We use XP there. It turns out that a little bug crept into the company network and happily installed itself on my memory stick (and on all 250 PCs of the unsecured network) this morning.
Naturally there was great panic among the IT people ;D and the whole network had to go down.
I just stuck my memory stick into my Mint box to have a quick look at what the rascal has put on it.
In the root I find an 'autorun.inf' with the following code:
Code: Select all
[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
Code: Select all
$ tree /media/BAUDREZ/RECYCLER/
/media/BAUDREZ/RECYCLER/
`-- S-1-6-21-2434476521-1645641927-702000330-1542
|-- Desktop.ini
`-- redmond.exe
1 directory, 2 files
$ ls -l -h
totaal 320K
-rwxr-xr-x 1 alain root 511 2009-10-29 12:15 Desktop.ini
-r-xr-xr-x 1 alain root 315K 2009-10-29 10:15 redmond.exe
$
And there I was, laughing up my sleeve...
Trojan.Buzus.avwn arrives on a system as a file dropped by other malware, or downloaded by an unsuspecting user when visiting malicious websites. It also spreads using removable drives.
Malware Type: Trojan
Alias: TR/Buzus.avwn.1 [Avira], Generic.dx!w trojan [McAfee]
System Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Risk Rating: Low
Description
When Trojan.Buzus.avwn is executed, it performs the following activities:
After execution it creates the following files:
%System%\javaloadr.exe
%System%\zarukige
%System%\yozugifi.dll
%System%\enanowan.ini
%System%\javacq.exe
%System%\tomewope.dll
%System%\kizevati.dll
%System%\yofiyuya.dll
%System%\rudajeki.dll
%System%\yimogate.dll
%System%\ginuzefa.dll
%System%\itavezik.ini
%userprofile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
%userprofile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat
Most of the DLL files are injected into running processes.
It creates the following files on removable drives only:
%Driveletter%\autorun.inf
%Driveletter%\RECYCLER\{string}\Desktop.ini
%Driveletter%\RECYCLER\{string}\redmond.exe
It drops "autorun.inf" so that "redmond.exe" is executed automatically when the drive is accessed. It contains the following string:
[autorun]
open=RECYCLER\{string}\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\{string}\redmond.exe
shell\open\default=1
It drops a non-malicious "desktop.ini", which contains the following string.
In effect, the folder gets the icon of the Recycler (Recycle Bin) folder.
[.ShellClassInfo]
CLSID={6F5F1430-5092-102A-9F08-05BB012F954E}
It creates/modifies the following registry entries for auto-execution (key, then the value(s) set under it):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SunJavaUpdateSched v3.5 = "%System%\javacq.exe"
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  %System%\javacq.exe = "%System%\javacq.exe:*:Enabled:Explorer"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  CPM93eafacd = "Rundll32.exe "%System%\yozugifi.dll",a"
  90d9c951 = "rundll32.exe "%System%\nawonane.dll",b"
  moyubazime = "Rundll32.exe "%System%\dotudoyi.dll",s"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  AppInit_DLLs = "%System%\johakehe.dll %System%\yozugifi.dll"
HKLM\Software\Microsoft\Security Center
  UpdatesDisableNotify = "1"
HKLM\System\CurrentControlSet\Control\Lsa
  Notification Packages = "scecli%System%\johakehe.dll"
The following domain is queried to learn the public IP address of the affected machine:
* http://whatismyip.com
The following domains are contacted after execution:
* [xxxx]gto.net.om
* [xxxx]non-online.com.lb
* [xxxx].buysoft.co.kr
It connects to remote SMTP servers and sends e-mails.
Payload
* Downloads malicious files.
Solution
Disable System Restore.
* Disable System Restore under Windows Me:
Point to Start, Settings, and Control Panel. Double-click 'System', then click on the 'Performance' tab. Click 'File System' then click the 'Troubleshooting' tab. Select 'Disable System Restore' and click 'Apply'. Restart your system.
* Disable System Restore under Windows XP:
Point to Start, Control Panel, Performance and Maintenance. Double-click 'System', then select the 'System Restore' tab. Select the 'Turn off System Restore on all drives' box. Click Apply. Click Yes. Restart your system.
Quick Heal users are requested to update their antivirus with the latest signature pattern definitions and perform a system scan using Quick Heal Scanner.
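As an added example (not part of the original post or of the Quick Heal write-up), here is a small Python triage script for an autorun.inf copied off a removable drive from a Linux box, as was done above. It parses the file and flags the traits this write-up describes: a launch key pointing into a RECYCLER\<SID> folder, an .exe target, the borrowed SHELL32.dll icon and the misleading 'Open folder to view files' action. The embedded sample is the autorun.inf from the post; the function and constant names are my own.

```python
"""Triage an autorun.inf copied off a removable drive (defender-side check)."""
from configparser import ConfigParser
import re

# Constructed sample: the same text as the autorun.inf found on the stick.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""

# A RECYCLER\S-<digits>-<digits>...\ prefix: a folder posing as a per-user Recycle Bin.
FAKE_RECYCLER = re.compile(r"^RECYCLER\\S-\d+(-\d+)+\\", re.IGNORECASE)
# Keys Autoplay can use to launch something. "shellexecute" is another launch
# key autorun.inf supports; it is not used in the sample above.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a {lowercase key: value} dict."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)  # values contain '%'
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {key: value.strip() for key, value in cp.items("autorun")}


def triage_autorun(text: str) -> list:
    """List suspicious traits of an autorun.inf; an empty list means nothing flagged."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key, "")
        if not target:
            continue
        if target.lower().endswith(".exe"):
            findings.append(f"{key}= launches an executable: {target}")
        if FAKE_RECYCLER.match(target):
            findings.append(f"{key}= points into a fake Recycle Bin folder (RECYCLER\\<SID>)")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon= borrows a stock Windows icon so the drive looks ordinary")
    if "view files" in entries.get("action", "").lower():
        findings.append("action= mimics the built-in 'Open folder to view files' prompt")
    return findings
```

Running `triage_autorun(SAMPLE_AUTORUN)` on the post's file yields six findings; a plain autorun.inf that only sets `label=` and `icon=` to a local .ico yields none.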