New Trojan Being Seeded
Last night I suddenly started to receive some very odd e-mails, which frankly absolutely reeked of being malware, but NONE of the 14 virus scanners I had available detected anything suspicious! Not a good sign.
Here is an example of the e-mail:
Subject: Important notice for user xxx@xxx.xxx
From: "Support" xxx@pxxxxxx.xxx
Message-Id: 1ipBgH7ZN5.IaKxl@v
Reply-To: xxx@pxxxxxx.xxx

Dear user of [domain]

Your account has been used to send a large amount of spam messages during
the recent week. Most likely your computer had been infected by a recent
virus and now runs a trojaned proxy server. We recommend that you run in attach free spyware remover
software to keep your computer safe.

Password to archive: 7831
License key: 15-5-2795

Best regards,
The [domain] team

Attachment: SpyKiller.zip
As you may have noticed, the attachment is a ZIP file, password-protected with the password 7831.
The attachment and text would lead you to believe that you are infected and that you should run the attached FREE tool to fix the problem [yeah right, like I’m going to do that!].
So, I extracted the file from the ZIP. The extracted file is called SpyKiller.exe; I scanned it again with the 14 up-to-date scanners and still not one of them detected anything suspicious. So, at 19:29 on the 19th of January I dutifully sent it off to the AV companies for analysis [as I usually do with suspicious files].
Below are more details on the ZIP and the extracted EXE file:
FileName: SpyKiller.zip
FileDateTime: 19/01/2005 19:10:31
Filesize: 9852
MD5: 826856f2d2f7c0e3849391176bddfec5
CRC32: 4EF3957E
File Type: ZIP Archive File

FileName: SpyKiller.exe
FileDateTime: 20/01/2005 02:13:54
Filesize: 10133
MD5: f2d29276bf087e9fc4993eae109c19d8
CRC32: B3D23EC4
File Type: PE Executable
Packer: FSG
And to detect it until the anti-virus firms got round to it I created the following Snort signature, which will detect the incoming infected e-mails:
# The content string is a run of the base64-encoded attachment as it appears in the
# MIME body, so the rule fires only on this exact byte stream with the same base64
# line wrapping (a repacked or re-encoded variant will not match), and only where the
# mail crosses the wire unencrypted. Ports are left as "any"; restricting to SMTP (25)
# would cut the cost of the content search. A sid is mandatory in current Snort;
# 1000001 below is a local-rule placeholder, pick your own.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Troj/Lohav-Q [SOPHOS] - MIME"; content:"CyXouhfNUeJ9i3t0N7k993sVScEjojNh78DVeU12dvLEjLHRNqIW5YI+EE5yLSFMEAXw3icA5xh2"; classtype:misc-activity; sid:1000001; rev:1;)
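As an added worked example (not part of the original post, and not anything Sophos supplied): a mail-gateway triage script in Python that does what the scanners above could not. It decodes each MIME attachment, hashes it against the two MD5s published above, and flags any ZIP whose entries have the encryption bit set, because a password-protected archive is precisely what stops a gateway scanner looking inside (which is why the lure helpfully supplies the password in the body). The message and archive it operates on are constructed for the example, so their hashes will not match the real SpyKiller.zip; the addresses and MIME boundary are placeholders.

```python
"""Mail-gateway triage for the SpyKiller.zip lure. Added example, not from the
original post. The sample message and ZIP below are constructed fixtures; the
real SpyKiller.zip is not included, so its published MD5 will not match here."""
import base64
import hashlib
import io
import zipfile
from email import message_from_bytes

# IOCs taken from the post above (MD5 of the ZIP and of the extracted EXE).
KNOWN_BAD_MD5 = {
    "826856f2d2f7c0e3849391176bddfec5": "SpyKiller.zip (Troj/Lohav-Q dropper)",
    "f2d29276bf087e9fc4993eae109c19d8": "SpyKiller.exe (Troj/Lohav-Q)",
}


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry's general-purpose flag has bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list:
    """Return one finding dict per attachment found in a raw RFC 822 message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        md5 = hashlib.md5(payload).hexdigest()
        encrypted_zip = payload[:2] == b"PK" and zip_has_encrypted_entries(payload)
        findings.append({
            "filename": filename,
            "md5": md5,
            "known_bad": KNOWN_BAD_MD5.get(md5),
            "encrypted_zip": encrypted_zip,
            "verdict": "block" if (md5 in KNOWN_BAD_MD5 or encrypted_zip) else "allow",
        })
    return findings


def build_encrypted_zip_sample() -> bytes:
    """Constructed fixture: a one-entry ZIP with the encryption flag set so it
    looks password-protected. zipfile cannot write encrypted entries, so the
    flag is patched in by hand (local header offset 6, central directory offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("SpyKiller.exe", b"MZ" + b"\x00" * 62)  # fake PE stub, not malware
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1
    data[data.find(b"PK\x01\x02") + 8] |= 1
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed copy of the lure mail with the fixture ZIP attached."""
    attachment = base64.encodebytes(build_encrypted_zip_sample()).decode()
    return (
        'From: "Support" <support@example.invalid>\r\n'
        "To: user@example.invalid\r\n"
        "Subject: Important notice for user user@example.invalid\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\n"
        "Your account has been used to send a large amount of spam messages.\r\n"
        "Password to archive: 7831\r\n"
        '--b1\r\nContent-Type: application/zip; name="SpyKiller.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="SpyKiller.zip"\r\n\r\n'
        f"{attachment}--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run as-is it prints one finding per attachment. The hash check catches only the exact sample on this page; the encrypted-ZIP check catches the next variant with a different hash as well, which is the point of having both.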
A Result!
At 13:00 today [20th January] I finally received a response from ONE of the anti-virus companies confirming my suspicions, thanks go to Sophos for having the courtesy to respond and give me useful data.
Below is the data they supplied [please check their site for latest details]:
The file spykiller.exe that you sent to us for analysis was a Trojan, Troj/Lohav-Q, that also downloads the Trojan, Troj/Padodor-U. There are descriptions below.
Troj/Lohav-Q is a backdoor proxy Trojan.
Troj/Lohav-Q may arrive with a filename of SPYKILLER.EXE as part of an email, with the subject “Important notice for user [user@domain]” and body text:
Dear user of [domain]
Your account has been used to send a large amount of spam messages during the recent week. Most likely your computer had been infected by a recent virus and now runs a trojaned proxy server.
We recommend that you run in attach free spyware remover software to keep your computer safe.
Password to archive: [password]
License key: [key]
Best regards,
The [domain] team
Troj/Lohav-Q will attempt to download and run an executable file detected as Troj/Padodor-U.
When first run, Troj/Lohav-Q will copy itself to the Windows system folder as WINHOST.EXE. In order to run automatically each time a user logs in, Troj/Lohav-Q will set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    winhost.exe = %SYSTEM%\winhost.exe
Troj/Lohav-Q will also set the following registry entries:
HKCU\Software\Timeout
    uid  = [number]
    port = [listening port number in hexadecimal]
    pid  = [process identity number]
where the default listening port number is 9010.
Periodically, Troj/Lohav-Q will contact a number of websites in order to register the computer as being infected.
Troj/Lohav-Q can be used to route internet traffic from other computers via the proxy component and can be used to forward spam email.
Troj/Lohav-Q will attempt to terminate the following security-related processes:
AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE,
APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE,
ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE,
AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE,
AVprotect9x.exe, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE,
BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE,
BIPCPEVALSETUP.EXE,
BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE,
CDP.EXE, CFGWIZ.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIADMIN.EXE, CFIAUDIT.EXE,
CFIAUDIT.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET.EXE, CFINET32.EXE,
CFINET32.EXE, CLEAN.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER.EXE, CLEANER3.EXE,
CLEANPC.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMGRDIAN.EXE, CMON016.EXE,
CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE,
CWNTDWMO.EXE, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE,
DRWATSON.EXE,
DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE,
EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE,
FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE,
FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, GUARDDOG.EXE,
HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMAPP.EXE,
IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE,
ICSUPP95.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE,
IRIS.EXE,
JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE, KERIO-PF-213-EN-WIN.EXE,
KERIO-WRL-421-EN-WIN.EXE, KERIO-WRP-421-EN-WIN.EXE,
KILLPROCESSSETUP161.EXE,
LDPRO.EXE, LOCALNET.EXE, LOCKDOWN.EXE, LOCKDOWN2000.EXE, LSETUP.EXE,
LUALL.EXE, LUCOMSERVER.EXE, LUINIT.EXE, MCAGENT.EXE, MCUPDATE.EXE,
MCUPDATE.EXE, MFW2EN.EXE, MFWENG3.02D30.EXE, MGUI.EXE, MINILOG.EXE,
MOOLIVE.EXE, MRFLUX.EXE, MSCONFIG.EXE, MSINFO32.EXE, MSSMMC32.EXE,
MU0311AD.EXE, NAV80TRY.EXE, NAVAPW32.EXE, NAVDX.EXE, NAVSTUB.EXE,
NAVW32.EXE,
NC2000.EXE, NCINST4.EXE, NDD32.EXE, NEOMONITOR.EXE, NETARMOR.EXE,
NETINFO.EXE, NETMON.EXE, NETSCANPRO.EXE, NETSPYHUNTER-1.2.EXE, NETSTAT.EXE,
NISSERV.EXE, NISUM.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE,
NPF40_TW_98_NT_ME_2K.EXE, NPFMESSENGER.EXE, NPROTECT.EXE, NSCHED32.EXE,
NTVDM.EXE, NUPGRADE.EXE, NVARCH16.EXE, NWINST4.EXE, NWTOOL16.EXE,
OSTRONET.EXE, OUTPOST.EXE, OUTPOSTINSTALL.EXE, OUTPOSTPROINSTALL.EXE,
PADMIN.EXE, PANIXK.EXE, PAVPROXY.EXE, PCC2002S902.EXE, PCC2K_76_1436.EXE,
PCCIOMON.EXE, PCDSETUP.EXE, PCFWALLICON.EXE, PCFWALLICON.EXE,
PCIP10117_0.EXE, PDSETUP.EXE, PERISCOPE.EXE, PERSFW.EXE, PF2.EXE,
PFWADMIN.EXE, PINGSCAN.EXE, PLATIN.EXE, POPROXY.EXE, POPSCAN.EXE,
PORTDETECTIVE.EXE, PPINUPDT.EXE, PPTBC.EXE, PPVSTOP.EXE,
PROCEXPLORERV1.0.EXE, PROPORT.EXE, PROTECTX.EXE, PSPF.EXE, PURGE.EXE,
PVIEW95.EXE, QCONSOLE.EXE, QSERVER.EXE, RAV8WIN32ENG.EXE, REGEDIT.EXE,
REGEDT32.EXE, RESCUE.EXE, RESCUE32.EXE, RRGUARD.EXE, RSHELL.EXE,
RTVSCN95.EXE, RULAUNCH.EXE, SAFEWEB.EXE, SBSERV.EXE, SD.EXE,
SETUP_FLOWPROTECTOR_US.EXE, SETUPVAMEEVAL.EXE, SFC.EXE, SGSSFW32.EXE,
SH.EXE,
SHELLSPYINSTALL.EXE, SHN.EXE, SMC.EXE, SOFI.EXE, SPF.EXE, SPHINX.EXE,
SPYXX.EXE, SS3EDIT.EXE, ST2.EXE, SUPFTRL.EXE, SUPPORTER5.EXE,
SYMPROXYSVC.EXE, SYSEDIT.EXE, TASKMON.EXE, TAUMON.EXE, TAUSCAN.EXE, TC.EXE,
TCA.EXE, TCM.EXE, TDS-3.EXE, TDS2-98.EXE, TDS2-NT.EXE, TFAK5.EXE,
TGBOB.EXE,
TITANIN.EXE, TITANINXP.EXE, TRACERT.EXE, TRJSCAN.EXE, TRJSETUP.EXE,
TROJANTRAP3.EXE, UNDOBOOT.EXE, UPDATE.EXE, VBCMSERV.EXE, VBCONS.EXE,
VBUST.EXE, VBWIN9X.EXE, VBWINNTW.EXE, VCSETUP.EXE, VFSETUP.EXE,
VIRUSMDPERSONALFIREWALL.EXE, VNLAN300.EXE, VNPC3000.EXE, VPC42.EXE,
VPFW30S.EXE, VPTRAY.EXE, VSCENU6.02D30.EXE, VSECOMR.EXE, VSHWIN32.EXE,
VSISETUP.EXE, VSMAIN.EXE, VSMON.EXE, VSSTAT.EXE, VSWIN9XE.EXE,
VSWINNTSE.EXE,
VSWINPERSE.EXE, W32DSM89.EXE, W9X.EXE, WATCHDOG.EXE, WEBSCANX.EXE,
WGFE95.EXE, WHOSWATCHINGME.EXE, WHOSWATCHINGME.EXE, WINRECON.EXE, WNT.EXE,
WRADMIN.EXE, WRCTRL.EXE, WSBGATE.EXE, WYVERNWORKSFIREWALL.EXE,
XPF202EN.EXE,
ZAPRO.EXE, ZAPSETUP3001.EXE, ZATUTOR.EXE, ZAUINST.EXE, ZONALM2601.EXE,
ZONEALARM.EXE
====
Troj/Padodor-U is a password stealing Trojan.
When first run, Troj/Padodor-U will copy itself to the Windows System folder as SYSTEMIL.EXE. The Trojan will also create a copy of itself as IL.DAT.
Troj/Padodor-U will drop the files SYSIE.DLL and SYSIL.DLL. These files are detected as Troj/Padodor-N.
In order to run the Trojan automatically on startup, Troj/Padodor-U will set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    systemil = (Random CLSID)
HKCR\CLSID\(Random CLSID)\InProcServer32
    (Default) = sysil.dll
Troj/Padodor-U monitors access to banking websites in order to steal username and password information.
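The Sophos description above gives enough registry indicators to check a suspect host without waiting for signatures. The following Python script is an added example (not from this post and not from Sophos); it parses a `reg export` text dump rather than querying the live registry, so it can run on an analyst machine against a dump collected from the infected box. It looks for the winhost.exe Run entry, the HKCU\Software\Timeout key with its hex-encoded port (decoding it and noting when it is the default 9010), and the systemil ShellServiceObjectDelayLoad entry together with its sysil.dll COM server. The registry dump embedded in it is constructed for the example and its CLSID is made up.

```python
"""Host-side IOC check for the Lohav-Q / Padodor-U persistence described above.
Added example, not from the original post or from Sophos. Parses a .reg text
export instead of the live registry; the dump below is a constructed fixture."""
import re

# Indicators taken from the Sophos description quoted above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
TIMEOUT_KEY = r"HKEY_CURRENT_USER\Software\Timeout"
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")
DEFAULT_PROXY_PORT = 9010  # Sophos: default listening port of the proxy


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: (type, data)}}.
    Handles "string" and dword: values; anything else is kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)  # "" is the (Default) value
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("string", data[1:-1].replace("\\\\", "\\"))
        else:
            keys[current][name] = ("raw", data)
    return keys


def check_lohav_padodor(keys: dict) -> list:
    """Return (indicator, detail) tuples for every IOC present in the parsed dump."""
    hits = []
    for name, (_, data) in keys.get(RUN_KEY, {}).items():
        if name.lower() == "winhost.exe" or str(data).lower().endswith("\\winhost.exe"):
            hits.append(("Lohav-Q Run entry", f"{name} = {data}"))
    timeout = keys.get(TIMEOUT_KEY)
    if timeout is not None:
        hits.append(("Lohav-Q config key", TIMEOUT_KEY))
        if "port" in timeout:
            port = timeout["port"][1]
            if isinstance(port, str):  # Sophos: stored in hexadecimal
                port = int(port, 16)
            note = " (default)" if port == DEFAULT_PROXY_PORT else ""
            hits.append(("Lohav-Q proxy listening port", f"{port}{note}"))
    ssodl = keys.get(SSODL_KEY, {})
    if "systemil" in ssodl:
        clsid = ssodl["systemil"][1]
        hits.append(("Padodor-U SSODL entry", f"systemil = {clsid}"))
        inproc = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32", {})
        server = inproc.get("", ("", ""))[1]
        if server.lower().endswith("sysil.dll"):
            hits.append(("Padodor-U COM server", server))
    return hits


# Constructed sample dump (the CLSID is made up); port 0x2332 == 9010.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winhost.exe"="C:\\WINDOWS\\system32\\winhost.exe"

[HKEY_CURRENT_USER\Software\Timeout]
"uid"="1234567"
"port"=dword:00002332
"pid"=dword:000004d2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"systemil"="{00000000-1111-2222-3333-444444444444}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\system32\\sysil.dll"
"""

if __name__ == "__main__":
    for indicator, detail in check_lohav_padodor(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{indicator}: {detail}")
```

The parser deliberately keeps the value type, so the port is reported as a number whether the dump carries it as a dword or as a hex string; a clean host yields an empty list.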
At the time of writing only the following anti-virus products detect this:
** Yes, it was sent to Symantec, Trend and many, many other anti-virus companies and researchers.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.

