One of the previous DHL scam campaigns propagated a downloader in a zipped attachment named DHL_label_NR1156.exe.
Collected Name: DHL_label_NR1156.exe
SIZE: 41984 bytes
MD5: f71d48a86776f8c0da4d7a46257ff97c
After execution, the malware copies itself into the %system% folder as incognito.exe.
The downloader then fetches two binaries, exe0.exe and dll.dll, and installs them on the system.
Collected Name: exe0.exe
SIZE: 33280 bytes
MD5: c0ed88ccdc920a951f750c53b21996a1
Packer: Thinstall
This binary is copied to the %system% folder as smss32.exe and executed.
After execution, the wallpaper is changed to the image shown in the figure below:
Because the malware sets the following registry policy values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetActiveDesktop
the user is prevented from changing the wallpaper back, as shown in the next figure:
After a while, a message pops up warning the user of an infection:
While running, the malware checks that smss32.exe is present in “C:\Windows\system32” and adds registry entries so that the file is executed at startup and at logon. The excerpts below show the registry changes made by the malware.
The logon change causes an alert to be shown when userinit.exe is executed. The alert message displayed before Windows starts is:
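The following PowerShell triage script is an added example, not code from the original post or from AVG. It checks a Windows host for the artifacts this analysis lists: the dropped files in %system% (incognito.exe, smss32.exe, helper32.dll), the four wallpaper policy values, and a reference to smss32.exe in the usual startup/logon locations. The file hashes are taken from the post (the copy of the downloader keeps the MD5 of DHL_label_NR1156.exe, smss32.exe is exe0.exe renamed). The Winlogon Userinit value and the Run keys are an assumption about where the "init and logon" entries live, since the post's registry excerpts are not reproduced here.

```powershell
# Added triage script: reports artifacts described in the DHL_label_NR1156.exe analysis.
# Read-only; it does not remove anything.
$findings = @()

# 1. Dropped files in %SystemRoot%\system32, with the MD5 values given in the post.
#    helper32.dll (dll.dll renamed) has no published hash, so only its presence is reported.
$knownMd5 = @{
    'incognito.exe' = 'f71d48a86776f8c0da4d7a46257ff97c'   # downloader copies itself
    'smss32.exe'    = 'c0ed88ccdc920a951f750c53b21996a1'   # exe0.exe renamed
    'helper32.dll'  = $null
}
$sys32 = Join-Path $env:SystemRoot 'system32'
$md5   = [System.Security.Cryptography.MD5]::Create()
foreach ($name in $knownMd5.Keys) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }
    $hash = ([System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($path)))).Replace('-', '').ToLower()
    $match = if ($knownMd5[$name] -eq $null) { 'no reference hash' }
             elseif ($hash -eq $knownMd5[$name]) { 'matches sample' } else { 'hash differs' }
    $findings += "File present: $path  MD5=$hash ($match)"
}

# 2. Policy values the post says the malware sets to lock the wallpaper.
$policyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoSetActiveDesktop' }
)
foreach ($p in $policyValues) {
    if (-not (Test-Path $p.Key)) { continue }
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($p.Name) -ne 0) {
        $findings += "Policy set: $($p.Key)\$($p.Name) = $($item.($p.Name))"
    }
}

# 3. Startup/logon persistence (assumed locations: Winlogon Userinit and the Run keys).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -and $userinit -match 'smss32\.exe') {
    $findings += "Winlogon Userinit references smss32.exe: $userinit"
}
foreach ($runKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'smss32\.exe|incognito\.exe') {
            $findings += "Run entry: $runKey\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. A running smss32.exe (note the lookalike name; the legitimate process is smss.exe).
foreach ($proc in Get-Process -Name smss32 -ErrorAction SilentlyContinue) {
    $findings += "Process running: smss32.exe (PID $($proc.Id))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this analysis were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt so the HKLM values and other users' processes are readable; a non-zero policy value or a Userinit string that names anything besides the system's own userinit.exe is worth investigating even if the file hashes differ from the sample analysed here.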
If the user tries to open Windows applications such as calc.exe, cmd.exe or Microsoft Word, they quit unexpectedly with the following message, indicating a loss of functionality:
The full list of affected applications follows:
"calc.exe"
"notepad.exe"
"control.exe"
"WINWORD.exe"
"WinRAR.exe"
"winmine.exe"
"vmware.exe"
"uTorrent.exe"
"notepad.exe"
"msconfig.exe"
"thebat.exe"
"taskmgr.exe"
"spider.exe"
"sol.exe"
"sndvol32.exe"
"Skype.exe"
"wupdmgr.exe"
"GoogleEarth.exe"
"chrome.exe"
"MsnMsgr.Exe"
"EXCEL.exe"
"WINWORD.exe"
"word.exe"
"POWERPOI.exe"
"RealPlayer.exe"
"skypePM.exe"
"regedit.exe"
"RegCloneCD.exe"
"RecordingManager.exe"
"POWERPNT.exe"
"PokerStars.exe"
"pinball.exe"
"Photoshop.exe"
"OUTLOOK.exe"
"OIS.exe"
"nfs.exe"
"NeroExpressPortable.exe"
"Nero.exe"
"MSWorks.exe"
"mspaint.exe"
"msmsgs.exe"
"msimn.exe"
"mshearts.exe"
"mplayer2.exe"
"mplay32.exe"
"moviemk.exe"
"miranda32.exe"
"Illustrator.exe"
"Icq.exe"
"hrtzzm.exe"
"GOM.exe"
"FullTiltPoker.exe"
"freecell.exe"
"shvlzm.exe"
"RWipeRun.exe"
"RwcRun.exe"
"PowerDVD.exe"
"LA.exe"
"setup_wm.exe"
"winamp.exe"
"windvd.exe"
"realplay.exe"
"WindowsAnytimeUpgradeUI.exe"
"sidebar.exe"
"tvp.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"digitaleditions.exe"
"cmd.exe"
"CloneCD.exe"
"rstrui.exe"
"AcroRd32.exe"
"wmplayer.exe"
"mplayerc.exe"
"AdvancedDVDPlayer.exe"
"QuickTimePlayer.exe"
"userinit.exe"
If no running process matches the malware's list, an error occurs:
After the error message, this malware sample tries to execute two binaries in sequence: IS2010.exe and then IS15.exe.
IS15.exe creates links to a fake antivirus (Internet Security 2010). Its homepage was used to host binaries needed by this malware and also carried advertisements for buying the fake antivirus. The main homepage is shown below:
If a user clicks the “Download now!” button, a form asks for personal information as well as credit card details.
The main DLL used was helper32.dll, which is the downloaded file dll.dll renamed by the malware.
The DLL component works as a network wrapper: it filters certain URLs and redirects the user to an alert about an infection on the machine, with a link to the fake antivirus.
This malware targets the following browsers:
Firefox
Internet Explorer
Flock
Opera
Safari
Below is the list of sites blocked by the malware:
facebook.com
youtube.com
myspace.com
live.com
craigslist.org
wikipedia.org
ebay.com
blogger.com
amazon.com
twitter.com
go.com
bing.com
flickr.com
wordpress.com
photobucket.com
weather.com
nytimes.com
pornhub.com
mapquest.com
foxnews.com
hulu.com
livejasmin.com
youporn.com
digg.com
adultfriendfinder.com
mywebsearch.com
rapidshare.com
redtube.com
ask.com
tube8.com
linkedin.com
thepiratebay.org
xvideos.com
godaddy.com
mozilla.com
guardian.co.uk
imageshack.us
livejournal.com
washingtonpost.com
monster.com
bbc.co.uk
bebo.com
When the victim tries to access one of those sites, an alert is shown on an HTML page instead of the requested one:
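Since the URL filtering is done by helper32.dll acting as a wrapper inside the browser, the quickest confirmation on a suspect host is to look for that module in the browser processes the post names. The script below is an added example, not code from the original post or from AVG; the process names (firefox, iexplore, flock, opera, safari) are assumptions about each browser's executable name, and the list of checked processes falls back to all processes if none of those are running.

```powershell
# Added check: which processes have the post's helper32.dll (dll.dll renamed) loaded?
$browserNames = 'firefox', 'iexplore', 'flock', 'opera', 'safari'   # assumed executable names
$targetModule = 'helper32.dll'

$procs = @(Get-Process -Name $browserNames -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    # No named browser running: fall back to every process we can inspect.
    $procs = @(Get-Process)
}

$hits = @()
foreach ($proc in $procs) {
    try {
        # .Modules throws for protected or other-user processes; skip those.
        $loaded = $proc.Modules | Where-Object { $_.ModuleName -eq $targetModule }
    } catch {
        continue
    }
    foreach ($m in $loaded) {
        $hits += "$($proc.ProcessName) (PID $($proc.Id)) has $($m.FileName) loaded"
    }
}

if ($hits.Count -eq 0) {
    Write-Output "$targetModule not found in $($procs.Count) inspected process(es)."
} else {
    $hits | ForEach-Object { Write-Output $_ }
}
```

A hit here, together with a redirect to an "infection" page when visiting one of the sites listed above, matches the behaviour described in this analysis; the module path reported is the file to collect for further examination.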
AVG detects all malware samples mentioned in this analysis.
(Thanx to Diego Bassani de Souza)



I've already had to clean two computers infected with 'Antivir Solution Pro' virus. Both were protected with AVG free 8.5. How is this possible, and is a fix in the near future?
Thanks.
Posted by: Roy Hansen | August 03, 2010 at 00:48
I too was infected by Antivir Solution Pro even though I have AVG Anti-Virus 9.0. I had to use another computer to get the info on how to remove it because I was unable to do anything with my computer. I restarted the computer in safe mode with networking and downloaded the RKILL tool to stop the rogue scanner. I then went back and started the computer in normal mode. Antivir was still on it but I just applied the RKILL several times and then ran AVG scan. It seems to have worked but I wonder how this virus was allowed to get through my AVG anti-virus program.
Posted by: cisco | August 11, 2010 at 17:44