Threat Encyclopedia
W32/Naldem-eml
Analysis
- W32/Naldem-tr is a 32-bit executable with a compressed file size
of 6,656 bytes
- The Trojan is introduced to the system by visiting a malicious web
page and may exist on an infected system as "DivX.exe"
- W32/Naldem-eml was sent by a hacker or group of hackers as spammed
emails to various users across the Internet with a spoofed "from" address
- The text of the email suggested the user view an electronic greeting
card by visiting a hyperlink in the message - the hyperlink appeared to
point to 123greetings.com, but it actually pointed to a user account
within the idownline.com domain
- The index page on that user account contains an
instruction to open a malicious web page in another
browser window
- That page (named "p") contains instructions to open three additional
malicious web pages in IFRAMEs - the pages are hosted at another web
address, presumably based in the UK, and the three pages are named
"spy", "in" and "s"
- The page "spy" is a logging script which
logs usage hits to the hosting domain
- The page "in" contains the following instructions -
  - download a Trojan binary named "divx.exe" from a web page
  - use an "ADODB.Stream" exploit to write "divx.exe" as a file on the local system
  - download and execute a Java Applet Trojan in a file named "BlackBox.class"
  - using an Object data tag, download and run an HTA file named "ouch.php"
- The page "s" also uses an "ADODB.Stream" exploit to overwrite
Notepad.exe in several locations, to maximize the chance of hitting the
install path of the different English-language Windows versions - the
following files are targets for being overwritten by W32/Naldem-tr -
  c:\winnt\notepad.exe
  c:\windows\notepad.exe
  c:\winnt\system32\notepad.exe
  c:\windows\system32\notepad.exe
- The Trojan binary file named "divx.exe" is known as W32/Naldem-tr - if
this Trojan is run, it will attempt to connect to the Internet and bind
to a randomly chosen TCP port
- Periodically the Trojan will send a SYN packet to the IP address
69.36.204.206 and request an acknowledgement from the server
- The Trojan may connect to that IP address and use a .CGI script to
send data to that server, possibly as an attempt to log infection
statistics as well as the port number chosen
- The Trojan may also auto-run by modifying the registry, as well as
create additional registry keys -
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "DivX Updater" = C:\WINNT\System32\DivX.Exe
  HKEY_CURRENT_USER\Software\DivX\
  "LastUpd" = (hex values)
  HKEY_CURRENT_USER\Software\DivX\
  "UniqueID" = (hex values)
- The "ADODB.Stream" exploit is coded to take advantage of systems not
patched against this vulnerability - the exploit is initiated as an
ActiveX Object, and the code retrieves W32/Naldem-tr as the file
"DivX.exe" from a web page and saves it as the following -
  "C:\Program Files\Windows Media Player\wmplayer.exe"
- The Java Applet Trojan contains an exploit which tricks vulnerable
systems into running arbitrary code - the code could be subtle, such as
changing the Internet Explorer start page
- The file "ouch.php" contains HTA code to write encoded data to a file
on the target system - the encoded data decodes into the bytes of a
32-bit executable
- The file is saved locally as "divxupdater.exe" and then run
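The host-side indicators above (the Notepad.exe overwrite targets, the dropped file paths and the Run/DivX registry values) can be turned into a sweep. The script below is an added example, not Fortinet's code: it parses a registry export in .reg syntax and a listing of files with their hashes, both constructed here to model an infected host, and reports which indicators are present. The known-good notepad.exe hash is a parameter because it depends on your baseline image; the advisory gives no hash.

```python
"""Host-side indicator sweep for W32/Naldem-tr (added example, not Fortinet's code).

Applies the persistence and file indicators from the analysis above to two
constructed inputs: a registry export in .reg syntax and a listing of files
present on disk with their hashes. On a real host, feed it a `reg export`
dump and hashes computed from the listed paths.
"""
import re
from typing import Dict, List, Set

# Persistence indicators from the analysis above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DivX Updater"
DIVX_KEY = r"HKEY_CURRENT_USER\Software\DivX"
DIVX_VALUE_NAMES = {"LastUpd", "UniqueID"}

# Paths the analysis says the dropper writes or overwrites.
DROPPED_PATHS = [
    r"C:\WINNT\System32\DivX.Exe",
    r"C:\Program Files\Windows Media Player\wmplayer.exe",
]
NOTEPAD_TARGETS = [
    r"c:\winnt\notepad.exe",
    r"c:\windows\notepad.exe",
    r"c:\winnt\system32\notepad.exe",
    r"c:\windows\system32\notepad.exe",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"=data lines. Returns {key: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).rstrip("\\")
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def registry_findings(reg_text: str) -> List[str]:
    """Flag the Run value and the HKCU\\Software\\DivX marker values."""
    keys = parse_reg_export(reg_text)
    findings: List[str] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # The advisory's value name, or any Run entry pointing at the binary.
        if name == RUN_VALUE_NAME or "divx.exe" in data.lower():
            findings.append(f"autorun: {RUN_KEY}\\{name} = {data}")
    divx_values = keys.get(DIVX_KEY, {})
    for name in sorted(DIVX_VALUE_NAMES & set(divx_values)):
        findings.append(f"marker: {DIVX_KEY}\\{name} present")
    return findings


def file_findings(present: Set[str], notepad_hashes: Dict[str, str],
                  known_good_hash: str) -> List[str]:
    """Flag dropped files that exist and notepad.exe copies whose hash
    differs from the baseline. Paths are compared case-insensitively."""
    present_lower = {p.lower() for p in present}
    hashes_lower = {p.lower(): h for p, h in notepad_hashes.items()}
    findings: List[str] = []
    for path in DROPPED_PATHS:
        if path.lower() in present_lower:
            findings.append(f"dropped file present: {path}")
    for path in NOTEPAD_TARGETS:
        digest = hashes_lower.get(path.lower())
        if digest is not None and digest != known_good_hash:
            findings.append(f"notepad.exe replaced: {path}")
    return findings


# Constructed sample inputs modelling an infected host (hashes are placeholders).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DivX Updater"="C:\\WINNT\\System32\\DivX.Exe"

[HKEY_CURRENT_USER\Software\DivX]
"LastUpd"=hex:01,02,03,04
"UniqueID"=hex:aa,bb,cc,dd
"""
SAMPLE_PRESENT = {r"C:\WINNT\System32\DivX.Exe", r"C:\WINNT\notepad.exe"}
SAMPLE_NOTEPAD_HASHES = {r"C:\WINNT\notepad.exe": "deadbeef",
                         r"C:\WINNT\system32\notepad.exe": "baseline"}

if __name__ == "__main__":
    for line in registry_findings(SAMPLE_REG_EXPORT):
        print(line)
    for line in file_findings(SAMPLE_PRESENT, SAMPLE_NOTEPAD_HASHES, "baseline"):
        print(line)
```

Comparing notepad.exe against a baseline hash rather than looking for a known-bad hash is deliberate: the advisory describes the overwrite but gives no hash for the replacement, and a baseline comparison catches any substitution at those paths.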
Recommended Action
- Block access to the following URLs -
  advertising.co.uk
  69.51.11.87
  69.56.204.206
- Add the following to the email filters on your FortiGate unit -
  123greetings+view+BS11109150938172
- Configure email servers to quarantine "tagged" emails and delete as necessary
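The two filter actions above can be checked on a mail gateway that is not a FortiGate. The script below is an added example, not FortiGate's filter engine: it flags any hyperlink whose host is on the block list (or a subdomain of one) and any message carrying the advisory's filter tag, treating the "+" in the tag as separating tokens that must appear in order. The block-list entries and the tag string are taken from the Recommended Action list; both messages at the bottom are constructed.

```python
"""Mail-gateway check for the W32/Naldem-eml lure (added example, not FortiGate code).

Applies the two recommended actions above to a raw message: blocked hosts
in hyperlinks, and the advisory's '+'-separated filter tag in the subject
or body. Block-list entries and the tag come from the advisory; the
sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List
from urllib.parse import urlparse

BLOCKED_HOSTS = {"advertising.co.uk", "69.51.11.87", "69.56.204.206"}
# The advisory's filter string; '+' joins tokens that must appear in order.
FILTER_TAG = "123greetings+view+BS11109150938172"

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def blocked_links(text: str) -> List[str]:
    """Return every URL in text whose host is a blocked host or a subdomain of one."""
    hits = []
    for url in _URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            hits.append(url)
    return hits


def matches_filter_tag(text: str, tag: str = FILTER_TAG) -> bool:
    """True if every '+'-separated token of tag occurs in text, in order."""
    lowered = text.lower()
    pos = 0
    for token in tag.lower().split("+"):
        pos = lowered.find(token, pos)
        if pos < 0:
            return False
        pos += len(token)
    return True


def _text_of(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def classify(raw_message: str) -> Dict[str, object]:
    """Decide whether a raw RFC 822 message should be quarantined."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = _text_of(msg)
    links = blocked_links(body)
    tagged = matches_filter_tag(subject) or matches_filter_tag(body)
    return {"quarantine": bool(links) or tagged,
            "blocked_links": links, "tag_match": tagged}


# Constructed messages: one modelled on the lure, one benign.
LURE_MESSAGE = """\
From: cards@example.org
To: user@example.net
Subject: You have received a greeting card

Your 123greetings card is ready - view it at
http://69.56.204.206/card/BS11109150938172
"""
BENIGN_MESSAGE = """\
From: alice@example.net
To: bob@example.net
Subject: Lunch on Friday

Menu is at http://www.example.com/menu
"""

if __name__ == "__main__":
    print(classify(LURE_MESSAGE))
    print(classify(BENIGN_MESSAGE))
```

The host comparison is exact-or-subdomain rather than substring on purpose: a substring match on "advertising.co.uk" would also block "advertising.co.uk.example.com", which is a different host.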