Trojan.Peed.JVL (Peed, Zhelatin, Nuwar, Peacomm)
SYMPTOMS:
- Computer slow-downs
- Increased network activity
- Presence of the files and registry entries listed below

TECHNICAL DESCRIPTION:
When started, the malware copies itself to the following location:
%windows%\[malware_name].exe

It creates the following registry entry:
HKCU\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" = "%windows%\[malware_name].exe"

A few examples of [malware_name] are:
"msserv"
"msssecurity"

It synchronizes the computer clock by executing the following commands:
w32tm.exe /config /synffromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
w32tm.exe /config /update

The malware adds itself as a Windows Firewall exception by executing the following command:
netsh firewall set allowedprogram %windows%\[malware_name].exe

The malware registers the compromised computer as a peer in its malware network and uses a randomly chosen UDP port to communicate with the other peers. It also sends to its network a unique ID for the compromised computer, read from the registry key:
HKLM\Microsoft\Windows\ITStorage\Finders\"config"

It drops a list of the initial peers into the configuration file:
%windows%\[malware_name].config

The malware updates this list by communicating with URLs like:
cadeaux-avenu[hide]/getbackup.php

The malware also has backdoor capabilities and can perform actions like:
- send spam emails using its own SMTP engine
- send system information from the compromised computer
- download and execute other malware
- update itself

It harvests email addresses from files with the following extensions:
".wab" ".txt" ".msg" ".htm" ".shtm" ".stm" ".xml" ".dbx" ".mbx" ".mdx" ".eml" ".nch" ".mmf" ".ods" ".cfg" ".asp" ".php" ".pl" ".wsh" ".adb" ".tbb" ".sht" ".xls" ".oft" ".uin" ".cgi" ".mht" ".dhtm" ".jsp" ".dat" ".lst"

It does not send spam emails to addresses that contain any of the following strings:
"@microsoft" "rating@" "f-secur" "news" "update" "anyone@" "bugs@" "contract@" "feste" "gold-certs@" "help@" "info@" "nobody@" "noone@" "kasp" "admin" "icrosoft" "support" "ntivi" "unix" "bsd" "linux" "listserv" "certific" "sopho" "@foo" "@iana" "free-av" "@messagelab" "winzip" "google" "winrar" "samples" "abuse" "panda" "cafee" "spam" "pgp" "@avp." "noreply" "local" "root@" "postmaster@"

Examples of sent emails:

Subject: Well done 4th!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

American Independence Day
http://69.251.[hide]/

Subject: Amazing Independence Day show
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Stars and Strips forever
http://68.90.195.[hide]/

Some of the sent emails' subjects are:
Amazing firework 2008
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Just You
Light up the sky
Long Live America
Proud to be an American
S America the Beautiful
S Happy Fourth of July
S Stars and Strips forever
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
Time for Fireworks
Well done 4th!
You Stay In My Heart

Some of the IP addresses used in the email body:

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Dan Anton, virus researcher
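As an added defender-side example (not part of the original BitDefender write-up), the following Python script turns the persistence behaviour described above into a detection rule run over constructed Sysmon-style process-creation records: it flags an executable sitting directly in %windows% that both reconfigures the time service with w32tm /config and adds its own image as a Windows Firewall exception with netsh. The "ParentImage|CommandLine" log format, the sample lines and msserv.exe as the dropped binary are assumptions for this example, and it matches on command names rather than exact flag spelling.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Sysmon-style process-creation records ("ParentImage|CommandLine").
# These are sample data written for this example, not log lines from the write-up.
SAMPLE_LOG = [
    r"C:\Windows\msserv.exe|w32tm.exe /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov",
    r"C:\Windows\msserv.exe|w32tm.exe /config /update",
    r"C:\Windows\msserv.exe|netsh firewall set allowedprogram C:\Windows\msserv.exe",
    r"C:\Windows\explorer.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Windows\system32\svchost.exe|w32tm.exe /resync",
    r"C:\Program Files\Vendor\setup.exe|netsh firewall set allowedprogram C:\Program Files\Vendor\app.exe",
]

# An executable directly in %windows% (not in a subfolder) matches the drop location
# the write-up describes; few legitimate processes run from there, so it is the first filter.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
# Match on the command names only, so a differently spelled flag does not evade the rule.
W32TM_CONFIG = re.compile(r"\bw32tm(\.exe)?\s+/config\b", re.IGNORECASE)
NETSH_ALLOW = re.compile(r"\bnetsh\s+firewall\s+set\s+allowedprogram\s+(\S+)", re.IGNORECASE)


def find_peed_like_parents(lines: List[str]) -> Dict[str, List[str]]:
    """Return {parent_image: [reasons]} for parents in %windows% that both reconfigure
    the time service and add *their own image* as a firewall exception."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        parent, _, cmd = line.partition("|")
        if not WINDOWS_ROOT_EXE.match(parent):
            continue
        if W32TM_CONFIG.search(cmd):
            seen[parent].add("w32tm /config time sync")
        m = NETSH_ALLOW.search(cmd)
        if m and m.group(1).lower() == parent.lower():
            seen[parent].add("netsh firewall exception for own image")
    # Require both behaviours so a lone time-sync script or installer does not fire.
    return {p: sorted(r) for p, r in seen.items() if len(r) == 2}


if __name__ == "__main__":
    for parent, reasons in find_peed_like_parents(SAMPLE_LOG).items():
        print(parent, "->", "; ".join(reasons))
```

On a live host the same rule can be fed from Sysmon Event ID 1 exports; pairing the hit with a Run-key value pointing at the same %windows% image confirms the pattern the write-up describes.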