Date discovered: 28/01/2009
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 1.507.328 Bytes
MD5 checksum: 9e004c0e96b6c033c8c9fa9a3cfaa707
IVDF version:

General methods of propagation:
   • Autorun feature
   • Messenger

Aliases:
   • McAfee: Generic MultiDropper.a
   • Sophos: Mal/Generic-A
   • Panda: W32/Autorun.IZQ
   • ESET: Win32/AutoRun.VB.BE
   • Bitdefender: Trojan.VB.Agent.CW

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Third party control

Files:
It copies itself to the following locations:
   • %HOME%\Application Data\intranetexplorer.exe
   • %drive%\.Autorun\%random character string%\Autorun.exe

The following files are created:
   • %drive%\.Autorun\%random character string%\Desktop.ini
   • %drive%\autorun.inf: this is a non-malicious text file with the following content:
      • %code that runs malware%

Registry:
The following value is added to each of the registry keys below in order to run the process after a reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Intranet Patcher"="%home%\Application Data\intranetexplorer.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   • "Microsoft Intranet Patcher"="%home%\Application Data\intranetexplorer.exe"

The following registry key is added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   • "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:Microsoft Intranet Patcher"
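The added example below is not part of the original description; it shows how a defender could check exported registry values for the two artifacts above: the Run value and the `path:scope:state:name` entry, which is the shape of a Windows Firewall application exception. The key paths (the page truncates them), the user name and the benign control entries are constructed.

```python
import re
# Constructed sample of (key, value name, value data) triples, modelled on the
# entries in the description. FW_KEY is a placeholder for the truncated key;
# the ctfmon and msmsgs entries are benign controls.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\<list key>"
APPDATA_EXE = r"C:\Documents and Settings\alice\Application Data\intranetexplorer.exe"
MSMSGS = r"C:\Program Files\Messenger\msmsgs.exe"
SAMPLE_VALUES = [
    (RUN_KEY, "Microsoft Intranet Patcher", APPDATA_EXE),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (FW_KEY, APPDATA_EXE, APPDATA_EXE + ":*:Enabled:Microsoft Intranet Patcher"),
    (FW_KEY, MSMSGS, MSMSGS + ":*:Enabled:Windows Messenger"),
]
KNOWN_NAME = "microsoft intranet patcher"  # value / exception name from the page
KNOWN_EXE = "intranetexplorer.exe"         # dropped file name from the page
USER_WRITABLE = re.compile(r"\\(application data|appdata|temp)\\", re.I)

def parse_firewall_entry(data):
    """Split 'path:scope:state:name' from the right (the path holds the drive colon)."""
    try:
        path, scope, state, name = data.rsplit(":", 3)
    except ValueError:
        return None  # not in the exception-list shape
    return {"path": path, "scope": scope, "state": state, "name": name}

def reasons_for(name, path):
    """Indicator checks shared by the Run value and the firewall exception."""
    reasons = []
    if name.lower() == KNOWN_NAME or path.lower().endswith(KNOWN_EXE):
        reasons.append("matches the known name or file name")
    if USER_WRITABLE.search(path):
        reasons.append("executable lives in a user-writable directory")
    return reasons

def scan(values):
    """Return [(value name, reasons)] for every entry that trips a check."""
    findings = []
    for key, name, data in values:
        if "sharedaccess" in key.lower():
            entry = parse_firewall_entry(data)
            if entry is None:
                continue
            reasons = reasons_for(entry["name"], entry["path"])
            if reasons and entry["scope"] == "*" and entry["state"].lower() == "enabled":
                reasons.append("exception is enabled for any remote address")
        else:
            reasons = reasons_for(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings
```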

Messenger:
It spreads via Messenger. The characteristics are described below:

– MSN Messenger
– Yahoo Messenger

Messages are sent to all entries in the contact list.

The sent message looks like one of the following:

   • meinst du das ernst?
   • ich hoffe es gefällt dir
   • das ist geil
   • bist du das?
   • du bist echt sexy
   • haha das ist sooo lustig
   • kennst du das?
   • es en serio??? :S:S
   • no sabía que te metias cosas asi :S
   • esto es horrible :S
   • alguien dijo que eras tu
   • eres tu de verdad?
   • tu eres realmente sexi ;)
   • jajaja esto es muy divertido
   • esto... te resulta familiar?
   • check this one
   • i find this one really funny :)
   • is this really you???
   • did you take this picture?
   • who is this?
   • sério??? :S:S
   • eu não soube que você apreciou o material como este:S
   • alguém disse que este era você
   • é isto realmente você
   • é realmente sexy ;)
   • hahaha isto é tão engraçado
   • eu encontrei que isto olha familiar??
   • t'es serieu la?
   • je savais pas que t'aimait ce genre de truc
   • c'est horrible ahah
   • qqn m'a dit que c'était toi
   • c'est vraiment toi ou!?
   • lol vraiment pas mal
   • hehe detta är roligt
   • kolla det här
   • haha roligt :D
   • hehe gjorde du detta?
   • jag visste inte att du gillade sånt här :S
   • är detta du?
   • bent u ernstig??? :S:S
   • ik wist niet u van materiaal als dit genoot :S
   • dit is afschuwelijk :S
   • iemand zei dit u was
   • dit is werkelijk u?
   • u bent werkelijk sexy ;)
   • hahaha dit is zo grappig
   • ik vond dit het? vertrouwd kijkt?
   • :D ACCEPT!

The URL in the message refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC:
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: pptp.da**********.net
Port: 47221
Channel: #blaze
Nickname: [USA|00|XP||%number%]

Furthermore, it has the ability to perform actions such as:
   • Download a file
   • Execute a file
   • Update itself

File details:
Runtime packer: in order to hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, 26 February 2010
Description updated by Petre Galan on Friday, 26 February 2010