avwashington.com>, <incidents@securityfocus.com>
    Date: Wed, 17 Dec 2003 01:07:28 +0100
    
    

    Hi Chip,

    Just took a quick look at the sample and it seems to be a new variant of
    "Istbar", a family of backdoors that downloads several applications
    (porn dialers and stuff like that).

    The code is written in Microsoft Visual C++ and packed with UPX.

    When executed, the malware will drop copies of itself on the local
    hard disk and modify the registry in order to restart after reboot:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random Entry>="C:\Program Files\<Random Folder>\<malware.exe>"

    Next it will contact several websites from where it will download other
    components:

    http://cnt.rapidblaster.com/(**)run?
    http://devcnt.rapidblaster.com/(***)run?
    http://cnt.rapidblaster.com/(***).run

    A search on Google will bring up several hits for other variants of
    Istbar.

    Kind regards
    Peter Kruse
    http://www.krusesecurity.dk

    > -----Original Message-----
    > From: Chip Mefford [mailto:cmefford@avwashington.com]
    > Sent: 16 December 2003 19:29
    > To: incidents@securityfocus.com
    > Subject: Strange servicepack.exe file (not service.exe) found.
    >
    >
    > Running in the task manager on a Windows 98 box on
    > our LAN. The machine was misbehaving badly yesterday
    > morning. IE 5.5 was broken, will not browse anything,
    > even a local file. Mozilla 1.5 works fine. The machine
    > has been flattened and is being reloaded with Win2K.
    >
    > This machine was screwed down as tight as we could make
    > it and still have it be useful. It was used by staff
    > that had no dedicated workstations to access our webmail
    > and such things.
    >
    > I know nothing about reverse engineering binary executables.
    > Strings output showed some concerning lines.
    >
    > I've posted the file "servicepack.exe" in zipped and
    > tarred formats both at this url.
    >
    > http://www.eruditium.org/cmefford/securityfocus/
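Chip says he knows nothing about reverse engineering and only had `strings` output to go on; Peter's triage boils down to three static observations (UPX section names, embedded download URLs, a Run-key persistence string). The script below is an added example, not code from either poster, that automates exactly that first pass over an untrusted binary without executing it: it walks the MZ/PE headers to read the section table, flags the UPX0/UPX1/UPX2 names UPX leaves behind, and pulls http URLs and the `CurrentVersion\Run` path out of the raw bytes. Because the real servicepack.exe is not available here, `build_sample()` constructs a stand-in: a minimal, non-runnable PE skeleton with UPX section names and the indicator strings quoted in Peter's note (his `(**)` redactions are kept verbatim, not filled in).

```python
import re
import struct

# Section names UPX writes when it packs a PE (UPX0/UPX1 hold the compressed
# image; some builds also emit UPX2 for resources). Renaming them defeats this
# check, so treat it as a hint, not proof.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
RUN_KEY_RE = re.compile(rb"(?i)Software\\Microsoft\\Windows\\CurrentVersion\\Run")


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table and
    return the section names; an empty list means the blob is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size        # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                    # sizeof(IMAGE_SECTION_HEADER)
        if off + 40 > len(data):
            break                               # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    return any(n in UPX_SECTIONS for n in pe_section_names(data))


def extract_urls(data: bytes) -> list:
    """ASCII http(s) URLs found anywhere in the raw bytes, de-duplicated, in file order."""
    seen, urls = set(), []
    for m in URL_RE.findall(data):
        u = m.decode("ascii")
        if u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


def triage(data: bytes) -> dict:
    sections = pe_section_names(data)
    return {
        "is_pe": bool(sections),
        "sections": sections,
        "upx_packed": looks_upx_packed(data),
        "urls": extract_urls(data),
        "run_key_persistence": RUN_KEY_RE.search(data) is not None,
    }


def build_sample() -> bytes:
    """Constructed stand-in for servicepack.exe (NOT the real sample): a minimal
    PE skeleton with UPX section names and the indicator strings from the post
    appended. It has no code and is only input for the parser above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)               # PE32 optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32
                        for n in (b"UPX0", b"UPX1", b".rsrc"))
    strings = b"\0".join([
        b"http://cnt.rapidblaster.com/(**)run?",
        b"http://devcnt.rapidblaster.com/(***)run?",
        b"http://cnt.rapidblaster.com/(***).run",
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    ]) + b"\0"
    return dos + coff + opt + sections + strings


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a path to a suspect file (`python triage.py servicepack.exe`) or with no arguments to see the report on the constructed sample. The header walk reads only offsets and section names, so it is safe on hostile input; the string scan runs on the packed file, which is why Chip's `strings` still showed the URLs: UPX compresses the image but the stub and any strings appended outside the compressed sections stay in the clear.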

