Threat Encyclopedia

W32/Naldem-eml

Analysis

• W32/Naldem-tr is 32bit with a compressed file size of 6,656 bytes
  
• Trojan is introduced to the system by visiting a malicious web page and may exist on an infected system as "DivX.exe"
  
• W32/Naldem-eml was sent by a hacker or group of hackers as spammed emails to various users across the Internet with a spoofed "from" address
  
• The text of the email suggested the user view an electronic greeting card by visiting a hyperlink in the message - the hyperlink was suggested to be 123greetings.com however it is actually a user account within the idownline.com domain
  
• The index page on that user account contains an instruction to open a malicious web page in another browser window
  
• That page (named "p") contains instructions to open three additional malicious web pages in Iframes - the pages are hosted at another web address presumably based in the UK, and the three pages are named "spy", "in" and "s"
  
• The page "spy" is a logging script which logs usage hits to the hosting domain
  
• The page "in" contains various instructions -
  - downloads a Trojan binary named "divx.exe" from a web page
  - implements an "ADODB.Stream" exploit to write "divx.exe" as a file on the local system
  - downloads and executes a Java Applet Trojan in a file named "BlackBox.class"
  - using an Object data tag, downloads and runs an HTA file named "ouch.php"
  
• The page "s" also implements an "ADODB.Stream" exploit to overwrite Notepad.exe in various subfolders to maximize the chance of targeting different operating systems for English Windows - the following files are targets for being overwritten by W32/Naldem-tr -

  c:\winnt\notepad.exe
  c:\windows\notepad.exe
  c:\winnt\system32\notepad.exe
  c:\windows\system32\notepad.exe
  

• The Trojan binary file named "divx.exe" is known as W32/Naldem-tr - if this Trojan is run, it will attempt to connect to the Internet and bind with a randomly chosen TCP port
  

• Periodically the Trojan will send a SYN packet to the IP address 69.36.204.206 and request and acknowledgement from the server
  

• The Trojan may connect with that IP address and use a .CGI script to send data to that server possibly as an attempt to log infection statistics as well as the port number chosen
  

• The Trojan may also auto run by modifying the registry as well as create additional registry keys -

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "DivX Updater" = C:\WINNT\System32\DivX.Exe

  HKEY_CURRENT_USER\Software\DivX\
  "LastUpd" = (hex values)

  HKEY_CURRENT_USER\Software\DivX\
  "UniqueID" = (hex values)
  

• The "ADODB.Stream" exploit is coded to take advantage of systems not patched against this vulnerability - the exploit is initiated as an ActiveX Object and the code retrieves W32/Naldem-tr as the file "DivX.exe" from a web page and saves it as the following -

  "C:\Program Files\Windows Media Player\wmplayer.exe"
  

• The Java Applet Trojan contains an exploit which targets vulnerable systems into running arbitrary code - the code could be subtle such as changing the Internet Explorer start page
  

• The file "ouch.php" contains HTA code to write encoded data to a file on the target system - the encoded data translates into hex code for a 32bit file
  

• The file is saved locally as "divxupdater.exe" and then it is run
  

Recommended Action

• Block access to the following URLs -
  advertising.co.uk
  69.51.11.87
  69.56.204.206
  
• Add the following to email filters for your FortiGate unit -
  123greetings+view+BS11109150938172
  
• Configure email servers to quarantine "tagged" emails and delete as necessary