The Zimuse Worm ~ A Hard Drive Killer

Wednesday, 3. February 2010 21:49

This one has been big in the news as of late and I received a few samples to play with. I have not seen any cases in the forums yet but I’m wondering if it’s because of the fact there are almost no indications of it running. This could be unfortunate because if it goes undetected for either 20 or 40 days, depending on the variant, it will overwrite the Master Boot Record on the system and render it unbootable.

The sample tested here is masked as an IQ Test. Since it is a worm it will spread via the usual ways such as removable drives and has also been reported embedded in legitimate websites as a self-extracting download. It was originally reported that the Malware was developed as a prank against a small community of bikers in Slovakia, but this Malware has spread into the wild and the US has reported the highest incident rate.

The sample tested here has a pretty solid detection rate.

Virus Total IQTest.exe sample results

Analysis

As stated earlier the Malware pretends to be an IQ Test. Upon execution of the sample the entire monitor screen will go black with what I assume is a Slovakian IQ Test?

A full reboot is necessary to fully launch the Malware.

System Analysis

The following files and folders are created:

C:\Program Files\Dump
C:\Program Files\Dump\Dump.exe
C:\WINDOWS\system32\ainf.inf
C:\WINDOWS\system32\mseus.exe
C:\WINDOWS\system32\tokset.dll
C:\WINDOWS\system32\drivers\Mseu.sys
C:\WINDOWS\system32\drivers\Mstart.sys

The following registry modifications are made:

Registry Keys created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService

Registry Values created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Dump = "%ProgramFiles%\Dump\Dump.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]

Symptoms of infection are essentially non-existent. No system slowdown, redirects, pop-ups, or any of the other usual indicators. The only indication is you will see the Mseus.exe process running in Windows Task Manager. So you say, what’s the problem? Well, the payload will hit in a matter of days (or weeks). Depending on the variant you will get a system message either after 20 or 40 days.

I was able to trigger this message by setting the clock ahead by 21 days. Clicking OK restarts the computer and on the next boot…

Ouch!!! An overwritten Master Boot Record is what produces this message, and an unbootable PC.
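
An added example, not code from the original post: a Python check that validates a 512-byte MBR image (boot signature and partition table) and compares it against a stored baseline hash, so a destroyed first sector like the one above is caught before the next reboot. The sample MBR bytes and the baseline are constructed here; reading the real sector needs raw access to the disk device.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # x86 boot code precedes the partition table
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_partition_table(mbr: bytes):
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: str):
    """Compare one MBR image against a previously recorded baseline hash.

    Returns the findings a monitoring job would alert on: bad length, missing
    0x55AA signature, hash drift from the baseline, empty partition table."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"ok": False, "findings": ["unexpected MBR length %d" % len(mbr)]}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr).hexdigest()
    if digest != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    if not parse_partition_table(mbr):
        findings.append("no partition entries present")
    return {"ok": not findings, "findings": findings, "sha256": digest}


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: placeholder boot code, one bootable NTFS-type
    (0x07) partition at LBA 2048 spanning 1,000,000 sectors, valid signature."""
    boot_code = b"\xeb\x3c" + b"\x90" * (BOOT_CODE_SIZE - 2)   # jmp stub + NOP filler
    part1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = part1 + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def demo():
    """Baseline the healthy sector, then re-check a zeroed first sector, which is
    what the wiped-MBR symptom above looks like on disk."""
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()
    wiped = b"\x00" * MBR_SIZE
    return check_mbr(good, baseline), check_mbr(wiped, baseline)


if __name__ == "__main__":
    for result in demo():
        print("OK" if result["ok"] else "ALERT", result["findings"])
```

On a live system the 512 bytes would be read from the raw device (for example \\.\PhysicalDrive0 on Windows) with administrative rights; the baseline hash should be recorded once the machine is known clean.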

Removal

I tried 2 tools that are “advertised” to remove this infection.

Bitdefender removal tool

Eset Zimuse remover

Neither tool was successful. The Bitdefender tool simply stalled the system and did nothing after several hours of running. The Eset tool ran but did not remove the infection.

I was able to remove it “manually” using specialized tools, but MalwareBytes Anti-Malware was able to remove most of it and disabled the active part of the infection, allowing the Bitdefender tool to run and finish the cleanup (which could also have been done manually). Like I usually advise, you should visit one of the free forums and get expert help to make sure you’re all clean.

As opposed to the early days of script kiddies writing prank viruses, most infections these days have some motive for their operation, usually profit. This one brings us back to those days in some ways as I see no motive (other than a “prank”) for its existence.

Category:Analysis | Comment (0)

Playing around with a Banker Trojan

Tuesday, 26. January 2010 22:44

I know what some of you might say….”why would you want to do that?” As the man said when asked why he climbed the mountain: “Because it was there”. My answer is, “because I can!”

Summary

The analysis done here is as usual within an isolated virtual machine. The sample was picked up from a poisoned web page.

File name: Downloads_P.com

Identified as Win32 Trojan Bancos (among many other names).

Virus Total Results – 17 of 41 scanners identified as Malware

Now, Bancos is not new (although this variant is) and there is information dating back to 2003 on this trojan.

Report from Symantec

The main goal of this Malware is to steal banking information such as login names, passwords, personal data, etc…

My goal with this analysis is to try and understand how this particular trojan actually captures the data from the compromised computer.

Analysis

Let’s take a look at what happens when the Malware installs.

When the Downloads_P.com file is run there is one window that pops up a few seconds later:

A simple click on Fechar (Portuguese for “Close”) and the window disappears. No other visible activity takes place.

System Activity:

There are well over 100 various modifications and additions to the registry, but the two main ones are here:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CBDC705-6B7E-4B0E-89BE-B55FC00D6C42}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machine Works, Inc.: "C:\WINDOWS\system32\aecces.exe"

The first is a malicious BHO (Browser Helper Object) that is installed. There is no file referenced by the BHO which makes me think something may have gone wrong here.

The second entry is a run key that restarts the Malware every time Windows reboots.

Four files are also created:

C:\WINDOWS\system32\aecces.exe
C:\WINDOWS\system32\flashdob.dll
C:\WINDOWS\Mstecf.dat
C:\WINDOWS\Oculs.log

Threat Expert Report

There are absolutely no symptoms of this trojan running on the PC. No redirects, pop-ups, or system slowdown. There is the one process, aecces.exe, that is running in task manager. It takes up only about 8k of memory and is not hogging any CPU cycles. One would never know it was running unless you were looking for it.

Network Activity:

27    62.407379000    192.168.1.7    192.168.1.1    DNS    Standard query A newvirtual200x01.rememberit.com.au
29    63.133198000    192.168.1.7    192.168.1.1    DNS    Standard query A google.com.br

The first entry is a DNS query for the domain newvirtual200x01.rememberit.com.au.

+++++++++++++++++++++

Now there are many ways that the Bancos Trojan captures the data from an infected system. There is a great writeup here from Kaspersky on the many ways Trojan Bancos works.

A quick summary:

  • Modifies hosts file to redirect to phishing sites
  • Uses a keylogger to capture data entered into logon forms
  • Uses screen capture to gather data
  • Sends data back to the attacker’s email or a remote server

In the case of our Malware here there was no modification of the hosts file. The means of capturing data here appears to be coming from the flashdob.dll file, which is identified as a password stealing trojan. There were no system re-directs to phishing sites so I assume the password stealer is capturing information from live transactions.
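
An added example, not from the original post or the Kaspersky writeup: a Python audit of the hosts file for the redirect technique listed above, flagging any monitored financial domain that has been pointed at a non-local address. The watch list and the sample hosts file contents are constructed for the example.

```python
import ipaddress

# Constructed watch list; a real deployment would list the institutions its
# users actually bank with.
MONITORED_DOMAINS = {"examplebank.com", "example-creditunion.org"}
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for each mapping, skipping comments and junk."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first token is not an address, so not a usable mapping
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), n


def is_monitored(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)


def audit_hosts(text: str):
    """Return alerts for hosts entries that reroute traffic away from where DNS
    would send it: monitored financial domains are 'high', anything else
    mapped to a non-local address is 'review'."""
    alerts = []
    for ip, host, n in parse_hosts(text):
        if ip in LOCAL_ADDRESSES:
            continue
        severity = "high" if is_monitored(host) else "review"
        alerts.append({"line": n, "host": host, "ip": ip, "severity": severity})
    return alerts


# Constructed sample hosts file: a LAN printer entry (legitimate) and two bank
# hostnames pointed at the same remote address (the phishing-redirect pattern).
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.50    printer.lan
203.0.113.10    www.examplebank.com
203.0.113.10    login.examplebank.com   # same remote host for both logins
"""


def demo():
    return audit_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    for a in demo():
        print("%-6s line %d: %s -> %s" % (a["severity"], a["line"], a["host"], a["ip"]))
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts.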

+++++++++++++++++++++

MalwareBytes’ Anti-Malware does a nice job of cleaning this variant up. But often Malware comes with other friends and there may be more, so visiting one of the free help forums with the appropriate logs is a good idea.

Also critical here is that if you have been infected with this you need to contact all of your banks, credit card companies, and any other financial institutions that you make online transactions with. Make sure not to do this from the infected computer. Read here for more information.

Internet Security 2010

Wednesday, 6. January 2010 15:17

Introduction:

Just picked up a downloader trojan for Internet Security 2010 rogue from a fellow researcher. This is a fairly new variant that is only picked up by 5 out of the 41 scanners at Virus Total as Malware. Analysis here was done in a virtual machine as the file is not VM aware.

Note that while the Malware tested here is very similar to the report and removal instructions by Grinler at Bleeping Computer, this is a new variant and the removal instructions given there will not work as of this writing (I’m sure MBAM will be updated to deal with this soon though).

Technical Analysis:

Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you’re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).

Static Analysis:

File Name: winlogon32.exe

Virus Total Results

Threat Expert Report

Anubis Report

Dynamic Analysis:

Upon execution of the sample the system almost immediately generates this dialog window:

[Image: ISFirstScreen]

After dismissing the screen the main Internet Security 2010 window appeared.

[Image: InternetSecurityMain]

The typical onslaught of system tray nags and pop-ups then ensues.

[Images: ISsystemtray, ISsystemtray2]

[Image: ISsystemtrayupdate]

[Image: Alert]

[...]

Bagle Analysis

Tuesday, 10. November 2009 16:40

Bagle Malware appears to be making a comeback lately. Not as much in the US but more so in Europe, although that’s subject to change as it can spread fast.

Bagle is not necessarily new, although new variants are constantly being developed, usually nastier with each version. This new version is absolutely nasty. Some symptoms of the infection are the browser closing, system lags, system security and security tool (such as AntiVirus and Firewall) functions disabled, and the inability to run most any security tools.

Technical Analysis:

Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you’re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).

Static Analysis:

On the date that the sample was captured I ran it by Virus Total and almost 60% of the scanners identified it as Malware. Not bad, but not great either and I’m sure that will get better with time.

Virus Total Results

The sample I tested was packed with Themida, which is a commercial grade packer. This pretty much rules out any real static analysis with my limited unpacking skills at this point. Note that the packing is used to help avoid detection and prevent this type of analysis.

Dynamic Analysis:

Here is where the fun begins for me…

I was able to get this sample to run in VMWare which is nice for analysis.

Upon execution of the sample the system pauses for a few seconds then generates this window:

[Image: bagle first window]

Well, I don’t know what that means but I know what OK! means. So I proceed with that and see this next:

[Image: bagle second window]

It looks like some kind of Windows logon screen or something. Well again….OK is good for me.

After that not much happened and I was wondering if it had really run in the VM. I tried to run some basic system analysis with HijackThis and a rootkit scan with GMER and neither would run. Soon after, the system rebooted by itself. At this point I was pretty confident that the Malware took to the VM.

Looking at the file/folder/registry modifications with InstallWatch and RegShot showed several folders and registry entries created, very similar to the report from Threat Expert.

Threat Expert Report

As we can see there is quite a bit of activity, and this is starting to look like some nasty stuff, but more will be revealed…

After reboot I tried HijackThis and GMER again (without success). I also tried running MalwareBytes and that would not go.

I was able to get both OldTimer’s OTL and sUBs’ DDS tools to run, and they showed some interesting entries (definitely Malware).

OTL:
Processes:
PRC - [2009/11/10 14:05:13 | 00,899,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\downld\62359.exe
Driver Services:
DRV - [2009/11/10 14:04:59 | 00,119,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys -- (srosa)
Pseudo HJT:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

DDS showed the same process, run key, and driver that OTL did.

Now, making sure that hidden files are showing in XP, I looked for those files and registry entries but none of them were visible. The only thing I could see was a file called srosa2.sys in the drivers folder.

Now, we can pretty much deduce from these findings that there is no doubt a well-planted rootkit running here. The presence of srosa (which is a well known rootkit) and the fact that we cannot see anything with the normal Windows tools confirms this.

So since we cannot run my favorite rootkit tool, GMER, we’ll try some others. I tried running SysProt ARK but had no success there. Next I tried RootRepeal and it was able to run.

Hidden/Locked Files
-------------------
Path: C:\Program Files\Movie Maker\Shared
Status: Invisible to the Windows API!

Path: c:\windows\system32\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2060288)

Path: C:\WINDOWS\ime\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\downld
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\000058cb\autorun.inf
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
PID: 236    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
PID: 472    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
PID: 1376    Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys
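
An added example, not part of the original post or of RootRepeal: the cross-view comparison behind the report above, in Python. Two views of the same file system and process list are compared; anything present only in the raw view is reported as hidden, and a size disagreement as an allocation mismatch. The views here are constructed from the paths and PIDs reported above (extra sizes and PIDs are made up); a real tool obtains the raw file view by parsing on-disk structures and the raw process view by walking kernel structures, which this example does not do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    size: int  # allocation size in bytes


def compare_file_views(api_view, raw_view):
    """Cross-view check. api_view: what file enumeration through the Windows API
    reports. raw_view: what a parse of the on-disk structures finds. Anything
    only in the raw view is hidden; size disagreement is an allocation mismatch."""
    api = {r.path.lower(): r for r in api_view}
    findings = []
    for rec in raw_view:
        seen = api.get(rec.path.lower())
        if seen is None:
            findings.append((rec.path, "Invisible to the Windows API!"))
        elif seen.size != rec.size:
            findings.append((rec.path, "Allocation size mismatch (API: %d, Raw: %d)"
                             % (seen.size, rec.size)))
    return findings


def compare_process_views(api_pids, raw_pids):
    """api_pids/raw_pids: {pid: image_path}. PIDs present in the kernel-side walk
    but missing from the enumeration API are hidden processes."""
    return [(pid, raw_pids[pid], "Hidden from the Windows API!")
            for pid in sorted(raw_pids) if pid not in api_pids]


# Constructed views. ntkrnlpa.exe sizes and the hidden paths/PIDs come from the
# report above; the other sizes and PIDs are made-up filler.
APPDATA = r"C:\Documents and Settings\Administrator\Application Data"
API_FILES = [
    FileRecord(r"c:\windows\system32\ntkrnlpa.exe", 24576),
    FileRecord(r"C:\WINDOWS\system32\drivers\srosa2.sys", 4096),
]
RAW_FILES = [
    FileRecord(r"c:\windows\system32\ntkrnlpa.exe", 2060288),
    FileRecord(r"C:\WINDOWS\system32\drivers\srosa2.sys", 4096),
    FileRecord(APPDATA + r"\hidires\flec003.exe", 65536),
    FileRecord(APPDATA + r"\drivers\wfsintwq.sys", 119188),
]
API_PROCS = {4: "System", 600: r"C:\WINDOWS\explorer.exe"}
RAW_PROCS = {**API_PROCS,
             236: APPDATA + r"\hidires\flec003.exe",
             472: APPDATA + r"\drivers\winupgro.exe"}


def demo():
    return compare_file_views(API_FILES, RAW_FILES), compare_process_views(API_PROCS, RAW_PROCS)


if __name__ == "__main__":
    files, procs = demo()
    for path, status in files:
        print("Path: %s\nStatus: %s\n" % (path, status))
    for pid, path, status in procs:
        print("Path: %s\nPID: %d    Status: %s\n" % (path, pid, status))
```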

I tried removing the hidden service, sr.sys, but RR would not do it. I then was able to wipe several of the hidden files and was subsequently able to run GMER. To try and bring some brevity to an already way too long post I’m not going to show everything GMER found (which was a lot!). Here is a summary:

It confirmed the Malware we have already seen with the other tools, but it found much more.

In this hidden folder:
C:\Documents and Settings\Administrator\Application Data\drivers\downld\
There were about 30 files with names similar to the following, 311109.exe, all random numbers.

Then the real find and the main goal of this Malware:
C:\Documents and Settings\Administrator\Application Data\hidires\WDIR\000-484 – Enterprise Connectivity with J2EE Practice Exam Questions 1.0 (KeyGen).zip
C:\Documents and Settings\Administrator\Application Data\m\shared\12Ghosts Timer 9.0.52.5740.zip

There were about 100 zip archived files in each of the WDIR and shared hidden folders. These are not keygen files or game files like they are all labeled. Analysis showed that in each of those archives the same Bagle dropper is packed up and ready for someone to download and infect themselves. So you’re saying, how are they going to get them off my PC? Well, this entry:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

Starts up an eMule P2P host right off your machine every time it starts. Yes, as my kids say, you and your PC have been Pwnd. Your PC is serving up Malware to the world.
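
An added example, not code from the original post: a Python scan over a set of zip archives that hashes the executables inside each one and reports any single executable that turns up under many different bait names, which is the seeding pattern found in the WDIR and shared folders above. The archives and the stand-in "dropper" bytes are constructed in memory; nothing here is a real binary.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def executable_hashes(archive_bytes: bytes):
    """Return {member_name: sha256} for each member that looks like a PE file
    (MZ header) or is named like one. Corrupt zips and encrypted members are skipped."""
    out = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return out
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                data = zf.read(info)
            except RuntimeError:   # password-protected member
                continue
            if data[:2] == b"MZ" or info.filename.lower().endswith(".exe"):
                out[info.filename] = hashlib.sha256(data).hexdigest()
    return out


def find_shared_payloads(archives, min_archives=3):
    """Group archives by the executables they carry. One executable hash shared by
    many differently named 'keygen'/'crack' archives is the pattern described
    above; returns {sha256: sorted archive names}."""
    by_hash = defaultdict(set)
    for name, blob in archives.items():
        for digest in executable_hashes(blob).values():
            by_hash[digest].add(name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) >= min_archives}


def make_zip(member_name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


# Constructed sample set: a stand-in 'dropper' (MZ header plus filler, not a
# real program) packed under several bait names, one archive with a different
# executable, and one with no executable at all.
FAKE_DROPPER = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not a real program"
FAKE_OTHER = b"MZ" + b"\x00" * 62 + b"a different constructed executable"
SAMPLE_ARCHIVES = {
    "Practice Exam Questions 1.0 (KeyGen).zip": make_zip("keygen.exe", FAKE_DROPPER),
    "12Ghosts Timer 9.0.52.5740.zip": make_zip("setup.exe", FAKE_DROPPER),
    "Some Game (Crack).zip": make_zip("crack.exe", FAKE_DROPPER),
    "other-tool.zip": make_zip("tool.exe", FAKE_OTHER),
    "readme-only.zip": make_zip("readme.txt", b"no executables here"),
}


def demo():
    return find_shared_payloads(SAMPLE_ARCHIVES)


if __name__ == "__main__":
    for digest, names in demo().items():
        print(digest[:16], "seen in", len(names), "archives:", names)
```

To run it against a real share folder, build the dictionary from the .zip files on disk and compare any repeated hash against your AV vendor's detections.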

The scary thing with this Malware is the only real indication of its presence is that it slows down system performance (those CPU cycles are busy serving up Malware). There are no pop-ups or redirects, and your security software has been disabled so it knows nothing. Your browser will shut down if you try to surf to any security sites, and many tools won’t run. So if you have these symptoms I would suggest getting help.

It is possible to remove this Malware. But again, unless you really know what you’re doing I would suggest heading over to the forums and posting the required logs so an expert can take a look.

Sorry for such a long post here, but I left a lot out, trust me. This one was also real fun to play with and analyze. I hope this provides some insight into how this stuff spreads itself around. Also it should alert you to the dangers of P2P file sharing.

IObit using blackhat SEO to promote product

Thursday, 5. November 2009 16:02

WARNING: The material presented here may be offensive to some readers. It relates to the promotion of online porn and other questionable practices. If you are not comfortable with it then please surf away from here.

In follow up discussions and investigations of IObit, it has been discovered that part of their marketing plan is to use questionable search terms to drive traffic to their sites and products. NOTE: This has nothing to do with the alleged theft of intellectual property by IObit.

I have issues with at least 2 pages that they are currently hosting (note that I made sure the links below are not “clickable” and would need to be copy and pasted into your browser if you want to see them, just so it doesn’t happen by accident).

http://www.iobit.com/porn-games.html

http://www.iobit.com/naruto-hentai.html

While these pages do not explicitly host porn, they are promoting their products by directing users from those pages back to the main IObit pages. Note also that it has been proven that these pages have been up for some time now, long before the property theft scandal, and they have not been hacked.

Searching Google on very (I would assume) common terms used for folks who search on this stuff such as “hentai porn” or “porn games”, puts these pages in the top 10 or 20 rankings. Not bad, if you’re IObit. That will direct a lot of people your way, using very questionable methods.

Another product they are promoting, P2PTurbo, claims to greatly enhance and speed up peer-to-peer client performance. Now again, not illegal, but highly questionable.

Here is why I state that. Both online porn and P2P use are probably the number 1 and 2 ways that users get infected with Malware in the first place. I see it every day in helping folks in the forums. Many have P2P clients installed and admit to using them. And while I have no direct proof on porn I think we can all agree that the practice, while not illegal, is questionable. Tech note: If you ever want to get yourself infected (and I’m not suggesting or promoting this), fire up your favorite search engine, search on some porn keywords, click some links, and in no time you will have the opportunity to pick up some great, fresh Malware.

As far as I know, IObit has not even responded to questions on these tactics and the pages are still live as of today. In the main discussion thread at IObit I have asked that they be pulled and have adamantly voiced my opinion. The mods and the supporters have been patient and very active in this thread, but as far as I can tell no official representation from IObit has been made. Even some of its most emphatic supporters are losing patience and showing less support.

IObit accusation thread (warning, 33 pages of posts in 3 days).

Things just keep getting worse for IObit. MalwareBytes may have shoveled a bit of a hole for them, but they had already brought the heavy equipment and put in the foundation.
