new variant of the VBS/Inor trojan

Discussion in 'Windows Desktop Systems' started by tdinc, Jul 15, 2004.

  1. tdinc

    The browser will prompt the users whether they want to perform actions such as writing and executing files. This is a multi-stage attack; several scripts/programs used in the attack are known malware specimens, and are likely to be recognized by up-to-date anti-virus software.

    1. The victim receives an HTML-based unsolicited e-mail message, which contains an IFRAME link that retrieves link.html from the malicious site.

    2. The link.html page downloads the link.php page from the same site via the following HTML code snippet: '<object data="link.php">'. Contents of the link.php file are obfuscated using Windows Script Encoder. Most anti-virus tools recognize the manually-decoded version of link.php as VBS/Inor; however, they do not presently recognize the encoded version of link.php as malicious code.

    3. The link.php file contains VBScript code that attempts to create a small executable on the victim's system in c:\x.exe using 'CreateObject("Scripting.FileSystemObject")'. The x.exe file is embedded into link.php as a string of binary digits. Most anti-virus tools recognize x.exe as malware, using names such as "TrojanDownloader.Win32.Small.ar" (Kaspersky) and "Proxy-Hino.dldr" (McAfee).

    4. The link.php file uses x.exe to retrieve ss.exe from the malicious site, which x.exe launches. Kaspersky recognizes ss.exe as "Trojan.Win32.Genme.a". Several other anti-virus tools that I tried did not recognize ss.exe as malicious code. Among other actions, ss.exe connects to the originating server to "register" the infected system with the index.php script via URI such as 'index.php?Client='. I have not had a chance to analyze ss.exe,
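Added example (my own triage script, not code from the post above or from the ISC analysis it quotes): a small static scanner for the indicators that thread describes, run over constructed stand-ins for the three stages. It flags the remote IFRAME in the mail, the `<object data="...">` loader in link.html, the Windows Script Encoder start marker `#@~^` (so an encoded link.php is caught even when AV does not decode it), `CreateObject("Scripting.FileSystemObject")`, and any quoted string of binary digits that reassembles to an MZ header, which is how the post says x.exe is carried inline. The sample HTML/VBScript, the host `example.invalid` and the sample payload bytes are all constructed; the real link.php is not reproduced.

```python
"""Static triage for a staged HTML/VBScript dropper of the kind described above."""
import hashlib
import re
from dataclasses import dataclass, field

# Indicator patterns (assumptions based on the post's description, not on the real files).
IFRAME_RE = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
OBJECT_RE = re.compile(r'<object[^>]*\sdata\s*=\s*["\']?([^"\'\s>]+)', re.I)
CREATEOBJ_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.I)
BITSTRING_RE = re.compile(r'"([01]{16,})"')          # quoted run of binary digits
CONT_RE = re.compile(r'"\s*&\s*_\s*"')              # VBScript line continuation "..." & _ "..."
SCRENC_MARKER = "#@~^"                              # Windows Script Encoder output starts with this

# Constructed samples standing in for the three stages (NOT the real malicious files).
SAMPLE_MAIL = ('<html><body>Invoice attached.'
               '<iframe src="http://example.invalid/link.html" width="0" height="0">'
               '</iframe></body></html>')
SAMPLE_LINK_HTML = '<html><body><object data="link.php"></object></body></html>'
SAMPLE_LINK_PHP = (
    '<script language="VBScript">\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.CreateTextFile("c:\\x.exe", True)\n'
    'bits = "0100110101011010" & _\n'   # constructed: "MZ" ...
    '       "1001000000000000" & _\n'   # ... 0x90 0x00 ...
    '       "0000001100000000"\n'       # ... 0x03 0x00 (a few DOS-header bytes, nothing more)
    'f.Write bits\n'
    'f.Close\n'
    '</script>\n'
)


@dataclass
class Findings:
    iframes: list = field(default_factory=list)     # IFRAME src values
    objects: list = field(default_factory=list)     # <object data=...> targets
    com_objects: list = field(default_factory=list) # ProgIDs passed to CreateObject
    script_encoded: bool = False                    # Windows Script Encoder marker seen
    carved: list = field(default_factory=list)      # (sha256, bytes) of embedded MZ payloads


def bits_to_bytes(bits: str) -> bytes:
    """Reassemble a string of '0'/'1' characters into bytes, dropping a trailing partial byte."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def is_remote(url: str) -> bool:
    """True when a loader target points at another host rather than a relative path."""
    return url.lower().startswith(("http://", "https://"))


def triage(text: str) -> Findings:
    """Scan one stage (mail body, HTML page or script) and collect the indicators."""
    f = Findings()
    f.iframes = IFRAME_RE.findall(text)
    f.objects = OBJECT_RE.findall(text)
    f.com_objects = CREATEOBJ_RE.findall(text)
    f.script_encoded = SCRENC_MARKER in text
    joined = CONT_RE.sub("", text)           # glue "..." & _ "..." fragments back together
    for bits in BITSTRING_RE.findall(joined):
        blob = bits_to_bytes(bits)
        if blob.startswith(b"MZ"):           # DOS header magic: an executable carried inline
            f.carved.append((hashlib.sha256(blob).hexdigest(), blob))
    return f


if __name__ == "__main__":
    for name, stage in (("mail", SAMPLE_MAIL), ("link.html", SAMPLE_LINK_HTML),
                        ("link.php", SAMPLE_LINK_PHP)):
        r = triage(stage)
        print(name, "iframes:", [u for u in r.iframes if is_remote(u)], "objects:", r.objects,
              "COM:", r.com_objects, "encoded:", r.script_encoded,
              "carved:", [(h[:12], b[:4]) for h, b in r.carved])
```

The carved bytes are what you would hand to a scanner or hash against the names quoted above; an encoded link.php would show `encoded: True` with no carved payload until it is decoded, which is the gap in AV coverage the post points at.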