Author Topic: win32:morto.p  (Read 16265 times)


zebracomputers

  • Guest
Re: win32:morto.p
« Reply #15 on: August 04, 2012, 12:40:50 AM »
@polonus and anyone else that is interested:
I just submitted the infected file to Virustotal, with the following results:
https://www.virustotal.com/file/59daa8b0c29595975f78ea531e2e9acd68d18dff9a27f19cca06c7dcc88fd744/analysis/1344033225/

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: win32:morto.p
« Reply #16 on: August 04, 2012, 01:37:19 AM »
seems to be new......

First seen by VirusTotal
2012-08-03 22:33:45 UTC ( 1 time, 2 minutter ago )
Sigcheck
publisher................: Adobe Systems Incorporated
product..................: Adobe PDF Broker Process for Internet Explorer
internal name............: AcroBroker.exe
copyright................: Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved.
original name............: AcroBroker.exe
file version.............: 9.0.0.2008061200
description..............: Adobe PDF Broker Process for Internet Explorer
« Last Edit: August 04, 2012, 01:40:08 AM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: win32:morto.p [SOLVED]
« Reply #17 on: August 04, 2012, 01:53:47 AM »
Hi Pondus,

Acrobroker.exe is developed by Adobe Systems Incorporated. It’s a system and hidden file. Acrobroker.exe is usually located in the %PROGRAM_FILES% sub-folder and its usual size is 279,952 bytes.
Well, here the executable is treated as generally safe: http://www.computer-support.nl/Systeemtaken/taakinfo/21678/AcroBroker.exe/
but then it should be in the C:\Windows\System32 folder. As malicious it is related to spyware. From the VT results I see that avast detects this now as
Win32:Morto-R [Trj]. Well, in that case we have detection. I think this played an important role initially to flag it: Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%) (also flagged in uTorrent). But in this case the executable has been remotely infected by a file-infector that turns the running executable into Win32:Morto-R [Trj] malware. Read a description of the malware here: http://www.infosecurity-magazine.com/view/27277/ (link author = Edgardo Diaz Jr. from Microsoft Malware Protection Center)

polonus
« Last Edit: August 04, 2012, 02:09:29 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: win32:morto.p
« Reply #18 on: August 04, 2012, 01:59:06 AM »
Virus:Win32/Morto.A
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A


So according to the info here, this is a file infector that injects code into valid executables,
so I guess that is why it shows on the VT scan with that Adobe sigcheck?
« Last Edit: August 04, 2012, 02:04:31 AM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: win32:morto.p
« Reply #19 on: August 04, 2012, 02:02:52 AM »
Hi zebracomputers,

Can you check this executable against this free software, Agics Hashscan, and give back the results? Link to download here: http://www.backgroundtask.eu/Software/AHC/Setup.exe (to see if the original Acrobroker.exe has been resource engineered into a Fraudtool by malcreants)?
See info on new file-infector that turned this executable into this new malware:
http://www.infosecurity-magazine.com/view/27277/ (link article author = Microsoft Malware Protection Center's Edgardo Diaz Jr. )

polonus
« Last Edit: August 04, 2012, 02:11:45 AM by polonus »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: win32:morto.p
« Reply #20 on: August 04, 2012, 02:27:49 AM »
Hi all, what also seems interesting is that this variant uses an anti-debugging technique. It tries to detect a debugger via the IsDebuggerPresent function.

