New TDSS variants install plenty of software

We analyzed a recent TDSS sample and noticed that, during the infection, it installed a large amount of additional software and backdoors on the infected system. Besides the rogue security software, this time named Antivirus Scan, it also installed FLVTube Player, Sweetim Pack, Vista Cookies Collector, OfferBox, DataMngr, SweetIE, SweetIM and Fun4IM. TDSS installing FLVTube Player is nothing new, but this is the first time we have seen it install all the other Instant Messenger related software as well.

Image

One of the first programs installed by TDSS is named Antivirus Scan; it is another rogue security software that scares the user with false security alerts and falsely detected files.

Image

Network traffic:

GET /percer.php?login=ODQuMA== HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: afantispy .com
 
GET /check?pgid=8 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: afantispy .com

FLVTube Player is downloaded from:

GET /FLV/FLVTubePlayerSetup.exe HTTP/1.1
Host: download.feelviatubbo .biz

Image

Image

This POST query:

POST / HTTP/1.0
Host: gbsup .com

Generated a MySQL connection error, which revealed the server-side script path:

C:\Documents and Settings\kjjdhhht\My Documents\Programs\apache\htdocs\cyserv\includes\functions.php

Fake security alerts:

Image

Rootkit activity:

Image

Kernel driver is located at:

C:\WINDOWS\system32\drivers\zeljqasas.sys

Image

Rootkit detections:

Engine          Date        Version     Detection
a-squared       19/12/2010  5.0.0.20    Gen.Variant.Taterf!IK
Avira AntiVir   19/12/2010  7.6.0.59    TR/Crypt.ZPACK.Gen
BitDefender     19/12/2010  7.0.0.2555  Gen:Variant.Taterf.21
Ikarus T3       19/12/2010  1001084     Gen.Variant.Taterf

AppInit_DLLs:

Image

Files in Temp Folder:

Image

OfferBox installed files:

Image

Fun4IM installed files:

Image

Searchqu MediaBar installed files:

Image

Drvmsdll46 folder content:

Image

Regedit is disabled:

Image

Ring3 Hooks:

Image

Hosts file is hijacked:

Image
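The post only shows a screenshot of the hijacked hosts file, so here is an added example (not the post's own code) of the check an analyst would run over such a file: it parses hosts-file text, flags any entry that touches a watched domain, and flags any name mapped to an address outside loopback or RFC 1918 space. The sample hosts file, the 203.0.113.x addresses and the `.test` domain names are constructed for the example; the WATCHED_DOMAINS set is an assumption standing in for whatever vendor update sites, banks or search engines a real environment cares about.

```python
"""Flag hijacked entries in a Windows hosts file (added example, constructed data)."""
import ipaddress
import re

# Address ranges a hosts file may legitimately point names at: loopback, the
# 0.0.0.0 blackhole used by ad-block lists, and RFC 1918 LANs. Anything else is
# treated as "remote" (assumption; tune per site).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "0.0.0.0/32",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Names a hosts file should never override on a managed host (assumed list).
WATCHED_DOMAINS = {
    "www.example-av.test",
    "update.example-av.test",
    "www.example-search.test",
}

# Constructed sample, not the screenshot from the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.test
203.0.113.5     www.example-av.test            # vendor site sent to a foreign host
127.0.0.1       update.example-av.test         # vendor updates blackholed
203.0.113.5     www.example-search.test
203.0.113.9     www.some-other-site.test       # not watched, but remote
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+", line)
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower()


def is_local(addr):
    """True if addr parses and lies inside one of LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: report it rather than trust it
    return any(ip in net for net in LOCAL_NETS)


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for every suspicious entry."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            findings.append((addr, name, "watched domain overridden"))
        elif not is_local(addr):
            findings.append((addr, name, "name mapped to remote address"))
    return findings


if __name__ == "__main__":
    for addr, name, reason in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<28} {reason}")
```

On a live host the same function can be fed the contents of `%SystemRoot%\System32\drivers\etc\hosts`; entries for watched domains are reported even when they point at loopback, because blackholing a vendor's update server is exactly the pattern that leaves the rogue antivirus undisturbed.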

HKCU Run:

Image

HKLM Run:

Image

Running processes:

Image

From this last image of running processes we can see that Internet Explorer (IEXPLORE.EXE) is running: it was launched by one of the active malware components to open various porn-related web pages, in particular:

Image

Image

There is also an unstable executable that keeps running:

Image

System hijacks:

Value: DisableRegistryTools
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Value: DisableSR
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
 
Value: LowRiskFileTypes
Data: .exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
 
Value: ShowSuperHidden
Data: 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
Value: FirstRunDisabled
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
 
Value: Enabled
Data: 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
 
Value: CheckExeSignatures
Data: no
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
 
Value: RunInvalidSignatures
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
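The eight registry changes listed above are all rollbacks of Windows and Internet Explorer protections, so they make a compact detection baseline. The following is an added example, not code from the post: it turns that list into an indicator table and checks a snapshot of registry values against it. The snapshot used when run off-Windows is constructed from the values in the post; on Windows the optional `winreg` reader collects the same values from the live registry. The "clean" snapshot and its data are assumptions chosen to show what is not flagged.

```python
"""Detect the registry hardening rollbacks made by this TDSS sample.

Added example. INDICATORS reproduces the Value/Data/Key triples listed in the
post; the snapshots are constructed so the check runs offline.
"""
import sys

HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"

# (hive, subkey, value name, data the malware wrote)  -- taken from the post.
INDICATORS = [
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "1"),
    (HKLM, r"Software\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", "1"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", ".exe"),
    # ShowSuperHidden=0 is also the Windows default, so on its own it is weak evidence.
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"),
    (HKLM, r"Software\Microsoft\Security Center", "FirstRunDisabled", "1"),
    (HKCU, r"Software\Microsoft\Internet Explorer\PhishingFilter", "Enabled", "0"),
    (HKCU, r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (HKCU, r"Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures", "1"),
]

# Constructed snapshot reproducing the infected host from the post:
# {(hive, subkey): {value name: data}}
INFECTED_SNAPSHOT = {}
for _hive, _subkey, _name, _data in INDICATORS:
    INFECTED_SNAPSHOT.setdefault((_hive, _subkey), {})[_name] = _data

# Constructed snapshot of a host whose protections are intact (assumed values).
CLEAN_SNAPSHOT = {
    (HKCU, r"Software\Microsoft\Internet Explorer\PhishingFilter"): {"Enabled": "1"},
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"): {"ShowSuperHidden": "1"},
    (HKCU, r"Software\Microsoft\Internet Explorer\Download"): {
        "CheckExeSignatures": "yes", "RunInvalidSignatures": "0"},
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations"): {
        "LowRiskFileTypes": ".txt;.jpg"},
}


def matches(name, observed, indicator):
    """Compare an observed value with the indicator; LowRiskFileTypes is a ';' list."""
    obs, ind = str(observed).strip().lower(), indicator.lower()
    if name == "LowRiskFileTypes":
        return ind in [p.strip() for p in obs.split(";")]
    return obs == ind


def find_hijacks(snapshot):
    """Return (key path, value name, data) for each indicator present in the snapshot."""
    findings = []
    for hive, subkey, name, bad in INDICATORS:
        values = snapshot.get((hive, subkey), {})
        if name in values and matches(name, values[name], bad):
            findings.append((f"{hive}\\{subkey}", name, values[name]))
    return findings


def read_live_snapshot():
    """Collect the indicator values from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows
    hives = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for hive, subkey, name, _ in INDICATORS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _type = winreg.QueryValueEx(key, name)
        except OSError:
            continue  # key or value absent: nothing to report
        snap.setdefault((hive, subkey), {})[name] = str(data)
    return snap


if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for key, name, data in find_hijacks(snapshot):
        print(f"{key}\\{name} = {data}")
```

Each reported triple identifies the protection that was switched off (registry editor, System Restore, the Security Center first-run check, IE's phishing filter and signature checks, the low-risk file type list), which is what needs to be restored after the rootkit itself has been removed.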

Browser Helper Objects:

Value: juaw98rajewifhausihuggdd
Data: C:\WINDOWS\system32\fha6whi4fx.dll
CLSID: {B1B220C1-A503-59BD-F413-02B53A2C8954}
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

TCP connections during analysis:

afantispy .com – 93.158.114.164
sy2.perfectexe .com – 222.170.127.203
config.perfectexe .com – 122.224.6.48
perfectexe.com – –
026ac50bb7a03a66 .net – 109.196.143.72
gbsup .com – 204.45.118.202
justnewleft .ru – 91.217.162.97
flvtube .net – 174.137.179.7
vmnatf .com – 95.211.108.162
loudmo.go2jump .org – 69.89.87.59
download.feelviatubbo .biz – 74.206.252.108
feelviatubbo .biz – 174.137.179.7

Strange network traffic:

POST /+10740.html HTTP/1.1
CB2: 1
User-Agent: Mozilla
Host: 92.115.96.123
 
HTTP/1.0 200 OK
 
YES