[nsp-sec] Bracing For Impact... MS08-067

Rob Thomas robt at cymru.com
Thu Oct 23 17:36:17 EDT 2008


Hey, Nick.

Great stuff, thanks!

> HTTP check in:
> 59.106.145.58

We see two samples with this action in them.

SHA1 fb486ee69baacb57e07f614a67a5586395f57be4
MD5 ccbb73c5f137335fa2a49d7f79722a6c

It creates the following files:

   C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log
   C:\WINDOWS\system32\wbem\basesvc.dll
   C:\WINDOWS\system32\wbem\syicon.dll
   C:\WINDOWS\system32\wbem\winbase.dll

We see three DNS RR lookups, A RR queries all:

   doradora.atzend.com
   perlbody.t35.com
   summertime.1gokurimu.com

The malware then performs three distinct HTTP GETs (the first is repeated):

   h x x p : / / 59.106.145.58/test2.php?abc=2?def=2
   h x x p : / / perlbody.t35.com/icon.php
   h x x p : / / doradora.atzend.com/icon.php

Interesting AV results - on 2008-10-09 05:32:23 UTC four AV packages
tagged this one as at least suspicious.  As of 2008-10-22 02:51:45 UTC
only two AV packages tag this as at least suspicious.

SHA1 be71878c08544e093ab41f245c32e76259181bf8
MD5 f173007fbd8e2190af3be7837acd70a4

As of 2008-10-23 18:02:02 UTC at least four AV packages tag this sample
as suspicious.

The malware creates the following files:

   C:\DOCUME~1\user\LOCALS~1\Temp\FPMOOWRB.bat
   C:\WINDOWS\system32\wbem\sysmgr.dll

It launches cmd.exe with the batch file as input.  Ultimately in the
chain of subsequently launched processes, it creates:

   C:\WINDOWS\system32\basesvc.dll
   C:\WINDOWS\system32\inetproc02x.cab
   C:\WINDOWS\system32\install.bat
   C:\WINDOWS\system32\scm.bat
   C:\WINDOWS\system32\syicon.dll
   C:\WINDOWS\system32\winbase.dll
   C:\WINDOWS\system32\winbaseInst.exe

It performs DNS queries for:

   doradora.atzend.com
   perlbody.t35.com
   summertime.1gokurimu.com

Some similar HTTP GETs:

   h x x p : / / 59.106.145.58/test2.php?abc=2?def=2
   h x x p : / / perlbody.t35.com/icon.php
   h x x p : / / summertime.1gokurimu.com/icon.php
   h x x p : / / doradora.atzend.com/icon.php

The data returned from that GET request is interesting.  I'm still
wading through it.

This is an interesting command that is launched later in the mix of fun:

   C:\WINDOWS\system32\cmd.exe /c net stop sysmgr

I'm not a Windows guy, so that's all a mystery to me.

I'm running queries for the referenced IPs now.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
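An added example, not part of Rob's message: a small defender-side script that refangs the "h x x p : / /" indicators quoted in the post, pulls the host names out of them together with the listed DNS names, and scans log lines for matches. The BIND-style DNS log lines and Squid-style proxy log lines below are constructed for the demonstration; the indicator values are the ones quoted above.

```python
import re
from urllib.parse import urlsplit

# Indicators as quoted in the post (defanged form kept verbatim).
DEFANGED_URLS = [
    "h x x p : / / 59.106.145.58/test2.php?abc=2?def=2",
    "h x x p : / / perlbody.t35.com/icon.php",
    "h x x p : / / summertime.1gokurimu.com/icon.php",
    "h x x p : / / doradora.atzend.com/icon.php",
]
DNS_NAMES = {"doradora.atzend.com", "perlbody.t35.com", "summertime.1gokurimu.com"}

# Constructed sample logs (not from the post): BIND query log and Squid access log.
SAMPLE_DNS_LOG = [
    "23-Oct-2008 17:01:02.123 client 10.0.0.5#1034: query: doradora.atzend.com IN A +",
    "23-Oct-2008 17:01:03.456 client 10.0.0.5#1035: query: www.example.com IN A +",
]
SAMPLE_PROXY_LOG = [
    "1224781262.001 120 10.0.0.5 TCP_MISS/200 512 GET http://59.106.145.58/test2.php?abc=2?def=2 - DIRECT/59.106.145.58 text/html",
    "1224781263.002 80 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1224781264.003 90 10.0.0.5 TCP_MISS/200 700 GET http://perlbody.t35.com/icon.php - DIRECT/203.0.113.9 text/html",
]

def refang(url: str) -> str:
    """Turn 'h x x p : / / host/path' back into 'http://host/path'."""
    scheme, _, rest = url.partition("/ /")
    scheme = scheme.replace(" ", "").rstrip(":")          # 'hxxp'
    return scheme.replace("hxxp", "http") + "://" + rest.strip()

def indicator_hosts() -> set:
    """Hosts to watch for: DNS names from the post plus hosts of the refanged URLs."""
    return DNS_NAMES | {urlsplit(refang(u)).hostname for u in DEFANGED_URLS}

def scan_dns_log(lines):
    """Return (line_no, name) for A-record queries to any indicator host."""
    hosts, hits = indicator_hosts(), []
    for i, line in enumerate(lines, 1):
        m = re.search(r"query: (\S+) IN A\b", line)
        if m and m.group(1).rstrip(".").lower() in hosts:
            hits.append((i, m.group(1).rstrip(".")))
    return hits

def scan_proxy_log(lines):
    """Return (line_no, url) for HTTP requests to any indicator host."""
    hosts, hits = indicator_hosts(), []
    for i, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line):
            if urlsplit(url).hostname in hosts:
                hits.append((i, url))
    return hits
```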