Virus: Worm/Ntech.D
Date discovered: 13/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 20,992 Bytes
MD5 checksum: DFADE0D9B21BE4FD57DD6975D9FE7CCD
IVDF version: 6.39.00.233 - Monday, August 13, 2007

General
Method of propagation:
   • Email


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Uses its own Email engine

Files
It creates the following directory:
   • %WINDIR%\temp\



It overwrites the following file:
%SYSDIR%\driver\secdrv.sys



The following files are created:

%SYSDIR%\driver\runtime.sys Furthermore it is executed once it has been fully written. Detected as: RKit/Posh.A

%WINDIR%\temp\startdrv.exe Detected as: Worm/Ntech.E

%SYSDIR%\driver\runtime2.sys Detected as: RKit/Posh.A




It tries to download a file:

– The location is the following:
   • http://67.18.114.98/**********
It is saved on the local hard drive under: %TEMPDIR%\%several random digits%8.exe Furthermore this file is executed once it has been fully downloaded. Further investigation showed that this file is also malware.



It tries to execute the following file:

– Filename:
   • %SYSDIR%\driver\runtime2.sys
Used to hide the process from Task Manager. Detected as: RKit/Posh.A

Registry
The following value is added in order to run the process after reboot:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "startdrv"="%WINDIR%\Temp\startdrv.exe"



The following registry keys are added in order to load the services after reboot:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\0000\Control\
   ActiveService
   • Secdrv

– HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Control\
   ActiveService
   • runtime

– HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME2\0000\Control\
   ActiveService
   • runtime2

Email
It contains an integrated SMTP engine in order to send Spam emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
– Gathered addresses from the internet. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection or might not be infected at all. It is also possible that you will receive bounce messages claiming that you are infected; that need not be the case either.


To:
– Gathered addresses from the internet.


Subject:
One of the following:
   • A pretty-pretty fly
   • Always ready
   • Anything else?
   • Enjoy with you hard stick
   • Here is it
   • Hot game
   • Hot pictures
   • Joy stick
   • Magic is real
   • Magic stick
   • Something hot
   • Super stick
   • To be or not to be. To be...
   • Very-very magic stick
   • You ask me about this game, Here is it
   • You can...

Alternatively, the subject line is empty or consists of random letters.


Body:
The body of the email is one of the following:

   • %replacement 1%, %replacement 2%!
     
     Funny game. %replacement 3% fucks %replacement 4%... In your attachemnt.

   • %replacement 1%, %replacement 2%!
     
     Amusing game. %replacement 3% fucks %replacement 4%... In your attachemnt.


Continued by one of the following:

   • Best Regards.

   • Bye.

   • Good Bye.

   • Regards.

   • Thanks.


%replacement 1% is expanded to one of the following:
   • Good afternoon
   • Good Day
   • Good evening
   • Good morning
   • Hello
   • Helo
   • Hi


%replacement 2% is expanded to one of the following:
   • buddy
   • dear Friend
   • dear
   • friend
   • man
   • old chap


%replacement 3% is expanded to one of the following:
   • Angelina Jolie
   • Carrie Ann Moss
   • Lara Croft
   • Nicole Kidman


%replacement 4% is expanded to one of the following:
   • Dart Wader
   • Harry Potter
   • Luke Skywalker


Attachment:

The attachment is an archive containing a copy of the malware itself.
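A content rule for a mail gateway built from the subject lines and body template above, as an added example that is not part of the original description and not Avira's own tooling. It expands the four %replacement n% slots into regex alternations, keeps the worm's own "attachemnt" misspelling as a literal to key on, and can regenerate every body variant to self-check the rule. The archive extensions (the description says only "an archive"), the verdict names and the sample messages are assumptions of this example.

```python
import itertools
import re

# Subject lines and template slots copied from the description above.
SUBJECTS = [
    "A pretty-pretty fly", "Always ready", "Anything else?",
    "Enjoy with you hard stick", "Here is it", "Hot game", "Hot pictures",
    "Joy stick", "Magic is real", "Magic stick", "Something hot", "Super stick",
    "To be or not to be. To be...", "Very-very magic stick",
    "You ask me about this game, Here is it", "You can...",
]
GREETINGS = ["Good afternoon", "Good Day", "Good evening", "Good morning",
             "Hello", "Helo", "Hi"]                                       # %replacement 1%
ADDRESSEES = ["buddy", "dear Friend", "dear", "friend", "man", "old chap"]  # %replacement 2%
ACTORS = ["Angelina Jolie", "Carrie Ann Moss", "Lara Croft", "Nicole Kidman"]  # %replacement 3%
VICTIMS = ["Dart Wader", "Harry Potter", "Luke Skywalker"]                # %replacement 4%
ADJECTIVES = ["Funny", "Amusing"]
SIGNOFFS = ["Best Regards.", "Bye.", "Good Bye.", "Regards.", "Thanks."]
# The description says only "an archive"; these extensions are an assumption.
ARCHIVE_EXTENSIONS = (".zip", ".rar")


def _alt(words):
    """Regex alternation over literal strings."""
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"


# The full body template, including the worm's own "attachemnt" misspelling.
# Whitespace between the parts is allowed to vary.
BODY_RE = re.compile(
    _alt(GREETINGS) + r",\s*" + _alt(ADDRESSEES) + r"!\s+"
    + _alt(ADJECTIVES) + r" game\. " + _alt(ACTORS) + r" fucks " + _alt(VICTIMS)
    + r"\.\.\. In your attachemnt\.\s+" + _alt(SIGNOFFS),
    re.IGNORECASE,
)
SUBJECT_RE = re.compile(r"^\s*" + _alt(SUBJECTS) + r"\s*$", re.IGNORECASE)


def render_body(greeting, addressee, adjective, actor, victim, signoff):
    """Expand the template the same way the worm does (used to self-check the rule)."""
    return (f"{greeting}, {addressee}!\n\n"
            f"{adjective} game. {actor} fucks {victim}... In your attachemnt.\n\n{signoff}")


def all_bodies():
    """Every body the generator can produce (7*6*2*4*3*5 = 5040 variants)."""
    for combo in itertools.product(GREETINGS, ADDRESSEES, ADJECTIVES, ACTORS, VICTIMS, SIGNOFFS):
        yield render_body(*combo)


def matches_body(body):
    return BODY_RE.search(body) is not None


def matches_subject(subject):
    # Weak on its own: the worm also sends empty or random-letter subjects,
    # and some of these phrases can occur in legitimate mail.
    return SUBJECT_RE.match(subject) is not None


def has_archive(attachments):
    return any(n.lower().endswith(ARCHIVE_EXTENSIONS) for n in attachments)


def classify(subject, body, attachments):
    """Gateway verdict: the body template is the strong signal, the subject is
    only corroborating, and the archive attachment is what carries the worm."""
    body_hit = matches_body(body)
    if body_hit and has_archive(attachments):
        return "block"
    if body_hit or (matches_subject(subject) and has_archive(attachments)):
        return "quarantine"
    return "pass"


# Constructed sample messages (not captured traffic).
SAMPLE_WORM_MAIL = {
    "subject": "Magic stick",
    "body": "Helo, old chap!\n\nAmusing game. Nicole Kidman fucks Dart Wader... "
            "In your attachemnt.\n\nGood Bye.",
    "attachments": ["game.zip"],
}
SAMPLE_BENIGN_MAIL = {
    "subject": "Here is it",
    "body": "Hi, the report you asked for is attached.\n\nRegards.",
    "attachments": ["report.pdf"],
}

if __name__ == "__main__":
    print(classify(**SAMPLE_WORM_MAIL))    # block
    print(classify(**SAMPLE_BENIGN_MAIL))  # pass
```

Because the body regex is derived from the same lists the worm draws from, `all_bodies()` gives a cheap regression test: every generated variant must match, and a false positive on ordinary mail requires the complete greeting/game/sign-off structure, not just one of the subject phrases.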



Backdoor
Contact server:
The following:
   • 216.195.61.87:2581



Remote control capabilities:
    • Send emails

Rootkit Technology
It hides the following:
– Its own files
– Its own processes


Method used:
    • Hidden from Interrupt Descriptor Table (IDT)

Hooks the following API functions:
   • ZwDeleteValueKey
   • ZwEnumerateKey
   • ZwOpenKey
   • ZwSetValueKey
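Turning the file, registry, download, backdoor and rootkit indicators above into a host triage check, as an added example that is not part of the original description and not Avira's code. The functions match on the dropped-file paths, the Run value, the LEGACY_* entries under Enum\Root, the download host and the backdoor endpoint listed above; the cross-view check compares a live registry enumeration (which the hooked ZwEnumerateKey/ZwOpenKey would filter) against an offline parse of the SYSTEM hive. The Windows directory location, the connection-log line format, the constructed sample snapshot and the treatment of direct outbound SMTP from a workstation as suspicious are assumptions of this example.

```python
import hashlib
import re

# Indicators from the description above (lower-cased for matching).
KNOWN_MD5 = "dfade0d9b21be4fd57dd6975d9fe7ccd"
DROPPED_FILES = {
    r"%sysdir%\driver\secdrv.sys": "overwritten by the worm",
    r"%sysdir%\driver\runtime.sys": "RKit/Posh.A",
    r"%sysdir%\driver\runtime2.sys": "RKit/Posh.A",
    r"%windir%\temp\startdrv.exe": "Worm/Ntech.E",
}
RUN_VALUE = ("startdrv", r"%windir%\temp\startdrv.exe")   # HKLM ... CurrentVersion\Run
LEGACY_SERVICES = {"legacy_secdrv", "legacy_runtime", "legacy_runtime2"}  # Enum\Root
DOWNLOAD_HOST = "67.18.114.98"          # payload download host (path is masked above)
C2_ENDPOINT = ("216.195.61.87", 2581)   # backdoor contact server


def normalize_path(path, windir=r"C:\WINDOWS"):
    """Map a concrete path onto the %WINDIR%/%SYSDIR% placeholders used above.
    The Windows directory is an assumption of this example; pass the real one."""
    p, w = path.lower(), windir.lower()
    sysdir = w + r"\system32"
    if p.startswith(sysdir):
        return "%sysdir%" + p[len(sysdir):]
    if p.startswith(w):
        return "%windir%" + p[len(w):]
    return p


def check_files(files, windir=r"C:\WINDOWS"):
    """files: {path: content bytes}. Flags known paths and the known MD5."""
    hits = []
    for path, data in files.items():
        norm = normalize_path(path, windir)
        if norm in DROPPED_FILES:
            hits.append(f"file {path}: {DROPPED_FILES[norm]}")
        if hashlib.md5(data).hexdigest() == KNOWN_MD5:
            hits.append(f"file {path}: MD5 matches Worm/Ntech.D")
    return hits


def check_run_values(values, windir=r"C:\WINDOWS"):
    """values: {name: data} read from the Run key."""
    name, target = RUN_VALUE
    return [f"Run value {n} -> {d}" for n, d in values.items()
            if n.lower() == name and normalize_path(d, windir) == target]


def check_enum_root(subkeys):
    """subkeys: names under Enum\\Root (legacy driver entries)."""
    return [f"Enum\\Root\\{k}" for k in subkeys if k.lower() in LEGACY_SERVICES]


def hidden_keys(api_view, hive_view):
    """Cross-view check: subkeys present in an offline parse of the SYSTEM hive
    but missing from the live API enumeration. A hooked ZwEnumerateKey/ZwOpenKey
    produces exactly this discrepancy."""
    api = {k.lower() for k in api_view}
    return [k for k in hive_view if k.lower() not in api]


CONN_RE = re.compile(r"TCP\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def check_connections(log_lines):
    """log_lines: constructed 'TCP src:port -> dst:port' records."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) == C2_ENDPOINT:
            hits.append(f"backdoor contact {dst}:{dport}")
        elif dst == DOWNLOAD_HOST:
            hits.append(f"payload download host {dst}:{dport}")
        elif dport == 25:
            # The worm's own SMTP engine connects straight to the destination
            # mail server; assumption: workstations never do that legitimately.
            hits.append(f"direct SMTP from {m['src']} to {dst}:25")
    return hits


def triage(snapshot, windir=r"C:\WINDOWS"):
    """snapshot: dict of artefacts collected from one host (see SAMPLE_HOST)."""
    hive = snapshot.get("enum_root_hive", [])
    return (check_files(snapshot.get("files", {}), windir)
            + check_run_values(snapshot.get("run", {}), windir)
            + check_enum_root(hive)
            + [f"hidden from live enumeration: {k}"
               for k in hidden_keys(snapshot.get("enum_root_api", []), hive)]
            + check_connections(snapshot.get("connections", [])))


# Constructed sample snapshot (not real data) for an infected host.
SAMPLE_HOST = {
    "files": {
        r"C:\WINDOWS\system32\driver\runtime2.sys": b"constructed sample bytes",
        r"C:\WINDOWS\Temp\startdrv.exe": b"constructed sample bytes",
        r"C:\WINDOWS\system32\drivers\tcpip.sys": b"benign",
    },
    "run": {"startdrv": r"C:\WINDOWS\Temp\startdrv.exe",
            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "enum_root_api": ["LEGACY_BEEP"],
    "enum_root_hive": ["LEGACY_BEEP", "LEGACY_RUNTIME", "LEGACY_SECDRV"],
    "connections": [
        "2007-08-13 10:22:01 TCP 10.0.0.5:1045 -> 216.195.61.87:2581 SYN",
        "2007-08-13 10:22:09 TCP 10.0.0.5:1046 -> 67.18.114.98:80 SYN",
        "2007-08-13 10:23:40 TCP 10.0.0.5:1050 -> 64.233.167.27:25 SYN",
        "2007-08-13 10:24:00 TCP 10.0.0.5:1051 -> 10.0.0.1:445 SYN",
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print(finding)
```

The hive view has to come from an offline parse of the SYSTEM hive (a copy taken from the volume or from a boot medium), because anything read through the live registry API on an infected host passes through the hooked functions and will simply omit the LEGACY_RUNTIME and LEGACY_SECDRV entries.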

Description inserted by Viktor Graeber on Monday, August 13, 2007
Description updated by Philipp Wolf on Monday, August 13, 2007
