[Dshield] suspiroamor.land.ru trojan

jayjwa jayjwa at atr2.ath.cx
Sun Nov 25 04:17:32 GMT 2007



(Possibly) new trojans. These came from a link spammed out in email
that ended up in my Hotmail inbox. The files are win32 PEs, with some
interesting strings embedded in them. One of the files appears to be a
server of some sort with SMTP ability. There are also a lot of calls to
graphics routines, so maybe one of the files is a client or user
interface of some type. Written in Delphi, downloaded from
suspiroamor.land.ru, root directory.

amor.com: The only file linked in the email. Probably downloads/exec others.

Interesting strings:

    taskkill -f /im gbpsv.exe
    C:\Arquivos de programas\GbPlugin\gbieh.dll
    C:\Arquivos de programas\GbPlugin\gbieh.gmd
    C:\windows\Crime.exe
    C:\WINDOWS\system32\WormList.exe
    URLDownloadToFileA
    shell32.dll
    ShellExecuteA

derby.com: Referenced in the above file.

javas.com: Same. Contains an email template, lots of calls to Winsock.

Interesting hardcoded strings:

    msnlist.txt
    dadospen at gmail.com
    Lista MSN (
    gsmtp185.google.com

    hsResolving
    hsConnecting
    hsConnected
    hsDisconnecting
    hsDisconnected
    hsStatusText
    ftpTransfer
    ftpReady
    ftpAborted
    IdComponent
    TIdStatusEvent
    ASender

    Indy 9.00.10
    X-Library

* About to connect() to suspiroamor.land.ru port 80 (#0)
*   Trying 82.204.219.223... connected
* Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> GET /javas.com HTTP/1.1
> User-Agent: from Russia with love?
> Host: suspiroamor.land.ru
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/0.5.31
< Date: Sun, 25 Nov 2007 03:09:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 523264
< Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
< 
{ [data not shown]


The signature/data files are a bit old (Nov. 9) but F-prot had this to say:

amor.com  Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus

Available as downloaded above, or local copies together in a zip for
anyone that wants to look at them:

https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip

Useful tool to examine binaries:
http://hte.sourceforge.net/
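A string-level triage of the kind described in the post above, as an added example that is not part of the original message or the author's tooling. The sample binary is constructed here (a bare MZ/PE header followed by the strings quoted in the post), and the indicator families are this example's own grouping of those strings, not anything stated by the author.

```python
import re
import struct

# Indicator families built from the strings reported in the post.
# The family names are this example's own labelling (constructed).
INDICATORS = {
    "downloader_api": [b"URLDownloadToFileA", b"ShellExecuteA"],
    "kills_gbplugin": [b"taskkill -f /im gbpsv.exe", b"GbPlugin\\gbieh.dll", b"GbPlugin\\gbieh.gmd"],
    "drops_files": [b"C:\\windows\\Crime.exe", b"C:\\WINDOWS\\system32\\WormList.exe"],
    "smtp_exfil": [b"gsmtp185.google.com", b"msnlist.txt", b"Lista MSN ("],
    "indy_library": [b"Indy 9.00.10", b"TIdStatusEvent", b"IdComponent"],
}

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes (what `strings` prints by default)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()

def triage(data: bytes) -> dict:
    """Return the indicator families whose strings appear in the binary, keyed by family."""
    found = set(printable_strings(data))
    hits = {}
    for family, needles in INDICATORS.items():
        matched = sorted(n.decode() for n in needles if any(n in s for s in found))
        if matched:
            hits[family] = matched
    return hits

def build_sample() -> bytes:
    """Constructed stand-in for amor.com: minimal MZ/PE header plus strings from the post.
    This is NOT the real file; only the embedded strings come from the report."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    body = b"PE\x00\x00" + b"\x00" * 20
    body += b"\x00".join([b"taskkill -f /im gbpsv.exe", b"C:\\windows\\Crime.exe",
                          b"URLDownloadToFileA", b"shell32.dll", b"ShellExecuteA"])
    return bytes(header) + body

if __name__ == "__main__":
    sample = build_sample()
    print("PE:", is_pe(sample))
    for family, matched in triage(sample).items():
        print(f"{family}: {', '.join(matched)}")
```

Pointing `triage()` at the real specimens (read with `open(path, "rb")`) gives a quick first pass before opening them in a disassembler such as hte.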


