[Dshield] RE: New virus/remake of Win32.Rightu.A

Ruigrok van der Werven, Jeroen Jeroen.Ruigrok at t-mobile.nl
Fri Oct 31 12:53:41 GMT 2003


> This file is 12 KB.  And instead of being a trojan it has a more dangerous
> payload since a colleague's PC we used, disconnected from the network, was
> pretty FUBARed.

> We just heard from McAfee they classified it as Win32/Bics at MM, see:

> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100795

To add to this, I just use the standard Win32 console UPX
(upx.sourceforge.net) to decompress it on the command line.

Then I proceeded with a disassembly.

What I find curious is the fact that it refers to:


Not sure what it does with www.google.com, perhaps to create a window
with the error message.


Now these are more interesting, apparently it is fetching something
from these URLs since the disassembly I am looking at does a GET / HTTP/1.0
on these sites.

I am looking at the index.html of this site and it is kind of odd:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
<meta name="author" content="new user">
<meta name="generator" content="Microsoft FrontPage 4.0">
<meta name="description" content="profits">
<meta name="keywords" content="dark, darkprofits, profits, underworld">
<!-- text used in the movie -->
<!-- dark, darkprofits, profits, underworld -->
<!-- Created by SWiSHmax - Flash Made Easy - www.swishzone.com -->
<body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
  id="profits" width="422" height="96">
  <param name="movie" value="profits.swf">
  <param name="quality" value="high">
  <param name="bgcolor" value="#000000">
    <embed name="profits" src="profits.swf"
     quality="high" bgcolor="#000000" swLiveConnect="true"
     width="422" height="96"
<table border="0" width="100%" cellspacing="0" cellpadding="0">
    <td width="100%">
      <p align="center" style="margin-top: 0; margin-bottom: 0"><font
face="The Godfather" size="7">*</font></p>
      <p align="center" style="margin-top: 0; margin-bottom: 0"><font
face="The Godfather" size="7"><a
      <p align="center">&nbsp;</p>
      <p align="center">&nbsp;</p>
      <p align="center"><font face="Arial Narrow" size="2"><a
href="spam.html">Spam Disclaimer</a></font></td>

It looks as if it is trying to DoS this site.  Furthermore, McAfee now calls it
W32/Mimail.c at MM, and it has a hardcoded IP address:

The darkprofits site is located/registered in Thailand.  It might also be
that google.com is going to be DoSed.

This IP address is a site in Russia.


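As an added example that is not part of the original message: detection logic a defender could run over web proxy logs to spot the behaviour described above, a single client hammering one site with bare `GET / HTTP/1.0` requests. The log format, the `dos-target.example` host name and the threshold are assumptions; the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlparse

# Assumed proxy log format (constructed): "<iso-timestamp> <client> <method> <url> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)$"
)

# Constructed sample: 10.0.0.5 floods one site with "GET / HTTP/1.0";
# 10.0.0.7 is ordinary HTTP/1.1 browsing and must not be flagged.
SAMPLE_LOG = """\
2003-10-31T12:53:00 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:00 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:01 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:01 10.0.0.7 GET http://dos-target.example/ HTTP/1.1
2003-10-31T12:53:02 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:02 10.0.0.5 GET http://www.google.com/ HTTP/1.0
2003-10-31T12:53:03 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:03 10.0.0.7 GET http://intranet.example/index.html HTTP/1.1
2003-10-31T12:53:20 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
2003-10-31T12:53:21 10.0.0.5 GET http://dos-target.example/ HTTP/1.0
"""

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    url = urlparse(rec["url"])
    rec["host"], rec["path"] = url.netloc, (url.path or "/")
    return rec

def find_get_floods(lines, threshold=5, window_s=10):
    """Return {(client, host): peak_count} for every client that sent at least
    `threshold` bare "GET / HTTP/1.0" requests to one host within `window_s`
    seconds. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # (client, host) -> timestamps in current window
    flagged = {}
    for line in lines:
        r = parse_line(line)
        # Only the worm's pattern counts: root path, GET, old HTTP/1.0.
        if r is None or r["method"] != "GET" or r["path"] != "/" or r["proto"] != "HTTP/1.0":
            continue
        key = (r["client"], r["host"])
        q = recent[key]
        q.append(r["ts"])
        while q and (r["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()               # drop requests that fell out of the window
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for (client, host), n in find_get_floods(SAMPLE_LOG.splitlines()).items():
        print(f"possible HTTP flood: {client} -> {host} ({n} bare GET / HTTP/1.0 in window)")
```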
