Since Thursday, a warning has been circulating in the AV community about an impending outbreak of the malware named “Here you have”. The urgency with which the message tells the recipient to follow the link has contributed to its widespread infection.
Visual Basic Compiled
The file has a PDF icon but is actually a compiled VB application. The malware usually arrives in an email message with the subject line “Here you have”, hence the name. Another possible propagation method is via YM from a user named “alicia.taylor2003” (this is still being investigated).
HTML Formatting
These are the two variants of the email it produces. Here is the message with the “Here you have” subject:
<html><font size=4 color=blue>Hello:<br><font size=4 color=black><br>This is The Free Dowload Sex Movies,you can find it Here.<br><font size=4 color=blue><a target=new href=hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr>http://www.sharemovies.com/library/SEX21.025542010.wmv<font size=4 color=blue> </a><br><br><font size=4 color=black>Enjoy Your Time.<br><br><br><font size=4 color=blue>Cheers,</html>
This is the one with the “Just for you” subject:
<html><font size=4 color=blue>Hello:<br><font size=4 color=black><br>This is The Document I told you about,you can find it Here.<font size=4 color=blue><a target=new href=hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr>http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf<font size=4 color=blue> </a><br><br><font size=4 color=black>Please check it andreply as soon as possible.<br><br><br><font size=4 color=blue>Cheers,</html>
The message is crafted in HTML. The href attribute of the anchor tag lets the actual URL be hidden while a dummy URL is displayed, so the user believes they are about to open a harmless, non-executable file. Anchors are normally used to show a short label or alias in place of a long URL. The user expects to be taken to http://www.sharemovies.com/library/SEX21.025542010.wmv, but the actual destination is the one in the href attribute.
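The following is an added example (not code from the original post) that checks for exactly this trick from the defender's side: it pulls every anchor out of an HTML message and reports when the visible text is a URL whose host or file type differs from the real href target, or when the target is a file type Windows will execute. SAMPLE_EMAIL reuses the anchor from the “Just for you” message quoted above, with the defanged (hxxp) URL as it appears there; the reason codes and the extension list are this example's own choices.

```python
# Added example, not part of the original post: audit HTML e-mail anchors for
# a displayed URL that does not match the real href target.
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows will run when the user opens the download (example list).
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".wsh")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parts(url):
    """Return (host, file extension) of a URL; accepts defanged hxxp/hxxps schemes."""
    normalised = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    parsed = urlparse(normalised)
    return (parsed.hostname or "").lower(), os.path.splitext(parsed.path)[1].lower()


def audit_links(html):
    """Return one finding per anchor: {'href', 'text', 'reasons': [codes]}.

    reason codes (defined by this example):
      host-mismatch       visible text is a URL on a different host than href
      extension-mismatch  visible text promises a different file type than href
      executable-target   href points at a file type Windows will execute
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        real_host, real_ext = _parts(href)
        # Only compare when the visible text itself looks like a URL.
        if text.lower().startswith(("http://", "https://", "hxxp://", "hxxps://")):
            shown_host, shown_ext = _parts(text)
            if shown_host != real_host:
                reasons.append("host-mismatch")
            if shown_ext != real_ext:
                reasons.append("extension-mismatch")
        if real_ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable-target")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: the anchor structure of the "Just for you" message above.
SAMPLE_EMAIL = (
    "<html><font size=4 color=blue>Hello:<br><font size=4 color=black><br>"
    "This is The Document I told you about,you can find it Here."
    "<font size=4 color=blue><a target=new "
    "href=hxxp://members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr>"
    "http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf"
    "<font size=4 color=blue> </a><br><br>Cheers,</html>"
)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding["text"], "->", finding["href"], finding["reasons"])
```

Run against the sample, the single anchor is reported with all three codes: the text names www.sharedocuments.com and a .pdf, the href points at members.multimania.co.uk and a .scr. A mail gateway or client plugin can apply the same comparison before the message reaches the user, which is what the HTML formatting would otherwise hide.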
Infection
Once executed, the malware drops copies of itself on the local computer:
C:\WINDOWS\csrss.exe
C:\Administrator CV 2010.exe
C:\WINDOWS\system\Administrator CV 2010.exe
C:\WINDOWS\system\updates.exe
It also drops zero-byte dummy files at the following paths:
C:\WINDOWS\ff.exe
C:\WINDOWS\gc.exe
C:\WINDOWS\hst.iq
C:\WINDOWS\ie.exe
C:\WINDOWS\im.exe
C:\WINDOWS\m.exe
C:\WINDOWS\op.exe
C:\WINDOWS\pspv.exe
C:\WINDOWS\rd.exe
C:\WINDOWS\re.exe
C:\WINDOWS\re.iq
C:\WINDOWS\SendEmail.dll
C:\WINDOWS\tryme1.exe
C:\WINDOWS\w.exe
C:\WINDOWS\system32\SendEmail.dll
Network Shares
It executes an embedded VBScript that enumerates all computers on the network and drops a copy of itself using the filename N73.Image12.03.2009.JPG.scr. The affected shared folders are the following:
• d
• c
• New Folder
• music
• print
• E
• F
• G
• H
It also drops open.exe on removable drives, together with an autorun.inf containing the following text:
[autorun]
open=open.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
Note that icon index 4 in shell32.dll is the standard folder icon. This overrides the PDF icon the malware itself carries, so the drive entry looks like an ordinary folder.
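As an added example (not code from the original post), the parser below reads an autorun.inf and flags the traits of the file quoted above: a launch command pointing at an executable, an icon borrowed from shell32.dll, an action string copying Windows' own AutoPlay wording, and the open verb set as the default. SAMPLE_AUTORUN is the post's own file; SAMPLE_CLEAN is a constructed benign one for comparison, and the finding codes are this example's own.

```python
# Added example, not part of the original post: parse autorun.inf and report
# the traits that distinguish a worm's autorun from a benign one.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".wsh")

# Keys whose value is launched when the drive is opened or auto-played.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return a list of (code, detail) findings for an autorun.inf."""
    cfg = parse_autorun(text).get("autorun", {})
    findings = []
    for key in LAUNCH_KEYS:
        value = cfg.get(key, "")
        program = value.split()[0].lower() if value.split() else ""
        if program.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("launches-executable", f"{key}={value}"))
    icon = cfg.get("icon", "").lower()
    if "shell32.dll" in icon:
        # A stock Windows icon (index 4 is the folder icon) makes the drive
        # look like a plain folder instead of a program.
        findings.append(("borrowed-system-icon", f"icon={cfg['icon']}"))
    if cfg.get("action", "").lower() == "open folder to view files":
        # Mimics the wording of Windows' own AutoPlay entry.
        findings.append(("mimics-autoplay-prompt", f"action={cfg['action']}"))
    if cfg.get("shell\\open\\default") == "1":
        findings.append(("default-action-hijacked", "shell\\open\\default=1"))
    return findings


# The autorun.inf quoted in the post, verbatim.
SAMPLE_AUTORUN = r"""[autorun]
open=open.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
"""

# Constructed benign file: an icon shipped on the drive and no launch command.
SAMPLE_CLEAN = r"""[autorun]
icon=backup.ico
label=Backup drive
"""

if __name__ == "__main__":
    for code, detail in audit_autorun(SAMPLE_AUTORUN):
        print(f"{code:24} {detail}")
    print("clean sample:", audit_autorun(SAMPLE_CLEAN))
```

On the quoted file this yields five findings (two launch keys, the borrowed icon, the copied AutoPlay text and the default verb) and none on the benign sample; the same check can be run over every autorun.inf found on removable media during triage.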
JIT Debugger?
The malware modifies various registry settings. One thing worth mentioning is its use of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\”. It adds the filenames of known security applications as subkeys of that registry key, each with a “Debugger” value whose data is the malicious “crss.exe”. The effect is that it hijacks, or redirects, any attempt to run a file of that name so that crss.exe executes instead.
For example we have this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
If any application, say calc.exe, is renamed to procexp.exe and run, the system will execute crss.exe instead.
The following filenames are targeted:
00hoeav.com, 0w.com, 360rpt.ExE, 360safe.ExE, 360safebox.ExE, 360tray.ExE, 6.bat, 6fnlpetp.exe, 6x8be16.cmd, _aVP32.ExE, _aVPCC.ExE, _aVPM.ExE, a2cmd.ExE, a2free.ExE, a2service.ExE, a2upd.ExE, abk.bat, adobe Gamma Loader.exe, algsrvs.exe, algssl.exe, angry.bat, anti-trojan.exe, aNtIaRP.ExE, antihost.exe, aNtS.ExE, apu-0607g.xml, apu.stt, aPVxdWIN.ExE, arSwp.ExE, ashdisp.exe, ashEnhcd.exe, ashLogV.exe, ashMaiSv.exe, ashPopWz.exe, ashQuick.exe, ashServ.exe, ashSkPcc.exe, ashUpd.exe, ashWebSv.exe, ast.ExE, aswBoot.exe, aswRegSvr.exe, aswUpdSv.exe, autorun.bin, autoRun.ExE, autorun.ini, autorun.reg, autorun.txt, autorun.wsh, autoRunKiller.ExE, autoruns.exe, autorunsc.exe, avadmin.exe, avastSS.exe, avcenter.exe, avciman.exe, avconfig.exe, aVCONSOL.ExE, aVENGINE.ExE, avgamsvr.exe, avgas.exe, avgcc.exe, avgcc32.exe, avgemc.exe, avginet.exe, avgnt.exe, avgrssvc.exe, avgrsx.exe, avgscan.exe, avgscanx.exe, avgserv.exe, avguard.exe, avgupsvc.exe, avgw.exe, avgwdsvc.exe, avltd.exe, avmailc.exe, avMonitor.ExE, avnotify.exe, avp.com, avp.exe, aVP32.ExE, aVPCC.ExE, aVPM.ExE, avscan.exe, avzkrnl.dll, bad1.exe, bad2.exe, bad3.exe, bdagent.exe, bdsubwiz.exe, BdSurvey.exe, BIOSREad.exe, blackd.exe, blackice.exe, caiss.exe, caissdt.exe, catcache.dat, cauninst.exe, Cavapp.ExE, cavasm.ExE, CavaUd.ExE, CaVCmd.exe, CaVCtx.exe, CavEmSrv.ExE, Cavmr.ExE, CavMUd.ExE, Cavoar.ExE, CavQ.ExE, CaVRep.exe, CaVRid.exe, CaVSCons.ExE, cavse.ExE, CavSn.ExE, CavSub.ExE, CaVSubmit.ExE, CavUMaS.ExE, CavUserUpd.ExE, Cavvl.ExE, CCenter.ExE, CEmRep.ExE, ckahcomm.dll, ckahrule.dll, ckahum.dll, cleaner.exe, cleaner3.exe, clldr.dll, CMain.ExE, copy.exe, curidsbase.kdz, destrukto.vbs, dF5Serv.exe, diffs.dll, drvins32.exe, drwadins.exe, drweb32w.exe, drweb386.exe, drwebscd.exe, drwebupw.exe, drwebwcl.exe, drwreg.exe, e.cmd, e9ehn1m8.com, edb.chk, egui.exe, ekrn.exe, EMdISK.exe, f0.cmd, FileKan.exe, flashy.exe, FPaVServer.exe, FProttray.exe, fpscan.exe, fptrayproc.exe, FPWin.exe, FrameworkService.exe, FRW.ExE, 
FrzState2k.exe, fs6519.dll.vbs, fssf.exe, fssync.dll, fun.xls.exe, g2pfnid.com, GetSI.dll, GFUpd.ExE, guard.exe, GuardField.ExE, guardgui.exe, guardxkickoff.exe, guardxkickoff_x64.exe, guardxservice.exe, guardxup.exe, h3.bat, Hijackthis.ExE, hookinst.exe, host.exe, i.bat, iamapp.exe, iamserv.exe, IceSword.ExE, ICLOad95.ExE, ICLOadNt.ExE, ICMON.ExE, ICSUPP95.ExE, ICSUPPNt.ExE, Identity.exe, iefqwp.cmd, IEShow.exe, IFaCE.ExE, ij.bat, InstallCaVS.ExE, InstLsp.ExE, Iparmor.ExE, iSafe.exe, iSafInst.exe, KaSaRP.ExE, kav.bav, kav32.ExE, kavbase.kdl, KaVPFW.ExE, kavstart.ExE, ker.vbs, KeyMgr.exe, killVBS.vbs, kissvc.ExE, kl1.sys, klavemu.kdl, klbg.cat, klbg.sys, klif.cat, klif.sys, klim5.sys, kmailmon.ExE, KPfwSvc.ExE, KRegEx.ExE, KVSrvxP.ExE, KVWSC.ExE, kwatch.ExE, licmgr.ex, licreg.exe, lky.exe, lockdown2000.exe, m2nl.bat, mbam.exe, mcagent.exe, mcappins.exe, mcaupdate.exe, mcdash.exe, Mcdetect.exe, mcinfo.exe, mcinsupd.exe, mcmnhdlr.exe, mcregwiz.exe, McShield.exe, Mctray.exe, mcupdmgr.exe, mcupdui.exe, McVSEscn.exe, mcvsftsn.exe, mcvsmap.exe, mghtml.exe, Mmsk.ExE, MooLive.exe, msdos.pif, msfir80.exe, MSGrc32.vbs, msime80.exe, msizap.exe, msmsgs.exe, msvcm80.dll, msvcp80.dll, msvcr71.dll, msvcr80.dll, mzvkbd.dll, mzvkbd3.dll, naiavfin.exe, naPrdMgr.exe, Navapsvc.ExE, NaVaPW32.ExE, NaVW32.ExE, netcfg.dll, new folder.exe, njibyekk.com, nod32.exe, nod32krn.exe, nod32kui.exe, oasclnt.exe, olb1iimw.bat, OnaccessInstaller.ExE, Pagent.exe, Pagentwd.exe, PavFnSvr.exe, pavprsrv.exe, PavReport.exe, pavsched.exe, PaVSRV51.ExE, pavtest.exe, pctsauxs.exe, pctsSvc.exe, pctstray.exe, PFW.ExE, preupd.exe, prloader.dll, procexp.exe, psctrlc.exe, PsCtrlS.exe, PSHost.exe, PsImSvc.exe, pskmssvc.exe, QQdoctor.ExE, QtnMaint.exe, RaV.ExE, ravmon.exe, Ravservice.ExE, RavStub.ExE, RaVtRaY.ExE, rcukd.cmd, reload.exe, rescue32.exe, rescuecd.zip, rfwmain.ExE, rfwProxy.ExE, rfwsrv.ExE, Rfwstub.ExE, rose.exe, RStray.ExE, Runiep.ExE, safeboxtray.ExE, sal.xls.exe, sched.exe, SCVHOSt.exe, scvhosts.exe, 
SCVHSOt.exe, SCVVHOSt.exe, scvvhosts.exe, SCVVHSOt.exe, seccenter.exe, SendLogs.exe, session.exe, shstat.exe, Socksa.ex, SOLOCFG.exe, SOLOLItE.exe, SOLOSCaN.exe, SOLOSENt.exe, Sphinx.exe, spidercpl.exe, spiderml.exe, spidernt.exe, spiderui.exe, spml_set.exe, Spybotsd.exe, SREngLdr.ExE, ssvichosst.exe, sxs.exe, system.exe, tca.exe, temp.exe, temp2.exe, toy.exe, tPSrv.exe, trojandetector.ExE, trojanwall.ExE, trojdie.KxP, UdaterUI.exe, uiscan.exe, unp_test.ExE, update.exe, updater.dll, UPSdbMaker.ExE, userdump.exe, UUpd.ExE, v.exe, Vba32act.exe, Vba32arkit.exe, Vba32ECM.exe, Vba32ifs.exe, vba32ldr.exe, Vba32PP3.exe, Vba32Qtn.exe, vbcmserv.exe, vbcons.exe, vbglobal.exe, vbimport.exe, vbinst.exe, vbscan.exe, vbsystry.exe, VetMsg.exe, virusutilities.exe, Visthaux.exe, VPC32.ExE, VPtRaY.ExE, VSECOMR.ExE, VSHWIN32.ExE, vsmon.exe, vsserv.exe, VSStat.ExE, VstskMgr.exe, WEBPROxY.ExE, WEBSCaNx.ExE, whi.com, WinGrc32.dll, WOPtILItIES.ExE, Wradmin.exe, WrCtrl.exe, wscntfy.exe, wsctool.exe, yannh.cmd, ybj8df.exe, zonealarm.exe
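The following added example (not code from the original post) shows how to sweep for this hijack offline: it parses the text of a `reg export` of the Image File Execution Options key and lists every subkey that carries a Debugger value, marking as suspicious any debugger that is not on a small allow-list of real debuggers. SAMPLE_REG_EXPORT is constructed to resemble the keys described above (the crss.exe name is the one the post gives); it is not a dump from an infected machine, and the allow-list is this example's own assumption.

```python
# Added example, not part of the original post: list Image File Execution
# Options "Debugger" hijacks from a reg export text dump.
import os

IFEO_PREFIX = (
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\image file execution options" + "\\"
)

# Debuggers one might legitimately find here on a developer workstation
# (example allow-list; adjust to the environment).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}


def parse_reg_export(text):
    """Return {key path: {value name: raw value}} from reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value
    return keys


def _unquote_reg_string(value):
    """Strip the quotes and un-double the backslashes of a REG_SZ literal."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace("\\\\", "\\")


def _program_name(command):
    """Base name of the executable in a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0] if command.split() else ""
    return os.path.basename(program.replace("\\", "/")).lower()


def find_ifeo_debuggers(reg_text):
    """Return [{'image', 'debugger', 'suspicious'}] for each IFEO subkey
    that carries a Debugger value."""
    hijacks = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        image = key[len(IFEO_PREFIX):]
        if "Debugger" not in values:
            continue
        debugger = _unquote_reg_string(values["Debugger"])
        hijacks.append({
            "image": image,
            "debugger": debugger,
            "suspicious": _program_name(debugger) not in KNOWN_DEBUGGERS,
        })
    return hijacks


# Constructed reg export text (not a real dump) mirroring the keys described
# in the post: two security tools redirected to crss.exe, one legitimate
# windbg entry, and a subkey with no Debugger value at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\crss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\crss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Debuggers\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000000
"""

if __name__ == "__main__":
    for hit in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if hit["suspicious"] else "known"
        print(f"{hit['image']:16} -> {hit['debugger']} [{flag}]")
```

A real `reg export` writes a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text in. Every IFEO Debugger entry deserves a look during an investigation; the allow-list only sorts the expected ones from the rest, and a debugger named like a system process and sitting in the Windows directory, as here, is the pattern the post describes.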
Prevention
Turning off HTML formatting in our email client will help us spot that something is fishy about the link. The malware has no complicated code to analyze, employs no anti-debugging tricks, and does not even exploit any vulnerability in the system. As other reports on this malware note, the trick is social engineering. Until we learn our lessons, malware like this will always return.