Sun, Jan 29, 2012 7:59 pm

Redirection to Rogue rr.nu Site

While searching for a power adapter, I found a link for the part number of the power adapter for which I was searching that redirected me to www2.smartouholder.rr.nu. That site displayed a fake virus scan (see image), which reportedly was finding malware on the system from which I was searching, but was really just a ruse to try to lure unsuspecting users into buying rogue antivirus software, i.e., scareware. If I tried to navigate away from the site, I would receive a "Are you sure you want to navigate away from this page?" message.

Scareware - are you sure

No matter which option I selected from "OK" or "Cancel", I was left at the scareware webpage. After finally getting back to a prior Google search page, I checked the site's reputation at Norton™ Safe Web. It did not list the site www2.smartouholder.rr.nu, stating it had not been tested yet, but it did list rr.nu.

Norton Safe Web reported the following for the rr.nu site:

rr.nu

Summary

Computer Threats: 1
Identity Threats: 0
Annoyance factors: 0
Total threats on this site: 1
Community Reviews: 5

Norton Safe Web listed "Drive-By Downloads" as the threat from the site.

After I was able to navigate away from the site, I added an entry to the /Windows/system32/drivers/etc/hosts file to ensure that the system would not be able to contact the site again. I put the following 2 lines at the bottom of that file:

# Inserted on 2012-01-29. Site is attempting to download rogue antivirus software
127.0.0.1 www2.smartouholder.rr.nu

When a Windows system attempts to find an IP address for a website name, such as www.example.com, it will first check the hosts file to see if an IP address is listed there for the fully qualified domain name. If not, then it will perform a Domain Name System (DNS) query to obtain the IP address associated with the name. By associating the name with 127.0.0.1, which is the loopback address for the local system, you can ensure that a system on which the entry has been put in the hosts file will see the name as pointing to its own address and thus will never be able to reach the actual site.

Note: if you edit the hosts file with the Windows Notepad editor, be sure you save the file as hosts, not hosts.txt. The file may also be marked as read-only, so in order to save the file, you will need to take off the read-only attribute temporarily and put the attribute back on after you have saved the file. You can do so by right-clicking on the hosts file, choosing Properties and unchecking the read-only attribute. Or you can use the following two commands from the command line to take the attribute off the file and put it back on after you've edited the file.

attrib -r C:\Windows\System32\drivers\etc\hosts
attrib +r C:\Windows\System32\drivers\etc\hosts

You will need to run the commands from an administrator account to do so. You will also need to run Notepad from an administrator account to edit the file. If you are logged in as another user, you can use the "runas" command from the command line to run Notepad or the attrib command from the administrator account.

E.g., you can use runas /user:administrator cmd to open another command prompt under the administrator account to run the attrib commands or runas /user:administrator notepad to run Notepad from the administrator account. Alternatively, for the attrib command you could use runas /user:administrator "attrib -r C:\Windows\System32\drivers\etc\hosts". If you are using a domain administrator account you would use runas /user:domainname\administrator.
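The lookup order and the hosts-file edit described above, as an added example (not code from the post): lookup_hosts mimics the "check hosts first, otherwise DNS" behaviour on file content, add_block_entry appends the same two-line block the post inserts, and write_hosts clears and restores the read-only attribute around the write. Function names and the sample hosts content are constructed for this example.

```python
# Added example (not from the post): model the lookup the post describes and the
# hosts-file edit it performs. All names below are hypothetical.
import datetime
import os
import stat

def lookup_hosts(hosts_text, name):
    """Return the address the hosts file maps `name` to, or None when absent
    (Windows would then fall through to a DNS query)."""
    want = name.lower().rstrip(".")
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        parts = line.split()
        if len(parts) < 2:
            continue
        if want in (n.lower() for n in parts[1:]):  # one address, many names
            return parts[0]
    return None

def add_block_entry(hosts_text, name, reason, today=None):
    """Append the post's two-line block (dated comment + loopback mapping)
    unless the name is already mapped; return the new file content."""
    if lookup_hosts(hosts_text, name) is not None:
        return hosts_text
    today = today or datetime.date.today().isoformat()
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + f"# Inserted on {today}. {reason}\n127.0.0.1 {name}\n"

def write_hosts(path, content):
    """Write content, clearing the read-only attribute for the duration of the
    write (the attrib -r / attrib +r dance) and restoring it afterwards."""
    mode = os.stat(path).st_mode if os.path.exists(path) else None
    read_only = mode is not None and not (mode & stat.S_IWRITE)
    if read_only:
        os.chmod(path, mode | stat.S_IWRITE)
    try:
        with open(path, "w", encoding="utf-8", newline="\r\n") as f:
            f.write(content)
    finally:
        if read_only:
            os.chmod(path, mode)

# Constructed sample hosts file content (not a real capture).
SAMPLE_HOSTS = "# constructed sample hosts file\n127.0.0.1       localhost\n"

if __name__ == "__main__":
    updated = add_block_entry(SAMPLE_HOSTS, "www2.smartouholder.rr.nu",
                              "Site is attempting to download rogue antivirus software")
    print(updated)
    print(lookup_hosts(updated, "www2.smartouholder.rr.nu"))  # 127.0.0.1
```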

[/security/malware] permanent link

Tue, Nov 15, 2011 10:40 pm

AV Security 2012v121.exe Rogue Antivirus Program

I removed rogue antivirus software associated with AV Security 2012v121.exe from a user's system. The AV Security 2012 "security" software was declaring other programs on the system as infected and preventing other programs from running.

[More Info]

[/security/malware] permanent link

Wed, Mar 30, 2011 11:59 pm

System Defender Infection

A user reported that annoying messages kept popping up on his system every few minutes from System Defender stating his system was infected. When I checked his system, I found the rogue anti-spyware/anti-virus software named System Defender on the system. I was able to remove it with Malwarebytes' Anti-Malware, which has a free version of the software that can be used to remove spyware and viruses. The commercial version will run continually while the free version can be used to manually scan a system.

[More Info]

[/security/malware] permanent link

Tue, Jan 05, 2010 11:00 pm

Malware Scanning on Dell Inspiron 1526

The owner of a Dell Inspiron 1526 laptop running Microsoft Windows Vista with Service Pack 2 installed was seeing popups warning the system was infected with malware. When I logged into the system, I saw one such warning. The Task Manager would not run nor could I get a command prompt at the time.

When I checked the system, I didn't find any rogue antivirus/antispyware software on it that I could link to the warning, though. I did find a .wmv file masquerading as an .mp3 file that Symantec Security Scan identified as Trojan.Wimad, however.

[More Info]

[/security/malware] permanent link

Tue, Sep 08, 2009 9:52 pm

Hello Kitty Online - Trojan.Win32.Generic!BT

A family member got an offer to become a beta tester for Hello Kitty Online today. The email message she received provided a link to download a setup program HKO_Downloader.exe. After she downloaded the file, I had her submit it to Virustotal , a site that checks files for malware with multiple antivirus programs. The Virustotal analysis of the file showed 2 of the 41 programs it used to check the file reporting a potential issue with the file. Note: someone else had uploaded a file named HKO_Island_of_Fun.exe on September 3, 2009 that Virustotal identified as being an identical file because that file had an identical hash value.

File HKO_Island_of_Fun.exe received on 2009.09.03 20:55:55 (UTC)
Current status: finished
Result: 2/41 (4.88%)

The two that identified the file as potentially being malware were as follows:

Antivirus         Version       Last Update   Result
McAfee+Artemis    5730          2009.09.03    Suspect-29!4A5CA8AF0ECD
Sunbelt           3.2.1858.2    2009.09.03    Trojan.Win32.Generic!BT

Information on Mcafee+Artemis is available at McAfee Artemis Technology. An evaluation of McAfee+Artemis is available at Anti-Virus Comparative Technology Preview Report McAfee Artemis.

Sunbelt's Trojan.Win32.Generic!BT Information and Removal webpage shows the following:

Threat Name:  Trojan.Win32.Generic!BT
Summary:      Trojan.Win32.Generic!BT is a downloader associated with rogue security programs (also called "scareware"). Once downloaded, the rogues pretend to scan a victim's computer for malware then display false warnings that the machine is infected. It tries to convince victims to purchase useless security software.
Category:     Trojan
Level:        High
Advice:       Remove
Description:  Other names: F-Secure: Trojan-Downloader.Win32.FraudLoad.ffz; Kaspersky: Trojan-Downloader.Win32.FraudLoad.ffz; Microsoft: TrojanDownloader:Win32/FakeVimes
Release Date: Apr 7 2009
Last Updated: Aug 7 2009
File Traces:  No traces available.

The HKO_Downloader.exe file downloads the actual software needed to participate in Hello Kitty Online, which is a site run by Aeria Games. I concluded that they may have licensed a downloading program that some others may use for nefarious purposes, but I didn't see sufficient reason to be concerned in this case and told her she could download the software and participate in the beta testing.

[/security/malware] permanent link

Sun, Feb 22, 2009 7:11 pm

42odhr0b.exe

After scanning a Windows XP Professional Service Pack 2 system, MoonDreaming, with Spybot Search & Destroy 1.6.2, I installed Multi Virus Cleaner 2008 v8.6.1 on the system and scanned the system with it. It reported that a file, 42odhr0b.exe, which it found in a user's Local Settings\Temp folder was infected with the virus Trojan.Dropper.Small-8.

I submitted the file, which has an MD5 hash of 93d2546e58042ebe7f5ae26ec0ec50b3, to VirusTotal, a free service "that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." It reported the file was first received on 10.07.2006 22:08:05 (CET). I had it reanalyze the file. VirusTotal reported that 91.18%, i.e. 31 of 34, of the antimalware programs with which it scanned the file identified the file as being malware (see VirusTotal report).

I also submitted the file to VirSCAN.org, "a FREE on-line scan service, which checks uploaded files for malware", using multiple antivirus engines. On uploading files you want to be checked, you can see the result of scanning and how dangerous and harmful/harmless for your computer those files are. VirSCAN reported that 76%, i.e. 28 of 37, of the antimalware programs it used reported the file as being malware (see VirSCAN report).

I also submitted the file to Jotti's Online Malware Scan, another free malware scanning site, for analysis. On that site, 18 of the 19 antivirus programs it used detected the file as malware (see Jotti report).

ThreatExpert, "an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode" identified the file as being associated with Spyware.FavoriteMan (see ThreatExpert report).

ThreatExpert provided the following information on Spyware.FavoriteMan:

FavoriteMan is a Browser Helper Object, which connects to its controlling servers to download and install other programs and add entries to your Internet Explorer favorites menu or computer desktop. This program has been known to download at least 28 different adware or spyware programs. Some controlling servers are www.f1organizer.com, www.prize4all.com, www.yourspecialoffers.com and www.r-vision.org.

ThreatExpert indicated that the file creates the following files on the system:

%System%\ATPartners.dll
%System%\im64.dll

I had found ATPartners.dll on the system on February 27 of 2005 when I had scanned the system with other antimalware software. I had removed ATPartners.dll at that time. Apparently 42odhr0b.exe was left in the user's local settings\temp folder from that time. Checking my notes for information on FavoriteMan, I found I had encountered it on other systems, e.g. a Windows 98 system on March 28, 2004 (see Windows 98 System Hanging After Login) and a Windows 98 Second Edition system on April 25 of 2005 (see Calsdr.Dll Remnant).

Download a zipped copy of 42odhr0b.exe for analysis or testing antimalware software (use zoo as userid and malware as password). Note: You do so at your own risk; this file can infect a system, so only run the program on a test system.

[/security/malware] permanent link

Sun, Feb 22, 2009 6:56 pm

23010852235.exe

When I scanned a Windows XP Professional Service Pack 2 system, MoonDreaming, with Spybot Search & Destroy 1.6.2, it found 4 entries for Excite, but those were only tracking cookies. It also found 1 entry for Win32.Agent.cyt. It found a file 23010852235.exe, which has an MD5 hash of 9ec78aac59b04643bfb43415c6fa2909, in a user's Local Settings\Temp directory.

Spybot detected Win32.Agent.cyt entry

I uploaded the file to VirusTotal, a free online virus and malware scan website for analysis. Twenty-four of the 39 malware scan programs with which it scanned the file reported it contained malware (see VirusTotal report).

I also uploaded the file to VirSCAN.org, another multi-engine virus scanner site. It reported "The file are 23010852235.exe uploaded by other users and scanned successfully at 2008/01/18 20:48:04". I had it rescan the file. It reported that 49%, i.e. 18 of 37, of the malware detection programs that it used, identified the file as containing malware (see VirSCAN report).

File Name: 	23010852235.exe
File Size: 	3072
File Type: 	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 	        9ec78aac59b04643bfb43415c6fa2909
SHA1: 	        546e2d9c76fad865ac56b89fa54a864d564f1c16
Compressed: 	NA

Prevx, a security company that makes software that "identifies malicious code by its 'behavior'" lists SYSNSAD.EXE as being an alias for a file with this MD5 hash (see Prevx report).

The Prevx report states the following:

A file with the name SYSNSAD.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

Microsoft Corporation; File Compare Utility; 5.1.2600.0
Microsoft Corporation; File Compare Utility; 5.1.2600.0 (xpclient.010817-1148)

When I examined the file with Filealyzer , I saw the following version information:

File version:      5.1.2600.0 (xpclient.010817-1148)
Company name:      Microsoft Corporation
Internal name:     Comp
Comments:
Legal copyright:   ©Microsoft Corporation. All rights reserved.
Legal trademarks:
Original filename: Comp.Exe
Product name:      Microsoft® Windows® Operating System
Product version:   5.1.2600.0
File description:  File Compare Utility

Filealyzer version information for 23010852235.exe

The version information was likely inserted by the malware author to try to disguise the file as an innocuous Microsoft-provided operating system file.

I had Spybot fix the problem, i.e. delete the file.

Download 23010852235.exe for analysis or testing antimalware software (use zoo as userid and malware as password). Note: You do so at your own risk; this file can infect a system, so only run the program on a test system.

[/security/malware] permanent link

Tue, Jan 08, 2008 12:18 pm

AntiVirus Reconnaissance

In analyzing the backend code associated with the Pushdo Trojan downloader, security guru Joe Stewart found that the malware being distributed would log the hard drive serial number on a victim's computer. He speculates that perhaps the malware is checking the hard drive serial number in order to check whether it is running on a Virtual Machine (VM). If the malware logs the same serial number for what would otherwise appear to be separate machines, then it is likely that it is running on a VM. Since antivirus companies use VM's to analyze malware in controlled environments, the knowledge that the malware is running on a VM might be of interest to the malware developer or distributor for that reason.

Some malware attempts to kill or disable antivirus software processes. Pushdo does not. It merely reports back to its controlling server on which antivirus software it has detected on the victim's system. Pushdo compares all of the processes running on the system with its own list of antivirus and personal firewall process names and then provides a report to its controller listing the ones it has found.

In checking the Pushdo controller server, Stewart found malware samples with rootkit characteristics, which allow malware to hide from antivirus and antispyware software, and also evidence of a spam botnet.

References:

  1. Inside a Modern Malware Distribution System
    By Ryan Naraine
    December 21, 2007
    eWeek.com

[/security/malware] permanent link
