Haxdoor is Not a Microsoft Patch
by Jose Nazario

The Haxdoor malcode family is not an official Microsoft patch. Users who get mails that look like the one below should know that they are not updates, not from Microsoft, and not anything but malicious software, despite the “PGP Signature”. Microsoft does not distribute patches as e-mail attachments, and a signature block pasted into a message body that nobody can verify proves nothing about who sent it.
That file - KB589770.exe - has these characteristics:
MD5: 1ffcb1ea024c228ade6d8dad681c6ed7
SHA1: f665f9a30e72d3d5f994993a6a7649d98b5a2686
File type: application/x-ms-dos-executable
File size: 33398 bytes
Should be easy to stop with a simple block on the SMTP gateway: reject the attachment by name (KB589770.exe), by hash, or simply drop any executable attachment that claims to come from Microsoft. It’s also UPX packed, so the hashes above are of the packed file as it arrives in the mail, not of the unpacked image.
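A worked version of that gateway filter, added here as an example and not code from the original post: it parses a raw message, hashes every attachment against the values above, flags executables named like a Microsoft KB patch, and, as a policy assumption the post does not state, rejects any executable attachment whose sender claims to be microsoft.com. The sample message, its sender address, subject and dummy MZ attachment are all constructed; the attachment is not the real sample, so only the name and sender rules fire on it.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hashes and size of KB589770.exe as given in the post.
HAXDOOR_MD5 = "1ffcb1ea024c228ade6d8dad681c6ed7"
HAXDOOR_SHA1 = "f665f9a30e72d3d5f994993a6a7649d98b5a2686"
HAXDOOR_SIZE = 33398

# Attachment names that imitate Microsoft's KBnnnnnn patch naming scheme.
KB_EXE_RE = re.compile(r"^kb\d+\.(exe|scr|pif|com)$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _looks_executable(name: str, data: bytes) -> bool:
    # Look at the content as well: renaming KB589770.exe to .txt keeps the MZ header.
    return name.lower().endswith(EXEC_EXTS) or data[:2] == b"MZ"


def attachment_verdicts(raw_message: bytes) -> list:
    """Return [(filename, reason), ...] for every attachment the gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    claims_microsoft = sender.lower().endswith("@microsoft.com")
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if (len(data) == HAXDOOR_SIZE
                and hashlib.md5(data).hexdigest() == HAXDOOR_MD5
                and hashlib.sha1(data).hexdigest() == HAXDOOR_SHA1):
            reasons.append("known Haxdoor sample (MD5 and SHA1 match)")
        if KB_EXE_RE.match(name):
            reasons.append("executable named like a Microsoft KB patch")
        if claims_microsoft and _looks_executable(name, data):
            # Policy assumption (not from the post): Microsoft does not ship updates
            # as mail attachments, so an executable from microsoft.com is forged.
            reasons.append("executable attachment from a forged microsoft.com sender")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def should_block(raw_message: bytes) -> bool:
    return bool(attachment_verdicts(raw_message))


def build_sample_message(attach_fake_patch: bool = True) -> bytes:
    """Constructed test message; the attachment is a dummy MZ stub, not the real sample."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <update@microsoft.com>"  # forged sender, constructed
    msg["To"] = "user@example.com"
    msg["Subject"] = "Cumulative Security Update KB589770"
    msg.set_content("Install the attached update.\n"
                    "-----BEGIN PGP SIGNATURE-----\n(fake)\n-----END PGP SIGNATURE-----\n")
    if attach_fake_patch:
        msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                           subtype="x-ms-dos-executable", filename="KB589770.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in attachment_verdicts(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

The hash rule alone is brittle: repacking the sample with a different UPX build changes both digests. The name rule and the sender rule are what catch the next variant of the same campaign.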
This variant does the following:
- Drops the following files:
gzipmod.dll
vbagz.sys
C:\WINDOWS\system32\k86.bin
It then uses rundll32.exe to launch gzipmod.dll, calling its exported entry point function gzipmod.
- Changes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = [REG_EXPAND_SZ, value: gzipmod.dll]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = gzipmod
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod "" = D1C4A2F35C8104F76
- It then drops the following files:
C:\WINDOWS\system32\vbagz.sys
C:\WINDOWS\system32\tremir.bin
It also deletes C:\Documents and Settings\All Users\Start Menu\Programs\Startup\newrnj.exe
- Changes some more registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache "" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vbagz.sys "" = Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vbagz.sys "" = Driver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "" = C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32
This file, vbagz.sys, is the driver file behind the fake “VBA PnP Driver” service. The two SafeBoot entries are what let the driver load even when the box is booted into Safe Mode (minimal or with networking), so rebooting to Safe Mode to clean up does not keep it out. The AuthorizedApplications entry adds a Windows Firewall exception for rundll32.exe, the process hosting gzipmod.dll, so the host firewall will not stop the call-outs below.
- It then calls out to two websites:
http://social-bos.biz/jerken2/data.php?trackid=70617....
http://ulm-haafeulm-haa.com/blotch/0610.bin
That “trackid” parameter may vary by installation and has been truncated here.
At this point the malcode is mostly done and the user is hosed: a kernel driver that survives Safe Mode, a DLL loaded into winlogon.exe through the Notify hook at every logon, and a firewall hole for the call-outs. Wipe and reinstall rather than trust a cleanup on a box like this.
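A host-side check for the persistence entries listed above, added here as an example and not part of the original post: it parses a text export of the registry (the .reg format regedit produces) and flags the Winlogon Notify package, the SafeBoot whitelisting of vbagz.sys and the rundll32 firewall exception, plus any value that points at one of the dropped files. It matches any ControlSetNNN or CurrentControlSet rather than only ControlSet001. The sample export is constructed; the value names under Winlogon\Notify\gzipmod (DLLName, Startup, Asynchronous, Impersonate) are assumed, since the post does not preserve them, and the Run key entry is a benign decoy.

```python
import re

# Files the post lists as dropped; any registry value pointing at one is suspicious.
IOC_FILES = {"gzipmod.dll", "vbagz.sys", "k86.bin", "tremir.bin"}

# Constructed .reg export in regedit "Export" format. The value names under
# Winlogon\Notify\gzipmod are assumed; the post does not preserve them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DLLName"="gzipmod.dll"
"Startup"="gzipmod"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vbagz.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\vbagz.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"""


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} for a .reg export (strings and dwords)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else _unquote(name)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"'):
            data = _unquote(data)
        keys[current][name] = data  # hex(...) blobs are kept raw
    return keys


def scan(keys: dict) -> list:
    """Return [(key_path, reason)] for every Haxdoor persistence indicator found."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if "\\winlogon\\notify\\gzipmod" in p:
            findings.append((path, "Winlogon Notify package: gzipmod.dll loads into winlogon.exe at every logon"))
        if re.search(r"\\safeboot\\(minimal|network)\\vbagz\.sys$", p):
            findings.append((path, "vbagz.sys is whitelisted to load in Safe Mode"))
        if p.endswith("\\firewallpolicy\\standardprofile\\authorizedapplications\\list"):
            for data in values.values():
                if isinstance(data, str) and re.search(r"rundll32\.exe:\*:enabled", data, re.IGNORECASE):
                    findings.append((path, "Windows Firewall exception for rundll32.exe: " + data))
        for name, data in values.items():
            if isinstance(data, str) and data.lower().rsplit("\\", 1)[-1] in IOC_FILES:
                findings.append((path, f"value {name!r} points at dropped file {data}"))
    return findings


def scan_reg_text(text: str) -> list:
    return scan(parse_reg(text))


if __name__ == "__main__":
    for path, reason in scan_reg_text(SAMPLE_REG):
        print(f"{path}\n    {reason}")
```

regedit writes exports as UTF-16 LE with a byte-order mark, so read a real file with `open(path, encoding="utf-16")` before handing the text to `scan_reg_text`. Run it against an export of HKLM\SOFTWARE and HKLM\SYSTEM taken from the suspect box, not from the live hive the rootkit driver is filtering.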
Even with a fake PGP signature, this one is junk. Don’t fall for it. It was started last week to coincide with the MS patch Tuesday (today).

[...] coincide with the release of the latest set of updates from the software giant yesterday. Known as Haxdoor, the malware arrives in an email designed to look like an official communication from Microsoft, [...]