| Alias/es | W32/Agent.UF!tr.dldr, W32/Agent.UF-dldr, W32/Agent.UF-tr |
| Release Date | May 12, 2006 |
| Detection Availability | Current Antivirus Definition Database Version: 12.202 |

Description

Visible Symptoms: This Trojan may arrive as an email attachment (spammed by a hacker) with the file name "Ebay_Rechnung.pdf.exe". The attachment has an icon resembling a .PDF document.

Detailed Analysis: This malware arrives as an attachment to malicious emails. Such emails mimic the eBay "look and feel" and appear to come from either bieten@ebay.de or kundensupport@ebay.de, both of which are of course spoofed addresses. However, all the links in the message do point back to eBay's real site.
See the screenshots above.
The email text, written in German, relies on typical social engineering techniques to get users to open the attachment: customers are informed that a payment is due and urged to follow a procedure whose first step is to print the attachment.
This attachment, which is the actual malware, is called Ebay Rechnung.pdf.exe, and its icon mimics that of a PDF document.
These "seeding" emails are sent by a separate spamming engine: W32/Agent.UF-dldr embeds no mailing engine and has no replication routine of its own.
Analysis:
Upon execution, the malware takes 2 distinct steps:
Step 1: Typical Infection
- Drops a copy of itself as %System32%\ipwf.exe
- Adds the following registry entry, pointing to itself, in order to run upon every reboot:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IPFW
- Terminates the following processes:
ZAPRO
zonealarm
armor2net
tpfw
NPROTECT
MpfService
kpf4gui
kpf4ss
firewall
ccapp
amon
- Adds itself (ipwf.exe) to the list of applications allowed to connect to the internet through the Windows XP built-in firewall
Step 2: Data retrieval
- Drops a file called winut.dat in %System32%\drivers
- This file contains a list of URLs.
- Tries to download .txt files from the URLs listed in winut.dat
Step 3: Data decryption & Malware installation
- The downloaded .txt files contain the following data:
----
jvvr8--ig***-`caiwr,gzg
jvvr8--hmntcf,***,gzg
jvvr8--qkvc`mp,amo-***-20,gzg
jvvr8--qxc`cfcnokic***mpi-q{q,vzv
jvvr8--uuu,`qcvpclq,***-nmeq-3nm,gzg
----
This is obviously data encrypted with a simple Caesar cipher scheme. Once decrypted, it turns out to be a list of further URLs:
- http://keraker.hu/***.exe
- http://jolvad.hu/***.exe
- http://sitabor.com/***/***/***.exe
- http://szabadalmikamara.hu/***/***.txt
- http://www.bsatrans.com/***/***/***.exe
- The malware then cycles through those URLs, downloads the P2P worm W32/Goldun.A-net from them, and executes it.
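An added decoder for the obfuscated URL list above (example code written for this page, not the vendor's analysis tooling). It takes the five ciphertext lines exactly as printed, treating `*` as the analyst's mask, and recovers the key by brute force from the known `http://` prefix. The page calls the scheme a Caesar cipher; the byte-level check below shows no constant shift fits, while a single-byte XOR with 0x02 (which moves each letter by plus or minus two) decodes every line.

```python
"""Decode the obfuscated URL list from the .txt files W32/Agent.UF-dldr downloads.
Added example, not the vendor's code: the ciphertext lines are the ones shown on
this page; '*' is the analyst's mask and is passed through untouched."""

SAMPLE_LINES = [
    "jvvr8--ig***-`caiwr,gzg",
    "jvvr8--hmntcf,***,gzg",
    "jvvr8--qkvc`mp,amo-***-20,gzg",
    "jvvr8--qxc`cfcnokic***mpi-q{q,vzv",
    "jvvr8--uuu,`qcvpclq,***-nmeq-3nm,gzg",
]
MASK = "*"


def xor_decode(line: str, key: int) -> str:
    """Single-byte XOR over every character except the mask."""
    return "".join(c if c == MASK else chr(ord(c) ^ key) for c in line)


def caesar_decode(line: str, shift: int) -> str:
    """Constant rotation of every byte (what a true Caesar scheme would be)."""
    return "".join(c if c == MASK else chr((ord(c) + shift) % 256) for c in line)


def recover_xor_key(lines, prefix: str = "http://"):
    """Brute-force the key: the one that turns every line into a URL, else None."""
    for key in range(1, 256):
        if all(xor_decode(l, key).startswith(prefix) for l in lines):
            return key
    return None


def recover_caesar_shift(lines, prefix: str = "http://"):
    """Same search for a constant shift; None when no single shift fits."""
    for shift in range(1, 256):
        if all(caesar_decode(l, shift).startswith(prefix) for l in lines):
            return shift
    return None


def decode_list(lines):
    """Recover the XOR key from the known prefix and decode the whole list."""
    key = recover_xor_key(lines)
    if key is None:
        raise ValueError("no single-byte XOR key yields URLs")
    return [xor_decode(l, key) for l in lines]


if __name__ == "__main__":
    print("caesar shift:", recover_caesar_shift(SAMPLE_LINES))  # None
    print("xor key:", recover_xor_key(SAMPLE_LINES))            # 2
    for url in decode_list(SAMPLE_LINES):
        print(url)
```

The same brute-force works on the URL list in winut.dat if it uses the same scheme; on real samples, feed the decoded URLs to blocklists rather than fetching them.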
Description Last Updated Date: Mar 13, 2007
Reference: ID - 80537