I-Worm/Nuwar.W + Rustock.E Variant – Analysis

Steve sent me a new and interesting malware sample classified as I-Worm/Nuwar.W. When I executed the file, it injected code into a system process (svchost.exe), and I started to see a lot of traffic to a domain with a random-looking name (aaqarkznvb.com). During the connections established with that domain, a number of files were downloaded and executed on my system:

C:\-24322245 | 444BCB3A3FCF8389296C49467F27E1D6
C:\psqrhqn.exe | 102FF59F4530E084005A2E04B768E9C1
C:\cvqkuk.exe | 102FF59F4530E084005A2E04B768E9C1
C:\ebafud.exe | 3A13D81D2B0F667BE96AD9567EDAFE0A
C:\nriljal.exe | 5293DB6EC3BB865DA8A2C25FD20897C7
C:\naxv.exe | 252EF354DADF254AF07ECD92AC0A31A8

An interesting file was also created in /system32/drivers/:

C:\WINDOWS\system32\drivers\aec.sys.bak

aec.sys is a Microsoft driver (the Microsoft Acoustic Echo Canceller), and the malware seems to have created a backup copy of it (.bak extension), perhaps because it will later infect the original .sys file!

Afterwards, it created new files:

%User%\LOCALS~1\Temp\winlogin.exe | 17DC830917EABCF78514F559627102BC
%User%\LOCALS~1\Temp\2322862672.exe | 76DD26BBB2571997E0C0035A35A8F7C0
%User%\LOCALS~1\Temp\csrssc.exe | 76DD26BBB2571997E0C0035A35A8F7C0

Note that 2322862672.exe and csrssc.exe have the same MD5, so they are the same binary dropped twice under different names. Both winlogin.exe and csrssc.exe install code hooks (IAT modifications), as shown in the image below:

IAT Modifications

Finally, we can see the driver files that were created or touched in the /system32/drivers/ folder (the two backup copies, the two original drivers and the two new rootkit drivers):

C:\WINDOWS\system32\drivers\beep.sys.bak
C:\WINDOWS\system32\drivers\d521de.sys
C:\WINDOWS\system32\drivers\ethqksbi.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\WINDOWS\system32\drivers\aec.sys

Note that the malware created a backup copy, beep.sys.bak, and then infected the original beep.sys with I-Worm/Nuwar.W! The file size no longer matches the original; it is now 55 KB. When you try to delete the drivers you always get an error: you cannot modify, change or delete any registry key related to the rootkit's drivers, and you cannot modify, change or delete the two .sys files created by the rootkit. The rootkit also hides some TCP ports.
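The backup-then-overwrite pattern (aec.sys.bak and beep.sys.bak sitting next to the modified originals) is easy to check for mechanically. The following Python script is an added example and not part of the original analysis: it walks a drivers directory, pairs every `<name>.sys.bak` with its live `<name>.sys`, and reports whether the hash changed and by how much the size grew. The directory it scans is a constructed fixture with made-up byte contents and sizes, and the function names are mine, not from any tool used in the write-up.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example (not the original analysis). The rootkit leaves <name>.sys.bak
# beside the driver it overwrote, so pairing each .bak with its live .sys and
# diffing hash and size flags the infected originals (beep.sys in the fixture;
# aec.sys is backed up but not yet modified there).


def sha1_of(path: Path) -> str:
    """SHA-1 of a file, read in chunks so large drivers are not loaded whole."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_drivers(drivers_dir: Path) -> List[Dict[str, object]]:
    """One record per <name>.sys that has a <name>.sys.bak sibling."""
    findings = []
    for bak in sorted(drivers_dir.glob("*.sys.bak")):
        live = bak.with_suffix("")          # "beep.sys.bak" -> "beep.sys"
        if not live.is_file():
            continue                        # backup without a live driver: nothing to diff
        rec = {
            "driver": live.name,
            "bak_sha1": sha1_of(bak),
            "live_sha1": sha1_of(live),
            "bak_size": bak.stat().st_size,
            "live_size": live.stat().st_size,
        }
        rec["modified"] = rec["bak_sha1"] != rec["live_sha1"]
        findings.append(rec)
    return findings


def build_demo_dir() -> Path:
    """Constructed fixture (bytes and sizes are made up): beep.sys was backed
    up and then overwritten with a larger image; aec.sys was backed up only;
    ethqksbi.sys is a rootkit driver with no backup at all."""
    d = Path(tempfile.mkdtemp(prefix="drivers_"))
    clean_beep = b"MZ" + b"\x00" * 4094                          # stand-in for the clean driver
    (d / "beep.sys.bak").write_bytes(clean_beep)
    (d / "beep.sys").write_bytes(clean_beep + b"\xcc" * 8192)    # rootkit code appended
    clean_aec = b"MZ" + b"\x00" * 2046
    (d / "aec.sys.bak").write_bytes(clean_aec)
    (d / "aec.sys").write_bytes(clean_aec)
    (d / "ethqksbi.sys").write_bytes(b"MZ" + b"\x90" * 100)
    return d


if __name__ == "__main__":
    for rec in find_shadowed_drivers(build_demo_dir()):
        state = "MODIFIED" if rec["modified"] else "unchanged"
        print(f"{rec['driver']:<10} {state:<9} {rec['bak_size']} -> {rec['live_size']} bytes")
```

On a live system this has to be run from clean boot media or against an offline mount, because the rootkit hooks Ntfs.sys and can hide or misreport the files it protects. When the .bak copy itself cannot be trusted, compare the live driver against a known-good hash from a clean install instead.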

Report of the scan of the infected beep.sys:

Report Generated 23.11.2008 at 1.44.14 (GMT 1)
Filename: beep.sys
File size: 55 KB
MD5 Hash: 9ECF2DDC3500B5212DC5DB7E7C17CE3E
SHA1 Hash: 8B17BFC350914EA5F61F6FF9D9BDDECFCAA80A89
CRC32: 3119767162
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
Detection Rate: 2 on 24

Antivirus Result
a-squared –
Avira AntiVir –
Avast –
AVG Virus identified I-Worm/Nuwar.W
BitDefender Trojan.Peed.Gen
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

We can extract interesting strings from the infected beep.sys:

ZwOpenKey
ZwCreateKey
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
d521de
FATAL_UNHANDLED_HARD_ERROR
ntoskrnl.exe
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D9
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A471}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp

Again, we see this string:

C:\progz\NewWork\driver\objfre\i386\driver.pdb

This string was also present in the new Rootkit.Rustock.E variants. We can also see the reference to svchost.exe, the process into which the malware injects its code, and the reference to d521de, the other kernel driver installed by the rootkit. Note that d521de is a hexadecimal value, which fits the `\SystemRoot\System32\drivers\%x.sys` and `\registry\machine\system\CurrentControlSet\Services\%x` format strings above: the driver and service names appear to be generated from a number at runtime rather than hard-coded. The `\Device\Tcp` strings match the Tcpip.sys hooks and the hidden TCP ports noted earlier.
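To make the link between the format strings and the driver name concrete, here is an added Python example (not from the original post) that extracts narrow and wide strings from a driver image the way `strings` and `strings -el` do, checks for the Rustock-style PDB path, and flags stand-alone lower-case hex tokens that would satisfy the `%x` formats. The input is a constructed byte blob assembled from the strings listed above, not the real beep.sys, and all function names are assumptions.

```python
import re
from typing import Dict, List

# Added example, not from the original post. Real driver images keep most NT
# object paths as UTF-16LE, so a narrow-only `strings` misses them; this pulls
# both encodings and then applies the indicators the analysis singles out.

PDB_PATH = r"C:\progz\NewWork\driver\objfre\i386\driver.pdb"
NAME_FORMATS = {
    r"\registry\machine\system\CurrentControlSet\Services\%x",
    r"\SystemRoot\System32\drivers\%x.sys",
    r"\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws",
}
# A name produced by the "%x" format is a short run of lower-case hex digits.
HEX_NAME = re.compile(r"^[0-9a-f]{4,8}$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs plus UTF-16LE runs of at least min_len characters."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    out = [s.decode("ascii") for s in narrow]
    out += [s.decode("utf-16le") for s in wide]
    return out


def triage(data: bytes) -> Dict[str, object]:
    """Indicators drawn from the strings: PDB path, naming formats, hex tokens."""
    found = extract_strings(data)
    fmts = sorted(s for s in found if s in NAME_FORMATS)
    hex_names = sorted({s for s in found if HEX_NAME.match(s)})
    return {
        "pdb_path": PDB_PATH in found,
        "name_formats": fmts,
        "hex_names": hex_names,
        # where the "%x.sys" format says the sibling driver would be dropped
        "expected_files": [r"\SystemRoot\System32\drivers\%s.sys" % n for n in hex_names],
    }


def build_sample() -> bytes:
    """Constructed stand-in for the infected driver: imports and the PDB path
    as narrow strings, NT object paths as UTF-16LE, with padding between them
    the way a real image stores them. Not the real beep.sys."""
    narrow = [b"ZwOpenKey", b"ZwCreateKey", b"svchost.exe", b"d521de",
              PDB_PATH.encode("ascii"), b"FATAL_UNHANDLED_HARD_ERROR"]
    wide = [r"\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D9",
            r"\registry\machine\system\CurrentControlSet\Services\%x",
            r"\SystemRoot\System32\drivers\%x.sys",
            r"\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws",
            r"\Device\Tcp"]
    blob = b"MZ\x90\x00" + b"\x00" * 60
    for s in narrow:
        blob += s + b"\x00" * 3
    for s in wide:
        blob += s.encode("utf-16le") + b"\x00\x00" + b"\xcc" * 5
    return blob


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The hex-token heuristic is deliberately loose; on a real image it will also catch unrelated tokens, so a hit should be confirmed by looking for the matching `Services\<name>` key and `LEGACY_<NAME>` enum entry that the other two format strings predict.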

Report of the scan of ethqksbi.sys:

Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: ethqksbi.sys
File size: 131 KB
MD5 Hash: BA4423EF27AAA93B35A0AB1ED64F0383
SHA1 Hash: 866652B76C42E94DD38039B48203924A999B01CD
CRC32: 452990838
Application Type: Dynamic Link Library (DLL) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 1 on 24

Antivirus Result
a-squared –
Avira AntiVir TR/Rootkit.Gen
Avast –
AVG –
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA –
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 –
VirusBuster –

PE Import Tables:

ntoskrnl.exe
+DbgPrint
+ZwRestoreKey
+KeQueryTimeIncrement
+ObReferenceObjectByHandle
+_except_handler3
+ObLogSecurityDescriptor
+ExAllocatePoolWithTag
+wcsncpy
+FsRtlInitializeOplock
+ZwPulseEvent
+KeTickCount
+strncmp
+MmMapLockedPagesSpecifyCache
+KeBugCheckEx
+ExIsResourceAcquiredExclusiveLite
+RtlAddAce
+ZwQueryDefaultUILanguage
+ZwQuerySystemInformation
+ExAllocatePoolWithQuota
+strstr
+ExFreePoolWithTag
+ObfReferenceObject
+RtlAnsiCharToUnicodeChar
+strncpy
+IoGetCurrentProcess

Report of the scan of d521de.sys:

Report Generated 24.11.2008 at 2.35.54 (GMT 1)
Filename: d521de_sys
File size: 98 KB
MD5 Hash: 404032043145EB962E62887ECD065327
SHA1 Hash: F40F270F000709AF807F5155685C29AB333CF882
CRC32: 1053342703
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 24

Antivirus Result
a-squared –
Avira AntiVir TR/Rootkit.Gen
Avast Win32:Rootkit-gen [Rtk] (0)
AVG Virus identified I-Worm/Nuwar.W
BitDefender –
ClamAV –
Comodo –
Dr.Web –
Ewido –
F-PROT 6 –
G DATA Win32:Rootkit-gen [Rtk] B
IkarusT3 –
Kaspersky –
McAfee –
MHR –
NOD32 v3 –
Norman –
Panda –
QuickHeal –
Solo Antivirus –
Sophos –
TrendMicro –
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster –

PE Import Tables:

ntoskrnl.exe
+IoDeleteDevice
+KeSetEvent
+KeInitializeMutex
+IoFreeIrp
+IoAllocateIrp
+ObfReferenceObject
+KeInitializeEvent
+IoAttachDevice
+ObfDereferenceObject
+ExFreePoolWithTag
+IoAllocateMdl
+memcpy
+IoFreeWorkItem
+IofCallDriver
+KeWaitForSingleObject
HAL.dll
+ExAcquireFastMutex
+ExReleaseFastMutex

Below are some images of the infection:

Browser Helper Objects:

BHO

Message Hooks:

Message Hooks

SSDT Hooks:

SSDT Hooks

Beep.SYS infected and Ntfs.sys Hooks:

Beep.SYS and Ntfs.SYS Hooks

Unknown IRP Handler:

Unknown IRP Handler

Tcpip.sys Hooks:

Tcpip.sys Hooks

Stealth Code:

Stealth code

Registry Startup Keys

Startup keys

Other Code Hooks

Code hooks

Regedit is disabled

Regedit is disabled
