Trojan.Delf.ADS

This describes the reversing of Trojan.Delf.ADS. I won't look into the characteristics of this worm in too much detail; that's what the AV vendors are for *grin*, and they should provide a much more detailed description of the worm for your scrutiny.

IMG34814.pif

This is really a Windows executable, with the MZ magic bytes at 0x20000h and the entry point at 0x39A50h. Similar to the ecard worm described in Bojan's diary entry, http://isc.sans.org/diary.html?storyid=3190, this binary checks for a virtual machine using the privileged 'in' instruction:

mov eax, 564D5868h   ; 'VMXh' magic value expected by the VMware backdoor
mov ebx, 0
mov ecx, 0Ah         ; backdoor command 0Ah (get VMware version)
mov edx, 5658h       ; 'VX' backdoor I/O port
in  eax, dx          ; privileged in: faults on real hardware, answered under VMware
cmp ebx, 564D5868h   ; ebx is set to the magic only when running under VMware

as well as checking that the user name returned by GetUserNameA does not match any of these strings:

sandbox
honey
vmware
currentuser
nepenthes
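As an added example (not code from the original post), the three artefacts above can be turned into a defender's static triage heuristic: the executable embedded at a non-zero offset, the VMware backdoor probe from the listing, and the user-name strings. The byte patterns are the standard x86 encodings of the listed instructions, and the sample buffer is constructed here for the test.

```python
import re

# Standard x86 encodings of the listing on the page (constructed here from the
# opcode reference). The ebx zeroing may compile as mov ebx,0 or xor ebx,ebx,
# so the heuristic does not depend on it.
VMXH_IMM = bytes.fromhex("68584d56")        # 0x564D5868 little-endian, "VMXh"
MOV_EAX_VMXH = b"\xb8" + VMXH_IMM           # mov eax, 564D5868h
MOV_EDX_VX = bytes.fromhex("ba58560000")    # mov edx, 5658h (port "VX")
IN_EAX_DX = b"\xed"                         # in eax, dx
SANDBOX_USERS = [b"sandbox", b"honey", b"vmware", b"currentuser", b"nepenthes"]

def find_embedded_mz(data: bytes) -> list[int]:
    """Offsets of MZ headers whose e_lfanew really points at a PE signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits

def find_vmware_backdoor(data: bytes, window: int = 32) -> list[int]:
    """Offsets of 'mov eax, VMXh' followed within `window` bytes by
    'mov edx, 5658h' and then 'in eax, dx': the VMware backdoor probe."""
    hits = []
    for m in re.finditer(re.escape(MOV_EAX_VMXH), data):
        chunk = data[m.end():m.end() + window]
        pos = chunk.find(MOV_EDX_VX)
        if pos != -1 and IN_EAX_DX in chunk[pos + len(MOV_EDX_VX):]:
            hits.append(m.start())
    return hits

def find_sandbox_usernames(data: bytes) -> list[bytes]:
    """Analysis-environment user names the sample compares against."""
    low = data.lower()
    return [s for s in SANDBOX_USERS if s in low]

def build_sample() -> bytes:
    """Constructed test input: a fake .pif with a tiny executable at 0x200
    (the real file embeds it at 0x20000, too large to inline here)."""
    pe = bytearray(b"MZ" + b"\0" * 0x3A)             # DOS header up to e_lfanew
    pe += (0x40).to_bytes(4, "little") + b"PE\0\0"   # e_lfanew -> PE signature
    pe += bytes.fromhex("b8 68 58 4d 56  33 db  b9 0a 00 00 00"
                        "ba 58 56 00 00  ed  81 fb 68 58 4d 56")
    pe += b"\0sandbox\0nepenthes\0Microsoft Genuine Logon\0"
    return b"\x90" * 0x200 + bytes(pe)

if __name__ == "__main__":
    print(find_embedded_mz(build_sample()), find_vmware_backdoor(build_sample()),
          find_sandbox_usernames(build_sample()))
```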

msnmsg.exe

The new file's entry point begins at 0x00401000, unlike its creator's. This is essentially an IRC bot that listens for commands from the nick domain @nsa.gov. Its capabilities include downloading new files over HTTP as well as spreading through MSN. The messages it sends include:

  • Hey :-), I just took this picture, sexy isnt it :-P?
  • What do you think of my photo editing skills?
  • Which one do you like in this pic, the black one or the blue one?
  • This is what happens when you eat to many chips :-P
  • Look what i made out of cans!! haah :-P!
  • :-p this was halarious at that party a while back
  • Hey I have a new pic, what do ya think?
  • Check this out this pic is so freaking cool
  • Hahahaha, do you remember this picture?
  • :-O Check this out! Nearly laughed my ass off!!
  • hey wats up.. have you seen this pic of harry potter?

The library used is proxy friendly (calls such as HttpOpenRequestA and FtpGetFileA), and the User-Agent header is simply Mozilla/4.0 (compatible). It does not appear at this stage that spreading is automated, but the bot does report back to the requestor the number of contacts the worm was sent to:

MSN worm sent to : x contacts

Other dropped files include pic.zip, created in %windir% with IMG34814.pif inside the archive. A few batch files are also created to tidy the machine up against detection of its presence, running commands such as net stop Security Center and disabling the VNC service. For persistence, a registry entry is added to the Run key under the value name ' Microsoft Genuine Logon' so that it is executed at startup.

More commands understood by the bot:

  • login
  • l
  • logout
  • lo
  • rm
  • download
  • update
  • gone
  • rmzerm3b1tch
  • threads
  • t
  • r.getfile
  • r.new
  • r.update
  • r.upd4te
  • msnstart
  • msnstop
  • msn

> Posted by Karma on Friday, 3 August 2007
