Summary: B6F7D1AE10A2086579FDA1FDA0D20A8B, this Downloader is a Visual Basic executable. It tries to connect to the links hardcoded in it; these URIs are prominent torrent sites. The malware seems to originate from the UK, and references the ISP BT (British Telecom) as the scam perpetrator in hijacking its users' DNS entries. Seemingly junk bytes are downloaded from a London-based server (barefruit.co.uk). It also clears the browsing history and edits the hosts file. Thus it both hijacks DNS and downloads.
Overall risk – Very High
Malware Type – Downloader/Hijacker
Spreading Mechanism – Internet downloads (BT ISP installers, share sites, torrent sites)
Detection Date – late October 2010
· The original VB executable can be unknowingly downloaded along with installers from BT/competitor sites, because these are connected with this online malware activity.
· Torrent sites are also a source, since many of these files are custom-made downloads and may contain this malicious file.
· It does not spread by copying itself to other shares, so manual/social-engineered targets are the only vectors.
· No GUI presence is observed. The user won't be visually aware of its execution unless the process list is checked with a utility.
It edits the hosts file and adds these entries. The hosts file is consulted for any DNS resolution locally before a DNS server is queried, so these entries hijack resolution of the listed names (the download sites) and point them at localhost.
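The hosts-file hijack described above can be checked for on a suspect machine by parsing the file and flagging entries that sinkhole or pin a real domain. The following is an added example for this report, not part of the original analysis; the sample hosts content is constructed and its domain names are placeholders, since the report's actual entries were not preserved.

```python
"""Flag hosts-file entries that override DNS for named domains (defender check)."""
import ipaddress

# A stock Windows hosts file legitimately carries only these mappings.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample of a tampered hosts file (domains are placeholders).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   example-torrent-site.invalid   # sinkholed to loopback
0.0.0.0     example-download-site.invalid  # sinkholed to unspecified addr
203.0.113.7 update.example.invalid         # redirected to a fixed address
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a hosts mapping
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_hijacks(text):
    """Return (hostname, ip, reason) for entries that are not the stock
    defaults: a loopback/unspecified target blocks the site, and any other
    fixed address for a dotted domain bypasses normal DNS resolution."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "blocked: sinkholed to local host"))
        elif "." in name:
            findings.append((name, ip, "pinned: fixed address bypasses DNS"))
    return findings
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacks`; anything reported should be compared against the host's known configuration.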
Under VMWare, DNS caches are investigated to display the connection attempts to these following sites:
It also makes malicious inserts in index.dat, with online reports of supposed malicious presence. This file is the IE cache, but various malware seem to insert entries into it with added sub-entries (recently Skype was reported to be using this file, and its use was debated by the user community).
These .dat files had their entire history deleted.
It also makes the following registry updates.
Recent news reports about the UK-based ISP further confirm this as malware:
On getting internet connectivity:
A file is downloaded from http://unallocated.barefruit.co.uk over TCP on ports in the 1000-3000 range.
The file name is the current account user name with "xplore.exe" appended, and the file (920 bytes) is downloaded to the "Documents and Settings\" system directory.
This payload file is not an executable but just junk bytes (or encrypted data):
Connections to these sites are confirmed by the PTR records showing activity in the DNS cache when online.
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software, but in some scenarios malware uses techniques that are not efficiently removed by our standard product. We have therefore developed a free tool, "Norman Malware Cleaner". Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
To minimize infection through removable devices, access or open the drive via the command prompt or via Explore.
Also hold SHIFT while inserting USB/DVD installation media; this disables autoplay if it is not already disabled. This is a quick fix only; permanent disabling, if required, can be done from the Control Panel/registry.
Online Detection by AV vendors:
The original history was cleared and these bytes were overwritten. Cookies, hash bytes, e-mail IDs, search-engine URLs, .txt files and data in other formats were found. This is the repository of all browsing information, so the purpose is clearly malicious.