Ecard Malware Spam

[JohnC]

File 12.240.21.105.exe received on 08.09.2007 18:52:58 (CET)
Result: 12/32 (37.5%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.9.2 2007.08.09 -
AntiVir 7.4.0.57 2007.08.09 WORM/Zhelatin.Gen
Authentium 4.93.8 2007.08.08 -
Avast 4.7.1029.0 2007.08.09 -
AVG 7.5.0.476 2007.08.09 -
BitDefender 7.2 2007.08.09 -
CAT-QuickHeal 9.00 2007.08.09 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.09 -
DrWeb 4.33 2007.08.09 -
eSafe 7.0.15.0 2007.07.31 Suspicious Trojan/Worm
eTrust-Vet 31.1.5045 2007.08.09 Win32/Sintun.AC
Ewido 4.0 2007.08.08 -
FileAdvisor 1 2007.08.09 -
Fortinet 2.91.0.0 2007.08.09 -
F-Prot 4.3.2.48 2007.08.08 -
F-Secure 6.70.13030.0 2007.08.09 Tibs.gen126
Ikarus T3.1.1.12 2007.08.09 -
Kaspersky 4.0.2.24 2007.08.09 Email-Worm.Win32.Zhelatin.gq
McAfee 5094 2007.08.09 W32/Nuwar@MM
Microsoft 1.2704 2007.08.09 -
NOD32v2 2447 2007.08.09 -
Norman 5.80.02 2007.08.08 Tibs.gen126
Panda 9.0.0.4 2007.08.09 -
Prevx1 V2 2007.08.09 -
Rising 19.35.33.00 2007.08.09 -
Sophos 4.19.0 2007.08.01 Mal/Dorf-A
Sunbelt 2.2.907.0 2007.08.09 VIPRE.Suspicious
Symantec 10 2007.08.09 Trojan.Packed.13
TheHacker 6.1.7.166 2007.08.09 -
VBA32 3.12.2.2 2007.08.09 -
VirusBuster 4.3.26:9 2007.08.09 -
Webwasher-Gateway 6.0.1 2007.08.09 Worm.Zhelatin.Gen
Additional information
File size: 113141 bytes
MD5: 32565ec38b7a66c78e38ec234c55fcd8
SHA1: 2da6caea18c127149a9fe0718106fa24400464fd
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Zhelatin? Sintun? Tibs? Nuwar? Dorf?  I have also seen it labeled as Peed too. Would be nice if they could agree on a name and use it.

This malware is normally distributed through email, claiming to be an ecard from popular ecard websites.

Twenty two ecard samples can be found below. (VirusTotal Scans may differ from each file)
http://www.malwaredomainlist.com/mal/ecard-09.08.07.rar

Below are the filenames, filesizes, filehashes, and 64 byte entry point signatures for each of the twenty two samples. Each file is 110KB.

