Monthly Archives: August 2007

TrojanHunter 5.0 Beta 1 Released!

The first beta version of TrojanHunter 5 is now ready for testing! Featuring an improved user interface and some exciting scan engine changes under the hood, this version of TrojanHunter is the best ever.


Please report any and all bugs here or by email ([email protected]). Note that using the beta will start your trial period. However, we will provide an additional 30-day trial period upon request to any beta tester who wishes to test out the final version.

What’s new in TrojanHunter 5.0?

  • Redesigned, polished user interface
  • Schedule page allows scheduling of LiveUpdate and TrojanHunter scans
  • Optional automatic cleaning of trojans found during scheduled scans
  • During a scheduled scan, TrojanHunter Scanner runs invisibly so as to not get in the user’s way. If trojans are found, however, a message box alert is displayed, and optional automatic cleaning initiated. This happens even if no user is logged in to the computer when the scan is run.
  • New file analyzer in engine ensures all files are scanned correctly according to content, no matter what extension they have
  • TrojanHunter now scans inside RARSFX archives
  • Scanning inside resources embedded in Windows PE executables, as well as numerous other scan engine improvements.

Why compound scanning is important..

Doing some housecleaning, and going through a whole bunch of malware files with the new scanner (as you do..)

This one brings a smile.. TrojanHunter now includes SFX detection among other things in the 5.0 beta, here’s an “installer”…

Found trojan file: C:\TESTING\2005107\2005107.exe/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/dmshell.dll/Upxlpbqnauj (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/WIS174.exe (Adware.AllSum.105)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/dmshell.dll/Upxtgyxoryw (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/WIS174.exe (Adware.AllSum.105)

We detect supsicious droppers too, simply because a normal SFX should be well, normal. Lets just say I wouldn’t want to execute the above on MY system…

Latest Zhelatin Emails

A new wave of Zhelatin emails is currently going out. A typical example is this email:

Are you ready to have fun at Web Joker.
Account Number: 775152935455
Temp Login ID: user1160
Your Password ID: px259
Please keep your account secure by logging in and changing your login info.
Use this link to change your Login info: http://74.64.28.xx/
Confirmation Dept.
Web Joker

The page linked to in the email advises the user to install a “Secure Login Applet” to view the page, which of course is an executable trojan file — a typical name is applet.exe. Below is a brief analysis.

The applet.exe file, when run, performs the standard Zhelatin actions: Copying itself to C:\Windows\spooldr.exe, and extracting a driver file to C:\Windows\system32\spooldr.sys. It also adds a rename entry for a .tmp file:

HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = C:\Windows\system32\drivers\OLD3.tmp"

This entry will simply delete the file on reboot. Interestingly enough, the variants we’ve examined so far haven’t patched the tcpip.sys file to make themselves autostart. This makes removal easier since tcpip.sys does not need to be restored from backup. (Check that the digital signature on tcpip.sys is valid though, in case you are infected with this and it is a different variant!)

The OLD3.tmp file is actually a patched version of the legitimate Microsoft kbdclass.sys driver file. The trojan version has an extra 15 KB of data appended to it. The entry point of the patched driver file has been modified to point to the start of this extra block of data. Once loaded, the OLD3.tmp file loads the spooldr.sys trojan driver using the native Windows API function ZWSetSystemInformation.

The spooldr.sys driver will as usual disable most common firewalls, including the built-in Windows firewall.

Manual removal steps

  1. Reboot computer in Safe Mode without networking
  2. Delete the following files: C:\Windows\spooldr.exe, C:\Windows\system32\spooldr.sys
  3. Restart computer normally

Analysis of an Ecard Exploit Page

The recent Ecard.exe trojan is spread via web pages served by infected machines. When a user receives an Ecard email (typical subject line: “Thank you e-card”) and clicks on the link in it, he ends up at a page that has an <embed> tag that will be displayed with a Windows Media Player object on Windows.

There is also a link to manually download the trojan file. This analysis will focus on the page contents, with a full analysis of the obfuscated and encrypted JavaScript that triggers the exploit.

If you view the source of an Ecard web page, you will see a piece of JavaScript that starts with the following:

function xor_str(plain_str, xor_key){ var xored_str = "";for (var i = 0 ; i < plain_str.length; ++i)
xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }
var plain_str = "xb1x9cx9bx9cx9bx9c (...)

What this script does is take the variable named plain_str and decrypts it using simple XOR decryption (with the key 145 in this case). The result is another piece of JavaScript that starts off with 78 line breaks (presumably to make it harder to display the decrypted code using a JS alert() dialog). Following the line breaks you find the new JavaScript code:

var s=unescape("...");do{s+=s;}while(s.length<0x0900000);
s+=unescape([long unicode string])
<EMBED src="------------ (...)

This code snippet writes out HTML that triggers the Windows Media Player Plug-In EMBED Overflow Exploit (MS06-006). The JavaScript uses a for-loop to create a huge string that holds the buffer overflow data. Once the exploit is successfully triggered, the ecard.exe file is downloaded and installed. It will then in turn start up a web server on the infected machine, and start sending out emails to new unsuspecting victims, making the cycle complete.

Since this worm exploits a flaw in Windows, it can affect you whether you use Internet Explorer or Firefox to browse the web. The only way to be safe against this exploit is to have the Security Update for Windows Media Player Plug-in (KB911564) installed. Check your Windows folder for the presence of the file KB911564.log - if it exists you are patched and secured against this exploit.

Generic Ecard (Worm.Zhelatin) Detection!

After some hard work, we’ve completed development on generic detection for the new Ecard trojan that is going around. This, folks, is what you get when TrojanHunter finds Ecard malware:

Notice that this is all generic detection - you could run TrojanHunter without a single ruleset entry loaded and it would still detect the Ecard trojan.

Beefed up Rar Sfx Detection

I’ve completed work on new code in TrojanHunter that will make it able to scan inside Rar SFX (self-extracting Rar) files. In addition, we’ve also added generic detection for Rar trojan droppers - very common with IRC bots and the like. The updated detection for Rar trojan droppers will be available via LiveUpdate in just a few hours.

Obfuscation the go..

More and more obfuscation has been going on in the malware world.. for some time now. Its reaching a peak.. or has it peaked already ?

Obfuscated trojans are ones which have been created, and then manipulated with an obfuscator tool. This encrypts the file using only opcode tricks, and is not a packer. The trojan is encrypted, by jumbling it up so to speak, using encryption opcodes such as SHL SHR (Shift Left, Shift Right) XOR, ADD, SUB or other simple encryption.

Javascript/HTML trojans are also now obfuscated heavily.

So this creates efforts to detect obfuscation with heuristics. This works! For those using some AV’s, HTML or JS heuristic based  alarms are probably common. So what happens ?

If you look at the reaction, some are doing as I thought and not packing malware, and some are of course changing obfuscation technique significantly. For the first time in a long time, I yesterday got a VUNDO aka Adware.Virtumonde distributed unpacked! I hope this is not a mistake. This is something I was unsure if it would happen, ZLOB did it but would they too ? This further suggests a trend back towards unpacked malware, which would be very interesting and good for us!

Good for everyone! (except the bad guys).