At the Regional TrendLabs, we analyze a large number of malware samples every day. The results of that analysis are published in the form of virus information pages or sent individually to customers who have contacted us, but there is a process that leads up to those results. This blog series focuses not on the results of the analysis but on what the analysis engineers noticed along the way. The first installment was well received, so we will continue in the same format. Now, for the second installment...
We received reports of a malware URL being spammed via email. The content of the email looks like a legitimate Symantec web site offering a virus cleaner tool for w32.aplore@mm. However, the hyperlink for the supposed cleaner tool points to malicious software
(http://westkoast.{blocked}.fr/norton/freevirusfix.exe).
We have forwarded this to the Service Team for detection and analysis. Stand by for updates; for the time being, a snapshot of the spammed email is provided. BTW, all other hyperlinks found in the spammed email are legitimate except for the said cleaner tool.
Update (JoneZ, 05 May 2006 10:00:25)
Initial analysis of the malware:
- adds entries to the hosts file that redirect several antivirus sites and update servers to incorrect IP addresses
- has a keylogger feature
- has DDoS capability
- provides a remote command prompt via IRC
- possible data destruction
- can propagate via instant messenger
- drops a text file in the root folder containing the text: “rBot owned you!”
- displays a message box: “VMM32.VXD: Missing/Unable to Load”
BTW, this will be detected as WORM_RBOT.AHS.
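The hosts-file tampering in the first bullet is straightforward to check for on an endpoint. As an added example (not code from the original post or from Trend Micro), the following Python script scans the text of a Windows hosts file and reports any entry that pins a security-vendor or update domain to an address; the sample hosts content and the watchlist are constructed for illustration.

```python
import ipaddress

# Constructed sample of a hosts file after the kind of tampering described
# above (the IPs and extra entries are made up for illustration).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.symantec.com
203.0.113.10    liveupdate.symantec.com
0.0.0.0         update.microsoft.com
127.0.0.1       www.trendmicro.com
192.168.1.5     fileserver.corp.example   # legitimate local entry
"""

# Domains that should never be pinned in a hosts file (constructed watchlist;
# extend with the vendors relevant to your environment).
WATCHLIST = {
    "symantec.com", "trendmicro.com", "mcafee.com", "sophos.com",
    "kaspersky.com", "windowsupdate.com", "microsoft.com",
}

def _watched(hostname: str) -> bool:
    """True if hostname equals or is a subdomain of a watchlisted domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHLIST)

def find_hijacked_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs that map a watched domain to any address.
    Any such entry is suspect: these names should resolve through DNS, and
    pinning them to loopback, 0.0.0.0 or a foreign IP blocks signature
    updates or sends users to an attacker-controlled host."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, skip it
        for name in parts[1:]:
            if _watched(name):
                hits.append((str(ip), name.lower()))
    return hits

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacked_entries`.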
And just as we expected, a piece of malware that uses this exploit has followed!
The malware behaves as a backdoor. It installs itself as a service with the name ‘Windows UDP Communication’. To notify its author, it connects the infected system to particular IRC server(s); only then can the attacker gain control of the affected system. In effect, it registers the affected system as a member of a botnet.
Like other bots, this malware can perform Distributed Denial of Service (DDoS) attacks such as SYN and UDP floods. The reason I am posting about this malware is that it carries an exploit in its body as part of its malicious activities: it exploits the newly published vulnerability mentioned above as one of the commands that the attacker can issue to the affected system remotely!
The malware has been given the detection name BKDR_MOCBOT.A. So be sure that you have patched your system to lessen the impact of this kind of malware!