ProperBlog

Security for the masses


Fake Facebook email with link to “Update tool.exe” download

16 November, 2009 (22:38) | Diagnosis, Prognosis, Treatment. | By: Blogkeep

A short while ago I received an email requesting that I update my Facebook account, which was strange since I don’t have one. I followed the link in the email and downloaded a file called “Update Tool.exe”. I submitted the file to an online virus scanning service, which at the time did not identify the file as any kind of malware. I thought I had found a new virus or trojan, so I decided to run the file on a virtual machine to analyse its behaviour. Unfortunately I have been having stability issues with VMware, and due to other demands on my time it was four days before I had a new XP VM running under Sun’s VirtualBox. Anyhow, this is what I discovered.

Update Tool.exe information:
Size: 106496 bytes
Version: 0.9.43.1881
CRC-32: 5BE44D1A
MD5: E27A6F692F801D038906B32F32960CD5
SHA1: C08678BF59CE1665BDE29337068042EC8084ACAD

These modifications were made to the file system.
Created:
C:\windows\system32\sdra64.exe
C:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds

Various modifications were made to the registry, including the following value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,” so that the file it created, sdra64.exe, would execute on reboot.

At this stage I scroogled “sdra64.exe” and discovered that this was in fact a Zbot variant; it had just been renamed “update tool.exe”. There has been much analysis of Zbot and its behaviour, so I did not feel inclined to pursue this analysis further. However, out of curiosity, I ran sdra64.exe after starting up Wireshark.

sdra64 connected to 193.104.27.42 on port 80 and attempted to download (via HTTP GET) two files: ip2.exe, which was not found, and ip2.gif, which did exist. ip2.gif is not a valid GIF image, and opening the file in Notepad gave no indication of what type of file it is. I think it is encrypted, although what it is and what encryption scheme is in use I do not know. I shall investigate this further, but recognising an encryption scheme from what appears to be random ASCII will be a challenge with my limited experience of encryption.

Removal of sdra64.exe:
1 – Download MS Process Explorer
2 – Download MS Autoruns
3 – Run Process Explorer and press Ctrl+F
4 – Type sdra64.exe in the box and click Search
5 – Double-click the item that is shown in the list (“winlogon…”)
6 – On the upper toolbar, select ‘Handle’ then ‘Close Handle’
7 – Go to C:\windows\system32 and delete sdra64.exe
8 – Run Autoruns.exe and go to the Logon tab. Under ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit’, uncheck the sdra64.exe entry.
9 – Restart your computer. Winlogon is a critical process, so you will probably have to force the OS to reboot.
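As an added example (not part of the original post), the following Python script checks a machine for the two indicators reported above: an extra program appended to the Winlogon Userinit value, and the dropped files. The stock userinit.exe path is an assumption; the parser works on any Userinit string, so it flags every unexpected entry, not only sdra64.exe.

```python
import os
import ntpath
from typing import Iterable, List, Optional

# Clean Userinit value on the XP VM described above (assumption: stock path).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
# Infected value quoted from the post's registry observation.
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
# Files the post reports the sample creating.
DROPPED_FILES = [
    r"C:\windows\system32\sdra64.exe",
    r"C:\windows\system32\lowsec\local.ds",
    r"C:\windows\system32\lowsec\user.ds",
]

def userinit_entries(value: str) -> List[str]:
    """Split a Userinit REG_SZ into its comma-separated programs, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]

def suspicious_userinit_entries(value: str, expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe (case-insensitive;
    a bare 'userinit.exe' with no directory is also accepted as stock)."""
    ok = {expected.lower(), ntpath.basename(expected).lower()}
    return [e for e in userinit_entries(value) if e.lower() not in ok]

def read_live_userinit() -> Optional[str]:
    """Read the live Userinit value on Windows; None elsewhere or if the value is absent."""
    try:
        import winreg
    except ImportError:  # not running on Windows
        return None
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, "Userinit")[0]
    except OSError:
        return None

def present_dropped_files(paths: Iterable[str] = DROPPED_FILES) -> List[str]:
    """Return which of the post's dropped-file paths exist on this machine."""
    return [p for p in paths if os.path.exists(p)]

if __name__ == "__main__":
    live = read_live_userinit()
    print("live Userinit:", live, "-> suspicious:", suspicious_userinit_entries(live or ""))
    print("dropped files present:", present_dropped_files())
```

Autoruns shows the same Userinit entry in its Logon tab; this script is only a quick way to confirm the value and files on a suspect machine before and after the removal steps.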
