Completetala .RAR Infection

This forum is for testing I do with various security settings and tools: infection infiltration, security lockdown, among other things. Currently XP Home w\SP 2 installed.



Completetala .RAR Infection

Postby TICTestBox » Wed Oct 29, 2008 2:22 pm

This infection comes to us by way of:
http://down.downloadset.com.cn/winrar.htm

The first hint for me, being in the States, is the .cn designation, pointing to China. AFAIC, big red flag.

I'm not sure how popular this site is in China, but anyone in the States ought to stay away from it. I'm assuming it's similar to download.com; it sure is set up to look like it.

First hit via Google:
http://64.233.169.104/search?q=cache:08lJ4jvcDiwJ:forum.cheatengine.org/viewtopic.php%3Ft%3D307590%26start%3D0%26sid%3Dfbc4a4af3c1784086910d226a86c3778+downloadset.com.cn&hl=en&ct=clnk&cd=1&gl=us

You can see someone else also got infected by it. I'll be notifying them over there shortly.

It installed a fake explore.exe and two other files & 1 folder, which I think do all the damage:
  • C:\Documents and Settings\USER\Local Settings\temp\IXP000.TMP\WinRAR.exe 50KB A 9/19/2008 2:43:10 PM
  • C:\WINDOWS\system32\explore.exe 50KB
  • C:\Documents and Settings\USER\Local Settings\temp\IXP000.TMP\wrar382.exe 1,207KB
The fake explore.exe is found and removed by MBAM, but it does not pick up anything else.

It also alters the hosts file, which adds to the problem, supposedly pointing to a fake MS site:
    O1 - Hosts: 125.67.67.197 http://www.yahoo.com
    O1 - Hosts: 125.67.67.197 http://www.google.com
    O1 - Hosts: 125.67.67.197 http://www.myspace.com
    O1 - Hosts: 125.67.67.197 http://www.youtube.com
    O1 - Hosts: 125.67.67.197 http://www.facebook.com
    O1 - Hosts: 125.67.67.197 http://www.live.com
    O1 - Hosts: 125.67.67.197 http://www.msn.com
    O1 - Hosts: 125.67.67.197 http://www.wikipedia.org
    O1 - Hosts: 125.67.67.197 http://www.ebay.com
    O1 - Hosts: 125.67.67.197 http://www.aol.com
    O1 - Hosts: 125.67.67.197 http://www.craigslist.org
    O1 - Hosts: 125.67.67.197 http://www.blogger.com
    O1 - Hosts: 125.67.67.197 http://www.go.com
    O1 - Hosts: 125.67.67.197 http://www.amazon.com
    O1 - Hosts: 125.67.67.197 http://www.cnn.com
    O1 - Hosts: 125.67.67.197 espn.go.com
    O1 - Hosts: 125.67.67.197 http://www.espn.com
    O1 - Hosts: 125.67.67.197 http://www.photobucket.com
    O1 - Hosts: 125.67.67.197 http://www.microsoft.com
    O1 - Hosts: 125.67.67.197 http://www.comcast.net
    O1 - Hosts: 125.67.67.197 http://www.imdb.com
    O1 - Hosts: 125.67.67.197 http://www.wordpress.com
    O1 - Hosts: 125.67.67.197 http://www.nytimes.com
    O1 - Hosts: 125.67.67.197 http://www.weather.com
    O1 - Hosts: 125.67.67.197 http://www.ask.com
    O1 - Hosts: 125.67.67.197 http://www.aim.com
    O1 - Hosts: 125.67.67.197 http://www.apple.com
    O1 - Hosts: 125.67.67.197 http://www.mapquest.com
    O1 - Hosts: 125.67.67.197 http://www.youporn.com
    O1 - Hosts: 125.67.67.197 http://www.fastclick.com
    O1 - Hosts: 125.67.67.197 http://www.pornhub.com
    O1 - Hosts: 125.67.67.197 http://www.rapidshare.com
    O1 - Hosts: 125.67.67.197 http://www.pogo.com
    O1 - Hosts: 125.67.67.197 http://www.redtube.com
    O1 - Hosts: 125.67.67.197 http://www.doubleclick.com
    O1 - Hosts: 125.67.67.197 http://www.att.com
    O1 - Hosts: 125.67.67.197 http://www.adobe.com
    O1 - Hosts: 125.67.67.197 http://www.vnn.com
    O1 - Hosts: 125.67.67.197 http://www.sportsline.com
    O1 - Hosts: 125.67.67.197 http://www.netflix.com
    O1 - Hosts: 125.67.67.197 http://www.dell.com
    O1 - Hosts: 125.67.67.197 http://www.google.co.uk
    O1 - Hosts: 125.67.67.197 http://www.bbc.co.uk
    O1 - Hosts: 125.67.67.197 http://www.ebay.co.uk
    O1 - Hosts: 125.67.67.197 http://www.bebo.com
    O1 - Hosts: 125.67.67.197 http://www.amazon.co.uk
    O1 - Hosts: 125.67.67.197 http://www.sky.com
    O1 - Hosts: 125.67.67.197 http://www.virginmedia.com
    O1 - Hosts: 125.67.67.197 http://www.aol.co.uk
    O1 - Hosts: 125.67.67.197 http://www.hsbc.co.uk
    O1 - Hosts: 125.67.67.197 http://www.antispyware.com

Users are then prompted to install a rogue, namely AntiSpyware 2008, which was just today added to the hpHosts database.

On my machine I was also presented with a small dialog box:
[Attachment: ScreenShot011.jpg]


Funny guy.

By using MBAM, Windows Add\Remove, ATF Cleaner, HJT to edit hosts file and OTMoveIt I was able to fix my machine up and get it back to normal.
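
An added example, not part of the post above and not a tool from the thread: a small Python script that does what the HJT O1 review above does by hand. It parses either a raw hosts file or the "O1 - Hosts:" lines from an HJT log, groups hostnames by the IP they resolve to, and flags any public IP that captures several names (the 125.67.67.197 pattern) or any name on a watchlist of high-value domains. The sample hosts text is constructed from a few of the entries quoted above plus the normal localhost line; the WATCHLIST and the 3-domain threshold are assumptions. The "http://" prefix on the quoted entries is forum auto-linking, so the parser strips it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not a capture from the infected machine): the normal
# localhost line plus a few of the redirects quoted in the post, laid out as
# they would sit in C:\WINDOWS\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid
125.67.67.197 www.yahoo.com
125.67.67.197 www.google.com
125.67.67.197 www.microsoft.com
125.67.67.197 www.antispyware.com
125.67.67.197 www.hsbc.co.uk
"""

# Hypothetical watchlist: hijacking even one of these is worth an alert on
# its own (vendor update sites, search, banking, security vendors).
WATCHLIST = {
    "www.microsoft.com", "update.microsoft.com", "www.google.com",
    "www.hsbc.co.uk", "www.antispyware.com",
}

_HJT_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def _normalise(raw: str) -> str:
    """Strip comments, whitespace and an HJT 'O1 - Hosts:' prefix from one line."""
    line = raw.split("#", 1)[0].strip()
    return _HJT_PREFIX.sub("", line)


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs from a hosts file or an HJT O1 listing."""
    entries = []
    for raw in text.splitlines():
        parts = _normalise(raw).split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: malformed line, skip it
        for host in parts[1:]:
            host = host.lower()
            # Forum auto-linking added "http://" to the quoted entries; a real
            # hosts file never carries a scheme, so drop it defensively.
            if host.startswith("http://"):
                host = host[len("http://"):]
            entries.append((ip, host))
    return entries


def find_hijacks(text: str, min_domains: int = 3) -> dict:
    """Map each suspicious IP (as a string) to the sorted hostnames it captures.

    Loopback, unspecified (0.0.0.0 ad-blocking) and private addresses are the
    legitimate uses of a hosts file and are skipped. Any other IP is flagged
    when it covers min_domains or more names, or any watchlisted name.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        by_ip[ip].append(host)
    flagged = {}
    for ip, hosts in by_ip.items():
        if ip.is_loopback or ip.is_unspecified or ip.is_private:
            continue
        if len(hosts) >= min_domains or WATCHLIST.intersection(hosts):
            flagged[str(ip)] = sorted(hosts)
    return flagged


def clean_hosts(text: str) -> str:
    """Return the hosts text with every line that points at a flagged IP removed."""
    bad = set(find_hijacks(text))
    kept = []
    for raw in text.splitlines():
        parts = _normalise(raw).split()
        if parts and parts[0] in bad:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, hosts in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(hosts)} names hijacked -> {', '.join(hosts)}")
    print("--- cleaned hosts file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of the hosts file taken from the infected machine (or paste the O1 lines from the HJT log into SAMPLE_HOSTS); the cleaned text is what HJT's "Fix checked" on the O1 entries leaves behind.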


Re: Completetala .RAR Infection

Postby TeMerc » Wed Oct 29, 2008 2:32 pm

This site was just created:

Current IP*: 121.198.40.1
IP PTR: ip198.hichina.com

ROID: 20081022s10011s07008968-cn
Domain Status: ok
Registrant Organization: 张玲
Registrant Name: 张玲
Administrative Email: feixin0092@sina.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:dns27.hichina.com
Name Server:dns28.hichina.com
Registration Date: 2008-10-22 22:49
Expiration Date: 2009-10-22 22:49

Other sites:
down.-times.de
down.136136.net
down.2team2.com
down.36-servers.com
down.4d-box.com
down.51paly.com
down.5ykj.com
down.851733.cn
down.a.hill.corpit.net
down.a.playah.org

Netblock Information:

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 121.196.0.0 - 121.199.255.255
netname: HICHINA
descr: HiChina Web Solutions (Beijing) Limited
descr: No.27 Gulouwai Avenue,Dongcheng District, Beijing 100011,China
country: CN
admin-c: ZX103-AP
tech-c: ZX163-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20070918
status: ALLOCATED PORTABLE
source: APNIC

person: Zhang Xiangdong
nic-hdl: ZX103-AP
e-mail: maochen@hichina.com
address: 3/F,HiChina Mansion,No.27 Gulouwai Avenue
address: Dongcheng District, Beijing 100011, China
phone: +86-10-64242299-8111
fax-no: +86-10-64242299-8354
country: CN
changed: ipas@cnnic.net.cn 20070917
mnt-by: MAINT-CNNIC-AP
source: APNIC

person: Song Yingqiao
address: 3/F,HiChina Mansion,No.27 Gulouwai Avenue
address: Dongcheng District, Beijing 100011, China
country: CN
phone: +86-10-64242299-6918
fax-no: +86-10-64242299-8354
e-mail: zhangkj@hichina.com
nic-hdl: ZX163-AP
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net.cn 20070917
source: APNIC

inetnum: 121.196.0.0 - 121.199.255.255
netname: HICHINA
country: CN
descr: 3/F,HiChina Mansion,No.27 Gulouwai Avenue,Dongcheng District, Beijing 100011,China
admin-c: ZX103-CN
tech-c: ZX163-CN
status: ALLOCATED PORTABLE
changed: ipas@cnnic.cn 20070919
mnt-by: MAINT-CNNIC-AP
source: CNNIC

person: Zhang Xiangdong
nic-hdl: ZX103-CN
e-mail: abuse@hichina.com
address: 3/F,HiChina Mansion,No.27 Gulouwai Avenue
address: Dongcheng District, Beijing 100011, China
phone: +86-10-64242299-8602
fax-no: +86-10-64242299-8354
country: CN
changed: ipas@cnnic.net.cn 20050413
mnt-by: MAINT-CNNIC-AP
source: CNNIC

person: Song Yingqiao
address: 3/F,HiChina Mansion,No.27 Gulouwai Avenue
address: Dongcheng District, Beijing 100011, China
country: CN
phone: +86-10-64242299-8328
fax-no: +86-10-64242299-8354
e-mail: songyq@hichina.com
nic-hdl: ZX163-CN
mnt-by: MAINT-CNNIC-AP
changed: ipas@cnnic.net.cn 20050413
source: CNNIC



Not likely notifying anyone will do anything.


Re: Completetala .RAR Infection

Postby TICTestBox » Wed Oct 29, 2008 2:40 pm

Forgot to include the file analysis:


File WinRAR.exe received on 10.29.2008 19:52:50 (CET)
Result: 4/36 (11.12%)

Avast 4.8.1248.0 2008.10.29 Win32:Agent-ABYI
BitDefender 7.2 2008.10.29 Dropped:Generic.Malware.Ssp.5EF0F510
F-Prot 4.4.4.56 2008.10.29 W32/VB-Wird-based!Maximus
NOD32 3566 2008.10.29 probably unknown NewHeur_PE

Additional information
File size: 1233920 bytes
MD5...: 5aed17593ca46b529539545dfbd007ba
SHA1..: 4f5a138f4bb7ecc77e07a73a6bc4245f252769b8
SHA256: 084960b97b32447e8c69d8923efabc91879b489b29359b6ecce3c578324f413c
SHA512: b9dea3c29d993819127c848cea58041bab4f578a44988f90a0e820f5ecf1687c53d16ae3dfadbe38f4b8c9261c33108ba081eeb2775d0dfae12a6ffd628b97d1
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (63.0%)
Win32 Executable MS Visual C++ (generic) (27.7%)
Win32 Executable Generic (6.2%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100645c
timedatestamp.....: 0x480251cd (Sun Apr 13 18:32:45 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x99c8 0x9a00 6.58 771e81b77e3bc3a726dd011a31947b8c
.data 0xb000 0x1be4 0x400 4.25 99858e86526942a66950c7139f78a725
.rsrc 0xd000 0x124000 0x123200 7.99 f0073b0d9d7d0eab538f9d6e0078b5a5

( 6 imports )
> ADVAPI32.dll: FreeSid, AllocateAndInitializeSid, EqualSid, GetTokenInformation, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueA, RegCloseKey, RegDeleteValueA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegQueryInfoKeyA
> KERNEL32.dll: LocalFree, LocalAlloc, GetLastError, GetCurrentProcess, lstrlenA, GetModuleFileNameA, GetSystemDirectoryA, _lclose, _llseek, _lopen, WritePrivateProfileStringA, GetWindowsDirectoryA, CreateDirectoryA, GetFileAttributesA, ExpandEnvironmentStringsA, lstrcpyA, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, IsDBCSLeadByte, GetShortPathNameA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcmpiA, RemoveDirectoryA, FindClose, FindNextFileA, DeleteFileA, SetFileAttributesA, lstrcmpA, FindFirstFileA, FreeResource, GetProcAddress, LoadResource, SizeofResource, FindResourceA, lstrcatA, CloseHandle, WriteFile, SetFilePointer, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, SetCurrentDirectoryA, GetTempFileNameA, ExitProcess, CreateFileA, LoadLibraryExA, lstrcpynA, GetVolumeInformationA, FormatMessageA, GetCurrentDirectoryA, GetVersionExA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, GetTempPathA, GetSystemInfo, CreateMutexA, SetEvent, CreateEventA, CreateThread, ResetEvent, TerminateThread, GetDriveTypeA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, ReadFile, LoadLibraryA, GetDiskFreeSpaceA, MulDiv, EnumResourceLanguagesA, FreeLibrary, LockResource
> GDI32.dll: GetDeviceCaps
> USER32.dll: ExitWindowsEx, wsprintfA, CharNextA, CharUpperA, CharPrevA, SetWindowLongA, GetWindowLongA, CallWindowProcA, DispatchMessageA, MsgWaitForMultipleObjects, PeekMessageA, SendMessageA, SetWindowPos, ReleaseDC, GetDC, GetWindowRect, SendDlgItemMessageA, GetDlgItem, SetForegroundWindow, SetWindowTextA, MessageBoxA, DialogBoxIndirectParamA, ShowWindow, EnableWindow, GetDlgItemTextA, EndDialog, GetDesktopWindow, MessageBeep, SetDlgItemTextA, LoadStringA, GetSystemMetrics
> COMCTL32.dll: -
> VERSION.dll: GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

( 0 exports )

packers (Kaspersky): PE_Patch
packers (F-Prot): CAB, RAR

http://www.virustotal.com/analisis/112c ... bfed4ae452
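
An added example, not part of the post and not VirusTotal's or ThreatExpert's code: a Python triage helper that turns the two most useful things in the report above into checks you can run on a suspect file yourself. It compares a file's MD5/SHA-1/SHA-256 against the hashes quoted for the dropped WinRAR.exe, and it computes the per-section Shannon entropy VirusTotal shows in the "ntrpy" column, which is why the .rsrc section at 7.99 (out of a maximum of 8.0) is consistent with F-Prot's "packers: CAB, RAR" line: a compressed archive is stored in the resources. The entropy bands in classify_entropy are a rule of thumb I am assuming, not a vendor standard, and the three sample blobs are constructed.

```python
import hashlib
import math
import random
from collections import Counter

# Hashes exactly as quoted in the VirusTotal output above for the dropped
# WinRAR.exe; everything else in this block is constructed for illustration.
KNOWN_BAD = {
    "md5": "5aed17593ca46b529539545dfbd007ba",
    "sha1": "4f5a138f4bb7ecc77e07a73a6bc4245f252769b8",
    "sha256": "084960b97b32447e8c69d8923efabc91879b489b29359b6ecce3c578324f413c",
}

# Section entropies from the PE section table quoted above (name -> ntrpy).
SECTION_ENTROPY = {".text": 6.58, ".data": 4.25, ".rsrc": 7.99}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of a blob, the trio VirusTotal reports."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in KNOWN_BAD}


def matches_ioc(data: bytes) -> bool:
    """True when any digest of the blob equals the quoted IoC for that algorithm."""
    digests = file_hashes(data)
    return any(digests[alg] == KNOWN_BAD[alg] for alg in KNOWN_BAD)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 to 8.0 (the 'ntrpy' column above)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(entropy: float) -> str:
    """Rule-of-thumb bands (assumed thresholds, not a vendor standard)."""
    if entropy >= 7.9:
        return "packed or encrypted payload likely"
    if entropy >= 6.0:
        return "compiled code or mixed content"
    return "plain data or text"


def triage(data: bytes) -> dict:
    """Combine the hash check and the entropy check into one verdict."""
    ent = shannon_entropy(data)
    return {
        "hashes": file_hashes(data),
        "known_bad": matches_ioc(data),
        "entropy": round(ent, 2),
        "verdict": classify_entropy(ent),
    }


# Constructed inputs: repeated text, a zero-filled buffer, and a seeded
# pseudo-random buffer standing in for a compressed archive stored in .rsrc.
_rng = random.Random(20081029)
TEXT_BLOB = b"The quick brown fox jumps over the lazy dog. " * 200
ZERO_BLOB = bytes(4096)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for name, ent in SECTION_ENTROPY.items():
        print(f"{name:6} ntrpy={ent:.2f}  {classify_entropy(ent)}")
    for label, blob in (("text", TEXT_BLOB), ("zeros", ZERO_BLOB), ("random", RANDOM_BLOB)):
        t = triage(blob)
        print(f"{label:7} entropy={t['entropy']:.2f} known_bad={t['known_bad']} -> {t['verdict']}")
```

To check a real sample, read the file in binary mode and pass the bytes to triage(); a hash match against KNOWN_BAD is a certain identification of this dropper, while a high-entropy section on an unknown file is only a reason to look closer, since legitimate installers (WinRAR's own included) also carry compressed payloads.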


Re: Completetala .RAR Infection

Postby TeMerc » Wed Oct 29, 2008 2:58 pm

Interestingly enough, a user reg'd with the name:
Completetala

And they were just now posting to an HJT thread, but apparently decided not to as they've disappeared.


Re: Completetala .RAR Infection

Postby TICTestBox » Wed Oct 29, 2008 3:03 pm

Just got back the Threat Expert analysis:

http://www.threatexpert.com/report.aspx ... 5dfbd007ba


Re: Completetala .RAR Infection

Postby TeMerc » Wed Oct 29, 2008 3:13 pm

TeMerc wrote:
Interestingly enough, a user reg'd with the name:
Completetala

And they were just now posting to an HJT thread, but apparently decided not to as they've disappeared.

Whoops... they did post:
viewtopic.php?f=12&t=6013&p=3434149#p3434149

