Sunday, September 6, 2009

New Smitfraud Variant

I was searching for my username on Google today and found a malicious site that uses my username as a keyword. The malicious pages include the following URLs:
hxxp://q84.isutv.com/wap715-abuibrahim12.html
hxxp://ps51.isutv.com/wap565-abuibrahim12.html
hxxp://ps51.isutv.com/wap84-cherrytoons.html
hxxp://q84.isutv.com/wap363-query-letter.html
hxxp://ps51.isutv.com/wap780-whippedwomen.html
hxxp://ps51.isutv.com/wap293-dr-emma-starr.html
hxxp://q84.isutv.com/wap561-bnz.html
hxxp://q84.isutv.com/wap895-dmaiv.html
hxxp://q84.isutv.com/wap632-unesco.html

Each of these pages redirects you to the following rogue antivirus pages:
hxxp://best-virus-scanner4.com/scan1/?pid=111&engine=pHT3zjjyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMIEMPAZO
hxxp://fast-virus-scan9.com/scan1/?pid=111&engine=pHT22jzyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMkEMPAlO
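The `engine` parameter on both redirect URLs is worth a second look: the same 28-character run sits in the middle of both values, surrounded by characters that do not decode to text. The script below is an added example, not code from the original post. It extracts the parameter and tries all four base64 alignments, keeping the longest stretch of 4-character groups that decodes to printable ASCII. On the two URLs above it surfaces the fragment `2162.131.24&time=125.`, which reads like the tail of a dotted-quad followed by a `time=` field; that reading is my interpretation, the post does not say what the parameter encodes, and the characters on either side remain unexplained.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlparse

# The two rogue-AV redirect URLs quoted above (de-fanged with hxxp://).
REDIRECT_URLS = [
    "hxxp://best-virus-scanner4.com/scan1/?pid=111&engine=pHT3zjjyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMIEMPAZO",
    "hxxp://fast-virus-scan9.com/scan1/?pid=111&engine=pHT22jzyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMkEMPAlO",
]


def is_printable(data: bytes) -> bool:
    """True when every byte is printable 7-bit ASCII (space through tilde)."""
    return all(0x20 <= b <= 0x7E for b in data)


def longest_printable_run(token: str) -> str:
    """Return the longest stretch of `token` that base64-decodes to text.

    Base64 is decoded in 4-character groups, so junk prepended to an encoded
    string shifts the alignment. All four alignments are tried; within each,
    groups are decoded independently and the longest contiguous run of groups
    that decode to printable ASCII is kept.
    """
    best = b""
    for offset in range(4):
        body = token[offset:]
        run = b""
        for i in range(0, len(body) - len(body) % 4, 4):
            try:
                chunk = base64.b64decode(body[i:i + 4], validate=True)
            except binascii.Error:
                chunk = b""  # group has '=' mid-string or non-alphabet chars
            if chunk and is_printable(chunk):
                run += chunk
                continue
            best = max(best, run, key=len)  # run broken: keep it if longest
            run = b""
        best = max(best, run, key=len)
    return best.decode("ascii")


def engine_param(url: str) -> str:
    """Pull the `engine` query parameter out of a (de-fanged) URL."""
    return parse_qs(urlparse(url).query)["engine"][0]


def decode_engine(url: str) -> str:
    return longest_printable_run(engine_param(url))


if __name__ == "__main__":
    for url in REDIRECT_URLS:
        print(urlparse(url).netloc, "->", repr(decode_engine(url)))
```

The per-group decoding is deliberate: `base64.b64decode` on the whole value either fails or returns binary garbage, because the leading junk is not a multiple of 4 characters in any obvious way, while group-wise decoding with every alignment finds the readable island without knowing where it starts.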

The web page displays a classic fake Windows Explorer view, giving the impression that your hard-disk partitions are being scanned and that malware has been found on the computer.
Clicking anywhere on the page prompts you to download a new trojan named Antivirus_111.exe which, at the time of writing, had no signature detections from any antivirus engine; the only flag was Comodo's generic Heur.Packed.Unknown (see the table below).

When uploaded to VirusTotal, the file produced the following results:
File Antivirus_21_1_.exe received on 2009.09.06 07:48:07 (UTC)
Antivirus          Version        Last Update  Result
a-squared          4.5.0.24       2009.09.06  -
AhnLab-V3          5.0.0.2        2009.09.05  -
AntiVir            7.9.1.8        2009.09.04  -
Antiy-AVL          2.0.3.7        2009.09.04  -
Authentium         5.1.2.4        2009.09.05  -
Avast              4.8.1351.0     2009.09.05  -
AVG                8.5.0.409      2009.09.05  -
BitDefender        7.2            2009.09.06  -
CAT-QuickHeal      10.00          2009.09.05  -
ClamAV             0.94.1         2009.09.06  -
Comodo             2204           2009.09.06  Heur.Packed.Unknown
DrWeb              5.0.0.12182    2009.09.06  -
eSafe              7.0.17.0       2009.09.03  -
eTrust-Vet         31.6.6721      2009.09.04  -
F-Prot             4.5.1.85       2009.09.05  -
F-Secure           8.0.14470.0    2009.09.05  -
Fortinet           3.120.0.0      2009.09.06  -
GData              19             2009.09.06  -
Ikarus             T3.1.1.72.0    2009.09.06  -
Jiangmin           11.0.800       2009.09.06  -
K7AntiVirus        7.10.837       2009.09.05  -
Kaspersky          7.0.0.125      2009.09.06  -
McAfee             5732           2009.09.05  -
McAfee+Artemis     5732           2009.09.05  -
McAfee-GW-Edition  6.8.5          2009.09.06  -
Microsoft          1.5005         2009.09.06  -
NOD32              4399           2009.09.05  -
Norman             6.01.09        2009.09.04  -
nProtect           2009.1.8.0     2009.09.06  -
Panda              10.0.2.2       2009.09.05  -
PCTools            4.4.2.0        2009.09.04  -
Prevx              3.0            2009.09.06  -
Rising             21.45.14.00    2009.09.01  -
Sophos             4.45.0         2009.09.06  -
Sunbelt            3.2.1858.2     2009.09.05  -
Symantec           1.4.4.12       2009.09.06  -
TheHacker          6.3.4.3.396    2009.09.04  -
TrendMicro         8.950.0.1094   2009.09.05  -
VBA32              3.12.10.10     2009.09.05  -
ViRobot            2009.9.4.1919  2009.09.04  -
VirusBuster        4.6.5.0        2009.09.05  -

Additional information
File size: 167424 bytes
MD5 : 3aeef8ccec46822d91c97ed92f8a4af2
SHA1 : 9e310ffad459fe3a10544d6ee78403a3b382891d
SHA256: b2d842f4ebf1561429a0d84929ceeda2c7c5a7f850c2fd66ac4fa2ea6b6d6f15

http://www.virustotal.com/analisis/b2d842f4ebf1561429a0d84929ceeda2c7c5a7f850c2fd66ac4fa2ea6b6d6f15-1252223287

Upon executing the file, an installer GUI appears (screenshot omitted). The program then automatically installs a fake antivirus called "Total Security" (screenshot omitted).
The malware creates the following folders:
c:\program files\common files\TSUninstall
c:\program files\TS

It also creates the following file:
C:\WINDOWS\system32\iehelpmod.dll

The following registry keys have been added:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}]
&IE Help - C:\WINDOWS\system32\iehelpmod.dll [2009-09-06 335360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TS"=C:\Program Files\TS\tsc.exe [2009-09-06 1542176]

[HKEY_USERS\S-1-5-21-725345543-484763869-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Uninstall\TS]

If you attempt to uninstall the rogue antivirus, it displays the following window (screenshot omitted) to lure unwary users into purchasing the fake product.
I have uploaded the file C:\Program Files\TS\tsc.exe to VirusTotal. Only McAfee (FakeAlert-HP, and Trojan.Crypt.ZPACK.Gen in the gateway edition) and AntiVir (TR/Crypt.ZPACK.Gen) detected it:
File tsc.exe received on 2009.09.06 11:48:22 (UTC)
Antivirus          Version        Last Update  Result
a-squared          4.5.0.24       2009.09.06  -
AhnLab-V3          5.0.0.2        2009.09.05  -
AntiVir            7.9.1.8        2009.09.06  TR/Crypt.ZPACK.Gen
Antiy-AVL          2.0.3.7        2009.09.04  -
Authentium         5.1.2.4        2009.09.05  -
Avast              4.8.1351.0     2009.09.05  -
AVG                8.5.0.409      2009.09.06  -
BitDefender        7.2            2009.09.06  -
CAT-QuickHeal      10.00          2009.09.05  -
ClamAV             0.94.1         2009.09.06  -
Comodo             2204           2009.09.06  -
DrWeb              5.0.0.12182    2009.09.06  -
eSafe              7.0.17.0       2009.09.03  -
eTrust-Vet         31.6.6721      2009.09.04  -
F-Prot             4.5.1.85       2009.09.05  -
F-Secure           8.0.14470.0    2009.09.06  -
Fortinet           3.120.0.0      2009.09.06  -
GData              19             2009.09.06  -
Ikarus             T3.1.1.72.0    2009.09.06  -
Jiangmin           11.0.800       2009.09.06  -
K7AntiVirus        7.10.837       2009.09.05  -
Kaspersky          7.0.0.125      2009.09.06  -
McAfee             5732           2009.09.05  FakeAlert-HP
McAfee+Artemis     5732           2009.09.05  FakeAlert-HP
McAfee-GW-Edition  6.8.5          2009.09.06  Trojan.Crypt.ZPACK.Gen
Microsoft          1.5005         2009.09.06  -
NOD32              4399           2009.09.05  -
Norman             6.01.09        2009.09.04  -
nProtect           2009.1.8.0     2009.09.06  -
Panda              10.0.2.2       2009.09.06  -
PCTools            4.4.2.0        2009.09.06  -
Prevx              3.0            2009.09.06  -
Rising             21.45.14.00    2009.09.01  -
Sophos             4.45.0         2009.09.06  -
Sunbelt            3.2.1858.2     2009.09.05  -
Symantec           1.4.4.12       2009.09.06  -
TheHacker          6.3.4.3.396    2009.09.04  -
TrendMicro         8.950.0.1094   2009.09.05  -
VBA32              3.12.10.10     2009.09.05  -
ViRobot            2009.9.4.1919  2009.09.04  -
VirusBuster        4.6.5.0        2009.09.05  -

Additional information
File size: 1542176 bytes
MD5...: 47f48d75791e9ff4831b0e4a553c5569
SHA1..: 3a1f8a2186611e0c3bcf53cc650307dd5a6bbe82
SHA256: a7173500bd783ef55d520cb4c9cdd235a250437e639ed589ac99855d65324b5f
ssdeep: 24576:L6x4SD2YP9PeJaSl2eiaQtXOstG0Bu/SCoIxFViKsSKlRZMXK:G4Si2Op2TaQtestpiUSaZ

http://www.virustotal.com/analisis/a7173500bd783ef55d520cb4c9cdd235a250437e639ed589ac99855d65324b5f-1252237702

I have also uploaded the associated file iehelpmod.dll to VirusTotal. No signature definitions exist for this trojan yet; the only hit is a heuristic from McAfee-GW-Edition:
File iehelpmod.dll received on 2009.09.06 10:43:15 (UTC)
Antivirus          Version        Last Update  Result
a-squared          4.5.0.24       2009.09.06  -
AhnLab-V3          5.0.0.2        2009.09.05  -
AntiVir            7.9.1.8        2009.09.04  -
Antiy-AVL          2.0.3.7        2009.09.04  -
Authentium         5.1.2.4        2009.09.05  -
Avast              4.8.1351.0     2009.09.05  -
AVG                8.5.0.409      2009.09.06  -
BitDefender        7.2            2009.09.06  -
CAT-QuickHeal      10.00          2009.09.05  -
ClamAV             0.94.1         2009.09.06  -
Comodo             2204           2009.09.06  -
DrWeb              5.0.0.12182    2009.09.06  -
eSafe              7.0.17.0       2009.09.03  -
eTrust-Vet         31.6.6721      2009.09.04  -
F-Prot             4.5.1.85       2009.09.05  -
F-Secure           8.0.14470.0    2009.09.06  -
Fortinet           3.120.0.0      2009.09.06  -
GData              19             2009.09.06  -
Ikarus             T3.1.1.72.0    2009.09.06  -
Jiangmin           11.0.800       2009.09.06  -
K7AntiVirus        7.10.837       2009.09.05  -
Kaspersky          7.0.0.125      2009.09.06  -
McAfee             5732           2009.09.05  -
McAfee+Artemis     5732           2009.09.05  -
McAfee-GW-Edition  6.8.5          2009.09.06  Heuristic.LooksLike.Trojan.FakeAntivirus.I
Microsoft          1.5005         2009.09.06  -
NOD32              4399           2009.09.05  -
Norman             6.01.09        2009.09.04  -
nProtect           2009.1.8.0     2009.09.06  -
Panda              10.0.2.2       2009.09.05  -
PCTools            4.4.2.0        2009.09.04  -
Prevx              3.0            2009.09.06  -
Rising             21.45.14.00    2009.09.01  -
Sophos             4.45.0         2009.09.06  -
Sunbelt            3.2.1858.2     2009.09.05  -
Symantec           1.4.4.12       2009.09.06  -
TheHacker          6.3.4.3.396    2009.09.04  -
TrendMicro         8.950.0.1094   2009.09.05  -
VBA32              3.12.10.10     2009.09.05  -
ViRobot            2009.9.4.1919  2009.09.04  -
VirusBuster        4.6.5.0        2009.09.05  -

Additional information
File size: 335360 bytes
MD5...: 5a07fb253ebefadd26d289ccab379a99
SHA1..: 0b25e2c20b6e6b08df8f05267710f1ed9325dc32
SHA256: 73ac8c99e02c5475a55434f574d1ceee0bec2c56e126578fb466fd6f5c6b2c7c


If you ever get infected with Total Security, you can get rid of the pest by following these instructions:

1. End the tsc.exe process in Task Manager.
2. Close all browsers.
3. In Folder Options, enable viewing of hidden files, system files and file extensions.
4. Browse to and delete the following folders:
c:\program files\common files\TSUninstall
c:\program files\TS
5. Run HijackThis, select 'Do a system scan only', place a checkmark beside each of these entries and click 'Fix checked':
O2 - BHO: &IE Help - {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC} - C:\WINDOWS\system32\iehelpmod.dll
O4 - HKCU\..\Run: [TS] C:\Program Files\TS\tsc.exe
6. Delete C:\WINDOWS\system32\iehelpmod.dll; if the file is in use, delete it after the reboot in the next step.
7. Restart the computer.
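The indicators listed earlier (the three file hashes, the dropped folders and DLL, the BHO CLSID and the HKCU Run value) and the removal steps above fit naturally into one triage script. The following is an added example and not code from the original post: `scan_dir()` hashes every file under a directory and matches it against the post's MD5/SHA-256 values, `removal_plan()` expresses the cleanup as data so it can be reviewed first, and `remove()` carries it out only on Windows with `dry_run=False`, from an elevated prompt. The `demo()` fixture hashes a constructed 5-byte file against a constructed indicator set so the matching logic runs on any OS without the actual samples. The registry calls assume the keys exist exactly as listed on the page; `winreg.DeleteKey` fails if the BHO or Uninstall key has subkeys.

```python
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile

# Indicators taken from the post above.
KNOWN_HASHES = {
    "md5": {
        "3aeef8ccec46822d91c97ed92f8a4af2": "dropper (Antivirus_111.exe)",
        "47f48d75791e9ff4831b0e4a553c5569": "tsc.exe",
        "5a07fb253ebefadd26d289ccab379a99": "iehelpmod.dll",
    },
    "sha256": {
        "b2d842f4ebf1561429a0d84929ceeda2c7c5a7f850c2fd66ac4fa2ea6b6d6f15": "dropper (Antivirus_111.exe)",
        "a7173500bd783ef55d520cb4c9cdd235a250437e639ed589ac99855d65324b5f": "tsc.exe",
        "73ac8c99e02c5475a55434f574d1ceee0bec2c56e126578fb466fd6f5c6b2c7c": "iehelpmod.dll",
    },
}
DROPPED_PATHS = [
    r"C:\Program Files\Common Files\TSUninstall",
    r"C:\Program Files\TS",
    r"C:\WINDOWS\system32\iehelpmod.dll",
]
BHO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # value "TS"
UNINSTALL_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\TS"


def hash_file(path):
    """MD5 and SHA-256 of one file, read in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def scan_dir(root, hashes=KNOWN_HASHES):
    """Walk `root`; return [(path, algo, label)] for every file whose hash is listed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = hash_file(path)
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
            for algo, digest in found.items():
                label = hashes.get(algo, {}).get(digest)
                if label:
                    hits.append((path, algo, label))
    return hits


def removal_plan():
    """The post's cleanup steps as data, so they can be reviewed before running."""
    return ([("kill", "tsc.exe"),
             ("delete_value", RUN_KEY, "TS"),
             ("delete_key", BHO_KEY),
             ("delete_key", UNINSTALL_KEY)]
            + [("delete_path", p) for p in DROPPED_PATHS])


def remove(dry_run=True):
    """Execute removal_plan(); returns [(step, status)]. Real changes need
    Windows, an elevated prompt and dry_run=False."""
    if dry_run or sys.platform != "win32":
        return [(step, "planned") for step in removal_plan()]
    import winreg  # Windows only, hence imported here
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    results = []
    for step in removal_plan():
        try:
            if step[0] == "kill":
                subprocess.call(["taskkill", "/F", "/IM", step[1]])
            elif step[0] == "delete_value":
                hive, sub = step[1].split("\\", 1)
                with winreg.OpenKey(hives[hive], sub, 0, winreg.KEY_SET_VALUE) as k:
                    winreg.DeleteValue(k, step[2])
            elif step[0] == "delete_key":  # fails if the key still has subkeys
                hive, sub = step[1].split("\\", 1)
                parent, leaf = sub.rsplit("\\", 1)
                with winreg.OpenKey(hives[hive], parent, 0, winreg.KEY_ALL_ACCESS) as k:
                    winreg.DeleteKey(k, leaf)
            elif os.path.isdir(step[1]):
                shutil.rmtree(step[1])
            elif os.path.isfile(step[1]):
                os.remove(step[1])  # the BHO DLL may stay locked until after a reboot
            results.append((step, "done"))
        except OSError as e:
            results.append((step, "failed: %s" % e))
    return results


# Constructed fixture: the digests of the 5-byte string "hello", so the
# matching logic can be exercised anywhere without the real samples.
SAMPLE_HASHES = {
    "md5": {"5d41402abc4b2a76b9719d911017c592": "constructed sample"},
    "sha256": {"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824": "constructed sample"},
}


def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.bin"), "wb") as f:
            f.write(b"hello")
        return [(os.path.basename(p), algo, label) for p, algo, label in scan_dir(d, SAMPLE_HASHES)]


if __name__ == "__main__":
    print(demo())
    for step, status in remove(dry_run=True):
        print(status, step)
```

Run `scan_dir(r"C:\")` on a suspect machine to confirm the infection by hash before touching anything; hash matching is exact, so a repacked build of the same rogue will not match and the path and registry indicators remain the more durable tell. A failed `delete_path` on iehelpmod.dll simply means Internet Explorer still has the BHO loaded, which is why the manual steps above end with a reboot.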


A. Elshafei
