Anti Rootkit

http://AntiRootkit.Net

IRC-Worm.Win32.Agent.a

    summer2008.zip

We just received a new worm from a friend that is spreading via MSN. The file name is “summer2008.zip”; inside the zip is a .scr file, “summer2008.scr”. This worm can send out different messages in multiple languages, and this time it also adds messages in Chinese (pinyin) pronunciation. Kaspersky detects it as Backdoor.Win32.IRCBot.acd (old name: IRC-Worm.Win32.Agent.a).

This worm sends out the following messages:

English version:

Look how wasted Paris Hilton is, after she got jailed :(
You and Me !!! …. look :p
Look at my photos hihi :p
Hey please accept my photos :o !!
A photo with me and my best friend :$ !!
This is me totaly naked :o please dont send to anyone else
Look what i found on the NET :o
Jessica Alba NUDE !!

Chinese version:

kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
NI HE WO !!! …. QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN :o !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
KAN WO DE ZHAOPIAN :p
ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!

Other version:

bak sana Paris Hilton ne hale gelmis hapiste :(
Sen ve Ben !!! …. BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda :o ama baskasina yollama
bak ne buldum :o Jessica alba ciplak !!

Regarde comment Paris Hilton parait efondr?apr qu’elle ai ?jeter en prison :(
Toi et moi !!! …. regarde :p
Regarde mes photos :p
Hey s’il te plait accepte mes photos :o !!
Une photo de moi et mon meilleur ami :$ !!
C’est moi totalement nu :o
s’il te plait ne l’envoie a personne d’autre
Regarde ce que j’ai trouv?sur le net :o Jessica Alba NU !!

Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Jij en Ik !!!! …. kijk :p
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
Kijk wat ik gevonden heb :o Jessica Alba naakt !!

guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
du und ich !!! ….guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem
guck was ich im internet gefunden habe :o jessica Alba NACKT !!

Guarda come Paris Hilton sprecato ? dopo che era imprijonata :(
Tu ed io !!! …. guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo :o prego non trasmette a chiunque
Osservi che cosa ho trovato sul internet :o Jessica alba NUDA !!

Veja como Paris Hilton est?acabada depois de ter sido presa :(
Voc?e eu !!!! …. Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos :o !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua :o por favor nmande isso pra ningu
Olha o que eu achei na NET :o Jessica Alba NUA !!

Kolla hur fstd Paris Hilton, efter att hon fgslades :(
Du och jag !! …. Kolla ;)
Kolla p?min bilder, hihi :p
Hey, acceptera mina bilder, snla :o
En bild p?mig och min bta v :$ !!!
Detta jag HELT naken.. :o Skicka inte till non annan, snla…
Kolla vad jag hittade p?net :o Jessica Alba NAKEN !!

Mira co Paris Hilton es perdida despu de ser encarcelada :(
Usted e yo !!! …. Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor :o !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda :o
por favor no env para nadie Mira lo que encontr?en la WEB :o Jessica Alba DESNUDA !!

Lede hvor spild Paris Hilton er efter hun fik fgsel :(
Jer og Mig !!! … se :p
Se p?min fotos :p
Hej behage optage min foto :o !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
Lede hvad jeg fandt oven p?den net :o Jessica Alba bar !!

Upon execution, this worm drops a randomly named file in the %WINDOWS% directory, using one of the following name patterns:

images0XX.zip
photos0XX.zip
albumXX.zip
photoXX.zip
pictures0XX.zip
pictureXX.zip (XX stands for random digits, e.g. album39.zip, images091.zip)

The file is 120,832 bytes and packed with NTKrnl; its MD5 hash is e1d1e9e2b1882f2c99c6a131341dea21.

How to remove this worm:

Step 1.
“Start”->”Run”, type “REGEDIT” and open the registry editor.

Step 2.
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
delete “printers”=”{CLSID}” in the right pane
( please copy the {CLSID} before deleting it )

Step 3.
Go to
HKEY_CLASSES_ROOT\CLSID

delete the {CLSID} key you copied in Step 2.

Step 4.
Restart your computer

Step 5.
Delete the following files:
%System%\notiffy.dll
%System%\printers.exe
%userprofile%\new.txt
%Windows%\{string1}{random number}.zip (file size:119KB)

{string1} is one of the following:
images0
photos0
album
photo
pictures0
picture

For example:
images047.zip (images047.scr)
photo92.zip (photo92.scr)
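As an added illustration (not code from the original post), the following Python script triages a directory listing against the drop-file naming scheme, dropped file names and MD5/size indicators listed above. The sample listing and its byte contents are constructed for the demo, and the choice to match dropped files by base name is an assumption.

```python
import hashlib
import re

# Drop-file naming scheme from the write-up: {string1}{random digits}.zip,
# with the .scr inside the archive carrying the same base name.
DROP_PREFIXES = ("images0", "photos0", "pictures0", "album", "photo", "picture")
DROP_NAME_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in DROP_PREFIXES) + r")\d{2}\.(?:zip|scr)$",
    re.IGNORECASE,
)

# Indicators quoted on the page for the worm binary.
KNOWN_MD5 = "e1d1e9e2b1882f2c99c6a131341dea21"
KNOWN_SIZE = 120_832
# Files the removal steps tell you to delete (assumption: matched by base name only).
KNOWN_DROPPED = {"notiffy.dll", "printers.exe", "new.txt"}

# Constructed sample listing: (file name, file contents). Not real samples.
SAMPLE_LISTING = [
    ("images047.zip", b"PK\x03\x04 constructed archive"),
    ("photo92.scr", b"MZ constructed executable"),
    ("images47.zip", b"PK\x03\x04 no leading zero, does not fit images0XX"),
    ("printers.exe", b"MZ constructed executable"),
    ("report.docx", b"PK\x03\x04 ordinary document"),
]


def matches_drop_pattern(name: str) -> bool:
    """True if a file name follows the worm's {string1}{digits}.zip/.scr scheme."""
    return DROP_NAME_RE.match(name) is not None


def classify(name: str, data: bytes) -> str:
    """Triage one file by hash+size, then by name.

    Returns 'known-sample', 'suspicious-name', 'known-dropped-name' or 'clean'.
    """
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    if digest == KNOWN_MD5 and len(data) == KNOWN_SIZE:
        return "known-sample"
    if matches_drop_pattern(name):
        return "suspicious-name"
    if name.lower() in KNOWN_DROPPED:
        return "known-dropped-name"
    return "clean"


def triage_listing(listing):
    """Return (name, verdict) for every entry that is not clean."""
    hits = []
    for name, data in listing:
        verdict = classify(name, data)
        if verdict != "clean":
            hits.append((name, verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in triage_listing(SAMPLE_LISTING):
        print(f"{name}: {verdict}")
```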

Alias:

W32.Mubla.B [Symantec]

Email-Worm.Win32.Sober.aa

    Worm.Win32.Sober.aa

    We received some spam today carrying a variant of Email-Worm.Win32.Sober. It spreads via English and German spam messages. Everyone should be careful.

    The English spam looks like this:

    From: Webmaster@microsoft.com
    Subject: Error in your eMail
    Body:
    Your eMail has occurred an unknown error on our Server. Please read your mail and check the text.

    The full email is attached!

    。auto mailerdaemon X.Path 4.2
    。(c) by microsoft.com

    Attachment: Mail_Data.zip

    Inside the .zip file is a file named “Winzipped_Data-Files.exe”. It is 89,274 bytes and packed with UPX; Kaspersky detects it as Email-Worm.Win32.Sober.aa.
    According to Symantec's report, the spam messages use the following:

    Subject:(One of the following)
    Ihr Passwort wurde geaendert!
    Fehlerhafte Mailzustellung
    Ihr Account wurde eingerichtet!
    Your Updated Password!
    Error in your eMail

    Body:(One of the following)

    Ihr Passwort wurde erfolgreich geaendert.Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!
    Diese Nachricht wurde Automatisch generiert. - Ihre EMail konnte nicht empfangen oder gesendet werden.
    Danke das Sie sich fuer uns entschieden haben.Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig!
    You notified us that you have forgotten your password.We have changed your password to a random sequence of letters and digits! For more detailed information, see the attached password file …
    Your eMail has occurred an unknown error on our Server.Please read your mail and check the text.The full email is attached!

    Attachment:(One of the following)
    Passw_Data[RANDOM DIGITS].zip
    PDaten[RANDOM DIGITS].zip

    Mail_Data[RANDOM DIGITS].zip
    Anleitung[RANDOM DIGITS].zip

    Alias:

    Email-Worm:W32/Sober.AA [F-Secure], W32/Sober-AD [Sophos], WORM_SOBER.AX [Trend Micro], W32.Sober.AA@mm [Symantec]

    Warezov.mp via ICQ

    We’ve received some reports that Warezov.mp (aka Stration) is now spreading via ICQ. We’ve identified two domains used by this variant, “auterfunmdasetion.com” and “buheradesunme.com”. We hope ICQ users will block these domains.

    The variant sends out links of the following form via ICQ:

    http://133.buheradesunme.com//166/
    http://2849.buheradesunme.com//166/
    http://4047.auterfunmdasetion.com//3660/

    Clicking one of these links downloads the file “flash.exe” or “pic.pif”.

    This variant is 88,919 bytes and packed with PE_Patch and UPack; its MD5 hash is ae8256ab7f4ef8c70889bf4be86dd969, and Kaspersky detects it as Email-Worm.Win32.Warezov.mp.

    Sandbox result:

    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\crypmapi.dll.
    * Creates file C:\WINDOWS\System32\crypmapi.exe.
    * Deletes file C:\WINDOWS\System32\crypmapi.exe.

    [ Changes to registry ]
    * Creates key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
    * Sets value “DllName”=”C:\WINDOWS\SYSTEM32\crypmapi.dll” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
    * Sets value “Startup”=”WlxStartupEvent” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
    * Sets value “Shutdown”=”WlxShutdownEvent” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
    * Sets value “Impersonate”=”" in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.
    * Sets value “Asynchronous”=”" in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypmapi”.

    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\crypmapi.dll (98,304 bytes) : no signature detection.

    New Warezov variant: Warezov.ls

    Half an hour ago, we received a new variant of Email-Worm.Win32.Warezov (aka Stration). Like the earlier variants, it downloads another variant of Warezov from “madesunjinkdieonrunhasde.com”. We advise everyone to block this domain.

    The email is similar to the earlier ones:

    Subject: Mail server report
    Body:
    Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service

    Attachment: Update-KB6031-x86.zip

    The attachment is 7,172 bytes and packed with PE_Patch and UPack; Kaspersky detects it as Email-Worm.Win32.Warezov.ls.

    Upon execution, it downloads another variant of Warezov from “madesunjinkdieonrunhasde.com”. That file is 78,631 bytes, also packed with PE_Patch and UPack, and Kaspersky detects it as Email-Worm.Win32.Warezov.ls as well.

    More Zhelatin.h Worm

    Since we received the first Email-Worm.Win32.Zhelatin.h on Jan. 28, we have received many variants of Email-Worm.Win32.Zhelatin.h over the last two days. The author of this worm updates it frequently to avoid detection by AV vendors. We advise everyone to keep their antivirus database up to date.

    At the time of writing, we have received samples with eight different MD5 hashes.


    Size: 50,634 bytes
    MD5: 4c4625ce1dc7853e1fe7e25f0dcc13bb
    Kaspersky: Email-Worm.Win32.Zhelatin.h

    Storm worm new variant

    Since last Friday, a new worm (aka trojan spam) has been spreading all over the world. Most AV vendors have declared an alert for this worm, and many variants of it have been found this week.

    Today we received a new variant of this worm. It also spreads as an email attachment. The new variant is 51,310 bytes, and Kaspersky detects it as Email-Worm.Win32.Zhelatin.d.

    Everyone should be careful of attachments with the following names:

    Flash Postcard.exe
    Greeting Postcard.exe
    Greeting Card.exe
    Postcard.exe
    flash postcard.exe
    greeting card.exe
    greeting postcard.exe
    postcard.exe

    Banwarum.l begins spreading

    At the time of writing, we notice that a new email worm is spreading in the wild. It is a new variant of Email-Worm.Win32.Banwarum (aka WORM_NUWAR). The subjects used in its e-mails closely resemble those of the storm worm, so we warn everyone to be careful of this new worm.

    We have received samples with four different MD5 hashes:

    bd9c3c57373f84e3e114238682f50a9a
    05dfbd4ffcaecc37d40aee4553c0ae74
    6f57feed43269616de6282fe441066c2
    7045fb1d7f01ce93e2ecd6c675b72954 (newly added)

    The email message has the following details:

    Subject:
    5 Reasons I Love You
    A Bouquet of Love
    A Day in Bed Coupon
    A Hug & Roses
    A Kiss for You
    A Kiss So Gentle
    A Little (sex) Card
    A Monkey Rose for You
    A Red Hot Kiss
    A Relaxing Coupon
    A Romantic Place
    A Song to You
    A Special Flower for You
    A Special Kiss
    A Sweet Love
    A Token of My Love
    A Weekend Getaway
    Against All Odds
    All For You
    All That Matters
    Angel of Love
    Awaiting Your Love
    Baby, I’ll Be There
    Back Together
    Between Us
    Bewitching Moonlight
    Brand New Love
    Breakfast in Bed Coupon
    Bubble Bath Coupon
    Can’t Wait to See You!
    Crazy way to say I Luv U
    Cuddle Me Please
    Cuddle Up
    Cyber Love
    Dancing With You
    Dinner Coupon
    Doing It for You
    Dream Date Coupon
    Dream Girl
    Emptiness Inside Me
    Eternity of Your Love
    Evening Romance
    Every Inch of Your Body
    Everyone Needs Someone
    Falling In Love with You
    Feeling Horny?
    Fields Of Love
    For Better of For Worse
    For You
    For You….My Love
    Forever and Ever
    Forever in Love
    From this day forward
    Full Heart
    Hand in Hand
    He Blessed Our Lives
    Heart is Breaking
    Heart of Mine
    Hey Cutie
    Hold Me (distant love)
    Hold On
    How Much I Love You
    Hugging My Pillow
    I Always Knew
    I am Complete
    I Am Lost In You
    I Believe
    I Can’t Function
    I Dream of you
    I Give to You
    I Love Thee
    I Love You Mower
    I Love You So
    I Love You Soo Much
    I Love You with All I Am
    I Still Love You
    I Think of You
    I Win with You
    I wish
    I Woof You
    I Would Do Anything
    I Would Give you Anything
    I’ll Be Your Man
    If I Could
    If I Knew
    In Love
    In My Heart
    Inside My Heart
    Internet Love
    It’s Your Move
    Just You
    Just You & Me
    Kiss Coupon
    Kisses, Hugs & Roses
    Last Night was Hot!
    Let’s Get Frisky
    Live With Me
    Longing for You
    Love at First Sight
    Love Birds
    Love for Granted
    Love is in the Air
    Love Remains
    Love You Deeply
    Made for Each Other
    Magic of Flowers
    Massage Coupon
    Memories
    Miracle of Love
    Moonlit Waterfall
    Most Beautiful Girl
    My Eye on You
    My Heart belongs to you
    My Heart is Thinking
    My Invitation
    My Love
    My Perfect Love
    Now and Forever
    Now I Know
    Old Together
    Only You
    Our Love
    Our Love Everyday
    Our Love is Free
    Our Love is Strong
    Our love is torn by miles
    Our Love Nest
    Our Love Will Last
    Our Two Hearts
    Our Wedding Day
    P.M.S
    Passionate Kiss
    Peek-A-Boo
    Pockets of Love
    Puppy Love
    Red Rose
    Romantic Picnic Coupon
    Rose for my Love
    Safe and Sound
    Safe With You
    Search for One
    Sending Kiss
    Sending You My Love
    Showers Of Love
    So in Love
    So Unique
    Solitary Beauty
    Someone at Last
    Soul Mates
    Soul Partners
    Steamy Dream
    Steamy Sex Coupon
    Summer Love
    Take My Hand
    Teddy Bear & Roses
    Tender Whispers
    Thanks…Love
    That Special Love
    The Candle’s Light
    The Dance of Love
    The Kiss
    The Letter
    The Long Haul
    The Love Bugs
    The Miracle of Love
    The Mood for Love
    The Sweet Taste of Love
    The Time for Love
    Thinking about you
    Thinking of You
    This Day Forward
    This Feeling
    Til the End of Time
    Till Morning’s Light
    Till Morninig’s Light
    Times Are Hard, I Luv U
    To New Spouse
    Together Again
    Together You and I
    Touched by Love
    True Love
    Trunk Full Of Love
    Twice Blest
    Twilight Paradise
    Two of a Kind
    Unique Love
    Unmatchable Beauty
    Until the Day
    Vacation Love
    Waiting for You
    Want to Meet?
    Want You to Know
    We Are Different
    We Have Walked
    We’re a Perfect Fit
    When I look at you
    When I’m With You
    When You Fall in Love
    Why I Love You
    Wild Nights–Wild Nights
    Will You?
    Window of Beauty
    Wine and Roses
    Wish I Could Tell You
    Wish Upon a Star
    With All My Love
    With All of My Heart
    With This Ring
    Without Your Love
    Won’t you dance with me
    Words I Write
    Worthy of You
    Wrapped in Your Arms
    Wrapped Up
    You + Me
    You and I
    You and I Forever
    You Are My Guiding Star
    You are out of this world
    You Asked Me Why
    You Brighten My Day
    You Lucky Duck!
    You Rock Me!
    You Were Worth the Wait
    You’re My Hero
    You’re so Far Away
    You’re Soo kissable
    You’re the One
    Your Love Has Opened
    Your Silly Smile

    Body: (blank)

    Attachment:
    Flash Postcard.exe
    Greeting Card.exe
    Greeting Postcard.exe
    Postcard.exe
    greeting_postcard.exe
    Greeting_Postcard.exe

    The worm is 50,634 bytes. Kaspersky detects it as Email-Worm.Win32.Banwarum.l; Trend Micro detects it as WORM_NUWAR.EL.

    Upon execution, this worm drops a copy of itself as “%System%\ALSYS.EXE”. It also drops a randomly named file, which is the Storm Worm file, in the folder from which this worm was initially executed.

    It creates the following registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    agent = "%System%\alsys.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    agent = "%System%\alsys.exe"

    This worm searches for .EXE and .SCR files on the affected system and inserts code into them so that the target files automatically execute a copy of this worm that bears the file name {Random}.T.

    An hour ago, we received a new variant. The size is 50,629 bytes, and Kaspersky cannot detect it yet.
    MD5 hash: 6eeac4605674b648af3f1ecdc56ffd7f
    Update Jan. 29: Kaspersky detects it as Email-Worm.Win32.Zhelatin.h
