Recently, anonymous hackers released the Symantec 2006 antivirus source code for all platforms.
According to Symantec's quick analysis, the source code appears to have leaked from Indian military research and South Asian shipping organizations.
The paper is available here:
The source code is also available on The Pirate Bay:
This is the latest malware I got from the malware repositories. Here I present how this malware infects the system and which third-party actions this specimen performs.
Written in Visual Basic 6.0.
MD5 checksum: cb702c3319a27e792b84846d3d6c61ad
Size: 61493 bytes
Extracts itself to %windir%\System32 under 3 different names: update.exe, security.exe, avg.exe.
It also opens Internet Explorer and tries to browse to the golo.com website.
It also appears to use the following library: Microsoft Base Cryptographic Provider v1.0 (a CryptoAPI cryptographic service provider).
The username of the author is Basic, so we can name the author Basic.
It also tries to download the following files to System32:
When it starts executing, it also drops a driver named "drive.sys" and "drive.sys.off" into System32\Drivers. It has some rootkit behaviour: while scanning with RKU, it reports an attempt to hide the update.exe process.
Opens a handle to cmd.exe.
There seems to be no hooking behaviour in this sample.
Sets itself to run at startup under the following key, with 3 different entries:
Easy to kill: just terminate update.exe, security.exe and globo.exe, and the malware becomes inactive.
VT result: 6/42 (14.29%)
VT permalink:
Download the sample from here:
Password: Infected
P.S.: I've added it to the OC database; search for this one: cb702c3319a27e792b84846d3d6c61ad
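As an added illustration (not code from the original post or from the sample itself), here is a small Python triage check for the file artefacts named above: the executables the sample drops into System32 (update.exe, security.exe, avg.exe, plus globo.exe from the kill instruction), the two driver files in System32\Drivers, and the sample's MD5. The startup registry key and the download list are not given on this page, so they are not checked. make_constructed_tree() builds a fake %windir% with dummy files purely so the check can be run offline; on a real host you would point scan() at C:\Windows.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
SAMPLE_MD5 = "cb702c3319a27e792b84846d3d6c61ad"
SYSTEM32_DROPS = ("update.exe", "security.exe", "avg.exe", "globo.exe")
DRIVER_DROPS = ("drive.sys", "drive.sys.off")


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so a large file need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(windir: str) -> dict:
    """Look for the dropped files under windir (normally %windir%, e.g. C:\\Windows).

    Returns which artefacts exist and which of the executables match the sample hash.
    A name match alone is a weak signal; a hash match ties the file to this sample.
    """
    system32 = Path(windir) / "System32"
    drivers = system32 / "Drivers"
    found = []
    hash_matches = []
    for name in SYSTEM32_DROPS:
        p = system32 / name
        if p.is_file():
            found.append(name)
            if md5_of(p) == SAMPLE_MD5:
                hash_matches.append(name)
    for name in DRIVER_DROPS:
        p = drivers / name
        if p.is_file():
            found.append(name)
    return {"found": found, "hash_matches": hash_matches, "infected": bool(found)}


def make_constructed_tree() -> str:
    """Constructed test fixture: a fake %windir% with two of the drops present.

    The file contents are dummies, so they will not match SAMPLE_MD5.
    """
    root = Path(tempfile.mkdtemp(prefix="fake_windir_"))
    (root / "System32" / "Drivers").mkdir(parents=True)
    (root / "System32" / "update.exe").write_bytes(b"MZ dummy, not the real sample")
    (root / "System32" / "Drivers" / "drive.sys").write_bytes(b"dummy driver")
    return str(root)


if __name__ == "__main__":
    print(scan(make_constructed_tree()))
```

A hit on "found" without a hash match means a file of that name exists but is not this exact sample (a later variant, or a legitimate file that happens to share the name), so check the hash before deleting anything.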
If you remember the old days: in January 2002, a hoax virus warning circulated among Internet users through e-mail, claiming to come from Microsoft and Norton.
According to the hoax, the virus arrives attached as a PowerPoint file named "Life is beautiful.pps".
Please be aware: DO NOT OPEN THIS FILE UNDER ANY CIRCUMSTANCES.
The message presents itself as an official advisory from Microsoft and Norton; here is the full text:
Be Extremely Careful
Especially if using Internet mail such as Yahoo, Hotmail, AOL and so on.
After taking a glance at this malware, I decided to write up something useful about this kind of almost-unknown malware.
The term "unknown" does not refer to something dangerous with a high risk level!
This malware is actually not as dangerous as people think; what makes this kind of malware hard is the cleaning phase.
The malware does not act as particularly dangerous code, but it is robust in the field of self-defense.
It's good that the Symantec guys discovered a C&C (command and control) channel on private Google Groups pages; the following is quoted from the Symantec blog:
Maintaining a reliable command and control (C&C) structure is a priority for back door Trojan writers. Recent developments have included the utilization of Web 2.0 social networking websites to deliver commands. By integrating C&C messages into valid communications, it becomes increasingly difficult to identify and shut down such sources. It's a concept very similar to that of chaffing and winnowing. Symantec has observed an interesting variation on this concept in the wild. A back door Trojan that we are calling Trojan.Grups has been using the Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups is relatively common, but this is the first instance of newsgroup C&C usage that Symantec has detected.
It’s worth noting that Google Groups is not at fault here; rather, it is a neutral party. The authors of this threat have chosen Google Groups simply for its bevy of features and versatility.
The Trojan itself is quite simple. It is distributed as a DLL, and when executed will log onto a specific account:
The Web-based newsgroup can store both static “pages” and postings. When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject. The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.
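To make the protocol in the quoted description concrete, here is an added Python model of one poll cycle. This is example code written for this post, not Symantec's analysis code and not the trojan's own: the page content is RC4-encrypted and then base64-encoded, a command carries an index number, a command line and an optional file to download, the bot's response is posted with the index as its subject, and an empty page makes the host upload the current time instead. The key, the field delimiter ("|") and the runner are assumptions, since the page gives none of them; the example never executes a command line, it hands it to a caller-supplied callable (a simulated runner in the demo at the bottom).

```python
import base64
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed key: the real key used by Trojan.Grups is not given on this page.
SHARED_KEY = b"escape2sun-demo-key"
# Assumed wire layout inside the encrypted page:
#   index|command line|download URL   (the last field is optional)
FIELD_SEP = "|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap(key: bytes, text: str) -> str:
    """RC4, then base64: the encoding the Symantec write-up describes."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def unwrap(key: bytes, blob: str) -> str:
    return rc4(key, base64.b64decode(blob)).decode("utf-8")


@dataclass
class Command:
    index: int
    cmdline: str
    download: Optional[str] = None


def encode_command(key: bytes, cmd: Command) -> str:
    """Operator side: build the encrypted static page the bot will fetch."""
    fields = [str(cmd.index), cmd.cmdline]
    if cmd.download:
        fields.append(cmd.download)
    return wrap(key, FIELD_SEP.join(fields))


def parse_command(key: bytes, page: str) -> Optional[Command]:
    """Bot side: decode the page; None means 'no command this round'."""
    if not page.strip():
        return None
    parts = unwrap(key, page).split(FIELD_SEP, 2)
    if len(parts) < 2 or not parts[0].isdigit():
        return None  # malformed page: treat like 'no command' rather than crash
    return Command(int(parts[0]), parts[1], parts[2] if len(parts) == 3 else None)


def bot_poll(key: bytes, page: str, run: Callable[[str], str],
             now: Callable[[], float] = time.time) -> Tuple[str, str]:
    """One poll cycle. Returns (post subject, encrypted post body).

    With a command: the subject is the index and the body is the command output.
    Without one: the bot posts the current time (a beacon) instead.
    """
    cmd = parse_command(key, page)
    if cmd is None:
        return ("beacon", wrap(key, str(int(now()))))
    return (str(cmd.index), wrap(key, run(cmd.cmdline)))


def read_post(key: bytes, subject: str, body: str) -> Tuple[str, str]:
    """Operator side: read a bot's response post."""
    return subject, unwrap(key, body)


if __name__ == "__main__":
    # Simulated runner: nothing is executed, the command line is just echoed back.
    simulated_run = lambda cmdline: "simulated output of " + cmdline
    page = encode_command(SHARED_KEY, Command(7, "ipconfig /all", "http://example.invalid/tool.exe"))
    subject, body = bot_poll(SHARED_KEY, page, simulated_run)
    print(read_post(SHARED_KEY, subject, body))
    print(read_post(SHARED_KEY, *bot_poll(SHARED_KEY, "", simulated_run)))
```

The detection angle follows from the model: because RC4 gives no integrity and the base64 text has no recognisable structure, the traffic looks like ordinary newsgroup posts, so the observable is behavioural (a host that logs into one Google Groups account, fetches one page, then posts with a numeric subject or a bare timestamp on a fixed interval) rather than anything in the content.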