Rootkits, Downloaders, and Natalie Portman

Got a round of these in my inbox this morning. These are EXEs being spammed out in e-mail messages to get you to install malware. The names of Hollywood stars used in the emails include Nicole Kidman, Angelina Jolie, and Natalie Portman.

Here’s a sample email:

Subject: Pictures


1 Shown 5 lines Text (charset: ISO-8859-1)

2 19 KB Application


Good evening, man!

Shocking pictures of nude Nicole Kidman. See it in your attachment.


[ Part 2, Application/ZIP 26KB. ]

[ Cannot display this part. Press “V” then “S” to save in a file. ]

The attachment, “”, contains “shocking.exe”. Analyzing the malware reveals that it installs a rootkit via a hooked TCP/IP driver:

Object-Type: IRP-hook

Object-Name: DriverTcpip->IRP_MJ_DEVICE_CONTROL

Object-Path: \??\C:\WINDOWS\System32\drivers\runtime.sys

Once executed, shocking.exe will delete itself. It will also use Internet Explorer to download files from the following IP addresses (all on TCP port 80):,,,, and It downloads a binary that appears to be used in spamming. It will also install a registry key, \Registry\Machine\System\CurrentControlSet\Services\ip6fw, as one of the means to ensure it runs.

ip6fw rootkit

Detection is weak at this point.

Complete scanning result of “shocking.exe”, processed in VirusTotal at 08/02/2007 15:27:56 (CET).

[ file data ]

* name: shocking.exe

* size: 20992

* md5.: c0c2b29e1bdf9e4b1dcd6be02858c399

* sha1: 3e1f327881d3c9a5d27fff1069860225b5b2c81c

[ scan result ]

AhnLab-V3 2007.8.3.0/20070802 found nothing
AntiVir found nothing
Authentium 4.93.8/20070802 found nothing
Avast 4.7.1029.0/20070802 found nothing
AVG found nothing
BitDefender 7.2/20070802 found nothing
CAT-QuickHeal 9.00/20070801 found nothing
ClamAV 0.91/20070802 found [Trojan.Downloader-12155]
DrWeb 4.33/20070802 found [Trojan.DownLoader.29243]
eSafe found nothing
eTrust-Vet 31.1.5026/20070802 found [Win32/Cutwail!generic]
Ewido 4.0/20070801 found nothing
F-Prot found nothing
F-Secure 6.70.13030.0/20070802 found nothing
FileAdvisor 1/20070802 found nothing
Fortinet found nothing
Ikarus T3.1.1.8/20070802 found [Win32.Outbreak]
Kaspersky found nothing
McAfee 5088/20070801 found nothing
Microsoft 1.2704/20070802 found nothing
NOD32v2 2432/20070802 found nothing
Norman 5.80.02/20070802 found nothing
Panda found nothing
Rising found nothing
Sophos 4.19.0/20070801 found nothing
Sunbelt 2.2.907.0/20070802 found nothing
Symantec 10/20070802 found nothing
TheHacker found nothing
VBA32 found nothing
VirusBuster 4.3.26:9/20070802 found nothing
Webwasher-Gateway 6.0.1/20070802 found nothing
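A host-side triage check for the persistence indicators described in the analysis above, written here as an added example rather than anything from the original post. It assumes the service key and driver path as given in the analysis, takes the shocking.exe hashes from the VirusTotal listing, and needs PowerShell 4.0 or later for Get-FileHash; because ip6fw is also the name of the legitimate IPv6 firewall driver on Windows XP, the check looks at where the service's ImagePath points rather than at whether the key exists.

```powershell
# Added example (not from the original post): triage a Windows host for the
# persistence indicators described in the analysis above.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ip6fw'
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\runtime.sys'
# Hashes of shocking.exe as listed in the VirusTotal result on this page.
$KnownMd5   = 'c0c2b29e1bdf9e4b1dcd6be02858c399'
$KnownSha1  = '3e1f327881d3c9a5d27fff1069860225b5b2c81c'

$findings = @()

# 1. The service key. On Windows XP 'ip6fw' is also the legitimate IPv6
#    firewall driver, so inspect the ImagePath instead of the key's presence.
$svc = Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath) {
    if ($svc.ImagePath -match 'runtime\.sys$') {
        $findings += "ip6fw service ImagePath points to runtime.sys: $($svc.ImagePath)"
    } elseif ($svc.ImagePath -notmatch 'ip6fw\.sys$') {
        $findings += "ip6fw service has an unexpected ImagePath: $($svc.ImagePath)"
    }
}

# 2. The hooking driver dropped on disk.
if (Test-Path -LiteralPath $DriverPath) {
    $findings += "driver present: $DriverPath"
}

# 3. Any surviving copy of the dropper, matched by hash rather than file name
#    (it deletes itself, but temp folders may still hold the extracted EXE).
Get-ChildItem -Path $env:TEMP -Filter '*.exe' -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $md5  = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
    if ($md5 -eq $KnownMd5 -or $sha1 -eq $KnownSha1) {
        $findings += "dropper hash match: $($_.FullName)"
    }
  }

if ($findings.Count -eq 0) { 'no indicators from this campaign found' }
else { $findings | ForEach-Object { "INDICATOR: $_" } }
```

An IRP hook itself is not visible from PowerShell; a hit on the service key or driver path is the cue to pull the box for kernel-level inspection.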
