From: Reid Zapata [mailto:tequilla65@hotmail.com]
Sent: Friday, 29 August 2008 7:43 AM
To: user@host
Subject: Statement of fees 2008/09
Please find attached a statement of fees as requested; this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.
Reid
WARNING!:
Just in case anyone thinks this is a valid email: the attachment contains a zipped copy of a new Trojan (Win32/Emold.gen).
The attachment: Fees-2008_2009.zip
Contains the file: Fees-2008_2009.doc.exe
Only 10 of 36 (27.78%) anti-virus products currently detect this as a threat using virustotal, with the same result at virscan. Unfortunately McAfee VirusScan DAT-5372 is one of the products that doesn’t identify the threat.
UPDATE:
Now that I’ve been presented with an infected machine via this attachment I can tell you it is a variant of Braviax (braviax/cru629/beep.sys)
I’ll let you know about the clean up process when I get there
Note 1:
In %SystemRoot%\System32\
braviax.exe
buritos.exe
karina.dat {appears to be a DLL}
winivstr.exe {FakeAlert-XPSecCener [Trojan]}
wpa.dbl
In %SystemRoot%\System32\dllcache\
beep.sys
figaro.sys
Note 2:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Appinit_dlls --> karina.dat
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
braviax.exe
buritos.exe
Note 3:
delself.bat
@echo off
rem Retry deleting the dropped temp file until it is gone, then delete this script itself
:try
del "C:\WINDOWS\TEMP\rld63.tmp"
if exist "C:\WINDOWS\TEMP\rld63.tmp" goto try
del delself.bat
Note 4:
This version of Braviax will infect removable drives with autoexec.inf + system.exe, where system.exe is a self-replicating copy of the Braviax infection.
Note 5:
Removes the DESKTOP and SCREEN SAVER tabs from the Display Properties.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
Restore by changing each registry value from 1 to 0.
Note 6:
Disables McAfee VirusScan and possibly the Windows XP firewall
Note 7:
In %SystemRoot%\System32\ you may also see a variant of the following
blphcgamj0ev6j.scr
phcgamj0ev6j.bmp
lphcgam0ev6j.exe
A quick search using regedit finds these hooked in as wallpaper and screensaver:
HKCU\Control Panel\Desktop\
Converted Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
Original Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
Wallpaper = %SystemRoot%\System32\phcgamj0ev6j.bmp
ScreenSaver = %SystemRoot%\System32\blphcgamj0ev6j.scr
CLEAN UP:
1. Unplug the machine from the network; this infection will continue to communicate and download other crud if it is left on the network.
2. Restart in safe mode
3. Using the search function in Explorer (or another tool if available), with the advanced options to search system folders, hidden files and folders, and subfolders enabled, delete all occurrences of the following:
braviax.exe
buritos.exe
karina.dat
winivstr.exe
wpa.dbl
beep.sys
figaro.*
4. Using regedit, search for and remove keys that point at:
braviax.exe
buritos.exe
karina.dat
winivstr.exe
wpa.dbl
beep.sys
figaro.*
5. Using regedit, browse to HKCU\Control Panel\Desktop\ and check the values for:
Converted Wallpaper =
Original Wallpaper =
Wallpaper =
ScreenSaver =
If these are filled with values similar to those in Note 7 above, remove the values.
6. Clear the directory %SystemRoot%\Prefetch
7. At this point you should be able to reactivate your firewall; make sure the settings haven't been altered.
8. Re-install your anti-virus product if it was disabled. Install any patches and the latest definitions (download these and bring them across to the infected machine on a burnt CD). Configure your anti-virus to delete autoexec.inf and system.exe; this will avoid your recovery tools being infected.
9. Restore access to the screen saver and wallpaper tabs by changing the following registry values from 1 to 0:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
10. At this stage things become a lot more complex, as you need to determine what other rogue applications are running on the box, and this will depend on how long the machine was on the network after it was infected. In most cases it is better to get the user's data off at this stage and re-image the machine.
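Before starting the deletions in steps 3 to 5 it helps to know which of the persistence points from Notes 1, 2, 5 and 7 are actually present on the box. The following read-only PowerShell triage script is an added example, not part of the original post; it assumes the Note 7 file names vary only in their random suffix (the post says "a variant of the following") and also lists Cpl32ver.exe from the second-wave variant described in the comments.

```powershell
# Added triage script, not from the original post. Read-only: it reports the
# indicators listed in Notes 1, 2, 5 and 7 without deleting anything.
# Assumption: the Note 7 file names vary only in their random suffix.
$indicators = 'braviax.exe','buritos.exe','karina.dat','winivstr.exe',
              'wpa.dbl','beep.sys','figaro.sys','cpl32ver.exe'
$sys32    = Join-Path $env:SystemRoot 'System32'
$dirs     = $sys32, (Join-Path $sys32 'dllcache'), (Join-Path $sys32 'drivers')
$findings = @()
# Note 1: dropped files (size shown so beep.sys can be compared with a clean copy)
foreach ($dir in $dirs) {
    foreach ($name in $indicators) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $size = (Get-Item -Force -LiteralPath $path).Length
            $findings += "FILE     $path ($size bytes)"
        }
    }
}
# Note 2: Run keys in HKCU/HKLM and the AppInit_DLLs value (karina.dat)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # PowerShell metadata, not a Run entry
        foreach ($name in $indicators) {
            if ("$($prop.Value)" -match [regex]::Escape($name)) {
                $findings += "RUN      $key\$($prop.Name) = $($prop.Value)"
            }
        }
    }
}
$winKey  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty $winKey).AppInit_DLLs
if ($appInit) { $findings += "APPINIT  AppInit_DLLs = $appInit" }
# Note 5: Display Properties tabs hidden by policy (value 1 = hidden)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'NoDispBackgroundPage','NoDispScrSavPage') {
    $val = (Get-ItemProperty $pol -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { $findings += "POLICY   $pol\$v = 1" }
}
# Note 7: wallpaper/screensaver values pointing at the dropped *phc* files
foreach ($prop in (Get-ItemProperty 'HKCU:\Control Panel\Desktop').PSObject.Properties) {
    if ("$($prop.Value)" -match '(?i)\\(bl|l)?phc[a-z0-9]+\.(scr|bmp|exe)$') {
        $findings += "DESKTOP  $($prop.Name) = $($prop.Value)"
    }
}
if ($findings.Count -eq 0) { 'No Braviax indicators found.' } else { $findings }
```

Run it as Administrator in Safe Mode before and after the clean-up; an empty result after step 9 is a reasonable check that the listed persistence points are gone, though not proof that nothing else was downloaded (see step 10).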
I got hit by this yesterday, and it infected my system. Norton Internet Security 2007 caught the risk, but not before it made some nasty changes to my system. The most destructive change is that it somehow disables the ftp protocol completely on the system. I cannot connect to any ftp server, through either my browser or ftp client(s). Dell support could not figure out how to identify the changes, but suggested I do a System Restore to 2 days ago.
At startup screen, I hit CTRL-F11 to initiate the restore, and that did not initiate the Dell restore, as their tech said it would.
Are the notes above complete? Did these 5 steps you listed completely clean things? I would rather not do a restore, so if the steps above may work, I will try that.
Any further information you have is much appreciated.
Thank you
SC
Sorry, I meant to include my system specs…
Dell 530 Quad
3GB RAM
Windows XP SP3
Norton Internet Security
AFTER DELETING ALL INFECTED (wpa.dbl, karina.dat, winivstr.exe, buritos.exe) BOTH IN C/WIN AND C/WIN/S32 AND RESTORING MENTIONED KEYS OF REGISTRY HKCU+HKLM SW/MS/WIN/CV/RUN + SW/MS/WINNT/CV/WIN
DO AS FOLLOWS:
1) CANCEL WITH MSCONFIG THE EMPTY LINE AT STARTUP MENU POINTING AT HKLM SW/MS/WIN/CV/RUN
2) IN SYSTEM STARTED IN SAFE MODE CHANGE THE CORRUPTED COPY OF BEEP.SYS (c/win/s32/dllcache + c/win/s32/drivers) with an uncorrupted copy (corrupted is about 25/28 kb uncorrupted is only 4624 bytes).
I DID AND SUCCEEDED WITHOUT RELYING ON LATE SUPPORT FROM TREND MICRO (my pccillin maker).
REGARDS
We are seeing a second wave of the "Statement of fees 2008/09" Trojan emails this morning coming in via lists.
Attachment: Fees_2008-2009.zip
Contains: Fees_2008-2009.doc.exe
The bad news is that McAfee Engine=5300 DAT=5380 (2008-09-09) doesn’t detect the infection. I have had Fees_2008-2009.doc.exe analysed by two of the on-line scanners with 14 of 36 (38.89%) products detecting the file as malware. Even though the file name is the same it appears that the malware is another variant.
* Virus Total
* VirSCAN.org
Quite different behaviour on infection. Drops Cpl32ver.exe and wpa.dbl into System32 and adds them to CurrentVersion\Run
There is a watchdog (Administrator\svchost.exe?) that checks to see if the CurrentVersion\Run Cpl32ver.exe registry key is deleted and will replace it if it has been deleted.
A whole plethora of malware is downloaded upon infection: rep[1].exe, kashir[1].exe, rld58.tmp, rld57.tmp, rld55.tmp, rld54.tmp. Identified by VirusScan as generic droppers/trojans.
svchost.exe is also being used to infect removable media with autoexec.inf + system.exe
This email hit us today but fortunately the recipient queried it before trying to open it.
Thanks for posting info about it here.