Author Topic: hxxp://njvj.t35.com

January 24, 2008, 07:49:57 pm

Chato Flores

Hello,

I'm new here. And I'm not sure this is the right forum category to post this. If not: my apologies.

Today I received an e-mail with a link to a website that hosts malware.
Just visiting the website drops a trojan (drive-by download).
The download links on this webpage download a worm.

--------
received e-mail (including the typos):


Mail subject: Where was gone? I Julie from Sydney
From:  Julie <xmyw1981 [AT] nv.com
Date:  Thu, 24 Jan 2008 15:57:59 +0100

Message:
You remember m?e I do! Here my pgae yqyulhowynqqod:
Quote
hxxp://x-dxxx.nm.ru

----------------------

Link redirects to
Quote
hxxp://njvj.t35.com/

----------------

Just visiting the webpage made the AV (Kaspersky) alert on Trojan-downloader.JS.Agent.bak
(drive-by download).

Filename: ECDC7A08d01
located in
C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\l6lz1ttz.default\Cache

The webpage contains three download links.

Clicking on one of the download links results in a download of a file named sex.zip.
This zip file contains one file, named setup.exe.

This file was not detected by the AV.
It has a very low detection rate. VT results: 8/31 (25.81%)
VT-Results: http://www.virustotal.com/nl/analisis/867aa59a98aeea2670bff37a2ce4644b

Double-clicking setup.exe results in an error message:
"Could not initialize installation"

Another file is dropped:
File path and name: C:\i

Kaspersky alerts with: Worm.Win32.Feebs.mx

Deleting the file setup.exe was not possible: File is in use.

Another link on the webpage is for downloading an e-book titled "Self made milionaires".
Clicking this link results in the download of a file called 21book.zip.

This zip file contains another setup.exe.
Not detected by the AV until I execute it.

The third link downloads a file called cm.zip.
Also not detected by the AV.

After execution, setup.exe drops
 c:\windows\system32\msrk32.dll//UPack
AV result: virus Worm.Win32.Feebs.mx

--------------

Analysis of setup.exe

Started Processes:
c:\windows\system32\msyn.exe   
c:\windows\system32\svchost.exe   

Created files:
C:\i
C:\WINDOWS\system32\msrk32.dll   
C:\WINDOWS\system32\drivers\msaq
C:\WINDOWS\system32\drivers\PROCEXP111.SYS

Created Registry Keys:
HKLM\Software\Microsoft\MSAU\
HKLM\Software\Microsoft\Active Setup\Installed Components\{6CBBC508-0000-0000-9C55-ED1104F92217}
HKLM\Software\Classes\CLSID\{6CBBC508-0000-0000-9C55-ED1104F92217}
HKLM\Software\Classes\CLSID\{6CBBC508-0000-0000-9C55-ED1104F92217}\InprocServer32

Registry-value modifications:
Sets value "default"="" in key "HKLM\System\CurrentControlSet\Services".
Sets value "buf"="msjd.db" in key "HKLM\Software\Microsoft\MSAW".
Sets value "dll"="mswm32.dll" in key "HKLM\Software\Microsoft\MSAW".
Sets value "exe"="mssj.exe" in key "HKLM\Software\Microsoft\MSAW".

Other:
Modified OS kernel function code.
Anti debug/emulation code present.

MD5 hash: 62b2fe5eff7d5637d5f1fb945de8b4a1

If anybody here needs the samples I mentioned above for further analysis, please let me know.


Regards,

Chato Flores

January 24, 2008, 08:39:18 pm
Reply #1

JohnC

Thank you, this information was great. The domain will be added during the next update.

January 26, 2008, 10:55:22 am
Reply #2

Chato Flores

Another analysis of NjVj.com, by Richard Jones, can be found here
(with screenshots!)

Quote
This site (hxxp://NjVj.com) uses obfuscated script to trigger by remote code execution the download of an executable, spoofed as a .jpg file

On the same website you can also find a very interesting article about spoofed executables attempting to download by remote code execution.
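The indicators reported in the first post (the dropped file names, the MD5 of setup.exe, the C:\i artefact, the HKLM keys) and the .jpg-spoofed executable mentioned in the quoted njvj.com analysis can be turned into a simple offline triage check. The script below is an added example and is not from either poster or from the Richard Jones write-up; it walks a file tree (for instance a mounted image or a copied profile), flags the reported names and hash, and reports any file that carries an image extension but starts with a PE "MZ" header, which is how the spoof is assumed to look here (the page does not describe the file format beyond "executable spoofed as a .jpg"). The registry check uses the keys listed in the post and only runs on Windows. The files built in demo() are constructed stand-ins, not the real samples.

```python
"""Offline triage for the indicators reported in this thread (added example)."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Indicators taken from the first post in this thread.
KNOWN_BAD_MD5 = {
    "62b2fe5eff7d5637d5f1fb945de8b4a1": "setup.exe from sex.zip (Worm.Win32.Feebs.mx per Kaspersky)",
}
DROPPED_FILE_NAMES = {
    "msrk32.dll", "msyn.exe", "msaq", "procexp111.sys",
    "mswm32.dll", "mssj.exe", "msjd.db",
}
# Keys under HKLM that the post reports as created or modified by setup.exe.
REGISTRY_KEYS = [
    r"Software\Microsoft\MSAU",
    r"Software\Microsoft\MSAW",
    r"Software\Classes\CLSID\{6CBBC508-0000-0000-9C55-ED1104F92217}",
    r"Software\Microsoft\Active Setup\Installed Components"
    r"\{6CBBC508-0000-0000-9C55-ED1104F92217}",
]
# Assumption: the spoofed download is a raw PE file given an image extension,
# so the 'MZ' signature behind one of these extensions is the tell.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def md5_of(path):
    """Hash a file in chunks so large images or drivers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file begins with the DOS/PE 'MZ' signature."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_tree(root):
    """Return (kind, path) tuples for every indicator hit under root."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in DROPPED_FILE_NAMES:
            findings.append(("dropped-file-name", str(p)))
        # The post reports C:\i; match a bare 'i' only at the root of the tree.
        if name == "i" and p.parent == root:
            findings.append(("root-file-i", str(p)))
        if md5_of(p) in KNOWN_BAD_MD5:
            findings.append(("known-bad-md5", str(p)))
        if p.suffix.lower() in IMAGE_EXTENSIONS and looks_like_pe(p):
            findings.append(("pe-with-image-extension", str(p)))
    return findings


def check_registry():
    """Windows only: return which of the reported HKLM keys exist on this host."""
    if sys.platform != "win32":
        return []
    import winreg
    present = []
    for key in REGISTRY_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                present.append(key)
        except OSError:
            pass
    return present


def demo():
    """Build a constructed tree mimicking the reported layout and scan it."""
    tmp = Path(tempfile.mkdtemp())
    sys32 = tmp / "WINDOWS" / "system32"
    (sys32 / "drivers").mkdir(parents=True)
    (sys32 / "msrk32.dll").write_bytes(b"MZ" + b"\x00" * 62)        # constructed stand-in
    (sys32 / "drivers" / "msaq").write_bytes(b"\x00" * 16)            # constructed stand-in
    (tmp / "i").write_bytes(b"constructed dropper artefact")
    (tmp / "photo.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)     # PE behind a .jpg name
    (tmp / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG magic
    (tmp / "readme.txt").write_bytes(b"clean file")
    return sorted(kind for kind, _ in scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
    print(check_registry())
```

Run it against a mounted image rather than a live infected host: the post notes setup.exe could not be deleted because the file was in use, and a live scan would also be subject to whatever the "modified OS kernel function code" hides. Filename matches are weak on their own (the names are generic Microsoft-looking strings), so treat a name hit as a pointer to hash and inspect, while the hash and the PE-behind-image hits are the stronger signals.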

February 02, 2008, 05:17:15 pm
Reply #3

Drusepth

Quote from: Chato Flores
Another analysis of NjVj.com, by Richard Jones, can be found here
(with screenshots!)

Quote
This site (hxxp://NjVj.com) uses obfuscated script to trigger by remote code execution the download of an executable, spoofed as a .jpg file

On the same website you can also find a very interesting article about spoofed executables attempting to download by remote code execution.
That was a very interesting article, thanks.