W32/Sysbug.A!tr
Analysis
- Trojan is 32bit with a compressed file size of 11,808 bytes
- The Trojan may have been introduced to the system from an email attachment sent by a hacker or group of hackers in this format -

From: james2003 @ hotmail.com
Subject: Re[2]: Mary

Hello my dear Mary,
I have been thinking about you all night. I would like to apologize
for the other night when we made beautiful love and did not use
condoms. I know this was a mistake and I beg you to forgive me.
I miss you more than anything, please call me Mary, I need you. Do
you remember when we were having wild sex in my house? I remember it
all like it was only yesterday. You said that the pictures would not
come out good, but you were very wrong, they are great. I didn't want
to show you the pictures at first, but now I think it's time for you
to see them. Please look in the attachment and you will see what I
mean.
I love you with all my heart, James.

Attachment: private.zip
- If the Trojan is extracted from the .ZIP and run, it will bind to TCP port 5555 and await instructions from a hacker or group of hackers
- The Trojan will copy itself into the %Windows% folder as "sysdeb32.exe" and then launch itself
- The Trojan will modify the registry to auto run at next Windows startup as in this example -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"SystemDebug" = C:\WINNT\sysdeb32.exe
- The Trojan will then perform two DNS queries
- The first DNS query is for the server named 'www.kernel.org'
- The second DNS query is for a server named 'finance.red-host.com'
- The Trojan communicates with the second server using the DNS response IP address 82.146.56.242 - the Trojan communicates using TCP port 80
- The Trojan attempts to gather RAS dial-up information from the infected system and then send this data to the web server using a server side script
- The script file is named "events.php" and the Trojan sends data in the form of a query as in this example -
GET /events.php?id=%s&ip=%s&speed=%d&timeonline=%d
where the %s and %d placeholders are filled with machine specific values
- The Trojan attempts to connect with the web server repeatedly
- The Trojan contains code to write other connection information to a file named "c:\temp35.txt" - this file could contain the following types of information -
Internet Account Name
POP3 Password
POP3 User Name
NNTP Server
NNTP User Name
SMTP Display Name
SMTP Email Address
SMTP Organization Name
- It is plausible that infected systems could have this information sent to a hacker across TCP port 5555
Recommended Action
- Add the port 5555 as a service and block access to this port for inbound and outbound traffic, (INT -> EXT) and (EXT -> INT)
- Block access to the web address finance.red-host.com
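As an added detection example (not part of the Fortinet write-up), the following Python checks log lines for the indicators listed above: the DNS lookup of finance.red-host.com, traffic to 82.146.56.242 on TCP port 80, the events.php beacon, any use of TCP port 5555, and the SystemDebug Run value pointing at sysdeb32.exe. The log line format, host addresses and sample values are assumptions constructed for the example.

```python
import re
# Indicators quoted from the Sysbug.A analysis above; log format and sample lines are constructed.
C2_HOST = "finance.red-host.com"
C2_IP = "82.146.56.242"
BACKDOOR_PORT = 5555
DROPPED_FILE = "sysdeb32.exe"
RUN_VALUE = "SystemDebug"
# The %s/%d beacon values are machine specific, so only the fixed parameter names are matched.
BEACON_RE = re.compile(r"GET /events\.php\?id=[^&\s]*&ip=[^&\s]*&speed=\d+&timeonline=\d+")
TCP_RE = re.compile(r"TCP (\S+):(\d+) -> (\S+):(\d+)")

def indicators(line):
    """Return the sorted Sysbug.A indicator names matched by one log line (empty if none)."""
    hits = set()
    # www.kernel.org is a legitimate site and is not alerted on by itself; only the C2 host is.
    if "DNS query" in line and C2_HOST in line:
        hits.add("dns-c2-host")
    m = TCP_RE.search(line)
    if m:
        sport, dst, dport = int(m.group(2)), m.group(3), int(m.group(4))
        if dst == C2_IP and dport == 80:
            hits.add("tcp-c2-ip")
        if BACKDOOR_PORT in (sport, dport):  # inbound or outbound use of the bound port
            hits.add("tcp-backdoor-port")
    if BEACON_RE.search(line):
        hits.add("http-beacon")
    if RUN_VALUE in line and DROPPED_FILE in line.lower():
        hits.add("registry-autorun")
    return sorted(hits)

def scan(lines):
    """Map each indicator seen to the 1-based numbers of the lines that triggered it."""
    found = {}
    for n, line in enumerate(lines, 1):
        for name in indicators(line):
            found.setdefault(name, []).append(n)
    return found

SAMPLE_LOG = [  # constructed: DNS, TCP/HTTP and registry-audit events from one host
    "2003-11-20 10:01:02 DNS query www.kernel.org from 10.0.0.5",
    "2003-11-20 10:01:03 DNS query finance.red-host.com from 10.0.0.5",
    "2003-11-20 10:01:04 TCP 10.0.0.5:1057 -> 82.146.56.242:80 GET /events.php?id=WS05&ip=10.0.0.5&speed=56000&timeonline=12",
    "2003-11-20 10:01:10 TCP 10.0.0.5:1060 -> 198.51.100.7:80 GET /index.html",
    "2003-11-20 10:02:00 TCP 203.0.113.9:4433 -> 10.0.0.5:5555 SYN",
    "2003-11-20 10:05:00 REG HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemDebug = C:\\WINNT\\sysdeb32.exe",
]

if __name__ == "__main__":
    for name, where in sorted(scan(SAMPLE_LOG).items()):
        print(f"{name}: lines {where}")
```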
Telemetry
Detection Availability
- FortiClient: Extreme
- FortiMail: Extreme
- FortiSandbox: Extreme
- FortiWeb: Extreme
- Web Application Firewall: Extreme
- FortiIsolator: Extreme
- FortiDeceptor: Extreme
- FortiEDR