Topic: Downloader-BAI!M711

Amker (SCF Global Moderator)
Downloader-BAI!M711
« on: 30. June 2007., 14:47:11 »
Downloader-BAI is a trojan that is delivered via a spammed email message. This downloader is designed to download files from websites controlled by the malware author.

History

W32/Nuwar@MM used to drop Downloader-ARL a few weeks ago. It has now changed its payload and drops Downloader-BAI instead. W32/Nuwar@MM creates a copy of itself with a random name followed by a ".t" extension. It then infects files in the directories; the infected files are detected as W32/Duel. During infection it has also been observed to corrupt binaries, which are then detected as W32/Duel.dam.

Aliases
CME-711
Downloader-BAI
Downloader-BAI.gen
Storm Worm
Trojan-Downloader.Win32.Agent.bet
Trojan-Downloader.Win32.Small.dam
Trojan.Peacomm
Win32/Nuwar.N@MM!CME-711
Characteristics -

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

--- Update April 16, 2007 --

Two new variants have been found with the following characteristics.

3ti.exe.exe (91,920 bytes, name may vary)

On execution, the following files are created:
%SystemDir%\windev-5004-7504.sys (139,008 bytes) detected as Downloader-BAI.sys.gen.a
%SystemDir%\windev-peers.ini (12,542 bytes, size may vary) configuration file

It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
Imagepath="\??\%SYSTEMDIR%\windev-5004-7504.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
displayname="windev-5004-7504"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
start="2"

Once established, the service attempts UDP communication that appears to be connection requests to filesharing peers, specifically using the eDonkey or compatible network format. Seemingly random IP addresses and UDP ports are used, but it is likely this information is being decoded from the "windev-peers.ini" initialization file.

pdp.exe.exe (40,720 bytes, name may vary)

On execution, the following files are created:
%SystemDir%\wincom32.sys (56,064 bytes) detected as Downloader-BAI.sys.gen.a
%SystemDir%\wincom32.ini (12,784 bytes, size may vary) configuration file

It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
start="2"

Once established, the service attempts UDP communication that appears to be connection requests to filesharing peers, specifically using the eDonkey or compatible network format. Seemingly random IP addresses and UDP ports are used, but it is likely this information is being decoded from the "wincom32.ini" initialization file.

--- Update January 21, 2007 --

There have been several new spam runs of this trojan. Newer variants also drop W32/Nuwar@MM and the following file:
%SystemDir%\wincom32.ini

When executed, Downloader-BAI drops the following two files:
%SystemDir%\peers.ini (5483 bytes)
%SystemDir%\wincom32.sys (41728 bytes) detected as Generic Downloader.ab

It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
start="2"

The .sys file is a device driver that hides the network traffic generated by the downloads.

It then downloads "Game0.exe", detected as Downloader-ZQ.a, from the following IP addresses:
http://81.177.3.169/[censored]
http://217.107.217.187/[censored]

--- Update January 21, 2007 --

It also downloads W32/Nuwar@MM, Downloader-ZQ, Uploader-AF, and Spam-Mailbot.
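A defender-side triage check for the persistence entries listed in the updates above, added here as an example and not part of the McAfee write-up or this post: it parses a `reg export` of the Services key and flags driver services named wincom32 or windev-<n>-<n> (the digits vary between samples, so they are matched as a pattern) whose ImagePath is a .sys file of the same name, reporting the Start value alongside. The sample export is constructed; the service names and values follow the entries above.

```python
import re
# Indicators from the advisory above: service wincom32 or windev-<n>-<n>, ImagePath <name>.sys, Start=2.
STORM_SERVICE = re.compile(r"^(wincom32|windev-\d+-\d+)$", re.I)
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_value(raw):  # one .reg value: "string", dword:, or hex(2) (REG_EXPAND_SZ, UTF-16LE)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def parse_services(reg_text):  # values of each direct subkey of ...\Services in a .reg export
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)  # re-join hex lines that reg.exe wrapped
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if key := KEY_RE.match(line):
            current = key.group(1)
            services[current] = {}
        elif (val := VAL_RE.match(line)) and current is not None:
            services[current][val.group(1).lower()] = decode_value(val.group(2))
    return services

def find_storm_drivers(services):  # -> [(service, ImagePath, Start)] for services matching the pattern
    hits = []
    for name, vals in services.items():
        image = vals.get("imagepath", "")
        if STORM_SERVICE.match(name) and image.lower().endswith(name.lower() + ".sys"):
            hits.append((name, image, vals.get("start", "")))
    return hits

# Constructed sample export (not a real capture): hex(2) ImagePath as reg.exe writes it, a plain-string one, benign Tcpip.
WINDEV_IMAGE = "hex(2):" + ",".join(
    f"{b:02x}" for b in (r"\??\C:\WINDOWS\system32\windev-5004-7504.sys" + "\x00").encode("utf-16-le"))
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\windev-5004-7504]
"ImagePath"={WINDEV_IMAGE}
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wincom32]
"ImagePath"="\\\\??\\\\C:\\\\WINDOWS\\\\system32\\\\wincom32.sys"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip]
"ImagePath"="System32\\\\drivers\\\\tcpip.sys"
"Start"=dword:00000001
"""
```

Run `find_storm_drivers(parse_services(open("services.reg").read()))` against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`) to list matching services; a Start of "2" on a hit is the automatic-start configuration the advisory describes.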
Symptoms -

Downloader-BAI is currently being spammed using the following email formats. In general the mails fall into two categories:
A subject with a controversial world news event and an attachment pretending to provide more information.
A subject indicating romantic love or passion and an attachment pretending to be a greeting or postcard.
To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

A spam run of this downloader trojan is underway. During a spam run, the author of the malware spams the trojan by email to entice people into executing it.
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
