Virus

W32/Naldem-eml

Analysis

  • W32/Naldem-tr is a 32-bit executable with a compressed file size of 6,656 bytes
  • The Trojan is introduced to the system when the user visits a malicious web page and may exist on an infected system as "DivX.exe"
  • W32/Naldem-eml was sent by a hacker or group of hackers as spammed email to various users across the Internet with a spoofed "From" address
  • The text of the email suggested the user view an electronic greeting card by visiting a hyperlink in the message - the hyperlink appeared to point to 123greetings.com, but it actually points to a user account within the idownline.com domain
  • The index page on that user account contains an instruction to open a malicious web page in another browser window
  • That page (named "p") contains instructions to open three additional malicious web pages in IFRAMEs - the pages are hosted at another web address, presumably based in the UK, and are named "spy", "in" and "s"
  • The page "spy" is a logging script which logs usage hits to the hosting domain
  • The page "in" contains script which does the following -
    - downloads a Trojan binary named "divx.exe" from a web page
    - implements an "ADODB.Stream" exploit to write "divx.exe" as a file on the local system
    - downloads and executes a Java Applet Trojan in a file named "BlackBox.class"
    - using an Object data tag, downloads and runs an HTA file named "ouch.php"
  • The page "s" also implements an "ADODB.Stream" exploit to overwrite Notepad.exe in several folders, so that whichever location an English Windows version uses is hit - the following files are targets for being overwritten by W32/Naldem-tr -

    c:\winnt\notepad.exe
    c:\windows\notepad.exe
    c:\winnt\system32\notepad.exe
    c:\windows\system32\notepad.exe

  • The Trojan binary file named "divx.exe" is known as W32/Naldem-tr - if this Trojan is run, it will attempt to connect to the Internet and bind to a randomly chosen TCP port

  • Periodically the Trojan will send a SYN packet to the IP address 69.36.204.206 and request an acknowledgement from the server

  • The Trojan may connect with that IP address and use a .CGI script to send data to that server possibly as an attempt to log infection statistics as well as the port number chosen

  • The Trojan may also set itself to run automatically by modifying the registry, and creates additional registry keys -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "DivX Updater" = C:\WINNT\System32\DivX.Exe

    HKEY_CURRENT_USER\Software\DivX\
    "LastUpd" = (hex values)

    HKEY_CURRENT_USER\Software\DivX\
    "UniqueID" = (hex values)

  • The "ADODB.Stream" exploit is coded to take advantage of systems not patched against this vulnerability - the exploit is initiated as an ActiveX object, and the code retrieves W32/Naldem-tr as the file "DivX.exe" from a web page and saves it as the following -

    "C:\Program Files\Windows Media Player\wmplayer.exe"

  • The Java Applet Trojan contains an exploit which causes vulnerable systems to run arbitrary code - the effect could be subtle, such as changing the Internet Explorer start page

  • The file "ouch.php" contains HTA code to write encoded data to a file on the target system - the encoded data decodes to the bytes of a 32-bit executable

  • The file is saved locally as "divxupdater.exe" and then it is run
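The following host-side check is an added example for defenders and is not a Fortinet tool. It takes the four Notepad locations, the two dropped-file paths and the "DivX Updater" Run value from the analysis above; the SHA-256 hashing, the majority-vote comparison between Notepad copies, and the `root` parameter (so the check can be pointed at a mounted drive image or a test directory instead of a live C:\) are assumptions of this example.

```python
"""Host-side check for the W32/Naldem-tr indicators listed in the analysis.

Added example for defenders, not a Fortinet tool. The Notepad paths, the
dropped-file locations and the "DivX Updater" Run value come from the
analysis; the hashing, the majority-vote comparison and the `root`
parameter are assumptions of this example.
"""
import hashlib
import os
import sys
from collections import Counter

# Notepad copies the page "s" tries to overwrite, relative to the system drive root.
NOTEPAD_PATHS = [
    r"winnt\notepad.exe",
    r"windows\notepad.exe",
    r"winnt\system32\notepad.exe",
    r"windows\system32\notepad.exe",
]
# Files the analysis says the dropper and the ADODB.Stream exploit write, relative to the root.
DROPPED_FILES = [
    r"winnt\system32\DivX.Exe",
    r"Program Files\Windows Media Player\wmplayer.exe",
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DivX Updater"


def _under(root, rel_windows_path):
    """Join a Windows-style relative path onto root using the local separator."""
    return os.path.join(root, *rel_windows_path.split("\\"))


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_notepad_copies(root):
    """Return {path: sha256} for every Notepad copy that exists under root."""
    return {p: sha256_of(p)
            for p in (_under(root, rel) for rel in NOTEPAD_PATHS)
            if os.path.isfile(p)}


def divergent_copies(hashes):
    """Paths whose hash differs from the majority hash.

    A clean install keeps identical Notepad binaries in the locations it
    uses, so a lone outlier is the copy most likely to have been overwritten.
    If no two copies agree, every copy is reported so nothing is silently
    trusted.
    """
    if len(hashes) < 2:
        return []
    majority, count = Counter(hashes.values()).most_common(1)[0]
    if count < 2:
        return sorted(hashes)
    return sorted(p for p, h in hashes.items() if h != majority)


def dropped_files_present(root):
    """Dropper/payload paths from the analysis that exist under root."""
    return [p for p in (_under(root, rel) for rel in DROPPED_FILES) if os.path.isfile(p)]


def divx_updater_run_value():
    """Value of the "DivX Updater" entry under the HKCU Run key, or None if absent.

    Only meaningful on Windows; elsewhere it returns None so the file checks
    can still be run against a mounted image.
    """
    if sys.platform != "win32":
        return None
    import winreg  # available only on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            value, _type = winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    system_root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    copies = hash_notepad_copies(system_root)
    for path, digest in copies.items():
        print(f"{digest}  {path}")
    for path in divergent_copies(copies):
        print(f"SUSPECT: {path} differs from the other Notepad copies")
    for path in dropped_files_present(system_root):
        print(f"SUSPECT: dropped file present: {path}")
    run_value = divx_updater_run_value()
    if run_value is not None:
        print(f"SUSPECT: Run value {RUN_VALUE_NAME!r} = {run_value!r}")
```

Run it as `python check_naldem.py C:\` on the suspect machine, or with the mount point of an offline image. A Notepad copy that hashes differently from its siblings is not proof of infection on its own (service packs can leave an older copy behind), so confirm against a known-good hash before acting on the result.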

Recommended Action

  • Block access to the following hosts and IP addresses -
    advertising.co.uk
    69.51.11.87
    69.56.204.206
  • Add the following to email filters for your FortiGate unit -
    123greetings+view+BS11109150938172
  • Configure email servers to quarantine "tagged" emails and delete as necessary
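As an added example of the filtering recommended above, the script below is a mail-gateway check written for this entry; it is not a FortiGate feature. What it takes from the analysis is the shape of the lure (visible link text naming 123greetings.com while the link itself goes to a user account on idownline.com) and the banned string given in the recommended action. The sample message, the idownline.com path inside it and the quarantine decision logic are constructed for the example.

```python
"""Mail-filter check for the greeting-card lure described in this entry.

Added example for mail administrators; not a FortiGate feature. The lure's
shape and the banned string come from the analysis and recommended action
above. The sample message, the idownline.com path in it and the quarantine
decision are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BANNED_STRING = "123greetings+view+BS11109150938172"
LURE_BRAND = "123greetings.com"

# Constructed sample modelled on the lure: the visible text looks like a
# 123greetings link, the href is a user account elsewhere (path is invented).
SAMPLE_SUBJECT = "You have received a greeting card"
SAMPLE_HTML = (
    "<p>Someone sent you an electronic greeting card.</p>"
    '<p>View it here: <a href="http://idownline.com/~example-user/index.html">'
    "http://www.123greetings.com/view/card</a></p>"
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_is_brand(host):
    """True if host is the brand domain or one of its subdomains."""
    return host == LURE_BRAND or host.endswith("." + LURE_BRAND)


def mismatched_links(html):
    """Anchors whose visible text advertises the brand but whose host is not the brand."""
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        if LURE_BRAND in text.lower() and not _host_is_brand(host):
            hits.append((href, text))
    return hits


def classify_message(subject, html_body):
    """Return ("quarantine", reasons) or ("deliver", []) for one message."""
    reasons = []
    if BANNED_STRING in subject or BANNED_STRING in html_body:
        reasons.append("recommended banned string present")
    for href, text in mismatched_links(html_body):
        reasons.append(f"link text {text!r} names {LURE_BRAND} but points to {href}")
    return ("quarantine" if reasons else "deliver", reasons)


if __name__ == "__main__":
    verdict, why = classify_message(SAMPLE_SUBJECT, SAMPLE_HTML)
    print(verdict)
    for reason in why:
        print(" -", reason)
```

The banned-string match is the exact rule from the recommended action and catches this campaign; the link-text check is broader and also flags later variants that change the tracking string but keep the same display-text trick, which is why it is worth keeping alongside the literal string.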