Posted by: Amker
« on: 30. June 2007., 14:47:11 »
Downloader-BAI is a trojan that is delivered via a spammed email message. This downloader is designed to download files from websites controlled by the malware author.
History
W32/NuWar@MM used to drop Downloader-ARL a few weeks ago. Now it has changed its payload and drops Downloader-BAI. W32/Nuwar@MM creates a copy of itself with a random name followed by a ".t" extension. It then infects files in the directories. The infected files are detected as W32/Duel. In the process of infection it is also observed to corrupt binaries, which are then detected as W32/Duel.dam.
Aliases
CME-711
Downloader-BAI
Downloader-BAI.gen
Storm Worm
Trojan-Downloader.Win32.Agent.bet
Trojan-Downloader.Win32.Small.dam
Trojan.Peacomm
Win32/Nuwar.N@MM!CME-711
Characteristics -
To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx
--- Update April 16, 2007 --
Two new variants have been found with the following characteristics.
3ti.exe.exe (91,920 bytes, name may vary)
On execution, the following files are created:
%SystemDir%\windev-5004-7504.sys (139,008 bytes) detected as Downloader-BAI.sys.gen.a
%SystemDir%\windev-peers.ini (12,542 bytes, size may vary) configuration file
It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
Imagepath="\??\%SYSTEMDIR%\windev-5004-7504.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
displayname="windev-5004-7504"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
start="2"
Once established, the service attempts UDP communication that appears to be connection requests to filesharing peers, specifically using the eDonkey or compatible network format. Seemingly random IP addresses and UDP ports are used, but it is likely this information is being decoded from the "windev-peers.ini" initialization file.
pdp.exe.exe (40,720 bytes, name may vary)
On execution, the following files are created:
%SystemDir%\wincom32.sys (56,064 bytes) detected as Downloader-BAI.sys.gen.a
%SystemDir%\wincom32.ini (12,784 bytes, size may vary) configuration file
It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
start="2"
Once established, the service attempts UDP communication that appears to be connection requests to filesharing peers, specifically using the eDonkey or compatible network format. Seemingly random IP addresses and UDP ports are used, but it is likely this information is being decoded from the "wincom32.ini" initialization file.
--- Update January 21, 2007 --
There have been several new spam runs of this trojan. Newer variants also drop W32/Nuwar@MM and the following file.
%SystemDir%\wincom32.ini
When executed, Downloader-BAI drops the following 2 files:
%SystemDir%\peers.ini (5483 bytes)
%SystemDir%\wincom32.sys (41728 bytes) Detected as Generic Downloader.ab
It also creates the following registry entries:
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
start="2"
The .sys file is a device driver that hides the network traffic for the downloads.
It then downloads "Game0.exe", detected as Downloader-ZQ.a, from the following IP addresses:
http://81.177.3.169/[censored]
http://217.107.217.187/[censored]
--- Update January 21, 2007 --
It also downloads W32/Nuwar@MM, Downloader-ZQ, Uploader-AF, and Spam-Mailbot.
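The registry footprint described in the updates above (a service key under Hkey_Local_Machine\System\CurrentControlSet\Services whose Imagepath points at the dropped .sys in %SystemDir% and whose start value is "2") is the kind of indicator a responder can check across a registry export. The Python below is an added example, not code from McAfee or from the original poster: it parses entries written in the advisory's own Key\ / name="value" notation (the sample is constructed here, not captured from a real host) and flags services whose driver name matches those in this write-up. The windev-<n>-<n>.sys pattern is an assumption that generalises the single windev-5004-7504.sys name on the page; the start="2" and config-file checks are supporting evidence only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the advisory's notation: a key line ending in a backslash,
# followed by one name="value" line. One benign driver service plus the two
# services the write-up attributes to Downloader-BAI. Not a real export.
SAMPLE_REGISTRY = r'''
Hkey_Local_Machine\System\CurrentControlSet\Services\Tcpip\
Imagepath="system32\DRIVERS\tcpip.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\Tcpip\
displayname="TCP/IP Protocol Driver"
Hkey_Local_Machine\System\CurrentControlSet\Services\Tcpip\
start="1"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
Imagepath="\??\%SYSTEMDIR%\windev-5004-7504.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
displayname="windev-5004-7504"
Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
start="2"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
start="2"
'''

# Constructed listing of %SystemDir%, used only for the config-file check.
SAMPLE_SYSTEMDIR_LISTING = ["ntoskrnl.exe", "wincom32.sys", "wincom32.ini", "peers.ini"]

SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# Driver file names taken from the write-up; the windev-<n>-<n>.sys regex is an
# assumption generalising the one windev-5004-7504.sys name on the page.
KNOWN_DRIVERS = {"wincom32.sys"}
DRIVER_PATTERN = re.compile(r"^windev-\d+-\d+\.sys$", re.IGNORECASE)

# Configuration files the write-up lists alongside the drivers.
KNOWN_CONFIG_FILES = {"peers.ini", "wincom32.ini", "windev-peers.ini"}

VALUE_RE = re.compile(r'^(\w+)="(.*)"$')


def parse_entries(text: str) -> Dict[str, Dict[str, str]]:
    """Map service name -> {value name (lowercased): value} from advisory-style lines."""
    services: Dict[str, Dict[str, str]] = {}
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    i = 0
    while i + 1 < len(lines):
        key, value_line = lines[i], lines[i + 1]
        match = VALUE_RE.match(value_line)
        if not key.lower().startswith(SERVICES_PREFIX) or not match:
            i += 1  # not a key/value pair under Services; skip this line
            continue
        service = key[len(SERVICES_PREFIX):].rstrip("\\")
        services.setdefault(service, {})[match.group(1).lower()] = match.group(2)
        i += 2
    return services


def image_basename(image_path: str) -> str:
    """Drop the NT "\\??\\" prefix and any directory part of an ImagePath value."""
    return image_path.replace("\\??\\", "").rsplit("\\", 1)[-1]


def find_suspicious_services(services: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for services whose driver matches the write-up."""
    hits: List[Tuple[str, List[str]]] = []
    for name, values in services.items():
        base = image_basename(values.get("imagepath", ""))
        if base.lower() in KNOWN_DRIVERS or DRIVER_PATTERN.match(base):
            reasons = [f"ImagePath driver {base}"]
            if values.get("start") == "2":
                reasons.append("start=2 (automatic start at boot)")
            hits.append((name, reasons))
    return hits


def config_files_present(listing: List[str]) -> List[str]:
    """Names from the write-up's dropped-file list that appear in a %SystemDir% listing."""
    return sorted(f for f in listing if f.lower() in KNOWN_CONFIG_FILES)


if __name__ == "__main__":
    for service, reasons in find_suspicious_services(parse_entries(SAMPLE_REGISTRY)):
        print(f"{service}: {'; '.join(reasons)}")
    print("config files:", config_files_present(SAMPLE_SYSTEMDIR_LISTING))
```

On a live host the same matching would be run over the output of a registry export or a service enumeration rather than this text form; the point is that the service name, the driver path in %SystemDir% and the auto-start value together are a stronger signal than any one of them alone.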
Symptoms -
Downloader-BAI is currently being spammed using the following email formats. In general the mails fall into two categories.
A subject with a controversial world news event and an attachment pretending to provide more information
A subject indicating romantic love or passion and an attachment pretending to be a greeting or postcard.
To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx
A spam run of this Downloader Trojan is underway. During a spam run, the author of the malware spams the Trojan by email to entice people into executing it.
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
McAfee