Upon starting the laptop and logging, I was greeted by the fake antivirus, "AntiViraAv". Of course, it started pretending to scan the hard drive and began presenting the traditional dire warnings of fatal virus infection and so on. I had read about this one on the S!Ri.URZ recently, so I went back and read that post again. It said running MBAM would fix the problem, although in our case it hadn't. I ran MBAM again, along with Super AntiSpyware, but again nothing was detected. MBAM is usually my go-to program for stuff like this, so I was surprised that hadn't worked. I took the machine to my forensics office, removed the hard drive and attached it via usb cable to another machine and ran MBAM and Vipre Antivirus against it, again coming up empty.
I pulled the registry files and took a look at the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key, finding an obviously suspicious entry listed showing "podnkiwd: "C:\DOCUME~1\<USERNAME>\LOCALS~1\Temp\lyxnxvrky\rciprogsika.exe." Okay, this isn't the interesting part. Lots of different malware programs insert something in the Run key.
But that's not what I wanted to tell you about.
I wound up finding two copies of the malware with identical MD5 hashes, one in the Local Settings\Temp folder called "6.129952833419995E7.exe" and the other in a newly created folder called "lyxnxvrky" inside the Temp folder .This new folder contained the "rciprogsika.exe" file referenced above and it is identical in every way, except its name, to the "6.129952833419995E7.exe." I decided to test the malware further to see what all happened. I submitted it to VirusTotal and found that only 17 of the 43 scanners there detected it. Based on that plus the fact MBAM didn't recognize it, I believe this is a newer variant of the AntiViraAV rogue AV. As of this writing, my submission is still the only one for this particular version at VirusTotal.
So you're probably wondering, what's the big deal. What was interesting to me may not mean much, but I hadn't seen it before. Seasoned malware experts and incident responders may have seen the other registry additions/modifications I'm about to describe, so this may not be anything earth shattering. You have been warned.
I set up a Windows XP virtual machine in VMWare Workstation and placed a copy of the "6.129952833419995E7.exe" file in the Local Settings\Temp folder. I ran RegShot, got my baseline and then executed the malware file. Nothing visible happened, unless you were looking in the Local Settings folder. However, all sorts of things were happening in the Registry.
Three new keys were created in the registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- HKEY_CURRENT_USER\Software\g043oqxanu
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
- RunInvalidSignatures = 0x00000001
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
- LowRiskFileTypes = ".exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
- SaveZoneInformation = 0x00000001
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- rqluxpqp = "%Temp%\lyxnxvrky\rciprogsika.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
- CheckExeSignatures ="no"
My intent now is to learn a bit more about those new registry keys and values.
EDIT: By the way, the MD5 for this file is c6a3a4477e17570a5c1da58e34312b4b
Awesome post. I haven't seen that behavior before either.
ReplyDeleteThanks!
ReplyDeleteKen,
ReplyDeleteI blogged about the keys and references to how they are used by the OS...
http://windowsir.blogspot.com/2011/02/links.html
Thanks, Harlan. I meant to add a post here mentioning you had done that and completely forgot. Thanks for the info!
ReplyDelete