Filename: 12.240.21.105.exe
Filehash: 32565ec38b7a66c78e38ec234c55fcd8
Filesize: 113141 Bytes
EP Sig: FF 74 24 1C 58 8D 80 D4 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D CE 04 98 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 65.24.96.136.exe
Filehash: 6dd97490eccb2c4ec57225d007e4a21a
Filesize: 113083 Bytes
EP Sig: FF 74 24 1C 58 8D 80 9A 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 5C FC 48 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 65.29.153.234.exe
Filehash: d6638da87a14b6f4c0c399d0d99c1d24
Filesize: 113207 Bytes
EP Sig: FF 74 24 1C 58 8D 80 16 65 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D AE 84 4A 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 66.66.252.117.exe
Filehash: f723402a1c3aab11d6e39522bd18a6ce
Filesize: 113141 Bytes
EP Sig: FF 74 24 1C 58 8D 80 D4 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D A9 2E D9 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 67.186.156.67.exe
Filehash: 5817a6baac6ab2d3a554d37528357b0a
Filesize: 113083 Bytes
EP Sig: FF 74 24 1C 58 8D 80 9A 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D E6 D0 94 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 69.154.54.13.exe
Filehash: 850a5dd77a75595583d5a1dc05c57604
Filesize: 113166 Bytes
EP Sig: FF 74 24 1C 58 8D 80 ED 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 32 46 4A 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 75.70.103.249.exe
Filehash: f144d97495a18fc4d1fc60080c4cf481
Filesize: 113125 Bytes
EP Sig: FF 74 24 1C 58 8D 80 C4 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 08 C2 48 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 75.82.1.125.exe
Filehash: 993b05e78572622bf9ca038c23e2b658
Filesize: 113046 Bytes
EP Sig: FF 74 24 1C 58 8D 80 75 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 9C 91 55 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 76.31.144.78.exe
Filehash: 5c8d96a4a589ed3dea46e208248629e5
Filesize: 113030 Bytes
EP Sig: FF 74 24 1C 58 8D 80 65 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 5A 2A 49 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 76.116.23.189.exe
Filehash: 619c31595b655a6baa2befea376db55e
Filesize: 113093 Bytes
EP Sig: FF 74 24 1C 58 8D 80 A4 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D FB 70 58 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 76.182.89.112.exe
Filehash: d3c28a4067d6ae2c8a00af624d33a8e3
Filesize: 113119 Bytes
EP Sig: FF 74 24 1C 58 8D 80 BE 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 5B E4 56 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 77.97.214.56.exe
Filehash: 1fb22df1372a705321b7a51809554601
Filesize: 113040 Bytes
EP Sig: FF 74 24 1C 58 8D 80 6F 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D DE A5 35 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 82.44.210.182.exe
Filehash: 41f47ddbebb59f3d9d854deb6f8095bd
Filesize: 113126 Bytes
EP Sig: FF 74 24 1C 58 8D 80 C5 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D FA D0 47 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 82.55.234.59.exe
Filehash: da87f1f9ad718bada4073e9ab0cac667
Filesize: 113138 Bytes
EP Sig: FF 74 24 1C 58 8D 80 D1 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 87 65 4C 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 83.84.20.47.exe
Filehash: 5caa9eca9591e3324d24bc203f9c76b7
Filesize: 113033 Bytes
EP Sig: FF 74 24 1C 58 8D 80 68 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 77 F4 50 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 83.254.83.211.exe
Filehash: c42d8fe7ea0aea2316a44eadf621cd1f
Filesize: 113183 Bytes
EP Sig: FF 74 24 1C 58 8D 80 FE 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 4B 92 4A 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 86.104.103.169.exe
Filehash: 07653ff1813b33e8f0a42c905eda66e7
Filesize: 113202 Bytes
EP Sig: FF 74 24 1C 58 8D 80 11 65 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 1D 2C 6E 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 98.194.66.112.exe
Filehash: ab63cd8e661e1b788d9bc6911f02262f
Filesize: 113126 Bytes
EP Sig: FF 74 24 1C 58 8D 80 C5 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 95 EF 5E 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 98.198.104.32.exe
Filehash: 5e2c6ee3b94fb4cccabf6ef53340b55b
Filesize: 113154 Bytes
EP Sig: FF 74 24 1C 58 8D 80 E1 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 46 B7 68 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: 98.199.227.109.exe
Filehash: 8deb1de5a3b4364e706136f2eec2e7e1
Filesize: 113151 Bytes
EP Sig: FF 74 24 1C 58 8D 80 DE 64 77 04 50 68 62 34 35 04 E8 46 00 00 00 50 8D 15 59 99 E4 0E 52 50 51 55 E8 5E 00 00 00 E8 76 00 00 00 8D 2D 34 CE 55 01 8D 54 05 00 01 CA E8 71 00 00 00 56 53 E8 79

Filename: ecard1.exe
Filehash: cd387bbfbd76685ff35725f4d23f6431
Filesize: 113244 Bytes
EP Sig: FF 74 24 1C 58 8D 80 AB 64 77 04 50 68 62 34 35 04 E8 56 00 00 00 40 40 50 8D 15 A1 16 DE 0F 52 50 51 55 E8 72 00 00 00 E8 84 00 00 00 8D 2D 75 E9 C4 01 89 EA 50 51 59 01 CA 59 01 CA E8 7B 00

