Another new trojan computer virus in the wild

As if there were not enough already, a new trojan written in the Delphi programming language has appeared and is now circulating freely on the Internet. The author of this trojan claims that it has a very small footprint on the infected systems and a very low detection rate according to novirusthanks.org, see report. I've scanned it at novirusthanks.org because, at the time of writing, virustotal.com was temporarily out of service. In fact the detections are the results of heuristic analysis; the trojan does not yet have a name or a signature in the antivirus databases.

This new trojan uses a less common configuration: while most trojans use a two-module client-server configuration, this one has a third module named gateway, used as an intermediary between client and server, so all communications pass through the gateway. The gateway can reside on the same computer as the client program (actually the "Control Panel" of the trojan), using a different port for communications, or on a different computer. The gateway folder also contains the real trojan server in the form of a dll file, which will be downloaded later by the pseudo-server.

The server (pseudo-server) first connects to a previously set FTP account to grab the gateway's IP address and then communicates with the gateway; each time the gateway runs, it uploads (updates) its connection details to that FTP account:

1. the gateway’s IP
2. the gateway’s port
3. the gateway’s password

Why such a complicated configuration is used is beyond my understanding; perhaps so that the real IP address of the client (Command & Control) cannot be traced: only the gateway's IP address is revealed in the logs if someone performs network sniffing, so the gateway acts as a kind of proxy sitting between the attacker and the victim PCs. Could there be another reason? I don't know yet, let's see. The author of this malware says in the readme file:

… To avoid firewalls and routers, there is no direct connection between the client and server. They are connected through the gateway.

The server (pseudo-server according to its author, who says the real server sits in the gateway folder), let's call it the infecting module for the sake of clarity, is disguised as a WinZip self-extracting archive, but running it on a computer will result in an infection while a fake error message is displayed:

[screenshot: the fake error message]

Because it comes as a fake self-extracting archive, attackers can more easily convince innocent users to execute it, telling them it is an archive of photos or songs, for example via social networking sites like Facebook or Twitter; but it can also be bound into keygens, cracks, warez software or torrent downloads of modified program installers.

The analysis report when the server trojan is run in Sandboxie with the Buster Sandbox Analyzer add-on is:

[ General information ]
* File name: c:\documents and settings\administrator\desktop\the_latest\mirage\server\mirage – server 2.0.exe
* File length: 2116096 bytes
* File signature: Borland Delphi 6.0 – 7.0
* MD5 hash: 840bd7657143f96f478a1576f5d0d56b
* SHA1 hash: 081db207f896bcefdc9a92f471a7884ee82fdfea
* SHA256 hash: e05169a0eb6c8fca84062f61c16f31f628b68c7a4cbda7d80f7f02e719be99db

[ Changes to filesystem ]
* Creates file C:\Program Files\Intel\pcta.exe
* Creates file C:\Program Files\Intel\pctaARA.dll
* Creates file C:\Program Files\Intel\pctaCHS.dll
* Creates file C:\Program Files\Intel\pctaCHT.dll
* Creates file C:\Program Files\Intel\pctaCSY.dll
* Creates file C:\Program Files\Intel\UNS Instructions.pdf
* Creates file C:\WINDOWS\mouse.vxd
* Creates file C:\WINDOWS\system32\Dscr.dll
* Creates file C:\WINDOWS\system32\hwd.vxd
* Creates file C:\WINDOWS\system32\lsproc.dll
* Creates file C:\WINDOWS\system32\Wupdt.dll
* Creates file C:\Documents and Settings\All Users\Application Data\hardware.vxd

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates value “AlwaysUnloadDll=1″ in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer
* Modifies value “Userinit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Intel\pcta.exe,” in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Winlogon
old value “Userinit=C:\WINDOWS\system32\userinit.exe,”
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Process/window information ]
* Keylogger functionality.
* Creates a mutex “CTF.LBES.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Compart.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Asm.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Layouts.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TMD.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TimListCache.FMPDefaultS-1-5-21-839522115-261903793-1417001333-500MUTEX.DefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “MutexNPA_UnitVersioning_1048″.
* Creates a mutex “WinZipSelfLoader”.
* Creates a mutex “MSCTF.Shared.MUTEX.MIF”.
* Creates a mutex “MSCTF.Shared.MUTEX.IFM”.
* Creates an event named “MSCTF.SendReceive.Event.IFM.IC”.
* Creates an event named “MSCTF.SendReceiveConection.Event.IFM.IC”.

The analysis is self-explanatory; I will mention only the less well-known automatic start-up registry entry through the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, where the trojan adds its own path to the Userinit value alongside the original userinit.exe entry, so Winlogon launches it at every logon. We can also see that the installation folder is %Program Files%\Intel, where the trojan drops several dll's and an executable:

pcta.exe MD5: E2F2D1AB8AD570632D5EAB30CB0FBF70, size 644KB
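The Userinit trick above is easy to audit: Winlogon runs every comma-separated entry in that value at logon, so anything other than the genuine userinit.exe is a persistence entry. The following script is an added example, not code from the post or from the trojan; it splits the value, compares each entry with the expected path (case-insensitively, because the registry and the real path often differ in case), and on Windows reads the live value with the standard winreg module. The two sample values are constructed from the sandbox report above; the helper names are mine.

```python
import sys

# Registry key holding the Userinit value (path is the standard Winlogon key).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed from the sandbox report above: the value before and after infection.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Program Files\Intel\pcta.exe,"


def userinit_entries(value):
    """Split the comma-separated Userinit list; Winlogon runs every entry at logon."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Return every entry that is not the genuine userinit.exe in the system32 folder.

    The comparison is case-insensitive because the registry value and the real
    path frequently differ in case (C:\\WINDOWS versus C:\\Windows).
    """
    expected = (system_root.rstrip("\\") + r"\system32\userinit.exe").lower()
    return [e for e in userinit_entries(value) if e.lower() != expected]


def read_live_userinit():
    """Read the current Userinit value from the local registry (Windows only)."""
    import winreg  # only present in Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def main():
    if sys.platform == "win32":
        import os
        value = read_live_userinit()
        root = os.environ.get("SystemRoot", r"C:\Windows")
    else:
        # Offline demonstration on the constructed infected value.
        value, root = INFECTED_USERINIT, r"C:\WINDOWS"
    extra = unexpected_userinit_entries(value, root)
    if extra:
        print("Userinit has unexpected entries:", extra)
    else:
        print("Userinit is clean:", value)


if __name__ == "__main__":
    main()
```

The check only tells you that an extra entry exists; a replaced or trojanised userinit.exe at the expected path would pass it, so pair it with a hash check of that file.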

The Buster Sandbox Analyzer report about the gateway:

[ General information ]
* File name: c:\documents and settings\administrator\desktop\the_latest\mirage\gateway\mirage – gateway 2.0.exe
* File length: 630272 bytes
* File signature: ASPack 2.12 -> Alexey Solodovnikov
* MD5 hash: a4707b5260758377ec4003a194882676
* SHA1 hash: 7620dc1eeced8770faa4af16afd968bca40d8e06
* SHA256 hash: f8b2dd69d6e41f04e472bab3e0c0f421796c7e4cbf8f458b5a369d471628c7c6

[ Changes to filesystem ]
* No changes

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Backdoor functionality on port 516.
* Connects to “72.233.89.199″ on port 80.

[ Process/window information ]
* Keylogger functionality.
* Creates a mutex “oleacc-msaa-loaded”.
* Creates a mutex “CTF.LBES.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Compart.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Asm.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Layouts.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TMD.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TimListCache.FMPDefaultS-1-5-21-839522115-261903793-1417001333-500MUTEX.DefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “MutexNPA_UnitVersioning_1832″.
* Creates a mutex “MSCTF.Shared.MUTEX.MIF”.
* Creates a mutex “MSCTF.Shared.MUTEX.AJI”.
* Creates an event named “MSCTF.SendReceive.Event.AJI.IC”.
* Creates an event named “MSCTF.SendReceiveConection.Event.AJI.IC”.
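The two reports above follow a fixed line format, which makes them easy to turn into an indicator list for a scanner or a blocklist. The parser below is an added example, not part of the post or of Buster Sandbox Analyzer; it recognises the section headers and the "Creates file", "Creates/Modifies value", "Deletes Registry key", "Backdoor functionality", "Connects to" and "Creates a mutex" lines, attaching each "old value" line to the preceding registry modification. The embedded sample is constructed from lines of both reports above (shortened, with straight quotes and an abbreviated file name); the function and key names are mine.

```python
import re

# Constructed sample: lines taken from the two Buster Sandbox Analyzer reports
# above (shortened; the file-name line is abbreviated, quotes are straight).
SAMPLE_REPORT = r"""
[ General information ]
* File name: c:\documents and settings\administrator\desktop\mirage - server 2.0.exe
* File length: 2116096 bytes
* File signature: Borland Delphi 6.0 - 7.0
* MD5 hash: 840bd7657143f96f478a1576f5d0d56b
* SHA1 hash: 081db207f896bcefdc9a92f471a7884ee82fdfea
* SHA256 hash: e05169a0eb6c8fca84062f61c16f31f628b68c7a4cbda7d80f7f02e719be99db

[ Changes to filesystem ]
* Creates file C:\Program Files\Intel\pcta.exe
* Creates file C:\WINDOWS\mouse.vxd
* Creates file C:\WINDOWS\system32\Dscr.dll
* Creates file C:\Documents and Settings\All Users\Application Data\hardware.vxd

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates value "AlwaysUnloadDll=1" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer
* Modifies value "Userinit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Intel\pcta.exe," in key HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Winlogon
old value "Userinit=C:\WINDOWS\system32\userinit.exe,"

[ Network services ]
* Backdoor functionality on port 516.
* Connects to "72.233.89.199" on port 80.

[ Process/window information ]
* Keylogger functionality.
* Creates a mutex "WinZipSelfLoader".
* Creates a mutex "MutexNPA_UnitVersioning_1048".
"""

# One regex per line type the report emits; unmatched "* " lines are kept as notes.
SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
HASH_RE = re.compile(r"^\* (MD5|SHA1|SHA256) hash: ([0-9a-fA-F]+)$")
FILE_RE = re.compile(r"^\* Creates file (.+)$")
REGVAL_RE = re.compile(r'^\* (Creates|Modifies) value "([^"=]+)=([^"]*)" in key (.+)$')
OLDVAL_RE = re.compile(r'^old value "([^"=]+)=([^"]*)"$')
REGDEL_RE = re.compile(r"^\* Deletes Registry key (.+)$")
LISTEN_RE = re.compile(r"^\* Backdoor functionality on port (\d+)\.$")
CONNECT_RE = re.compile(r'^\* Connects to "([^"]+)" on port (\d+)\.$')
MUTEX_RE = re.compile(r'^\* Creates a mutex "([^"]+)"\.$')


def parse_report(text):
    """Turn a BSA text report into a dict of indicators grouped by type."""
    ioc = {"hashes": {}, "files": [], "registry": [], "deleted_keys": [],
           "listen_ports": [], "connects": [], "mutexes": [], "notes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue  # section headers only group lines; the regexes identify them
        if m := HASH_RE.match(line):
            ioc["hashes"][m.group(1)] = m.group(2).lower()
        elif m := FILE_RE.match(line):
            ioc["files"].append(m.group(1))
        elif m := REGVAL_RE.match(line):
            ioc["registry"].append({"action": m.group(1), "name": m.group(2),
                                    "value": m.group(3), "key": m.group(4), "old": None})
        elif m := OLDVAL_RE.match(line):
            if ioc["registry"]:  # "old value" belongs to the preceding Modifies line
                ioc["registry"][-1]["old"] = m.group(2)
        elif m := REGDEL_RE.match(line):
            ioc["deleted_keys"].append(m.group(1))
        elif m := LISTEN_RE.match(line):
            ioc["listen_ports"].append(int(m.group(1)))
        elif m := CONNECT_RE.match(line):
            ioc["connects"].append((m.group(1), int(m.group(2))))
        elif m := MUTEX_RE.match(line):
            ioc["mutexes"].append(m.group(1))
        elif line.startswith("* "):
            ioc["notes"].append(line[2:])  # e.g. "Keylogger functionality."
    return ioc


if __name__ == "__main__":
    import json
    print(json.dumps(parse_report(SAMPLE_REPORT), indent=2))
```

Feed the real report text (with its curly quotes normalised to straight ones) to parse_report and the result is ready to be turned into file-hash, registry, mutex and network indicators for whatever tooling you use.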

As you can see, the gateway connects to 72.233.89.199 on port 80. It's hilarious that by using this trojan to infect other computers you can turn from hunter into hunted: you are spying on others and somebody is spying on you. It's a backdoored backdoor.

Here are the screenshots of the client:

[screenshot: client.jpg]

and the gateway control panel:

[screenshot: gateway.jpg]

OK, why is this new trojan so special?

Why does it have such a small footprint on the infected systems?

When the pseudo-server is launched for the first time it will inject itself into the memory space of a legitimate Windows program such as explorer.exe, services.exe or the default browser, deceiving the antivirus scanner. Injected into the default browser, for example, the trojan has unrestricted access to the Internet without triggering any alert from antivirus programs or firewalls; it will open a port and download the real trojan server from the gateway. This real trojan server is not written to the hard disk: it is launched directly in RAM, as injected code in the memory space of the same legitimate Windows program. In this way antivirus detection, which is very careful about what is written to the hard disk but not so careful about what is running in memory, is bypassed. Another interesting fact is that the pseudo-server does not run immediately after its launch; instead it runs and injects itself into memory on the next computer restart, again trying to avoid antivirus detection.
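Because the real server never touches the disk, a file scanner has nothing to find; what does remain visible is the socket table. A browser or explorer.exe that owns a listening socket, a listener on the port the gateway report names, or a connection to the address the gateway contacted are all things a responder can check without any malware signature. The script below is an added example and not code from the post: it triages a list of (process name, pid, status, local port, remote ip) tuples against those observations, and can build that list from the running system with the third-party psutil module. The socket table embedded here is constructed, the process list and function names are mine, and 203.0.113.5 is a documentation address standing in for ordinary traffic.

```python
# Processes that, on a normal workstation, should not own a listening TCP socket.
# The set mirrors the injection targets named above; extend it for your environment.
NON_LISTENING_HOSTS = {"explorer.exe", "services.exe", "iexplore.exe", "firefox.exe", "chrome.exe"}

# Values taken from the gateway sandbox report above.
REPORTED_LISTEN_PORTS = {516}
REPORTED_REMOTE_IPS = {"72.233.89.199"}

# Constructed socket table: (process name, pid, status, local port, remote ip or None).
SAMPLE_SOCKETS = [
    ("svchost.exe", 1032, "LISTEN", 135, None),
    ("explorer.exe", 1588, "LISTEN", 516, None),
    ("firefox.exe", 2200, "ESTABLISHED", 49152, "72.233.89.199"),
    ("firefox.exe", 2200, "ESTABLISHED", 49153, "203.0.113.5"),
]


def triage_sockets(sockets, hosts=NON_LISTENING_HOSTS,
                   ports=REPORTED_LISTEN_PORTS, ips=REPORTED_REMOTE_IPS):
    """Return (reason, process name, pid, port-or-ip) findings for suspicious sockets.

    A LISTEN socket can trigger two findings at once (wrong owner and reported
    port); an established connection is flagged only by its remote address.
    """
    findings = []
    for name, pid, status, lport, rip in sockets:
        if status == "LISTEN":
            if name.lower() in hosts:
                findings.append(("listener in a non-server process", name, pid, lport))
            if lport in ports:
                findings.append(("listener on a reported backdoor port", name, pid, lport))
        elif rip in ips:
            findings.append(("connection to a reported gateway address", name, pid, rip))
    return findings


def collect_live_sockets():
    """Build the same tuples from the running system with psutil (optional, third-party)."""
    import psutil
    rows = []
    for c in psutil.net_connections(kind="tcp"):
        if c.pid is None or not c.laddr:
            continue  # sockets without an owner or a bound address cannot be attributed
        try:
            name = psutil.Process(c.pid).name()
        except psutil.Error:
            continue  # process exited between the two calls
        rows.append((name, c.pid, c.status, c.laddr.port, c.raddr.ip if c.raddr else None))
    return rows


if __name__ == "__main__":
    try:
        table = collect_live_sockets()
    except ImportError:
        table = SAMPLE_SOCKETS  # psutil not installed: run on the constructed table
    for finding in triage_sockets(table):
        print(*finding)
```

The owner check is a heuristic, not proof of injection: some browsers do open local listeners for helper processes, so treat a hit as a reason to dump the process's memory and compare its loaded modules with what is on disk, not as a verdict by itself.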

Here are all the parts of this new trojan:

Client folder:

- Mirage – Client 2.0.exe MD5: BC52D9182D93F46E0A8F4AA0E7C48BEF

- Dscr.dll MD5: F022DA3EF94924BD40E32C69EA7E3435

- lsproc.dll MD5: 014C9747DD819B2CB8FCD9888870C859

Gateway folder:

- Mirage – Gateway 2.0.exe MD5: A4707B5260758377EC4003A194882676

- exsrv.dll – the real server, MD5: DC74C989847EB15C18898E1CF6E54434; it has "Manages Windows updates" as its description!!!

The pseudo-server. This is the most important part; it starts the computer infection:

- Mirage – Server 2.0.exe (it can be renamed, of course) MD5: 840BD7657143F96F478A1576F5D0D56B

The name of this new trojan virus can be easily deduced if you look closely at this article.

Other features of this new trojan are:

- Remote desktop

- File manager

- Key spy

- Sound recorder

- Registry editor

- Window and process manager

As you can see, it gives the attacker full power over the infected PC: he can do whatever he wants with the infected system, including stealing online credentials and passwords or making the system non-bootable. However, I have a feeling that the stolen credentials are also sent to the trojan creator, not only to the attacker, via the gateway; remember that strange connection made by the gateway, revealed in the Sandboxie report above.

Here is the scanning report from virustotal.com for this new trojan; you can see a low detection rate (7/42, 16.7%), mostly based on heuristic analysis.

You can protect yourself from this new trojan by not downloading software from untrusted sources and not running self-extracting WinZip archives sent by unknown persons. Of course, running an up-to-date antivirus or Internet Security solution is a "must".

Keep safe!


Posted in Thoughts.