More malware by the Virut-gang
The gang behind the file-infecting virus tagged as Virut is commanding more malware to be downloaded:
So, let’s take a closer look at adv735.exe. The file is very small, 4 045 bytes, and it’s packed with FSG. I submitted it to Norman Sandbox, and here are the main results:
 [ Network services ]
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/hcvblie.php?adv=adv735.
   * Connects to “xgjamtulux.com” on port 80 (TCP).
   * Opens URL: xgjamtulux.com/progs/hcwpyi/hcvblie.php.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/etwpzmwgcz.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/etwpzmwgcz.php.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/eyerbo.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/eyerbo.php.php.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/pebllmmww.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/pebllmmww.phpp.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/flrbblv.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/flrbblv.phphpp.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/mfcyiwfp.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/mfcyiwfp.phppp.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/budaby.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/budabyfp.phppp.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/ekqznx.php?adv=adv735&code1=INIF&code2=0132&id=1814656820.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/ekqznx.phphppp.
The file seems to be an adware downloader. What’s interesting is that http://xgjamtulux.com/progs redirects to iframedollars.biz.
When we look at the two domains, their IPs are:
;; ANSWER SECTION:
xgjamtulux.com.        30     IN     A      81.95.153.108
and
;; ANSWER SECTION:
iframedollars.biz.     30     IN     A      81.95.153.92
Quite a short TTL, eh? Both are hosted under AS28866, AKIMON-AS Aki Mon Telecom, a known rogue Russian ISP. AKIMON in turn buys its transit from AS40989, RBN-AS RBusiness Network (Russian Business Network), the darkest ISP on the planet. If you’re in charge of a network, I’d suggest you give both AS numbers the good ol’ /dev/null handling.
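The sandbox network section and the dig answers above are already usable indicators; the script below, an added example that is not part of the original post and is unrelated to the author’s Virut Watcher, turns them into a host/path/parameter set, flags the short DNS TTLs, and runs the result over a few constructed proxy log lines. The sandbox and dig text is copied from the post; the proxy log lines are made up for the demo, and the "beacon pattern" rule (an `adv=` parameter under a `/progs/` path on any host) is an assumption that generalizes the single host seen here, so treat it as a starting point rather than a signature.

```python
"""Indicators and a proxy-log check built from the sandbox report and dig output.

Added example (not the post's own code). SANDBOX_LOG and DIG_ANSWERS are
copied from the post; PROXY_LOG is constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Norman Sandbox "Network services" lines as printed in the post (the odd
# ".php.php" style tails are part of the sandbox's own output, kept as-is).
SANDBOX_LOG = """\
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/hcvblie.php?adv=adv735.
   * Connects to "xgjamtulux.com" on port 80 (TCP).
   * Opens URL: xgjamtulux.com/progs/hcwpyi/hcvblie.php.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/eyerbo.php.
   * Opens URL: xgjamtulux.com/progs/hcwpyi/eyerbo.php.php.
   * Opens URL: http://xgjamtulux.com/progs/hcwpyi/ekqznx.php?adv=adv735&code1=INIF&code2=0132&id=1814656820.
"""

# dig ANSWER SECTION lines from the post.
DIG_ANSWERS = """\
xgjamtulux.com.        30     IN     A      81.95.153.108
iframedollars.biz.     30     IN     A      81.95.153.92
"""

# Constructed proxy log: epoch, client, method, URL.  Not from the post.
PROXY_LOG = """\
1177400000.123 192.168.1.20 GET http://xgjamtulux.com/progs/hcwpyi/ekqznx.php?adv=adv735&code1=INIF&code2=0132&id=1814656820
1177400001.456 192.168.1.21 GET http://example.org/index.html
1177400002.789 192.168.1.22 GET http://xgjamtulux.com/progs/hcwpyi/flrbblv.php
1177400003.000 192.168.1.23 GET http://example.org/progs/x.php?adv=adv999
"""

# The sandbox terminates each URL with a sentence period; strip only that one.
URL_RE = re.compile(r"Opens URL:\s*(\S+?)\.?\s*$")
DIG_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)")


def extract_urls(log):
    """Pull every 'Opens URL' target out of a sandbox network section."""
    return [m.group(1) for line in log.splitlines()
            if (m := URL_RE.search(line))]


def split_url(url):
    """Return (host, path, {param: first value}); scheme-less entries get http://."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.path, query


def indicators(log):
    """Collapse the sandbox URLs into hosts, paths and beacon parameter values."""
    hosts, paths, params = set(), set(), {}
    for url in extract_urls(log):
        host, path, query = split_url(url)
        hosts.add(host)
        paths.add(path)
        for key, value in query.items():
            params.setdefault(key, set()).add(value)
    return hosts, paths, params


def short_ttl_records(dig_text, threshold=300):
    """Return (name, ttl, address) for A records with a TTL below threshold."""
    found = []
    for line in dig_text.splitlines():
        m = DIG_RE.match(line.strip())
        if m and int(m.group(2)) < threshold:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def flag_requests(proxy_log, hosts):
    """Flag requests to a known host, or any host hit with the assumed
    '/progs/...?adv=' beacon shape (assumption: campaign id carried in adv=)."""
    hits = []
    for line in proxy_log.splitlines():
        _ts, client, _method, url = line.split(maxsplit=3)
        host, path, query = split_url(url)
        if host in hosts:
            hits.append((client, host, "known host"))
        elif path.startswith("/progs/") and "adv" in query:
            hits.append((client, host, "beacon pattern"))
    return hits


if __name__ == "__main__":
    hosts, paths, params = indicators(SANDBOX_LOG)
    print("hosts:", sorted(hosts))
    print("paths:", sorted(paths))
    print("beacon params:", {k: sorted(v) for k, v in params.items()})
    print("short TTL:", short_ttl_records(DIG_ANSWERS))
    for hit in flag_requests(PROXY_LOG, hosts):
        print("flag:", hit)
```

The host set is what you would feed a DNS sinkhole or proxy blocklist; the path and parameter sets are the part that survives a domain change, which is why the last rule matches on request shape rather than hostname. The 30-second TTL check is the cheap heuristic the post points at: legitimate zones rarely need to move a record that quickly.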
April 24th, 2007 at 7:52 am
XGJAMTULUX.COM have been taken down.
Thanks to, Gandi.
Regards,
April 25th, 2007 at 7:10 am
Gandi has, as far as I can tell, been on the good side. We need more responsible registrars like them to effectively battle against various malware spreaders.
September 3rd, 2007 at 12:05 pm
Hi there,
I’ve just been dealing with a Virut virus on my machine.
The IPs (and trailing folder locations) it has been trying to access to download various trojans etc. are:
85.114.140.107/-grander/dl.exe
85.114.140.107/-grander/adv735.exe
81.95.146.254
Perhaps this info helps you in your exploration of this virus.
By the way, what is the “Virut Watcher” application you are using?
Regards,
Jonathan
September 3rd, 2007 at 12:34 pm
Hi,
thanks for the info :)
Virut Watcher is a small botnet tracker I did for tracking the Virut botnet. It’s about 1500 bytes in size and written in assembly.
The last IP in that list (81.95.146.254) belongs to Russian Business Network, which is a rogue ISP in Russia. Verisign did an excellent report on them a while back:
http://www.economist.com/displayStory.cfm?story_id=9723768&fsrc=RSS
http://www.theage.com.au/news/business/from-russia-with-malice-criminals-trawl-the-world/2007/07/23/1185043032049.html?page=fullpage#contentSwap1
September 4th, 2007 at 12:06 am
I’ve just noticed that winlogon.exe is still trying to connect to 81.95.146.254.
I thought I had this thing cleaned off. Have you got any suggestions for cleaning this thing (bar a complete system reinstall)?
I’ll read up on that ISP.
Would that tracker help me to monitor if Virut is still actively trying to access the net (and thus still active on my system)?
Cheers,
Jonathan
September 4th, 2007 at 7:03 am
Sorry, but no. It’s just a small IRC bot that tracks the botnet itself. If you know which thread inside winlogon.exe is the one with infection you could download Process Explorer from SysInternals and snuff the particular thread with it. Otherwise I suggest some kind of online virus scan or several of them.
Process Explorer can be found at http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx