This is a small, generic rootkit driver that can be bundled with any malware. Its purpose is to kill antivirus products that cannot be killed from user mode because they have a self-protection driver.
The rootkit is a driver that is loaded as a device under the name “GanDiao”. While it is loaded, any user-mode application can kill any process.
To do so, an application only has to issue a DeviceIoControl request to the driver, passing, among other arguments, the I/O control code 0x88888888 and the PID (process ID) of the targeted process. The rootkit looks up the process’ EPROCESS structure and, using an undocumented kernel function (MmUnmapViewOfSection), unmaps a specific portion of ntdll.dll inside the attacked process, causing it to exit without any warning or error.
This e-threat comes bundled inside a Delphi executable, which is nothing but a file generated by the Quick Batch File compiler. QBF is used to “compile” batch files into executables. “Compile” is something of a misnomer, since the tool only generates an executable that embeds the batch file, then drops that batch file into the %temp% folder and runs it.
When executed, it will first drop a batch file which does the following:
– will create a folder called “Global” inside the root folder of every drive, and will copy the executable file inside it as “Global.exe”
– will create an autorun.inf file and set the hidden attribute on it. This file will launch “Global.exe” every time the drive is accessed, if the autorun feature is enabled.
– will disable Task Manager by making specific registry changes
– will make another copy of the executable under %windir%\system32\sistemaGlobal.exe or %windir%\system32\Global.exe
– will add registry entries to point to one of the files above in order to get executed at every system startup
– if it finds winrar.exe it will archive the “Global.exe” file and save it under %windir%\system32\GlobalFotos-Chaos-Global.rar
This file is used to attempt infection of other machines using MSN Messenger. The process works as follows:
– the script will automatically send the archived file to the contacted person along with some random text. The text can contain the following strings:
“En El 2009Por El Calentamiento Global”
“Visita forolibre.com.ar y registrate”
Next, the batch file will do the following:
– connect to an FTP server (ftp.by[removed]3.com) and log in with a predefined username and password
– upload a file named %username%.txt, where %username% is the name of the user account the batch file runs under. Inside the text file it writes specific hardware details (the output of the systeminfo command), the exact date and time of infection and the IP configuration of the infected computer
– it will change Internet Explorer’s home page to http://f[removed]ibre.com.ar
– it will set the hidden attribute on the folders %windir% and %windir%\system32
– it will add some registry keys to mark its presence on the system
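Host-side triage for the artefacts described above (the Global\Global.exe copy and autorun.inf in each drive root, and the “GanDiao” device the driver registers), as an added Python example that is not BitDefender's tooling. It assumes the autorun.inf uses the standard [autorun] open=/shellexecute=/shell\<verb>\command= keys; the fixture in the test is constructed.

```python
import configparser
import ctypes
import os
from pathlib import Path

DEVICE_PATH = r"\\.\GanDiao"  # device name the rootkit driver registers, per the write-up

def autorun_targets(text):
    """Programs an autorun.inf would launch: open=, shellexecute=, shell\\<verb>\\command= (any case)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:  # not INI-shaped: nothing to launch
        return []
    targets = []
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for key, value in cp.items(section):  # configparser lower-cases keys for us
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets

def scan_roots(roots):
    """Check each drive root for the Global\\Global.exe copy and an autorun.inf that launches it."""
    findings = []
    for root in map(Path, roots):
        dropper = root / "Global" / "Global.exe"
        if dropper.is_file():
            findings.append(("dropper_copy", str(dropper)))
        inf = root / "autorun.inf"
        if inf.is_file():
            for target in autorun_targets(inf.read_text(encoding="latin-1")):
                if "global.exe" in target.lower():
                    findings.append(("autorun_launcher", target))
    return findings

def gandiao_device_present():
    """Windows only: True if \\\\.\\GanDiao can be opened, i.e. the driver is loaded; None on other OSes."""
    if os.name != "nt":
        return None
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    handle = k32.CreateFileW(DEVICE_PATH, 0, 0, None, 3, 0, None)  # access 0 (existence only), OPEN_EXISTING
    if handle == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE: no such device
        return False
    k32.CloseHandle(ctypes.c_void_p(handle))
    return True

if __name__ == "__main__":  # on Windows: report the driver and sweep the mounted drive roots
    print(gandiao_device_present(), scan_roots(f"{c}:\\" for c in "CDEFGHIJ" if os.path.isdir(f"{c}:\\")))
```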
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad