Storm worm goes nuclear.
We've received reports about malware spreading with war-related subject lines. The user reporting it did not have a copy of the malware, but one of my email drops did. The binary appears to communicate with several other systems over high, semi-random UDP ports. The ISC has posted a diary related to this event. It can be found here.
File: Click Me.exe (95c563731b7828d6e98eae81ee08869f)
Subject lines in email:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more than 20000 Iranian citizens
Missle Strike: The USA kills more than 1000 Iranian citizens
Missle Strike: The USA kills more than 10000 Iranian citizens
Isreal Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
Spreads as one of the following attachments:
More.exe
Read More.exe
Click Here.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
Opened port UDP 11274 listener. (visible with netstat -ao)
Communication via UDP with over 200 peers:
Communication made through a random UDP port. The most common port is 30191 followed by 1857, 4061, 1859 and 1853.
Disables processes with the window names: blackice firewall avg vsmon zonealarm spybot nod32 regedit mcafee taskmgr hijackthis msconfig antivirus nav avp
Scans files on the hard drive for email addresses to spread to. Spreads with a built-in SMTP relay.
Creates wincom32.ini with the following data:
[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
...
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
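An added example (not from the original post) that turns the [peers] section of a recovered wincom32.ini into peer IP addresses and ports for blocking or hunting. Reading each 14-hex-digit value as a 4-byte IPv4 address, a big-endian 16-bit port and one trailing byte decodes the six quoted entries to 83.38.133.154, 89.85.252.147, 84.80.109.203, 88.191.15.80, 72.36.146.114 and 81.57.135.146, all of which are among the peers the post observed traffic to; the meaning of the trailing byte is not established here and is only reported.

```python
import configparser
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample wincom32.ini, built from the six [peers] entries quoted in the post.
SAMPLE_INI = """[counter]
Counter=0
[peers]
003964D3640550573F800125725481EF=5326859A123900
004982069E5DB75721B54CFF33A26170=5955FC93123900
F4842DAE3B27F129678E1847263CAB26=54506DCB17E800
F63EDCCBDCAF1A1E79DEC78C8666B552=58BF0F50468500
FD6A5500DC3ED6A4E8398E3580A974FA=48249272325D00
FDD38B10A859838455DF59392B3C3F71=51398792233800
"""

PEER_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")   # 128-bit peer ID as written in the file
PEER_VAL_RE = re.compile(r"^[0-9A-Fa-f]{14}$")  # 7 bytes: IPv4 + port + 1 trailing byte


def decode_peer_value(value: str) -> Tuple[str, int, int]:
    """Split one [peers] value into (ipv4, port, trailing_byte).

    Layout observed by cross-checking the post's entries against its peer list
    (an observation, not a documented format): bytes 0-3 IPv4, bytes 4-5 port
    (big-endian), byte 6 an unexplained trailing byte (0x00 in every sample).
    """
    if not PEER_VAL_RE.match(value):
        raise ValueError(f"unexpected peer value: {value!r}")
    raw = bytes.fromhex(value)
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port = int.from_bytes(raw[4:6], "big")
    return ip, port, raw[6]


def parse_peers(ini_text: str) -> List[Dict[str, object]]:
    """Return one record per [peers] entry; a malformed entry raises rather than being dropped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the peer ID's hex digits exactly as written
    cp.read_string(ini_text)
    records = []
    for peer_id, value in cp["peers"].items():
        if not PEER_ID_RE.match(peer_id):
            raise ValueError(f"unexpected peer id: {peer_id!r}")
        ip, port, flag = decode_peer_value(value)
        records.append({"peer_id": peer_id, "ip": ip, "port": port, "flag": flag})
    return records


def peer_endpoints(ini_text: str) -> List[str]:
    """Sorted 'ip:port' strings, the form most useful for a firewall or IDS watchlist."""
    return sorted(f"{r['ip']}:{r['port']}" for r in parse_peers(ini_text))
```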
Rootkit Revealer Output:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32 4/8/2007 11:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000\DeviceDesc 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32 4/9/2007 12:45 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\ImagePath 4/9/2007 12:45 AM 74 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\wincom32\DisplayName 4/9/2007 12:45 AM 18 bytes Hidden from Windows API.
C:\WINDOWS\system32\wincom32.sys 4/8/2007 11:45 PM 52.75 KB Hidden from Windows API.
(hint: type c:\windows\system32\wincom32.sys >c:\windowstrojan.sys)
wincom32.sys (f9d04e27f908f9c50fd5ce2aeea72b08) infected: Trojan.Peed.BF (BitDefender)
Jose Nazario with Arbor Networks found some more hashes related to this malware run:
00de52e42e23439f4469f6a0429f80ec8ce3cbd3 "Click Here.exe"
5df70e6794e96adcf68c8f5c0134645dd3f38884 "Movie.exe"
868a8f2dc2cf3d056c4c079c97ef6ea797b5e402 "Read Me.exe"
caf89f7dac0627cf0f523f414cc4e0bc8500debc "Video.exe"
f717291eb5e9edf70007f90a16c7e99fad6f16bb "News.exe"
Thanks Jose! Jose also believes this is closely related to the Storm malware we've seen over the past month or so.
More information can be found here at secureworks.com
Labels: nuwar, p2p botnet, peacomm, peed, Storm