Christmas Postcard Spam and Trojan.Win32.Waledac

Steve sent me a sample of malware classified as Trojan.Win32.Waledac, which he received in Christmas postcard spam emails with the following subjects:

Merry Christmas and best wishes just for you
Merry Christmas 2009!
A super Xmas card for you
Merry XXXmas!
You’ve got a Merry Christmas greeting e-card
I made this e-card only for U!
Xmas postcard for U!

The file came from this malicious domain:

superchristmaslights.com

The file is named postcard.exe:

Report Generated 1.1.2009 at 23.45.44 (GMT 1)
Filename: postcard.exe
File size: 378 KB
MD5 Hash: 31A8756B48576862E6312BDC063FA94B
SHA1 Hash: B463B6D251A26A86A1F1472D6DBC0D953F4B4D5C
CRC32: 1186267902
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 10 on 23 (43.478 %)

Antivirus                   Sig Version     Result
a-squared                   01/01/2009      Trojan.Win32.Waledac!IK
Avira AntiVir               7.1.1.58        TR/Proxy.Gen
Avast                       090101-0        –
AVG                         270.10.1/1870   Downloader.Generic_r.CL
BitDefender                 01/01/2009      –
ClamAV                      01/01/2009      –
Comodo                      859             –
Dr.Web                      01/01/2009      –
Ewido                       01/01/2009      –
F-PROT 6                    20090101        W32/Downloader.F.gen!Eldorado
G DATA                      19.2206         Email-Worm.Win32.Iksmas.u A
IkarusT3                    01/01/2009      Trojan.Win32.Waledac
Kaspersky                   01/01/2009      Email-Worm.Win32.Iksmas.u
McAfee                      01/01/2009      Generic.dx trojan
MHR (Malware Hash Registry) –               –
NOD32 v3                    3731            Win32/Waledac
Norman                      2009/01/01      –
Panda                                       –
Solo Antivirus              01/01/2009      –
Sophos                      01/01/2009      W32/Waled-E
TrendMicro                  741(574100)     –
VBA32                       01/01/2009      –
VirusBuster                 10.100.12       –

After execution, the malware loaded two interesting Windows DLLs:

crypt32.dll

crypt32.dll is a module that contains the functions used by the Windows Crypto API.

rsaenh.dll

rsaenh.dll is the module that implements the Microsoft Enhanced Cryptographic Service Provider (CSP), which uses 128-bit encryption.

Next, postcard.exe established a connection with this IP:

128.174.141.174 (scouter.age.uiuc.edu)

Internet traffic:

POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 2471
Cache-Control: no-cache
...
...
 
POST /tkstywuzpa.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 231
Cache-Control: no-cache
...
...
 
POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 2471
Cache-Control: no-cache
...
...
 
POST /sqzexu.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 957
Cache-Control: no-cache
...
...
 
POST /tkstywuzpa.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 231
Cache-Control: no-cache
...
...

The malware sent a large amount of encrypted data to that IP; then we saw a new connection established with this IP:

77.81.158.87 (host-77-81-158-87.nettelecom.ro)

Internet traffic:

POST /ljpo.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 935
Cache-Control: no-cache
...
...
 
POST /qiahgxhv.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 957
Cache-Control: no-cache
...
...
 
POST /ljpo.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 935
Cache-Control: no-cache
...
...
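
Both captures share one request shape: an HTTP POST to a path ending in ".png" (something a browser never POSTs to), a form-urlencoded body, and the bare string "Mozilla" in both User-Agent and Referer. The following Python checker is an added example, not code from the original post; it parses raw HTTP request text and flags requests matching that shape. The request headers are taken from the captures above, while the two benign requests and the overall log layout are constructed for the example.

```python
"""Flag Waledac-style HTTP beacons in raw HTTP request text.

Added example, not part of the original post. Heuristic derived from the
captured requests: POST to *.png, application/x-www-form-urlencoded body,
and a bare "Mozilla" User-Agent. The sample traffic below is constructed
(two requests copied from the capture, two benign requests added).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


def parse_requests(raw: str) -> List[Request]:
    """Split raw request text (requests separated by blank lines) into Request objects.
    Lines consisting only of '...' (elided bodies in the capture) are ignored."""
    requests = []
    for chunk in re.split(r"\n\s*\n", raw.strip()):
        lines = [l for l in chunk.splitlines() if l.strip() and l.strip() != "..."]
        if not lines:
            continue
        parts = lines[0].split()
        if len(parts) < 3:  # not a "METHOD PATH HTTP/x.y" request line
            continue
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        requests.append(Request(parts[0], parts[1], headers))
    return requests


def is_waledac_beacon(req: Request) -> bool:
    """All four conditions together; each alone is common enough to be noisy."""
    return (
        req.method == "POST"
        and req.path.lower().endswith(".png")
        and req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
        and req.headers.get("user-agent", "") == "Mozilla"
    )


def find_beacons(raw: str) -> List[Tuple[str, str]]:
    """Return (host, path) for every request that matches the heuristic."""
    return [(r.headers.get("host", "?"), r.path) for r in parse_requests(raw) if is_waledac_beacon(r)]


# Constructed sample: requests 1 and 4 are copied from the capture in the post,
# requests 2 and 3 are ordinary browser traffic added to show the filter discriminates.
SAMPLE_TRAFFIC = """\
POST /moalahio.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 128.174.141.174
Content-Length: 2471
Cache-Control: no-cache
...

GET /logo.png HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.5
Host: www.example.com

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/3.5
Host: www.example.com
Content-Length: 42

POST /ljpo.png HTTP/1.1
Referer: Mozilla
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 77.81.158.87
Content-Length: 935
Cache-Control: no-cache
...
"""

if __name__ == "__main__":
    for host, path in find_beacons(SAMPLE_TRAFFIC):
        print(f"suspicious beacon: POST http://{host}{path}")
```

The GET to a .png and the POST to /login with a full browser User-Agent are not flagged; only the two capture-shaped requests are. On a real proxy log the same four conditions can be expressed as a single rule in whatever query language the log store uses.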

The malware sent different data (again encrypted) to this second IP. It may have used the DLLs loaded above to generate the encrypted payload. The malware also created the following registry key so that it starts every time Windows boots:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg

In the unpacked code we can see an interesting IP database: a list of 32-character hex identifiers, each paired with an IP address:

e42bbf422911ae20c226ce474117d36b
69.216.244.118
33a4c14ed5b99a93d9051e861950c95b
84.16.228.132
875ad1299102e719d64e1f603579946f
195.66.21.101
bb313847e73e976ebf1d530e61580925
124.139.225.67
5a341f66b83424016a076835ab1e2028
82.234.120.193
56230a7f2762d952957c196ed5667708
76.114.29.106
795ae21fd963137cf764c13b7350d81e
69.226.184.49
1736fd55be508f098a7a3f51601cae28
85.113.20.62
546765494659555f456488273961ad7c
128.174.141.174
a94cd3032818e00f0124726991780d3e
88.180.152.39
00244943fe7ba2651e27637a9b404b58
77.81.158.87
9b35c94714342118db7cf638fd2e5552
208.96.18.58
6175420c4618b01fc06e965a2f31892f
98.149.117.205
b7284359a11e331d6a7a3649f015137f
89.204.197.156
d97e4b6d8654d505d60036576161b230
208.100.133.110
5e688303662cf5751373083b307fd310
87.68.182.181
e4609a3fcb07ea326654993d78362916
97.77.217.22
0b7d594d0d2a4b13f1609305e1318b55
68.145.54.93
6a02995eb47fa02d99192638042a084d
140.113.35.54
1d589b269c2c5c774a2da10323283a54
83.194.165.145
066cfc1a7a39cd639e7b3c37e6644c3d
64.228.2.176
064fd8557167e31f88509d0b8822b937
76.167.145.175
ec51551bc454a965d1408075ec756d06
86.20.80.208
7a5aeb16da4eff2aa7679567880a272c
216.117.238.161
5f58c925c9010148dd312b1d4f05af20
84.229.245.60
2d035f40a870a110f0244337b64e8928
76.16.23.4
0d2dae07643d262e203ea15f405eab72
99.254.16.247
6532a404d47aea066a36910d5974b463
68.144.251.138
40720551cd0ada6c7123a3089c20b61a
68.144.116.252
c323b124143757127813ca386a6ab65d
217.199.98.148
79334d1fab6b6d224508555f8a0b2d51
85.26.91.207
022c8b0cd0771439fc2e57177b5a224d
65.34.235.11
bd72a21e4046f358e821d12aeb6f8e1f
69.203.93.7
897c927517449c38fe53720bfd2a9c12
124.189.1.101
52692810613bf83f222fc57ba7540f26
93.126.83.104
840f401ba368e2355f58ef121b7b3241
24.20.193.61
211ae92b9466fe272f0b40385106c650
140.112.185.29
c941270b1e7cf42b72166922e02f5778
98.218.108.161
4b5d730cf827a057710a5013ae20d61c
121.188.215.191
4b122c5bcb169d4dc9264a32e65a2c0f
125.176.11.198
cc4fa44c644efa24ab7f6a3e2917ab09
125.99.58.135
2445c3486e3e093dd33e542b2310ee22
77.52.35.178
882f897b4f1dce534715ab3805139802
98.200.16.184
4a5fbe688419c0279643e4633d115761
211.58.123.154
ea05cf39221a96029f7444054524de04
82.137.77.90
ca584349fa2d2231b3581240325cc70b
71.205.27.148
623af10463241f316450154eaf7e4e7b
67.191.81.183
011d947df3310317fc138640bb18115e
84.215.135.59
bb3f8f764e7ace1fc560687e1b659d0e
89.76.120.87
ae4ec27ce13fa23273796f0d1e07596c
163.23.198.82
5368186f7d2b9d66037d71587348fd16
70.216.217.169
1104c926c72d4a05754b4a1c7b63c835
128.42.210.154
ac179a03ed62914bfb6d2c61f8696a13
24.7.208.150
ce5fc814746c514a08682a7760269b02
118.218.55.237
06215f44631b1d7ecf5d8f297b3e212d
89.162.165.122
db7e7f1cb56f5f166d134e13ff0fa340
80.167.195.221
f50b3533f75c1e389438e76f7c14fe28
70.128.123.202
472b4f1cbe7cd2369e548b3c85104942
134.114.26.128
6a543000997a9c6a8a33cf290840b40d
210.7.71.146
254f077a333de2072b0c812f5f5dd152
71.228.199.73
185977470819fb152133df248224b655
77.38.180.186
cb55db027f574b79315b4e2c7d2e8b79
84.127.99.237
90036017e449ec35ce3e2a763d6f0427
99.247.215.190
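
The two IPs contacted in the traffic captures, 128.174.141.174 and 77.81.158.87, both appear in this list. As an added example (not part of the original post), the Python below parses the two-line-per-entry dump into identifier/IP pairs, cross-references it with the IPs observed on the wire, and emits a sorted blocklist. The meaning of the hex value is not stated in the post, so it is treated as an opaque identifier; the dump embedded here is a short subset of the list above plus one constructed malformed entry to show that truncated dumps are handled.

```python
"""Parse the identifier/IP list recovered from the unpacked binary and
cross-reference it with the IPs seen in the traffic capture.

Added example, not part of the original post. Entries are read as pairs of
lines: a 32-hex-char identifier followed by an IPv4 address. Pairs that do
not fit that shape are skipped rather than raising, because dumps pulled
from unpacked memory are often truncated or interleaved with other data.
"""
import ipaddress
import re
from typing import Dict, List

HEX_ID = re.compile(r"^[0-9a-f]{32}$")


def parse_peer_list(text: str) -> Dict[str, str]:
    """Return {identifier: ip} for every well-formed identifier/IP pair."""
    peers: Dict[str, str] = {}
    pending = None  # identifier waiting for its IP line
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if HEX_ID.match(line):
            pending = line
            continue
        if pending is not None:
            try:
                ipaddress.IPv4Address(line)
            except ValueError:
                pending = None  # identifier not followed by an IP: drop it
                continue
            peers[pending] = line
            pending = None
    return peers


def cross_reference(peers: Dict[str, str], observed: List[str]) -> List[str]:
    """IPs from the traffic capture that are also entries in the recovered list."""
    known = set(peers.values())
    return sorted(ip for ip in observed if ip in known)


def blocklist(peers: Dict[str, str]) -> List[str]:
    """Unique IPs from the list, sorted numerically, ready for a firewall or proxy deny rule."""
    return sorted(set(peers.values()), key=ipaddress.IPv4Address)


# Constructed sample: six entries copied from the list in the post, followed by
# one deliberately malformed entry (hex id without an IP) to exercise the skip path.
PEER_DUMP = """\
e42bbf422911ae20c226ce474117d36b
69.216.244.118
33a4c14ed5b99a93d9051e861950c95b
84.16.228.132
546765494659555f456488273961ad7c
128.174.141.174
a94cd3032818e00f0124726991780d3e
88.180.152.39
00244943fe7ba2651e27637a9b404b58
77.81.158.87
9b35c94714342118db7cf638fd2e5552
208.96.18.58
deadbeefdeadbeefdeadbeefdeadbeef
garbage-line-constructed
"""

# The two IPs the sample connected to, as recorded in the captures above.
OBSERVED_C2 = ["128.174.141.174", "77.81.158.87"]

if __name__ == "__main__":
    peers = parse_peer_list(PEER_DUMP)
    print(f"{len(peers)} entries parsed")
    print("observed IPs present in list:", cross_reference(peers, OBSERVED_C2))
    print("blocklist:", blocklist(peers))
```

Running the parser over the full list from the post produces the same cross-reference result, which is what makes the list worth extracting: it turns one sample's two contacted hosts into a block of addresses that can be denied before the next host in the list is tried.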

We can also see references to a proxy or SOCKS5 client/server, and some strings that look like spam commands:

socks5
emails
http_stats
dns_ip
smtp_ip
sender_threads
sender_queue

This is the malicious domain we found inside the malware code:

hxxp://mirabellaclub.com/goldenp.php

We can also see a long list of file extensions:

.avi
.mov
.wmv
.mp3
.wave
.wav
.wma
.ogg
.vob
.jpg
.jpeg
.gif
.bmp
.exe
.dll
.ocx
.class
.msi
.zip
.rar
.jar
.hxw
.hxh
.hxn
.hxd

References:

W32.Waledac – symantec.com
