antivirus2010, userinit and then some more
There is a new rogue variant making rounds going by the name Antivirus2010. The malware copies itself to the System32 directory with a name similar to commonly used Windows file present in same directory.
If looked through naked eye, there seems to exist two userinit.exe though one has a unique icon and the other doesn’t. We traversed through the System32 directory in command prompt and the non-english character in the malicious userinit.exe came out quite easily.
The malware registers itself as a service to start automatically with Windows.
On execution, the malware extracts and builds PE file on memory with the name lz32.dll, and makes a remote connection to download another dll component.
Remote address connections established are
Analysing the HTML file, in the INSTALL.HTML we can notice a url which is currently inactive. Incidentally the IP in the url is the same one that the malware uses to download malicious file.
The front end of the IP if visited presents a website with adult content.
Looking the registry modification we found some more informations about the rogue product and we decided to do some more research.
A simple dns information on hxxp://www.webtopbilling.com revealed
Domain Name: WEBTOPBILLING.COM
Nick Besmark (firstname.lastname@example.org)
P.O. Box 2494
Creation Date: 04-May-2010
Expiration Date: 04-May-2011
Domain servers in listed order:
Not specifically suspicious about an website registered by someone residing in Mahe, Seychelles and which currently gives a 403 Forbidden message. We then looked at unitedplatform.com and the first thing we noticed about it is that we actually land at domaincontext.com which is a domain registrar website.
But we didn’t want to leave unitedplatform.com yet, and we stumbled upon http://www.malwareurl.com/ns_listing.php?ns=ns2.unitedplatform.com. The malware domains listed there shows more than one instance of malicious activity and maybe coincidence again that all are recently created domains. There maybe a distant connection we can assume, which proves again the inter-relationship between various rogue security products and exploits in the web. It is more than a billion dollar industry out there, but we are always more than a step ahead from them.
Fake Facebook worm spreading through Yahoo, IRC