W32/DLoader.ACMAD

 

Summary: B6F7D1AE10A2086579FDA1FDA0D20A8B. This downloader is a Visual Basic executable. It tries to connect to the links hardcoded in it; these URIs are prominent torrent sites. The malware seems to originate from the UK, and references the ISP BT (British Telecom) as the scam perpetrator in hijacking its users' DNS entries. Seemingly junk bytes are downloaded from a London-based server (barefruit.co.uk). It also clears the browsing history and edits the hosts file. In short, it hijacks DNS resolution and downloads.

Aliases:

Kaspersky – Trojan.Win32.Swisyn.jyb

McAfee – Swisyn.s

McAfee-GW-Edition – Heuristic.BehavesLike.Win32.Downloader.A

Microsoft – TrojanDownloader:Win32/Ponmocup.A

NOD32 – Win32/Qhost.NRX

Norman – W32/DLoader.ACMAD

Overall risk – Very High

Malware Type – Downloader/Hijacker

Spreading Mechanism – Internet downloads (BT ISP installers, share sites, torrent sites)

Detection Date – late October 2010

Spreading Description:

· The original VB executable can be unknowingly downloaded along with installers from BT or competitor sites, because these are connected with this online malware activity.

· Torrent sites are also a source, since many of the files there are custom-made downloads and may contain this malicious file.

· It does not spread by copying itself to other shares, so manual download and social-engineered targets are the only vectors.

Threat Description:

No GUI presence is observed. The user will not be visually aware of its execution unless the process list is checked with a utility.

It edits the hosts file and adds the entries shown below. The hosts file is consulted first for any local DNS resolution, so pinning the listed names (the download sites) to the local host hijacks resolution for those sites.

[Image clip_image002: hosts file entries added by the malware]
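Hosts-file tampering of the kind described above is simple to audit. The following is an added example, not code from the original write-up: it parses hosts-file text, skips the stock loopback entries for localhost, and reports every other name that is pinned to loopback or 0.0.0.0 (the site becomes unreachable) or to any other address (traffic for that name is redirected). The sample hosts content and its domain names are constructed for illustration, not the entries the malware wrote.

```python
"""Audit a Windows hosts file for blackholed or redirected names.

Added example, not part of the original write-up. Sample input below is
constructed; on a live machine read
r"C:\Windows\System32\drivers\etc\hosts" instead.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (placeholder domains, .invalid TLD).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       example-torrent-site.invalid
127.0.0.1       example-share-site.invalid   # download site pinned to loopback
0.0.0.0         update.example-vendor.invalid
198.51.100.7    www.example-bank.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; not a mapping
        for name in parts[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (hostname, ip, verdict) for every non-default entry.

    verdict is 'blackholed' when the name points at loopback or the
    unspecified address and 'redirected' when it points anywhere else.
    """
    findings = []
    for ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in DEFAULT_LOOPBACK_NAMES and sinkhole:
            continue  # stock entry, nothing to report
        findings.append((name, str(ip), "blackholed" if sinkhole else "redirected"))
    return findings


if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {ip}")
```

Any 'blackholed' finding for a site the user did not block themselves, or any 'redirected' finding at all, is worth investigating; a clean stock hosts file yields an empty list.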

Under VMware, the DNS cache was inspected and shows connection attempts to the following sites:

[Image clip_image004: DNS cache entries for the contacted sites]

It also makes malicious inserts in index.dat, a file that online reports have associated with suspicious activity. The file belongs to the IE cache, but various malware insert this entry with added sub-entries (Skype was recently reported to use this file entry, and that use was debated by the user community).

[Image clip_image006: index.dat entries]

These .dat files had their entire history deleted.

It also makes the following registry updates:

[Image clip_image008: registry updates made by the malware]

BT infamous:

Recent news reports about the UK-based ISP further confirm this as malware:

[Images clip_image010, clip_image012, clip_image014: news reports]

On getting internet connectivity:

A file is downloaded from http://unallocated.barefruit.co.uk over TCP, using ports in the 1000-3000 range.

The file name is the current account user name with “xplore.exe” appended, and the 920-byte file is saved under the “Documents and Settings\” system directory.

This payload file is not an executable but just junk bytes (or encrypted data):

[Image clip_image016: hex dump of the downloaded payload]
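To triage a dropped file like the one described above, a responder wants three quick checks: does the file name match the pattern (user name + “xplore.exe”), is it a genuine Win32 executable (DOS “MZ” header and a “PE\0\0” signature at the offset stored at 0x3C), and if not, do its bytes look random enough to be encrypted. The following is an added example, not code from the original analysis. The only page-supplied values are the downloader MD5 from the summary and the 920-byte size; the sample payload bytes are constructed.

```python
"""Triage helpers for the dropped <username>xplore.exe file.

Added example, not part of the original write-up. KNOWN_BAD_MD5 and
EXPECTED_PAYLOAD_SIZE come from the write-up; SAMPLE_JUNK is constructed.
"""
import hashlib
import math

KNOWN_BAD_MD5 = {"b6f7d1ae10a2086579fda1fda0d20a8b"}  # downloader hash from the summary
EXPECTED_PAYLOAD_SIZE = 920  # bytes, as reported for the downloaded file

# Constructed stand-in for the payload: 920 bytes with a nearly flat byte
# distribution, i.e. what encrypted or random data looks like.
SAMPLE_JUNK = bytes(range(256)) * 3 + bytes(range(152))


def expected_dropped_name(username):
    """File name the downloader uses: the account user name + 'xplore.exe'."""
    return f"{username}xplore.exe"


def is_pe_image(data):
    """True when data has a DOS 'MZ' header and a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def shannon_entropy(data):
    """Bits per byte: near 8.0 for random/encrypted data, much lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_payload(data):
    """Classify bytes as 'pe', 'high-entropy-blob' (likely encrypted) or 'other'."""
    if is_pe_image(data):
        return "pe"
    if shannon_entropy(data) > 7.0:
        return "high-entropy-blob"
    return "other"


def matches_known_bad(data):
    """True when the MD5 of data is in the known-bad set."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


if __name__ == "__main__":
    print(expected_dropped_name("Administrator"))
    print(len(SAMPLE_JUNK) == EXPECTED_PAYLOAD_SIZE, triage_payload(SAMPLE_JUNK))
```

A 920-byte file matching the name pattern that classifies as 'high-entropy-blob' rather than 'pe' is consistent with what the write-up observed; a 'pe' verdict would mean the server has started serving a real executable and the file should be hashed and submitted for analysis.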

The PTR records in the DNS cache show that these sites were contacted while online:

[Image clip_image018: PTR records in the DNS cache]

General information about removal of malicious software

Norman’s antivirus products are in general able to remove all malicious software, but in some scenarios malware uses techniques that are not efficiently removed by our standard product. We have therefore developed a free product, “Norman Malware Cleaner”. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

To minimize infection through removable devices, access or open the drive via the command prompt or via Explorer rather than letting it run automatically.

Also hold SHIFT while inserting USB/DVD media; this disables AutoPlay for that insertion if it is not already disabled. This is a quick fix only; permanent disabling, if required, can be done from the Control Panel or the registry.

APPENDIX:

Online Detection by AV vendors:

[Image clip_image020: online detection results from AV vendors]

Index.dat infection:

The original history was cleared and these bytes were overwritten. Cookies, hash bytes, email IDs, search-engine URLs, .txt files and data in other formats were found. This file is the repository of all browsing information, so tampering with it is malicious by nature.

[Image clip_image022: overwritten index.dat contents]
