Tuesday, March 9, 2010

Mar 8 Trojan Win32.Magania from www71625@yahoo.com.tw

The message contains a password-protected RAR archive with 第一乞丐潮哥.cmd (size: 284694 bytes, MD5: D84C9278AF1C162AFF8BA617B56BA645) inside.
From: www71625 [mailto:www71625@yahoo.com.tw]
Sent: Monday, March 08, 2010 6:53 PM
To: XXXXX
Subject: 超牛B,中國第一极品帥哥的傳說,蓋過現實明星..壓縮密碼668
(Translation: "Super awesome, the legend of China's number one top hunk, outshining real-life stars.. archive password 668")

咋樣?哥老犀利、老有型了,网絡從沒寂寞過。也不甘寂寞--..壓縮密碼668
(Translation: "How about it? Bro is so sharp, so stylish; never lonely on the net, and not willing to be lonely either--.. archive password 668")
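The lure works the usual way: the RAR is password-protected so a mail gateway cannot scan the payload, and the password (668) is handed to the victim in the subject and body. Even without the password, a gateway can still triage such an attachment statically, because in RAR 4.x the file names, unpacked sizes and the "data is encrypted" flag sit in the clear unless the archive was created with encrypted headers. The following is an added example (not part of the original post) that walks the RAR 4.x block chain, flags an encrypted file with an executable extension such as the .cmd above, and pulls a stated archive password out of the message text. The archive bytes are constructed for the demonstration (file name photo.cmd, 16 bytes of stand-in ciphertext) since the real sample is not reproduced here; the block layout follows the RAR 2.9/4.x format, and the password regex is an assumption modelled on this message's "壓縮密碼668".

```python
"""Static triage of a password-protected RAR 4.x mail attachment (added example)."""
import re
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"          # RAR 1.5-4.x signature (RAR5 uses a different one)
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000     # block carries a 4-byte ADD_SIZE (packed data length) after HEAD_SIZE
MHD_PASSWORD = 0x0080   # main header: everything after it, names included, is encrypted
LHD_PASSWORD = 0x0004   # file header: file data is encrypted, the name is still readable
LHD_LARGE = 0x0100      # 64-bit sizes follow the fixed fields
LHD_UNICODE = 0x0200    # name field is "oem_name\0unicode_encoding"
LHD_SALT = 0x0400       # 8-byte salt follows the name

EXECUTABLE_EXT = (".cmd", ".bat", ".exe", ".scr", ".pif", ".com", ".vbs", ".js")
# Assumed lure phrasing, modelled on the subject/body above ("...壓縮密碼668").
PASSWORD_RE = re.compile(r"(?:壓縮密碼|压缩密码|解压密码|password)\s*[:：]?\s*([A-Za-z0-9]{3,})",
                         re.IGNORECASE)


def parse_rar4(buf):
    """Walk the block chain; report encrypted-header state and (name, encrypted, unpacked size)."""
    if not buf.startswith(RAR4_MARKER):
        raise ValueError("not a RAR 4.x archive")
    report = {"encrypted_headers": False, "files": []}
    off = len(RAR4_MARKER)
    while off + 7 <= len(buf):
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", buf, off)
        if head_size < 7 or off + head_size > len(buf):
            raise ValueError("truncated block at offset %d" % off)
        # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field.
        if zlib.crc32(buf[off + 2:off + head_size]) & 0xFFFF != head_crc:
            raise ValueError("bad header CRC at offset %d" % off)
        add_size = struct.unpack_from("<I", buf, off + 7)[0] if head_flags & LONG_BLOCK else 0
        if head_type == MAIN_HEAD and head_flags & MHD_PASSWORD:
            report["encrypted_headers"] = True   # nothing past this point is readable
            break
        if head_type == FILE_HEAD:
            (pack_size, unp_size, _os, _crc, _time, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", buf, off + 7)
            name_off = off + 32
            if head_flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", buf, name_off)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                name_off += 8
            raw = buf[name_off:name_off + name_size]
            if head_flags & LHD_UNICODE:
                raw = raw.split(b"\0", 1)[0]   # keep the plain (OEM) name, drop the unicode tail
            report["files"].append((raw.decode("utf-8", "replace"),
                                    bool(head_flags & LHD_PASSWORD), unp_size))
            add_size = pack_size
        if head_type == END_HEAD:
            break
        off += head_size + add_size
    return report


def triage_attachment(buf):
    """Reasons to hold the attachment; an empty list means nothing suspicious was found."""
    rep = parse_rar4(buf)
    reasons = []
    if rep["encrypted_headers"]:
        reasons.append("encrypted headers: file list not inspectable")
    for name, encrypted, size in rep["files"]:
        if encrypted and name.lower().endswith(EXECUTABLE_EXT):
            reasons.append("encrypted executable %s (%d bytes unpacked)" % (name, size))
    return reasons


def find_archive_password(text):
    """Pull the archive password the lure hands the victim, if the message states one."""
    m = PASSWORD_RE.search(text)
    return m.group(1) if m else None


def _block(head_type, head_flags, body):
    """Assemble one RAR4 block with a valid HEAD_CRC."""
    core = struct.pack("<BHH", head_type, head_flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(core) & 0xFFFF) + core


def build_sample_archive(name=b"photo.cmd", encrypt_headers=False):
    """Constructed archive standing in for the real sample: one encrypted file with 16 bytes of
    fake ciphertext. With encrypt_headers=True the main header says the rest is encrypted."""
    main = _block(MAIN_HEAD, MHD_PASSWORD if encrypt_headers else 0, struct.pack("<HI", 0, 0))
    if encrypt_headers:
        return RAR4_MARKER + main + b"\x5a" * 32         # stand-in for encrypted headers
    payload = b"\x00" * 16
    fixed = struct.pack("<IIBIIBBHI", len(payload), 284694, 2, 0, 0, 29, 0x33, len(name), 0x20)
    file_hdr = _block(FILE_HEAD, LONG_BLOCK | LHD_PASSWORD | LHD_SALT, fixed + name + b"\x11" * 8)
    return RAR4_MARKER + main + file_hdr + payload + _block(END_HEAD, 0, b"")


if __name__ == "__main__":
    subject = "超牛B,中國第一极品帥哥的傳說,蓋過現實明星..壓縮密碼668"
    print("password in subject:", find_archive_password(subject))
    print("hold reasons:", triage_attachment(build_sample_archive()))
    print("encrypted headers:", triage_attachment(build_sample_archive(encrypt_headers=True)))
```

Two caveats for real deployments: an archive made with encrypted headers (the MHD_PASSWORD case) hides the file list entirely and should be held on that basis alone, and the password recovered from the message can be fed to an unrar sandbox step so the actual payload, not just its name, gets scanned.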



Virustotal 第一乞丐潮哥.cmd
Result: 15/42 (35.72%)
AntiVir    8.2.1.180    2010.03.05    TR/Drop.Agen.283856
AVG    9.0.0.787    2010.03.07    PSW.OnlineGames3.AEQN
DrWeb    5.0.1.12222    2010.03.07    Trojan.Packed.1132
F-Secure    9.0.15370.0    2010.03.07    Trojan:W32/Agent.NRR
Fortinet    4.0.14.0    2010.03.07    SPY/Magania
Ikarus    T3.1.1.80.0    2010.03.07    Worm.Win32.Taterf
Kaspersky    7.0.0.125    2010.03.07    Trojan-GameThief.Win32.Magania.cxsb
McAfee    5912    2010.03.06    New Malware.bl
McAfee+Artemis    5912    2010.03.06    New Malware.bl
McAfee-GW-Edition    6.8.5    2010.03.07    Trojan.Drop.Agen.283856
Microsoft    1.5502    2010.03.07    VirTool:Win32/Obfuscator.EX
Panda    10.0.2.2    2010.03.07    Trj/CI.A
Sophos    4.51.0    2010.03.07    Sus/UnkPack-C
Sunbelt    5780    2010.03.07    VirTool.Win32.Obfuscator
Symantec    20091.2.0.41    2010.03.07    Backdoor.Graybird
Additional information
File size: 284694 bytes
MD5...: d84c9278af1c162aff8ba617b56ba645

Symantec and PC Tools detect it as Graybird, aka Gray Pigeon, but it is not. It is a classic Magania trojan (an online-game password stealer, which is what the Kaspersky Trojan-GameThief and AVG PSW.OnlineGames names above say), as described by F-Secure.



Threatexpert report

I am pasting most of it below as well.
      • File MD5: 0xD84C9278AF1C162AFF8BA617B56BA645
      • File SHA-1: 0x92C1FEF49F9FFA2058F463864A1B17E624FF5A19
      • Filesize: 284,694 bytes
      • Alias:
 Technical Details:
  • A new window was created, as shown below --- no idea who it is, if you do, please enlighten me (M)
  [image: the window displayed when the sample runs]
 File System Modifications
  • The following files were created in the system:
    1. %Temp%\RarSFX0\8.sfx.exe
       File size: 175,488 bytes
       MD5: 0x4BA3B2CC974F483075E19521B8B0B71F
       SHA-1: 0x9DA317C4FB3AF3528CD6730E6999EDC6F46C77A8
       Alias: Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]; Mal/RarMal-B [Sophos]
    2. %Temp%\RarSFX0\su3.jpg
       File size: 59,384 bytes
       MD5: 0x89A5DA994FD9BE9EECE1612B7FD1E92E
       SHA-1: 0x2E3C8E1516FBADFB3953608B873A08768E15F7FE
       Alias: (not available)
    3. %System%\8.exe
       File size: 96,002 bytes
       MD5: 0xF7E1DA20030BD8DB5B5F33584740D282
       SHA-1: 0x81067AF434AD1AF3ECF35443CBD80A3B848AFF71
       Alias: Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]
    4. [file and pathname of the sample #1]
       File size: 284,694 bytes
       MD5: 0xD84C9278AF1C162AFF8BA617B56BA645
       SHA-1: 0x92C1FEF49F9FFA2058F463864A1B17E624FF5A19
       Alias: Backdoor.Graybird [PCTools]; Trojan-GameThief.Win32.Magania.cxsb [Kaspersky Lab]
  • The following directory was created:
    • %Temp%\RarSFX0

    Memory Modifications
    • There was a new process created in the system:
      Process name: [filename of the sample #1]; process filename: [file and pathname of the sample #1]; main module size: 151,552 bytes
    • Analysis of the file resources indicates the following possible countries of origin:
      Taiwan
      China

    More detailed CW Sandbox Sunbelt report

    ----------------------------------------------------------------------------------------
    Once executed, the above image gets displayed and the files listed below get created.

    C:\WINDOWS\system32\ajbpi.exe - this file is injected into the explorer.exe process. ThreatExpert reported it under a different name (%System%\8.exe); the name is random, but the size (96,002 bytes) and the MD5 (f7e1da20030bd8db5b5f33584740d282) are the same.


    Virustotal
     File ajbpi.exe received on 2010.03.09 05:00:32 (UTC)
    Result: 17/42 (40.48%)
    a-squared 4.5.0.50 2010.03.09 Worm.Win32.Taterf!IK
    AntiVir 8.2.1.180 2010.03.08 TR/PSW.Magania.cxsb
    AVG 9.0.0.787 2010.03.08 PSW.OnlineGames3.AEQN
    CAT-QuickHeal 10.00 2010.03.08 (Suspicious) - DNAScan
    DrWeb 5.0.1.12222 2010.03.09 Trojan.Packed.1132
    F-Secure 9.0.15370.0 2010.03.09 Trojan:W32/Agent.NRR
    Fortinet 4.0.14.0 2010.03.07 SPY/Magania
    Ikarus T3.1.1.80.0 2010.03.09 Worm.Win32.Taterf
    Kaspersky 7.0.0.125 2010.03.09 Trojan-GameThief.Win32.Magania.cxsb
    McAfee 5914 2010.03.08 New Malware.bl
    McAfee+Artemis 5914 2010.03.08 New Malware.bl
    McAfee-GW-Edition 6.8.5 2010.03.09 Heuristic.LooksLike.Win32.SuspiciousPE.B
    Microsoft 1.5502 2010.03.08 VirTool:Win32/Obfuscator.EX
    Sophos 4.51.0 2010.03.09 Sus/UnkPack-C
    Sunbelt 5797 2010.03.09 VirTool.Win32.Obfuscator
    Symantec 20091.2.0.41 2010.03.09 Suspicious.Insight
    TrendMicro 9.120.0.1004 2010.03.09 TROJ_GAMETHI.FJF
    File size: 96002 bytes
    MD5...: f7e1da20030bd8db5b5f33584740d282

    In the user temp directory:

    %Temp%\RarSFX0\8.sfx.exe
    %Temp%\RarSFX0\su3.jpg

    Virustotal 8.sfx.exe
    File 8.sfx.exe received on 2010.03.09 04:40:32 (UTC)
    Result: 15/42 (35.72%)
    AntiVir 8.2.1.180 2010.03.08 DR/PSW.Magania.cxsb
    AVG 9.0.0.787 2010.03.08 PSW.OnlineGames3.AEQN
    DrWeb 5.0.1.12222 2010.03.09 Trojan.Packed.1132
    F-Secure 9.0.15370.0 2010.03.09 Trojan:W32/Agent.NRR
    Ikarus T3.1.1.80.0 2010.03.09 Worm.Win32.Taterf
    Kaspersky 7.0.0.125 2010.03.09 Trojan-GameThief.Win32.Magania.cxsb
    McAfee 5914 2010.03.08 New Malware.bl
    McAfee+Artemis 5914 2010.03.08 New Malware.bl
    McAfee-GW-Edition 6.8.5 2010.03.09 Trojan.Dropper.PSW.Magania.cxsb
    Microsoft 1.5502 2010.03.08 VirTool:Win32/Obfuscator.EX
    Sophos 4.51.0 2010.03.09 Sus/UnkPack-C
    Sunbelt 5797 2010.03.09 VirTool.Win32.Obfuscator
    Symantec 20091.2.0.41 2010.03.09 Suspicious.Insight
    TrendMicro 9.120.0.1004 2010.03.09 TROJ_GAMETHI.FJF
    Additional information
    File size: 175488 bytes
    MD5...: 4ba3b2cc974f483075e19521b8b0b71f

     

     Virustotal su3.jpg
    File su3.jpg received on 2010.03.09 04:41:24 (UTC)
    Result: 2/41 (4.88%)
    AntiVir 8.2.1.180 2010.03.05 TR/Drop.Agen.283856
    McAfee-GW-Edition 6.8.5 2010.03.07 Trojan.Drop.Agen.283856
    Additional information
    File size: 59384 bytes
    MD5...: 89a5da994fd9be9eece1612b7fd1e92e

    DNS queries and TCP traffic 
    chidoule.com = 205.209.180.114
    ymymym.com = 61.152.96.121
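The hashes, the %Temp%\RarSFX0 drop path and the two domains with their resolved IPs are enough to sweep other hosts for the same infection. The following is an added example (not part of the original post) that matches a directory tree by MD5 and by the RarSFX<n> drop path, and matches DNS or proxy log lines by the C2 domains (including subdomains) or their IPs. The indicator values are the ones listed in this write-up; the planted file and the log lines are constructed for the demonstration, so only the path rule fires on the planted file unless its own hash is supplied.

```python
"""Host and DNS sweep for the Magania dropper indicators above (added example)."""
import hashlib
import os
import re
import tempfile

# MD5s from the ThreatExpert/VirusTotal data above, normalised to lowercase without the 0x prefix.
FILE_HASHES = {
    "d84c9278af1c162aff8ba617b56ba645": "RAR SFX dropper (the .cmd from the mail)",
    "4ba3b2cc974f483075e19521b8b0b71f": "%Temp%\\RarSFX0\\8.sfx.exe (second-stage SFX)",
    "89a5da994fd9be9eece1612b7fd1e92e": "%Temp%\\RarSFX0\\su3.jpg (decoy image)",
    "f7e1da20030bd8db5b5f33584740d282": "%System%\\8.exe, seen as ajbpi.exe (injected into explorer.exe)",
}
# WinRAR SFX stubs unpack into a fresh %Temp%\RarSFX<n>; this dropper leaves these two names there.
DROP_PATH_RE = re.compile(r"/temp/rarsfx\d+/(8\.sfx\.exe|su3\.jpg)$", re.IGNORECASE)

NET_DOMAINS = {"chidoule.com", "ymymym.com"}
NET_IPS = {"205.209.180.114", "61.152.96.121"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def md5_file(path, chunk=1 << 20):
    """Stream-hash a file so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=FILE_HASHES):
    """Return (path, reason) for files matching a known hash or the RarSFX drop path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            if digest in hashes:
                hits.append((path, "hash match: " + hashes[digest]))
            if DROP_PATH_RE.search(path.replace("\\", "/")):
                hits.append((path, "RarSFX drop path"))
    return hits


def sweep_dns(lines):
    """Return (line, indicator) for log lines naming a C2 domain (or a subdomain) or a C2 IP."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in NET_DOMAINS):
                hits.append((line, h))
                break
        else:  # no domain hit: fall back to the resolved / connected IP
            for ip in IPV4_RE.findall(line):
                if ip in NET_IPS:
                    hits.append((line, ip))
                    break
    return hits


def build_demo_tree():
    """Constructed directory tree for the demonstration; returns (root, planted path, its MD5)."""
    root = tempfile.mkdtemp(prefix="magania-sweep-")
    drop_dir = os.path.join(root, "Temp", "RarSFX0")
    os.makedirs(drop_dir)
    planted = os.path.join(drop_dir, "su3.jpg")
    with open(planted, "wb") as f:
        f.write(b"constructed stand-in, not the real decoy image")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("benign file, should not match\n")
    return root, planted, md5_file(planted)


# Constructed log lines in a simple "time client query type answer" layout.
SAMPLE_DNS_LOG = [
    "2010-03-09 05:01:12 10.0.0.5 chidoule.com A 205.209.180.114",
    "2010-03-09 05:01:13 10.0.0.5 www.google.com A 74.125.0.1",
    "2010-03-09 05:02:40 10.0.0.7 update.ymymym.com A 61.152.96.121",
    "2010-03-09 05:03:01 10.0.0.9 connect 61.152.96.121:80",
]

if __name__ == "__main__":
    root, _planted, _digest = build_demo_tree()
    for path, why in sweep_files(root):
        print("FILE", path, "->", why)
    for line, ind in sweep_dns(SAMPLE_DNS_LOG):
        print("NET ", ind, "<-", line)
```

The IP matches are the weaker signal: both addresses sit in shared hosting ranges (the Robtex data below shows over a hundred other hosts on 61.152.96.121), so a hit on the IP alone should be confirmed against the queried name before it is treated as an infection.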
    Information from Robtex.com
    1. 456.com, screenma.com, exprexss.com, chidoule.com, www.li456.com and at least one other host point to 205.209.180.114. It is blacklisted in one list.

    http://www.robtex.com/ip/61.152.96.121.html#graph

    2. 0100.cc, hyqk.com, x127.com, qmzp.net, mb52.com and at least 100 other hosts point to 61.152.96.121. It is blacklisted in seven lists.

    205.209.180.114
    OrgName: Managed Solutions Group, Inc.
    OrgID: MSG-48
    Address: 45535 Northport Loop East
    City: Fremont
    StateProv: CA
    PostalCode: 94538
    Country: US

    ReferralServer: rwhois://rwhois.managedsg-inc.com:4321

    NetRange: 205.209.128.0 - 205.209.191.255
    CIDR: 205.209.128.0/18
    NetName: NET-MANAGED
    NetHandle: NET-205-209-128-0-1
    Parent: NET-205-0-0-0-0
    NetType: Direct Allocation
    NameServer: RDNS1.MANAGEDSG-INC.COM
    NameServer: RDNS2.MANAGEDSG-INC.COM
    Comment:
    RegDate: 2004-04-15
    Updated: 2006-03-17


    Found a referral to rwhois.managedsg-inc.com:4321.
    %rwhois V-1.5:003eff:00 rwhoisd (by Network Solutions, Inc. V-1.5.9.5)
    network:Auth-Area:205.209.128.0/18
    network:Class-Name:network
    network:Network-Name:NET-MSG
    network:IP-Network:205.209.180.114/32
    network:IP-Network-Block:205.209.180.114
    network:Organization-Name:Fei Xu
    network:Organization-City:ShangHai
    network:Organization-State:ShangHai
    network:Organization-Zip:200437
    network:Organization-Country:CN
    network:Description-Usage:customer
    network:Created:20100308
    network:Updated:20100308
    network:Updated-By:abuse@managedsg-inc.com





    61.152.96.121
    inetnum: 61.152.96.120 - 61.152.96.126
    netname: LIN-CHUN-SHENG
    descr: LIN CHUN SHENG
    country: CN
    admin-c: WQ58-AP
    tech-c: WL371-AP
    mnt-by: MAINT-CHINANET-SH
    changed: wanglin@shaidc.com 20040413
    status: ASSIGNED NON-PORTABLE
    source: APNIC

    person: Wang Qing
    address: 6F,380 Fushan Road,Shanghai 200122
    country: CN
    phone: +86-21-68761255-807
    fax-no: +86-21-68761255-805
    e-mail: wanglin@shaidc.com
    nic-hdl: WQ58-AP
    mnt-by: MAINT-CN-SHTELE-XINCHAN
    changed: wanglin@shaidc.com 20021007
    source: APNIC

    person: Wang Lin
    address: 6F,380 Fushan Road,Shanghai 200122
    country: CN
    phone: +86-21-68761255-807
    fax-no: +86-21-68761255-805
    e-mail: wanglin@shaidc.com
    nic-hdl: WL371-AP
    mnt-by: MAINT-CN-SHTELE-XINCHAN
    changed: wanglin@shaidc.com 20021007
    source: APNIC

    route: 61.152.0.0/16
    descr: PNAP-SEA
    CHINAnet
    origin: AS4134
    mnt-by: INAP-MAINT-RADB
    changed: hollyb@internap.com 20000507
    source: RADB

