General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Packed.Win32.Krap.x
• F-Secure: Packed.Win32.Krap.x
• Eset: Win32/Kryptik.AWF
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Registry modification
Files
– %SYSDIR%\sys.dat It is executed after it has been fully written. Further investigation showed that this file is malware too. Detected as: BDS/Glecia.A
– %SYSDIR%\bhdvgtueyitf.dll It is executed after it has been fully written. Further investigation showed that this file is malware too. Detected as: BDS/Glecia.A
– c:\%malware execution directory%\sys.bat It is executed after it has been fully written. This batch file is used to delete a file.
Registry
The following registry keys are added:
– [HKCR\CLSID\{%CLSID%}]
• "(Default)"="Microsoft Online Helper!"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%CLSID%}]
• "(Default)"="Microsoft Online Helper!"
– [HKCR\CLSID\{%CLSID%}\InProcServer32]
• "(Default)"=hex(2):%hex values%
• "ThreadingModel"="Apartment"
The following registry key is changed:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
New value:
• "Enable Browser Extensions"="yes"
Email
It does not have its own spreading routine, but it was spammed out via email. The characteristics of that email are described below:
From:
The sender address is spoofed.
Subject:
The following:
• DHL service. Please get your parcel. Delivery NR.163400
Body:
The body of the email is the following:
• Hello!
• The courier company was not able to deliver your parcel by your address.
• Cause: Error in shipping address.
• You may pickup the parcel at our post office personaly!
• Please note!
• The shipping label is attached to this e-mail.
• Please print this label to get this package at our post office.
• Thank you for attention.
• DHL Global Forwarding Services.
Attachment:
The filename of the attachment is:
• DHL_package_label_6f1aa.zip
The attachment is an archive containing a copy of the malware itself.
The email looks like the following:
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.
Handle with Avira Premium Security Suite v9