[Dshield] RE: New virus/remake of Win32.Rightu.A

Ruigrok van der Werven, Jeroen Jeroen.Ruigrok at t-mobile.nl
Fri Oct 31 12:53:41 GMT 2003


All,

> This file is 12 KB.  And instead of being a trojan it has a more dangerous
> payload since a colleague's PC we used, disconnected from the network, was
> pretty FUBARed.

> We just heard from McAfee they classified it as Win32/Bics@MM, see:

> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100795

To add to this, I just used the standard Win32 console UPX
(upx.sourceforge.net) to decompress it on the command line.

Then I proceeded with a disassembly.

What I find curious is the fact that it refers to:

www.google.com

Not sure what it does with www.google.com, perhaps create a window
with the error message.

www.darkprofits.com
www.darkprofits.net

Now these are more interesting; apparently it is fetching something
from these URLs, since the disassembly I am looking at does a GET / HTTP/1.0
on these sites.

I am looking at the index.html of this site and it is kind of odd:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>DarkProfits</title>
<meta name="author" content="new user">
<meta name="generator" content="Microsoft FrontPage 4.0">
<meta name="description" content="profits">
<meta name="keywords" content="dark, darkprofits, profits, underworld">
<!-- text used in the movie -->
<!-- dark, darkprofits, profits, underworld -->
<!-- Created by SWiSHmax - Flash Made Easy - www.swishzone.com -->
</head>
<body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"
alink="#C0C0C0">
<center>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=5,0,42,0"
  id="profits" width="422" height="96">
  <param name="movie" value="profits.swf">
  <param name="quality" value="high">
  <param name="bgcolor" value="#000000">
    <embed name="profits" src="profits.swf"
     quality="high" bgcolor="#000000" swLiveConnect="true"
     width="422" height="96"
     type="application/x-shockwave-flash"
     pluginspage="http://www.macromedia.com/go/getflashplayer"></embed>
</object>
</center>
<p>&nbsp;</p>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr>
    <td width="100%">
      <p align="center" style="margin-top: 0; margin-bottom: 0"><font
face="The Godfather" size="7">*</font></p>
      <p align="center" style="margin-top: 0; margin-bottom: 0"><font
face="The Godfather" size="7"><a
href="http://www.darkprofits.com/index.php">Enter
      DarkProfits</a></font></p>
      <p align="center">&nbsp;</p>
      <p align="center">&nbsp;</p>
      <p align="center"><font face="Arial Narrow" size="2"><a
href="spam.html">Spam Disclaimer</a></font></td>
  </tr>
</table>
</body>
</html>

It looks as if it is trying to DoS this site.  Furthermore, McAfee now calls it
W32/Mimail.c@MM, and it has a hardcoded IP address: 212.5.86.163.

The darkprofits site is located/registered in Thailand.  It might also be
that google.com is going to be DoSed as well.

This IP address is a site in Russia.

--Jeroen


N.B.: a DISCLAIMER with important RESERVATIONS applies to (the content of)
this e-mail: see http://www.t-mobile.nl/disclaimer

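The triage described in the message (spot the UPX packer, then pull the contact points out of the unpacked image: hostnames, a hardcoded IP, the HTTP request template) can be scripted. The following is an added example, not the poster's tooling and not code from the worm. It walks a PE section table to look for UPX-named sections, scans the bytes for hostnames, dotted-quad addresses and HTTP request lines, and runs against a constructed stand-in binary that only embeds the strings the message quotes (www.google.com, www.darkprofits.com/.net, 212.5.86.163, `GET / HTTP/1.0`); the decoy `999.1.2.3` is there to show the octet check rejecting a non-address. The real sample would first be unpacked with `upx -d`, as the message says.

```python
import re
import struct

# Hostnames (an optional scheme is consumed but not captured), dotted quads
# with each octet validated below, and HTTP request lines.
_HOST = re.compile(rb"(?:https?://)?((?:[a-z0-9-]+\.)+(?:com|net|org|ru|th))\b", re.I)
_IPV4 = re.compile(rb"(?<![\w.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\w.])")
_HTTP = re.compile(rb"(?:GET|POST|HEAD) +\S* +HTTP/1\.[01]")


def pe_section_names(data):
    """Section names from a PE image's section table; [] if the DOS/PE
    headers are not where they should be or the table runs off the end."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size          # IMAGE_SECTION_HEADER array
    names = []
    for i in range(num_sections):
        off = table + 40 * i                      # 40 bytes per section header
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data):
    """Heuristic: UPX renames sections to UPX0/UPX1 and leaves a 'UPX!'
    marker in the file; either is enough to reach for `upx -d`."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def _dedup(items):
    return list(dict.fromkeys(items))


def extract_hosts(data):
    return _dedup(m.group(1).decode("ascii").lower() for m in _HOST.finditer(data))


def extract_ips(data):
    """Dotted quads whose four octets are all in 0..255."""
    found = []
    for m in _IPV4.finditer(data):
        octets = [int(o) for o in m.groups()]
        if all(o <= 255 for o in octets):
            found.append(".".join(str(o) for o in octets))
    return _dedup(found)


def extract_http_requests(data):
    return _dedup(m.group(0).decode("ascii") for m in _HTTP.finditer(data))


def triage(data):
    return {
        "packed": looks_upx_packed(data),
        "hosts": extract_hosts(data),
        "ips": extract_ips(data),
        "http_requests": extract_http_requests(data),
    }


def build_sample():
    """Constructed stand-in, not the real worm: a minimal PE skeleton with
    UPX section names (no optional header, so SizeOfOptionalHeader is 0)
    followed by the strings the message reports, plus one decoy."""
    names = [b"UPX0", b"UPX1", b".rsrc"]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    body = b"\0".join([
        b"www.google.com", b"http://www.darkprofits.com/", b"www.darkprofits.net",
        b"212.5.86.163", b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n", b"999.1.2.3", b"UPX!",
    ]) + b"\0"
    return dos + coff + sections + body


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:14} {value}")
```

The regexes are deliberately narrow (a short TLD list, no IPv6) so that a packed or encrypted image produces few false hits; a real run would wrap the same functions around the bytes read from the `upx -d` output and compare the hosts and addresses against what the disassembly shows being passed to the socket calls.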
