W32/Zoek.D@mm
Analysis
- The virus is a 32-bit executable, UPX compressed, with a compressed size of 217,600 bytes.
- When first executed, the virus may display an image. In the background it may run WINIPCFG.EXE to capture IP configuration information to a file named "ipinfo.txt", which it saves in the Windows folder.
- The virus may then write two uuencoded files, which it then decodes:
  c:\WINDOWS\hoen.txt -> hoen.exe (40Kb Trojan)
  c:\WINDOWS\tcasuta.txt -> tcasuta.exe (220Kb virus)
- The file hoen.exe is executed at the next Windows startup and is then copied to the Windows\System folder as "tcasutb.exe". The registry is then modified to load this file at Windows startup; the file opens connections to the Internet on TCP port 33530:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
  tcasutb.exe = "C:\WINDOWS\SYSTEM\tcasutb.exe"
- The virus backs up copies of the Outlook Express mailboxes, prefixing the backup .DBX file name with "bek", for example:
  c:\WINDOWS\Application Data\Identities\{longstring}\Microsoft\Outlook Express\bekInbox.dbx
  The virus scavenges these files for email addresses to create a list of targets.
- The virus writes additional files to the Windows folder:
  * accountboy.ini - contains POP3/SMTP email configuration details in the following format:
    [POP3]
    Server=text
    User Name=text
    [SMTP]
    Server=text
    User Name=text
    Display Name=text
  * attachready.ini - contains the date the email propagation routine was initiated, in this format:
    [MAIL]
    Done=mm/dd/yy
  * mailboy.ini - contains email addresses, in this format:
    [First]
    1=email address
    [Rest]
    2=email address
    3=email address
    This continues for as many addresses as could be found in the Windows address book.
  * mailboy2.ini - contains all email addresses found by searching all .DBX folders related to Outlook Express, in this format:
    [victims]
    0=email address
    1=email address
    2=email address
    3=email address
    4=email address (and so on)
    [candidates]
    0=email address
  * passboy.ini - contains email configuration data
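The dropped INI files are plain Windows INI text, so a responder can recover the harvested target list and the date the mailing routine ran straight from a disk image. The script below is an added example, not part of this entry or any Fortinet tooling: it checks a Windows folder for the file names listed above and parses mailboy.ini, mailboy2.ini and attachready.ini with Python's configparser. The sample folder it builds is constructed inline with placeholder addresses and a placeholder date; the Windows folder path is assumed to be supplied by the caller.

```python
import configparser
import tempfile
from pathlib import Path

# File names the analysis lists as dropped into the Windows folder.
DROPPED_FILES = [
    "ipinfo.txt", "hoen.txt", "tcasuta.txt", "hoen.exe", "tcasuta.exe",
    "accountboy.ini", "attachready.ini", "mailboy.ini",
    "mailboy2.ini", "passboy.ini",
]


def find_artifacts(windows_dir):
    """Return the known dropped file names present in windows_dir.
    Comparison is case-insensitive because Windows file names are."""
    present = {p.name.lower() for p in Path(windows_dir).iterdir() if p.is_file()}
    return [name for name in DROPPED_FILES if name in present]


def _read_ini(path):
    """Parse one dropped INI file with key case preserved, no '%' interpolation
    (an address containing '%' must not raise) and duplicate keys tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read(path, encoding="latin-1")
    return cp


def harvested_addresses(windows_dir):
    """Collect every address from mailboy.ini and mailboy2.ini, keyed by
    'file:section', so responders can see who the worm intended to mail."""
    result = {}
    for name in ("mailboy.ini", "mailboy2.ini"):
        path = Path(windows_dir) / name
        if not path.exists():
            continue
        cp = _read_ini(path)
        for section in cp.sections():
            addrs = [v.strip() for _, v in cp.items(section) if v.strip()]
            result[f"{name}:{section}"] = addrs
    return result


def propagation_date(windows_dir):
    """Return the Done= value from attachready.ini, or None when the worm
    never reached its mailing routine (the file is absent)."""
    path = Path(windows_dir) / "attachready.ini"
    if not path.exists():
        return None
    return _read_ini(path).get("MAIL", "Done", fallback=None)


def make_sample_windows_dir():
    """Constructed sample: a temp directory laid out like an infected Windows
    folder. Addresses and the date are placeholders, not real indicators."""
    d = Path(tempfile.mkdtemp(prefix="zoek_sample_"))
    (d / "ipinfo.txt").write_text("Windows IP Configuration\n")
    (d / "attachready.ini").write_text("[MAIL]\nDone=01/15/01\n")
    (d / "mailboy.ini").write_text(
        "[First]\n1=alice@example.invalid\n"
        "[Rest]\n2=bob@example.invalid\n3=carol@example.invalid\n")
    (d / "mailboy2.ini").write_text(
        "[victims]\n0=dave@example.invalid\n1=alice@example.invalid\n"
        "[candidates]\n0=erin@example.invalid\n")
    (d / "accountboy.ini").write_text(
        "[POP3]\nServer=pop.example.invalid\nUser Name=alice\n"
        "[SMTP]\nServer=smtp.example.invalid\nUser Name=alice\nDisplay Name=Alice\n")
    return d


if __name__ == "__main__":
    sample = make_sample_windows_dir()
    print("artifacts:", find_artifacts(sample))
    print("propagation date:", propagation_date(sample))
    for key, addrs in harvested_addresses(sample).items():
        print(key, addrs)
```

The address lists are what matter for scoping: every entry in mailboy2.ini [victims] is a contact the worm intended to send the lure to, so they are the people to warn, while attachready.ini tells you whether that mailing actually happened and when.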
- The virus attempts to connect to one of several hard-coded SMTP servers and send itself as a single MIME encoded message to each contact listed in the Outlook Address Book, in this format (the URL in the body is no longer accessible):
  Subject = Maxima Screensaver
  Body = http://home.wanadoo.nl/kees.tittel/screenmaxima.scr
  Attachment = "screenmaxima.scr"
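The lure is fixed: one subject line, one attachment name and one URL. That makes it easy to catch at a mail gateway, and a generic rule for any .scr attachment covers renamed copies as well. The following is an added example, not code from this entry or from Fortinet: it parses a raw RFC 5322 message with Python's email library and reports which of the indicators above it matches. The messages it checks are constructed in the block with placeholder addresses and a dummy attachment body; in practice the raw bytes would come from the gateway's message store.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure characteristics taken from the analysis above (compared case-insensitively).
LURE_SUBJECT = "maxima screensaver"
LURE_ATTACHMENT = "screenmaxima.scr"
LURE_URL = "http://home.wanadoo.nl/kees.tittel/screenmaxima.scr"


def attachment_names(msg):
    """Yield the file name of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def classify(raw):
    """Return the sorted list of W32/Zoek.D@mm indicators matched by one
    message given as bytes. An empty list means no indicator fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject == LURE_SUBJECT:
        hits.add("subject")
    for name in attachment_names(msg):
        lower = name.lower()
        if lower == LURE_ATTACHMENT:
            hits.add("known_attachment_name")
        if lower.endswith(".scr"):
            # Generic rule: a screensaver is a Windows executable, so any
            # .scr attachment is worth quarantining regardless of its name.
            hits.add("scr_attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_URL in body.get_content():
        hits.add("body_url")
    return sorted(hits)


def build_sample_message(subject, attachment_name, body):
    """Constructed sample message built with the email library, not captured
    traffic. Addresses are placeholders; the attachment body is zero bytes."""
    msg = EmailMessage()
    msg["From"] = "infected-host@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00" * 32, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_message("Maxima Screensaver", "screenmaxima.scr",
                                LURE_URL + "\n")
    print("lure:", classify(lure))
    print("benign:", classify(build_sample_message("Meeting notes", "notes.txt",
                                                    "See attached.\n")))
```

A gateway policy would quarantine on "scr_attachment" alone; the three name-based indicators are useful for attributing a hit to this particular worm and for searching historical mail logs.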