MalwareDisasters is a division of MalwareIntelligence. Here we capture information about the behavior of malicious code and offer the countermeasures needed to mitigate the malicious actions in question.

12.05.2009

Swizzor reload. Adware and control of P2P networks

P2P networks are one of the sources used to propagate different types of malicious code. That makes them a very dangerous vector for those who don't take certain preventive measures into account.

Moreover, its main function is to deploy adware pop-ups that display advertising without the user ever asking for it; many times after infection, it can display advertising even when a connection is made.

This is an increasingly common case in which different types of malware interact with each other, taking control of the computer to download and install additional malware.

Nomenclature: NSIS/TrojanDownloader.Swizzload.A (ESET)
Md5: e2a2089255811ff295cdb695e426adc4
Sha1: 99eccdc87671138b9f4b15b0610bef8a3df418b6
Report VirusTotal 15/41 (36.59%)
Packer: NSIS

It spreads through web pages using a social engineering strategy. When run, it downloads a number of files, among which is an update of itself.

From install.x3codec.com/get_file.php?file=program&program=codec_x3 it downloads:

Nomenclature: -
File: x3codec.exe located in codec_x3.zip
Md5: 06579ded81b2b648c5106d4732a4b06f
Sha1: a2d05264eeb807e5fadd3bd60df3c0b6495c5a75
Report Virus Total 0/41 (0.00%)
Packer: -

From install.x3codec.com/get_file.php?file=program&program=p2pc it downloads:

Nomenclature: Trojan-Dropper.Agent (Ikarus)
File: p2pc.exe hosted in p2pc.zip
Md5: 9964ee2867cb2128c8f3c84b311bdb86
Sha1: a83edbe783856edf5c1838e2e1f9df9bca6ea6f2
Report Virus Total 3/41 (7.32%)
Packer: NSIS

Nomenclature: Downloader.Agent (Ikarus)
File: VistaPutcher.exe hosted in p2pc.zip
Md5: c899655cf6c26eadcd4f8adbc32d7da6
Sha1: f316b3d09519cb73b512a58be6b7b688374839eb
Report Virus Total 9/41 (21.95%)
Packer: NSIS

After checking a number of details on the system, it connects to connect.p2pcontrol.com/?command=install&uid={EE72CD72-7427-E246-A983-AF903B5DEC0E}&affid_tr=&os=XP, from where it downloads the instructions to install the programs.

The aim is to control downloads through P2P networks by establishing a number of eDonkey and Kademlia servers.

From http://connect2.p2pcontrol.com/?command=download&filename=known_e.met it establishes the following servers:

  • 208.53.131.220:4662
  • 208.53.131.221:4662
  • 76.73.89.210:61895
  • 208.53.131.220:27600
  • 208.53.131.221:7258
  • 76.73.77.66:52352
  • 76.73.77.66:53352
  • 208.53.131.221:4500

From install.x3codec.com/get_file.php?file=minime it connects to http://space.cachefly.net/7714569/ and downloads the malware:

Nomenclature: a variant of Win32/TrojanDownloader.Swizzor.NCV (ESET)
File: minime.exe
Md5: 898a21afe498579797e8bc8163f4b1e2
Sha1: 817f44e1fbf98f51f3266a35b246af757574ebd1
Report Virus Total 22/39 (56.41%)
Packer: -
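The hashes, download hosts and eDonkey server list above are the indicators a defender can actually act on. The following script is an added example (not part of the original post or of any MalwareIntelligence tooling) that puts those indicators into lookup tables and runs them over file digests and over a constructed connection/proxy log; the log line format, the benign addresses and the `uid=PLACEHOLDER` value are assumptions made for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# IoC tables copied from the post above: file digests, download/C2 hosts and
# the eDonkey servers pushed by p2pcontrol.com.
MD5_IOCS = {
    "e2a2089255811ff295cdb695e426adc4": "NSIS/TrojanDownloader.Swizzload.A",
    "06579ded81b2b648c5106d4732a4b06f": "x3codec.exe",
    "9964ee2867cb2128c8f3c84b311bdb86": "p2pc.exe (Trojan-Dropper.Agent)",
    "c899655cf6c26eadcd4f8adbc32d7da6": "VistaPutcher.exe (Downloader.Agent)",
    "898a21afe498579797e8bc8163f4b1e2": "minime.exe (Win32/TrojanDownloader.Swizzor.NCV)",
}
SHA1_IOCS = {
    "99eccdc87671138b9f4b15b0610bef8a3df418b6": "NSIS/TrojanDownloader.Swizzload.A",
    "a2d05264eeb807e5fadd3bd60df3c0b6495c5a75": "x3codec.exe",
    "a83edbe783856edf5c1838e2e1f9df9bca6ea6f2": "p2pc.exe (Trojan-Dropper.Agent)",
    "f316b3d09519cb73b512a58be6b7b688374839eb": "VistaPutcher.exe (Downloader.Agent)",
    "817f44e1fbf98f51f3266a35b246af757574ebd1": "minime.exe (Win32/TrojanDownloader.Swizzor.NCV)",
}
C2_HOSTS = {"install.x3codec.com", "connect.p2pcontrol.com", "connect2.p2pcontrol.com"}
# space.cachefly.net is a general-purpose CDN, so only the specific path is an indicator.
C2_URL_PREFIXES = {"space.cachefly.net/7714569/"}
EDONKEY_SERVERS = {
    ("208.53.131.220", 4662), ("208.53.131.221", 4662), ("76.73.89.210", 61895),
    ("208.53.131.220", 27600), ("208.53.131.221", 7258), ("76.73.77.66", 52352),
    ("76.73.77.66", 53352), ("208.53.131.221", 4500),
}


def classify_hashes(md5_hex, sha1_hex):
    """Return the IoC label for either digest, or None if neither is known."""
    return MD5_IOCS.get(md5_hex.lower()) or SHA1_IOCS.get(sha1_hex.lower())


def classify_file_bytes(data):
    """Hash a file's contents and look both digests up in the IoC tables."""
    return classify_hashes(hashlib.md5(data).hexdigest(),
                           hashlib.sha1(data).hexdigest())


def classify_url(url):
    """Flag URLs that reach the download/C2 hosts or the CDN path serving minime.exe."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if host in C2_HOSTS:
        return "download/C2 host: " + host
    for prefix in C2_URL_PREFIXES:
        if (host + parsed.path).startswith(prefix):
            return "known payload path: " + prefix
    return None


def classify_endpoint(ip, port):
    """Flag outbound connections to one of the eDonkey servers from the list."""
    if (ip, int(port)) in EDONKEY_SERVERS:
        return "eDonkey server pushed by p2pcontrol.com"
    return None


# Constructed log formats (assumption, not the post's data):
#   "<time> <src>:<port> -> <dst>:<port>"  for connection records
#   "<time> GET <url>"                      for proxy records
CONN_RE = re.compile(r"^\S+ (\S+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
HTTP_RE = re.compile(r"^\S+ GET (\S+)$")


def scan_log(lines):
    """Return (line, label) pairs for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            label = classify_endpoint(m.group(2), m.group(3))
        else:
            m = HTTP_RE.match(line)
            label = classify_url(m.group(1)) if m else None
        if label:
            hits.append((line, label))
    return hits


# Constructed sample log: 10.0.0.5 is the infected host, 192.0.2.10 is benign.
SAMPLE_LOG = [
    "10:01:02 10.0.0.5:1034 -> 208.53.131.220:4662",
    "10:01:03 10.0.0.5:1035 -> 192.0.2.10:443",
    "10:01:04 GET http://connect.p2pcontrol.com/?command=install&uid=PLACEHOLDER&os=XP",
    "10:01:05 GET http://space.cachefly.net/7714569/minime.exe",
    "10:01:06 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for line, label in scan_log(SAMPLE_LOG):
        print(f"{label:45s} {line}")
```

Matching on the CDN path rather than the CDN hostname avoids alerting on every cachefly.net download, and keeping MD5 and SHA1 side by side lets the same table be used with whichever digest a scanner or proxy already records.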

It also installs adware responsible for changing the settings of Internet Explorer and Firefox through the following lines:

[InternetExplorer]
MinVersion=6
HomePage=http://www2.iesearch.com/
DefaultSearchEngine=Ask
SearchUrl=http://www2.iesearch.com/s/?q={searchTerms}&iesrc={referrer:source?}
GuidHash=x3Codec-search

[FireFox]
MinVersion=2.0
HomePage=
DefaultSearchEngine=Ask
SearchUrl=http://www2.firesearch.com/s/?q={searchTerms}&src=FF-SearchBox
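The settings block above is an INI-style file, so the browser hijack it describes can be recognised mechanically: a home page or search URL pointing at the iesearch.com / firesearch.com hosts, or a GuidHash tagged x3Codec. The script below is an added example (not from the original post) that parses such a block with Python's configparser and reports the hijack indicators; the sample text is a constructed copy of the block shown above, and the host list is derived from it.

```python
import configparser
from urllib.parse import urlparse

# Constructed copy of the settings block quoted in the post.
SAMPLE_CONFIG = """
[InternetExplorer]
MinVersion=6
HomePage=http://www2.iesearch.com/
DefaultSearchEngine=Ask
SearchUrl=http://www2.iesearch.com/s/?q={searchTerms}&iesrc={referrer:source?}
GuidHash=x3Codec-search

[FireFox]
MinVersion=2.0
HomePage=
DefaultSearchEngine=Ask
SearchUrl=http://www2.firesearch.com/s/?q={searchTerms}&src=FF-SearchBox
"""

# Hosts that the adware points the browsers at (taken from the block above).
HIJACK_HOSTS = {"www2.iesearch.com", "www2.firesearch.com"}
# Keys whose value is a URL the adware rewrites.
URL_KEYS = ("HomePage", "SearchUrl")


def parse_browser_config(text):
    """Parse the INI-style block into {section: {key: value}}."""
    # interpolation=None keeps the literal {searchTerms} / {referrer:source?}
    # placeholders; optionxform=str preserves the original key case.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def find_hijack_indicators(settings):
    """Return (browser, key, evidence) tuples for every hijacked setting."""
    findings = []
    for browser, keys in settings.items():
        for key in URL_KEYS:
            host = (urlparse(keys.get(key, "")).hostname or "").lower()
            if host in HIJACK_HOSTS:
                findings.append((browser, key, host))
        guid = keys.get("GuidHash", "")
        if guid.lower().startswith("x3codec"):
            findings.append((browser, "GuidHash", guid))
    return findings


if __name__ == "__main__":
    for browser, key, evidence in find_hijack_indicators(parse_browser_config(SAMPLE_CONFIG)):
        print(f"{browser}: {key} -> {evidence}")
```

Checking the hostname rather than the full URL means a variant that changes only the query string (a different affiliate tag, for instance) is still caught, while an empty HomePage, as in the Firefox section, produces no false positive.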

Some countermeasures

  • Uninstall the programs Ask Search, P2PControl and x3Codec
  • Delete the folders option bird and x3Codec located in Program Files
  • Delete the entry inside eggs located in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Delete the entry eggs joy math type located in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Delete the folder option bird located in X:\Documents and Settings\Administrator\Application Data. This folder contains the files: SEEKOWNSMETA.exe [a variant of Win32/TrojanDownloader.Swizzor.NDE Trojan (ESET)], borereadmebike.exe [a variant of Win32/TrojanDownloader.Swizzor.NCS Trojan (ESET)], tfonuuvu.exe [E:\malware\not\tfonuuvu.exe - a variant of Win32/TrojanDownloader.Swizzor.NCY Trojan (ESET)]
  • Restart the computer
  • Delete the folder Bind army eggs joy located in Documents and Settings\All Users\Application Data
  • Change the browser's start page and delete temporary files
  • Run an updated antivirus program

Malware Disasters Team