Thursday, November 25, 2010

New Password Stealer Found MD5: 6deb0bdb5fb07bcdb1205d6ddd6a4ec2

Today I stumbled across a new trojan/password stealer that installs itself through Sun Microsystems Java.

Users receive an email such as:

Amy Fibro commented on your photo.
To see the comment thread, follow the link below:
http://www.facebook.com/n/?photo.php&fbid=155175754523620&set=a.145049682202894.23363.100000935890817&mid=33283faG5af34842cf81G37f9cbG9
Thanks,
The Facebook Team

This email is not from facebook. If you look at the link on the email - it points to a different URL that contains the java application which installs the virus.



With a default install of Internet Explorer 8 with all latest security updates and patches up to 26/11/2010 and default security settings the worm was able to automatically install itself.

The worm adds itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it can automatically execute upon startup.

The worm also changes the internet explorer security settings by modifying a series of registry keys.

The following Registry Values were modified:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1406 =
1609 =


The worm is also capable of infecting executables.

The malware injects codes into the address space of the following processes to mask its presence:
taskhost.exe
taskeng.exe
wscntfy.exe
ctfmon.exe
rdpclip.exe
explorer.exe


If you do not run your PC as administrator the worm will not have permissions to infect beyond your user profile.

The worm collects FTP credentials (IP, port, username, and passwords) from the following FTP software:
•FlashFXP
•Total Commander
•ws_ftp
•FileZilla
•FAR/FAR2
•winscp
•FTP Commander
•CoreFTP
•SmartFTP

The worm also has a keylogger for logging all other password related activity such as bank accounts etc.

When installed the worm copied itself to:

%APPDATA%\<random letters%>\<random letters>.exe

For example for me it called itself niba.exe.



When the virus is running the description the virus gives itself in task manager is Windows Defender.

Running the virus through one of my favorite sites virscan.org we see that only some antivirus companies detect it and the ones that do only come back with a generic detection.



I will be submitting the virus sample to the other anti-virus companies to get this worm indexed ASAP.

4 comments:

  1. what version of java did you have installed when that happened?

    ReplyDelete
  2. Hi Clint,
    When you submitted the virus sample to the other anti-virus companies did they indexed fast? I want to know this because my cousin says it takes time... Thank you so much for sharing this invaluable info!
    Smiles to you,
    Chiara

    ReplyDelete