Author Topic: Worm/Win32.Brontok.gen undetected by Avast  (Read 6545 times)


Offline Secondmineboy

Worm/Win32.Brontok.gen undetected by Avast
« on: December 09, 2013, 11:22:51 PM »
This is a very nasty worm. After boot-up it displays a message (screenshot).

File is detected on Virustotal but not here in my VM: https://www.virustotal.com/de/file/6ad08f344e5825e864fa39dd307b8543bf836b38c39a25d38636129d4e2523e3/analysis/

After a restart I got a message from the MS-DOS 16-bit subsystem (screenshot 2).

Regedit and Task Manager get killed immediately after opening.

Malwr: https://malwr.com/analysis/MzkwMjMwMjZmZjYyNDNlZWJjOTczYmQ2MmEwNTRiM2I/
« Last Edit: December 09, 2013, 11:30:44 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #1 on: December 09, 2013, 11:31:36 PM »
Here's a screenshot of the MS-DOS error message.

Offline polonus

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #2 on: December 09, 2013, 11:39:03 PM »
Hi Steven Winderlich,

The file detection is one month old, maybe the malcode now is dead, has been closed down or is no longer available.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #3 on: December 09, 2013, 11:42:12 PM »
Could be so.

I got this from today's VirusSign samples.

Here is a fresh scan: https://www.virustotal.com/de/file/6ad08f344e5825e864fa39dd307b8543bf836b38c39a25d38636129d4e2523e3/analysis/1386628830/

First submission was 4 months ago.

I don't have .NET or anything installed; maybe that's why it crashes. It's just a blank Windows 7.

Offline polonus

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #4 on: December 10, 2013, 12:25:37 AM »
Hi Steven Winderlich,

Yep, you are right, analyzed here for all of us at: https://malwr.com/analysis/MzkwMjMwMjZmZjYyNDNlZWJjOTczYmQ2MmEwNTRiM2I/
Complicated UPX detection, because of
Quote
{u'size_of_data': u'0x00000000', u'virtual_address': u'0x00001000', u'entropy': 0.0, u'name': u'UPX0', u'virtual_size': u'0x00023000'}
UPX detections always come FP-prone.
Checking the section names of the executable (UPX changes them to UPX0, UPX1, UPX2) is an unreliable method, because
Quote
The sections of some (packed/encrypted) images are renamed to "standard"/"traditional" section names. The names of the sections are never "interpreted" by the loader. The names of the sections are sometimes even missing (aka removed) by some tools.
Quote credit goes to Stack Overflow's mox, and the second quote credit goes to Stack Overflow's Willi Ballenthin ->
Quote
Running additional packers or obfuscators may further modify the section names; however, by default, the UPX packer will change the section names described above.
* So a valid detection always hangs in the balance, so to say [* note by me, pol]

But more likely to be malicious, because of:
Quote
installs itself for Autorun at Windows startup 
last quote from Malwr analysis results.

polonus
« Last Edit: December 10, 2013, 12:35:06 AM by polonus »
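polonus's point that section names are not a dependable packer signal can be shown with a few lines of PE parsing. The block below is an added example, not Malwr's or any scanner's code: it builds two constructed images with the same section layout as the quoted dump (an empty UPX0 at 0x1000 with virtual size 0x23000, followed by a high-entropy section), one with the UPX names and one renamed to "traditional" names, and shows that the name check flips while a per-section entropy check (7.0 bits per byte, an assumed cut-off for compressed or encrypted content) does not.

```python
"""Why section names are a weak packer indicator: parse the PE section table and
compare a name-based UPX check with a per-section entropy check.
Added example: the two images below are constructed in-line (minimal headers,
not loadable, not real samples)."""
import math
import struct
from collections import Counter

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section, as in the Malwr dump."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) for every section header."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize,
               image[raw_ptr:raw_ptr + raw_size])


def section_report(image: bytes):
    """Per-section records in the same shape as the Malwr output quoted above."""
    return [{"name": name, "virtual_address": f"0x{vaddr:08x}", "virtual_size": f"0x{vsize:08x}",
             "size_of_data": f"0x{len(raw):08x}", "entropy": round(entropy(raw), 2)}
            for name, vaddr, vsize, raw in sections(image)]


def looks_upx_by_name(image: bytes) -> bool:
    """The fragile check: trusts the UPX0/UPX1 names, which any tool can rewrite."""
    return any(name.startswith("UPX") for name, *_ in sections(image))


def looks_packed_by_entropy(image: bytes, threshold: float = 7.0) -> bool:
    """Name-independent check: some section with data is near-random
    (the threshold is an assumed heuristic cut-off, not a published constant)."""
    return any(entropy(raw) >= threshold for *_, raw in sections(image))


def build_pe(section_specs):
    """Constructed minimal PE: DOS header, PE signature, COFF header, zeroed 224-byte
    optional header, section table, then raw data at file alignment 0x200."""
    opt_size, n = 224, len(section_specs)
    headers_end = 0x40 + 4 + 20 + opt_size + n * SECTION_HEADER.size
    raw_base = (headers_end + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    table, blobs, vaddr = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in section_specs:
        raw_ptr = raw_base + len(blobs) if raw else 0
        table += SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, vaddr,
                                     len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(raw_base, b"\0") + bytes(blobs)


# Constructed section contents: HIGH is maximally random-looking (entropy 8.0), LOW is not.
HIGH = bytes(range(256)) * 16
LOW = b"MZ\x90\x00" * 1024
# Same layout as the quoted dump (empty UPX0 at 0x1000, virtual size 0x23000) ...
UPX_NAMED = build_pe([("UPX0", 0x23000, b""), ("UPX1", 0x8000, HIGH), (".rsrc", 0x1000, LOW)])
# ... and the same image after a tool has renamed the sections to "traditional" names.
RENAMED = build_pe([(".text", 0x23000, b""), (".data", 0x8000, HIGH), (".rsrc", 0x1000, LOW)])

if __name__ == "__main__":
    for label, img in (("UPX-named", UPX_NAMED), ("renamed", RENAMED)):
        print(label, "name check:", looks_upx_by_name(img),
              "entropy check:", looks_packed_by_entropy(img))
        for rec in section_report(img):
            print("  ", rec)
```

The first record of `section_report(UPX_NAMED)` reproduces the quoted dump (size 0, entropy 0.0, virtual size 0x23000); the renamed image passes the name check untouched but its high-entropy section is still caught, which is the point polonus and the quoted Stack Overflow answers make.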

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #5 on: December 10, 2013, 12:29:57 AM »
I can check again with .NET, Java and Flash installed tomorrow.

All undetected files are reported to Avast.

Offline magna86

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #6 on: December 10, 2013, 12:30:43 AM »
Can you send samples to me as well?

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #7 on: December 10, 2013, 12:32:55 AM »
Yep. Just PM me a mail address or something where I can send them to you.

Offline polonus

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #8 on: December 10, 2013, 12:36:54 AM »
Hi Steven Winderlich and magna86,

Thanks for helping towards detection, analyzing and eventual cleansing. Great job, folks,

Damian

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #9 on: December 10, 2013, 12:39:03 AM »
Uploaded the files in a password-protected 7-Zip archive.

Can send you a download link if you want.

Offline magna86

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #10 on: December 10, 2013, 01:00:56 AM »
Thanks for samples. I shall test it as well.  ;)

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #11 on: December 10, 2013, 01:01:58 AM »
Not on your real system please. ;)

Offline Michael (alan1998)

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #12 on: December 10, 2013, 02:17:42 AM »
Send me a PM as well, would like to test stuff as well. Thanks
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #13 on: December 10, 2013, 06:47:26 PM »
@Steven Winderlich
You there have a sample for the latest ZeroAccess variant, you know.  :)

And are you guys interested in my analysis?   :P

This variant of malware creates the following processes:

C:\Windows\SysWOW64\shell.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe
C:\Windows\tiwi.exe
C:\Windows\SysWOW64\IExplorer.exe
C:\Users\Magna\Local Settings\Application Data\WINDOWS\winlogon.exe


The malware uses more than one loading point:
I have not written the full registry paths; whoever knows how to work with regedit will also know how to find the full path of the mentioned keys in the registry.

Under the 32-bit Winlogon key, in the Userinit and Shell values, the malware uses the legitimate userinit.exe and Explorer.exe to load the malicious file C:\Windows\system32\IExplorer.exe.
Under the HKCU\...\Run key the malware sets a tiwi value, and the loaded file is tiwi.exe in the Windows directory.
Under the HKCU\...\Run key the malware sets an MSMSGS value, and the loaded file is winlogon.exe in the C:\Users\Magna\Local Settings\Application Data\WINDOWS directory.

Under the 32-bit HKLM\...\Run key it creates a Logon<username> value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe to load.
In the same key as above it creates a System Monitoring value pointing to the malicious file C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe.
And in the AlternateShell value it creates the entry for running C:\Windows\tiwi.exe. This, I think, allows the malware to load in Safe Mode.


The malware sets the following policies (in the registry) on the system in order to protect itself from being detected:
disableregistrytools
DisableTaskMgr
NoDispSettingsPage
NoFolderOptions
NoTrayContextMenu
NoFind
NoSetFolders
NoRun


Malware creates the following files:
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\Windows\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 __RSH C:\tiwi.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\tiwi.scr
2013-12-10 17:34 - 2013-12-10 17:37 - 00087040 ____N C:\Windows\SysWOW64\IExplorer.exe
2013-12-10 17:34 - 2013-12-10 17:37 - 00000729 ____N C:\present.txt
2013-12-10 17:34 - 2013-12-10 17:37 - 00000000 _RSHD C:\Users\Magna\AppData\Local\WINDOWS
2013-12-10 17:34 - 2013-12-10 17:36 - 00087040 ____N C:\Windows\SysWOW64\shell.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Tiwi_Cute.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00087040 ____N C:\Data_Rahasia Magna.exe
2013-12-10 17:34 - 2013-12-10 17:34 - 00000000 ____D C:\Users\Magna\Desktop\Brontok&Samples
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\winlogon.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\tiwi.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\smss.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\imoet.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\IExplorer.exe
2013-12-10 17:34 - 2013-12-05 14:26 - 00087040 _____ C:\Users\Magna\AppData\Local\cute.exe
2013-12-10 17:37 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Registration
2013-12-10 17:36 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
« Last Edit: December 10, 2013, 06:52:18 PM by magna86 »
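magna86's list (Winlogon Userinit/Shell, the Run keys, SafeBoot AlternateShell, the lockdown policy values) is, in effect, a checklist for a registry audit. The script below is an added example and not magna86's tooling or anything from the thread: it runs over a constructed snapshot built from the paths in the post (profile name kept as given) and assumes the standard full key paths for Policies, SafeBoot and Wow6432Node, which the post abbreviates. The last rule cross-references autostart points, which is what makes tiwi.exe (Run plus AlternateShell) and IExplorer.exe (Userinit plus Shell) stand out even where a single entry looks innocuous.

```python
"""Audit a registry snapshot for the autostart and lockdown indicators magna86 lists.
Added example, not magna86's tooling: SNAPSHOT is constructed from the paths in the post
(profile name kept as given); the Policies, SafeBoot and Wow6432Node key paths are the
standard Windows locations, which the post only abbreviates."""
import re
from collections import defaultdict

# Programs that belong in the Winlogon Userinit / Shell values; anything else chained
# there runs at every logon.
WINLOGON_EXPECTED = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}
# Names of core Windows binaries; a Run entry launching one of these from outside the
# system directories is a look-alike (the post's winlogon.exe and smss.exe copies).
SYSTEM_NAMES = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "userinit.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
LOCKDOWN_POLICIES = {p.lower() for p in ("DisableRegistryTools", "DisableTaskMgr",
                     "NoDispSettingsPage", "NoFolderOptions", "NoTrayContextMenu",
                     "NoFind", "NoSetFolders", "NoRun")}
EXE_RE = re.compile(r'\s*"?(.+?\.(?:exe|scr|com|bat))\b', re.I)

SNAPSHOT = {  # constructed: what the values on an infected profile could look like
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe",
        "Shell": r"Explorer.exe,C:\Windows\system32\IExplorer.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "tiwi": r"C:\Windows\tiwi.exe",
        "MSMSGS": r"C:\Users\Magna\Local Settings\Application Data\WINDOWS\winlogon.exe",
        "OneDrive": r"C:\Users\Magna\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run": {
        "LogonMagna": r"C:\Users\Magna\Local Settings\Application Data\WINDOWS\imoet.exe",
        "System Monitoring": r"C:\Users\Magna\Local Settings\Application Data\WINDOWS\cute.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot": {"AlternateShell": r"C:\Windows\tiwi.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoDispSettingsPage": 1, "NoFolderOptions": 1, "NoTrayContextMenu": 1,
        "NoFind": 1, "NoSetFolders": 1, "NoRun": 1},
}


def executables(data):
    """Executable paths referenced by a value (comma lists, quoted paths, trailing args)."""
    return [m.group(1).strip() for m in map(EXE_RE.match, str(data).split(",")) if m]


def split_path(path):
    """(directory, file name), both lower-cased, Windows separators."""
    p = path.replace("/", "\\").lower()
    return tuple(p.rsplit("\\", 1)) if "\\" in p else ("", p)


def fake_windows_dir(path):
    """A folder named WINDOWS that is not the real one directly under the drive root."""
    return "windows" in path.replace("/", "\\").lower().split("\\")[2:]


def audit(snapshot):
    """Return human-readable findings for the snapshot; an empty list means nothing matched."""
    findings = []
    wired = defaultdict(set)        # file name -> autostart points that reference it
    for key, values in snapshot.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        is_policy = "\\policies\\" in key.lower()
        for name, data in values.items():
            lname = name.lower()
            if leaf == "winlogon" and lname in WINLOGON_EXPECTED:
                for exe in executables(data):
                    wired[split_path(exe)[1]].add(f"Winlogon\\{name}")
                    if split_path(exe)[1] not in WINLOGON_EXPECTED[lname]:
                        findings.append(f"Winlogon {name} chains an extra program: {exe}")
            elif leaf == "run" and not is_policy:
                for exe in executables(data):
                    d, f = split_path(exe)
                    wired[f].add(f"Run\\{name}")
                    if f in SYSTEM_NAMES and d not in SYSTEM_DIRS:
                        findings.append(f"Run value '{name}' launches a system-binary look-alike: {exe}")
                    elif fake_windows_dir(exe):
                        findings.append(f"Run value '{name}' launches from a fake WINDOWS folder: {exe}")
            elif leaf == "safeboot" and lname == "alternateshell":
                for exe in executables(data):
                    wired[split_path(exe)[1]].add("SafeBoot\\AlternateShell")
                if split_path(str(data))[1] != "cmd.exe":
                    findings.append(f"SafeBoot AlternateShell replaced (Safe Mode persistence): {data}")
            elif is_policy and lname in LOCKDOWN_POLICIES and int(data) != 0:
                findings.append(f"Lockdown policy {name}={data} under {key}")
    for f, points in wired.items():
        if len(points) > 1:
            findings.append(f"{f} is wired into {len(points)} autostart points: {', '.join(sorted(points))}")
    return findings


if __name__ == "__main__":
    for line in audit(SNAPSHOT):
        print(line)
```

To use it on a real machine, fill the snapshot dict from a `reg export` or a `winreg` read of the same keys (both the native and Wow6432Node views, as the post notes the 32-bit keys are the ones hit); the OneDrive entry in the constructed data is there to show that an ordinary per-user Run value is not flagged.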

Offline Secondmineboy

Re: Worm/Win32.Brontok.gen undetected by Avast
« Reply #14 on: December 10, 2013, 06:49:42 PM »
Yep.

The VM is completely messed up. Unusable.

Today 3 of the files I sent you a download link for were detected.

This Brontok worm is still undetected.