Filename: ecard2.exe
Filehash: 38aa8aac56d5896098cf67606d252e72
Filesize: 113231 Bytes
EP Sig: FF 74 24 1C 58 8D 80 9E 64 77 04 50 68 62 34 35 04 E8 54 00 00 00 50 8D 15 A1 16 DE 0F 52 50 51 55 E8 6A 00 00 00 E8 7C 00 00 00 8D 2D 24 19 55 01 89 EA 50 51 59 01 CA 59 01 CA E8 73 00 00 00



The packer used on the ecard variants is currently unkown. The (97 byte) EP signature below can be used to detect the packer used on all twenty two samples above and possibly more. 

Code: [Select]

[Drace Unknown Packer (AA)]
signature = FF 74 24 1C 58 8D 80 ?? ?? 77 04 50 68 62 34 35 04 E8 ?? 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? FF 
ep_only = true
If you want more of a precise signature then you could make it from less signatures. This may be especially useful if you have a specific unpacking routine which works on some executables but not on all. If you would like to make the signature more generic, you could make it from some more executables which have different signatures. It could be that all the variants have been packed by the same packer and that it has some kind of polymorphic ability. Like Morphine or PEncrypt. I haven't had a look so I couldn't say. It may not have any polymorphic ability, but the files that are being packed might be diffrent because the files before being packed were different which would of course create different packed code.

Or the other possibilities are that they are different packers, or at least different versions of the same packer. If it is the case that it uses polymorphism, then creating a signature in the form of a string of bytes may not be possible. You could try and create multiple signatures, or it may be better to create a routine which tries to identify it from the way the code works.

You can view an example of the greeting card spam from here.

[bobby]

The packer's name is also Tibs (according to Kaspersky), and as far I know, there is no unpacker for it even between unpacking engines used by antivirus programs. So, the detections are mostly based on the signatures of the packed files, so changing the packer would probably throw another detection (or no detection in the worst case).

[sowhat-x]

Tibs...would be nice if we could get a copy of this packer/trojan builder tool/whatever itself...
Googled a bit for tibs/ecard etc.,and it seems that at least the media,
have given the generic name "StormWorm" to variants of these malware,eg.:
http://www.theregister.co.uk/2007/06/29/ecard_storm_trojan/

[toni]

The packer is not public as far as I know. It is quite trivial to unpack it manually. If I ever get enough time, I'll code an unpacker for it. It only takes a minute or so to unpack it manually, so it's more like smoke and mirrors than an actual packer. Stormworm has been a pain in the butt for a long time, mostly because of the volume of spam it sends and the DDOSes it launches.

[spysrch]

how to download this packer

please help

[JohnC]

It isn't public, when I started this thread there was going to be more in depth information about it. But I never really got the time to do it. I would guess that newer versions of storm worm are using different variations of the packer, to make it more difficult for antivirus companies to detect.

[sowhat-x]

With that many Zhelatin variants that got released since earlier this year,
it's quite reasonable to assume that most possibly it isn't even a standalone packer...

Furthermore,even say if the above doesn't stand true,
and there exists indeed a standalone 'private Zhelatin scrambler' out there,
I really doubt that spreading it in the wild would do any good:
information should be free,but this is assuming there's common sense also,he-he...
Both time and the way something gets publicly released play a major role on this,
and this is what is called 'responsible disclosure'...

It's one thing to release in public 'leaked' malware samples and tools,
which no matter the case,after a few months they are gonna get widespread:
this way helps end-users protect themselves in the meanwhile by personal means,
and also puts pressure in the AV companies to add proper detection for them in a timely manner.
But Tibs/Zhelatin's cycle certainly doesn't seem to be closing anytime soon...
ie.the only thing this would achieve,would be to spread further confusion and mess in the net,
as every skiddie would start modding backdoors with it in order to supposedly 'show off'...