Fake IE 7.0 Update: Full Analysis

Antivirus XP 2008 is currently detected on 1.68% of all PCs scanned and is ranked 3rd among active malware. The application causes extreme annoyance and degrades system performance, mainly through pop-up messages, registry changes and the spawning of a large volume of files.
 
The unfortunate part for end users is that the delivery vector for this application is fake Google sponsored links and maliciously influenced search results. In other words, the user believes he is downloading an application to fix threats that a web page claims to have detected on his PC; the after-effects are then quite similar to the behavioral traits of other parasites (system resource consumption, pop-up messages, browser hijacking, etc.).

These behavioral traits were captured with an automated sandbox that records application behavior.
 
Here is the full analysis of the application in terms of behavioral traits on the system (process, file and registry activity):
 
MD5 Hash: ef99ebb8e1699733b3bd1de7de2a0da1
Main Process: file.exe
 
Spawned Processes:
 
C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\Owner\Local Settings\Temp\.tt7.tmp.vbs
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp /AID=e354dd6a773d899336c058fb89fce801
wscript //B C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 Antivirus XP 2008.lnk
wscript //B C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 Register Antivirus XP 2008.lnk
C:\WINDOWS\system32\cmd.exe /c bgjm.bat C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\WINDOWS\system32\pphca37j0ep3a.exe

Registry Activity:

HKEY_LOCAL_MACHINE\Software\rhce37j0ep3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhce37j0ep3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirXP08

File Activity (created files):
 
C:\WINDOWS\system32\blphca37j0ep3a.scr
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsh19.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\MachineKey.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\update.ini
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\lastpage.ini
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk 
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe
C:\Program Files\rhce37j0ep3a\database.dat
C:\Program Files\rhce37j0ep3a\msvcp71.dll
C:\Program Files\rhce37j0ep3a\MFC71.dll
C:\Program Files\rhce37j0ep3a\MFC71ENU.DLL
C:\Program Files\rhce37j0ep3a\msvcr71.dll
C:\Program Files\rhce37j0ep3a\license.txt
C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe.local
C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs
C:\Program Files\rhce37j0ep3a\Uninstall.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\nsx1B.tmp\KillSelf.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\Owner\Local Settings\Temp\.tt11.tmp
C:\WINDOWS\system32\pphca37j0ep3a.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\compress.dat
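The listing above is most useful when the randomly named artefacts are tied back together: the Program Files directory, the system32 executable, the screensaver and the registry keys all carry the same random token behind a short family prefix. The script below is an added example (not part of the original analysis or Panda's tooling) that does that correlation over a subset of the paths from the listing. The prefixes rhc, pphc and blphc come from the names on this page; adding lphc to the prefix set and using the trailing eight characters of the random part as the correlation key are my assumptions, not a documented naming scheme.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the paths from the sandbox listing above, plus one
# benign system32 path as a control entry that the filter should ignore.
SAMPLE_PATHS = [
    r"C:\Program Files\rhce37j0ep3a\rhce37j0ep3a.exe",
    r"C:\Program Files\rhce37j0ep3a\msvcp71.dll",
    r"C:\WINDOWS\system32\pphca37j0ep3a.exe",
    r"C:\WINDOWS\system32\blphca37j0ep3a.scr",
    r"HKEY_LOCAL_MACHINE\Software\rhce37j0ep3a",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\rhce37j0ep3a",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\.tt7.tmp.vbs",
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\pin.vbs",
    r"C:\WINDOWS\system32\notepad.exe",
]

# Family prefixes: rhc, pphc and blphc are the ones in the listing above; lphc is added
# by assumption (it turns up in the same shape in a later comment).  Longest first so
# that "blphc" is not mis-read as "lphc".  The trailing random part is the token.
FAMILY_PREFIXES = ("blphc", "pphc", "lphc", "rhc")
NAME_RE = re.compile(
    r"^(?P<prefix>%s)(?P<token>[a-z0-9]{6,})(?:\.(?P<ext>exe|scr|dll))?$"
    % "|".join(FAMILY_PREFIXES),
    re.IGNORECASE,
)
KEY_LEN = 8  # assumption: the last 8 characters of the token are shared across prefixes


def classify(component):
    """Return (prefix, token) if a single path component follows the naming pattern."""
    m = NAME_RE.match(component)
    if not m:
        return None
    return m.group("prefix").lower(), m.group("token").lower()


def is_temp_script(path):
    """Flag scripts dropped in a Temp directory, as the WScript/cmd processes above show."""
    lower = path.lower()
    return "\\temp\\" in lower and lower.endswith((".vbs", ".bat"))


def correlate(paths):
    """Group every matching component by token key, so artefacts belonging to one
    install (Program Files directory, system32 exe, system32 scr, registry keys)
    end up together even though their prefixes differ."""
    groups = defaultdict(set)
    for path in paths:
        for component in path.split("\\"):
            hit = classify(component)
            if hit:
                _, token = hit
                groups[token[-KEY_LEN:]].add(component)
    return {key: sorted(names) for key, names in groups.items()}


def triage(paths):
    """Summarise a path list into the findings a responder would want first."""
    return {
        "families": correlate(paths),
        "temp_scripts": [p for p in paths if is_temp_script(p)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    for key, names in report["families"].items():
        print("token key", key, "->", names)
    print("scripts in Temp:", report["temp_scripts"])
```

Run against the sample, the four differently prefixed names collapse into one group under the key 37j0ep3a, which is the signal a responder wants: one install, several drop locations. The same function applied to a live file-system or registry export gives a quick inventory of what else belongs to the same install before cleanup starts.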


10 Responses to Fake IE 7.0 Update: Full Analysis

  1. This Antivirus XP 2008 is showing up everywhere; I've been removing this virus for customers all week. The virus also tries (and does a good job) to mask itself as a Flash update (get_flash_update.exe). Any idea how this is getting past so many virus scanners (I've seen people get it on computers with updated Norton and Avast real-time scanners)?

  2. Because there is a large volume of new binaries from different spam messages that have been modified slightly in terms of byte blocks, they are rendered undetectable by signature-based defenses (in some cases we are seeing different hashes for different families of binary samples along with different file names). For example, AV XP 2008 yesterday came in the form of a fake IE 7.0 update. However, the essential behavior of Antivirus XP 2008 is the same across the board.

  3. […] https://pandasecurityus.wordpress.com/2008/08/07/fake-ie-70-update-full-analysis/ Another fake email that looks like it’s from CNN, that links to the infamous XP Antivirus 2008: https://pandasecurityus.wordpress.com/2008/08/08/cnn-alerts-new-malcode-antivirus-xp-2008/ And another about a fake Adobe Flash player update, that tries to download malware: http://isc.sans.org/diary.html?storyid=3024 […]

  4. Why don’t antivirus companies simply block the name of the executable from running? I understand that many of the batch files and executables are randomly generated; however, this recent string seems to have names that are common. I currently do this with Kaseya: when I find a virus on a computer I add the name of the exe that caused the infection to a blacklist of executables that Kaseya won’t let the OS run.

  5. Roger Chiu says:

    I also received this email and performed a simple analysis; please read http://malware-test-lab.blogspot.com/2008/08/fake-ie7-update.html.

  6. Dave says:

    I’ve spent all day trying to weed this thing out… I did a fresh install of my PC after upgrading to a new MOB. Within minutes, I had this thing. I think I picked it up on Yahoo or the NBC Olympics… I’m not sure. But it at first kept crashing my system.

    Anyhow, every time I thought I weeded it out, it came back. And I have a fully up to date new version of Norton 360 and AdAware Pro installed… neither detected it.

    I also found two instances of “system.exe” sitting on my two Flash Drives that I had sitting in USB ports — I didn’t notice these after the last time I weeded it out, but this time I did, so I deleted them and removed the drives. We’ll see if this time it works.

    Oh, and I won’t be downloading any updates from any major sites for awhile.

    Thanks for the tip on this story.

  7. Mike, you are correct: anti-virus vendors do need to create generic detection routines for the malware binaries. In some cases the file names are not the same and vary from spam run to spam run, so a detection routine using file names wouldn’t be best suited for mass volumes of different binaries. The best way would be to create a generic PE signature, as I found that all the get_flash_update.exe binaries have the same PE signature.

  8. Dave says:

    I have an update for you guys, if you can use it… I’m obviously not a programmer (work in media for a living). But here’s what I’ve found out…

    All throughout this endeavor, I kept hearing my Floppy drive making noise every 10 seconds or so like something was trying to access it, even though there was no floppy in it. This was proceeded by a light on my flash drive lighting up, like something was accessing that, even though I wasn’t. I found out that every time it lit up, it reinstalled the “system.exe” file on that drive… even after I deleted it, it came back. This would happen on a floppy disk too, as I tried that out.

    I noticed the date/time stamp on the “system.exe” file was a specific date/time — ironically back when all this started on Saturday. So I did a system file search, looking for other files with that same time stamp. Sure enough I found a copy of “wuauclt.exe” with the exact same time/date sitting in my C:\Program Files\Microsoft Common folder. I did some research on both “system.exe” and “wuauclt.exe” and found they have both been linked to AV XP 2008… and that unless “wuauclt.exe” is in the system folder, it is malware. So I deleted all instances of the files in safe mode, as well as went through the registry cleaning it up… and that did the trick.

    So what I learned, was that “wuauclt.exe” appears to be the culprit — and it was placing “system.exe” on my removable/floppy drives… and then if I let it go, “system.exe” would eventually install “AV XP 2008” on my computer — which would then start making all kinds of changes to the desktop and locking me out of various functions, etc.

    As I understand it, the malware infected all of the autorun.inf files on all of my drives — I found this out because after I rooted out the malware for the final time, I lost access to my drives when I tried to access them via “my computer”… even the flash drives were inaccessible. I found an article for fixing that issue, and am all good to go now.

    Hope this helps others trace out possible solutions!

  9. (another) Dave says:

    I was in the middle of leaving a detailed post when a side effect of this hit and I got a fake BSOD so I lost it all – so this is a much shorter version.

    This also adds to DEP settings – when I was looking around I found some new settings in the DEP settings – one of which was for a file called “A0000485.exe”. While none of the scanners find this file, McAfee did find its “partner” file – “A0000486.scr”. Where? Well, when I first got hit I noticed that all my drives had been reset to “monitor” and all had restore points. I turned them all off and today I got hit again – which is how I found the DEP settings – and in the “C:\System Volume Information\_restore{477BBC7A-E1E3-4FBD-AF08-1D133FA7BD0A}\RP8\” folder there were the files.

    Also I made the mistake of trying (and liking) the “Malwarebytes’ Anti-Malware” program because it was the only one that detected a good portion of this, so I got their “RogueRemover Pro” program that supposedly monitors, real time, anything incoming – including this. However it does NOTHING. I got hit last night, this morning and again just now – and this program tells me everything is fine.

    As to where it comes in and how it seems to manage to bypass McAfee, Spybot and “RogueRemover Pro” – someone suggested the “get_flash_update.exe” idea and that is not too far off. Last night I was on MySpace and visited a page that looked like I had visited it before – and I had, when I was first hit on August 25. Then it dawned on me – this page had one of the MySpace mods where it looks like an iPod – MySpace allows these little “apps”, however somehow this one just allows these files to download in the background without notice. Exactly how, and in what order, I do not know, but here is what seemed to happen – A “tmp” file is placed on your system. In my case my firewall popped up saying “RLDxxx.TMP” (where the xxx can be anything – on the 25th it was RLDD02.TMP and this morning it was RLD11BA.TMP) was trying to access the internet. In both cases it was how I realized something was going on. I hit deny, but then Spybot detects changes are being made to the REG file so now you get asked to allow these changes. I hit deny, but while all this is going on files like “oembios.exe”, “scrnsver.exe”, “wuauclt.exe” and other little files are being placed all over... normally files that wouldn’t be scanned.

    In my case I have never gotten the “Antivirus XP 2008” files – I would guess because I am not letting the “RLDxxx.TMP” file access the internet to download it. All I have is a headache at cleaning my system, and once got the fake screensaver to replace my desktop saying I had viruses and to download the virus scanner.

    Now I mentioned I got hit last night – I hit deny several times on Spybot until I just hit “remember this” as well. In looking at the log I see that all night long – every second (yes I did say second) – this was going on even though I thought I had cleaned the system. Here is a sample – where it changes to “blacklist” is where I hit the “remember this”:

    9/5/2008 12:34:42 AM Denied (based on user decision) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 12:34:50 AM Denied (based on user decision) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 12:35:15 AM Denied (based on user decision) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 12:35:25 AM Denied (based on user decision) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 12:35:26 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!

    [Notice the time – now I am snipping but remember this was going on all night – each second until I got up and looked at the monitor]

    9/5/2008 8:51:41 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:52:15 AM Denied (based on user decision) value “” (new data: “”%1″ %*”) changed in SCR Extension handler!
    9/5/2008 8:52:24 AM Denied (based on user decision) value “” (new data: “regedit.exe “%1″ %*”) changed in REG Extension handler!
    9/5/2008 8:52:24 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:52:25 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:52:26 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:52:27 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:52:28 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:59:12 AM Denied (based on user blacklist) value “” (new data: “”%1″ %*”) changed in SCR Extension handler!
    9/5/2008 8:59:20 AM Denied (based on user decision) value “” (new data: “regedit.exe “%1″ %*”) changed in REG Extension handler!

    Ok – I just noticed something here too – it went by in a blip so I almost missed this – I was fast asleep when all this happened and i thought it was fixed by 1 AM however take a look at this and note the time:

    9/5/2008 3:52:27 AM Denied (based on user blacklist) value “lphcpd1j0ea09” (new data: “C:\WINDOWS\system32\lphcpd1j0ea09.exe”) added in System Startup global entry!
    9/5/2008 3:52:27 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 3:52:28 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 3:52:29 AM Denied (based on user blacklist) value “UserInit” (new data: “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,”) changed in Winlogon!
    9/5/2008 8:39:02 AM Denied (based on user decision) value “scrnsave.exe” (new data: “C:\WINDOWS\system32\blphcpd1j0ea09.scr”) added in Desktop settings!

    Somehow at 3:52:27 AM ‘lphcpd1j0ea09.exe’ was created along with ‘blphcpd1j0ea09.scr’ and McAfee did not notice it, nor did “RogueRemover Pro”. It was not downloaded because nothing was outgoing – at 8:31 AM RLD11BA.TMP tried to access the internet but was denied – that was this morning, not overnight.

    Now I thought all was ok until it started up again now –

    9/5/2008 10:19:20 PM Denied (based on user blacklist) value “” (new data: “”%1″ %*”) changed in SCR Extension handler!
    9/5/2008 10:20:09 PM Denied (based on user decision) value “” (new data: “regedit.exe “%1″ %*”) changed in REG Extension handler!

    Also one other thing – it is blocked but I keep getting someone at 189.81.145.47 from “veloxaone.com.br” trying to connect to my box. This is ongoing – non stop, all day and all night. The IP is banned by me. Also last night – at 3:05 AM I show 69.117.35.119 from dyn.optonline.net tried to gain access – however it was only once, and it does not show up anywhere else.
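The Spybot lines quoted in the comment above are a compact record of the persistence points this family goes after: the Winlogon UserInit value (an extra executable appended after userinit.exe runs at every logon), a global startup entry, the desktop screensaver, and the .scr/.reg file-association handlers. The parser below is an added example, not code from the commenter or from the original post; it turns lines of that shape into structured events and labels the technique each one represents. The four sample lines are retyped copies of lines from the comment with plain ASCII quotes, and the technique labels are my own naming.

```python
import re
from collections import Counter

# Constructed sample: four lines in the shape of the Spybot resident log quoted in the
# comment above, retyped with plain ASCII quotes (the original uses typographic ones).
SAMPLE_LOG = r"""
9/5/2008 12:34:42 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,") changed in Winlogon!
9/5/2008 3:52:27 AM Denied (based on user blacklist) value "lphcpd1j0ea09" (new data: "C:\WINDOWS\system32\lphcpd1j0ea09.exe") added in System Startup global entry!
9/5/2008 8:39:02 AM Denied (based on user decision) value "scrnsave.exe" (new data: "C:\WINDOWS\system32\blphcpd1j0ea09.scr") added in Desktop settings!
9/5/2008 8:52:24 AM Denied (based on user decision) value "" (new data: "regedit.exe "%1" %*") changed in REG Extension handler!
"""

# One line = date, time, basis of the denial, value name, new data, action, location.
# The "new data" field may itself contain quotes, so it is matched greedily up to the
# closing parenthesis that precedes "changed"/"added".
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) Denied \(based on user (?P<basis>decision|blacklist)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) (?P<action>changed|added) in (?P<location>.+)!$'
)


def parse_log(text):
    """Turn each log line into a dict; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def userinit_extras(data):
    """Return the entries in a Winlogon UserInit value other than the real userinit.exe.
    The value is a comma-separated list; anything appended after userinit.exe is run at
    every logon, which is the hook the log shows oembios.exe being added to."""
    extras = []
    for entry in data.split(","):
        entry = entry.strip()
        if not entry:
            continue
        leaf = entry.rsplit("\\", 1)[-1].lower()
        if leaf != "userinit.exe":
            extras.append(entry)
    return extras


def findings(events):
    """Map each denied change to the persistence or hijack technique it represents.
    Labels are this example's own naming, not Spybot's."""
    out = []
    for ev in events:
        loc, name, data = ev["location"], ev["name"], ev["data"]
        if loc == "Winlogon" and name == "UserInit":
            for extra in userinit_extras(data):
                out.append(("logon-hook", extra))
        elif loc.startswith("System Startup"):
            out.append(("startup-entry", data))
        elif loc == "Desktop settings" and name.lower() == "scrnsave.exe":
            out.append(("screensaver-swap", data))
        elif loc.endswith("Extension handler"):
            out.append(("file-association", loc))
    return out


def summarize(events):
    """Count denied changes per registry location, the quickest view of what is being hit."""
    return Counter(ev["location"] for ev in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for label, payload in findings(evs):
        print(label, payload)
    print(dict(summarize(evs)))
```

Even without the full log, the UserInit check alone is worth keeping: a second path after userinit.exe in that value is rarely legitimate, and it explains why the infection came back after each cleanup the commenter describes. The same parser applied to the complete overnight log would also show the per-second retry rate as a count per location.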

  10. (another) Dave says:

    One other item I forgot to mention – once you think everything is gone, even what I mentioned above, there is at least one other “hidden” file:

    “C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5H67GX2V\bk[1].exe”

    McAfee picks it up – the others don’t. And you have to do a full scan to find it.