[[KERNEL32.dll]]
GetCurrentThreadId, InterlockedIncrement, InterlockedDecrement, SetEvent, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, LoadLibraryExW, WideCharToMultiByte, GetFileSize, CreateFileW, GetFileAttributesW, SetEndOfFile, ReadFile, WriteFile, DeleteFileW, GetLongPathNameW, RemoveDirectoryW, CreateDirectoryW, GetModuleHandleW, FindClose, FindFirstFileW, SetFileAttributesW, CopyFileW, FindNextFileW, LocalFree, LocalAlloc, GetProcAddress, lstrlenA, GetTempPathW, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, CreateEventW, CreateThread, Sleep, GetModuleFileNameW, GetUserDefaultLCID, LoadLibraryW, lstrcmpiW, WaitForSingleObject, CloseHandle, FreeLibrary, GetLastError, DeleteCriticalSection, InitializeCriticalSection, RaiseException, SetFilePointer, lstrlenW, GetStartupInfoW, InterlockedCompareExchange, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, GetSystemTimeAsFileTime, GetFullPathNameW, GetDriveTypeW, SwitchToThread, LeaveCriticalSection, EnterCriticalSection, TlsSetValue, CreateSemaphoreA, TlsAlloc, TlsGetValue, TlsFree
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: win32:morto.p
« Reply #21 on: August 04, 2012, 04:19:47 PM »
Found this analysis in the Google cache: http://webcache.googleusercontent.com/search?q=cache:pR_ce8hxPRAJ:xml.ssdsandbox.net/view/98a8d4b8e3ee85b1e045ea9a4b7868f8+Global%5C_PPIftSvc&cd=8&hl=nl&ct=clnk&gl=nl
So a heap file creates scmpreload. The dropper is: _isdel.ini (temp); wmicuclt.exe (is worm Morto created). This is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers -> Get File Attributes: %SystemRoot%\system32\wmicuclt.exe Flags: (SECURITY_ANONYMOUS). Mutexes:

Quote: "Like earlier memory resident viruses, Morto's payload and infection routine is executed in the context of other processes (svchost.exe (here) and/or lsass.exe – the target of process injection). To avoid multiple injections in the same process (or running multiple copies of the virus), a mutex called "Global\_PPIftSvc" is created"
(Quote taken from the Spykiller, article author = Jeong Wook (Matt) Oh, MMPC.)

Randomized \PIPE\lsarpc executable deleter and setup boot, Open Service Manager - Name: "SCM" used in generic trojans,
UDP connections on port 53 for 8.8.4.4, 208.67.222.12, 205.171.3.65. The IP 205.171.3.65 is also a known IP for a Zlob downloader.

polonus

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #22 on: August 04, 2012, 11:32:07 PM »
Keep in mind that this is just one of approximately 144 infected executables on this system.
This file infector will infect any running process, unless the path includes certain variables, such as Windows or Outlook etc., as in the documentation.
So to disinfect this one, registry entries and the running process need to be killed/removed, then a scan with something that will detect it. So far AVAST just quarantines the infected files, while Eset will actually move the infected file to quarantine, disinfect it and leave the original executable in place.
Most of the machines we cleaned up with AVAST had to have the missing executables replaced with clean ones to restore program function.
BTW, the hash tool crashed on my Windows 7 Pro 32 bit machine.  Will try again.
Bottom line, this is a nasty bugger!
Thanks again to all for interest and help.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: win32:morto.p
« Reply #23 on: August 05, 2012, 06:37:13 PM »
Hi all, this is indeed a file infector, but it's weak, just weak compared to other file infectors we've seen.
Morto is just a "standard" project, packed by UPX etc. Nothing customized, pretty typical.
https://www.virustotal.com/file/25db59c54887b1c74c896c1298188535f15b8f6a2f1a982ee5bad8d4026716c2/analysis/

Name        Virtual address  Virtual size  Raw size  Entropy  MD5
UPX0                   4096         49152         0     0.00  d41d8cd98f00b204e9800998ecf8427e
UPX1                  53248         24576     23040     7.87  953f4a69dedc3b84917a631dbae840db

Also found packed by Armadillo
https://www.virustotal.com/file/10849e13ccc8d3c958ac408084f47da2f1283b2a0e84458d13893733f797d85f/analysis/
PEiD packer identifier
Armadillo v1.xx - v2.xx
More UPX here :
https://www.virustotal.com/file/f632bb539c9c11f46b90de8cd9a9a805bbfef8b22830340f45825953a5851489/analysis/
Opened mutexes...
Global\_PPIftSvc  confirms our friend Polonus
Also :
TCP connections...
198.40.53.4:80
59.188.25.20:80

UDP communications...
8.8.4.4:53
<MACHINE_DNS_SERVER>:53
208.67.222.123:53
Another sample here,found unpacked :
https://www.virustotal.com/file/042e1c3f189dd281705349b75647138ec87cb05fe3da2496ad4357a16e89c742/analysis/
Note that it uses the function SetWindowsHookEx. Unfortunately, I don't know what parameters are used so I can't tell its purpose; dynamic would help but I am too bored at the moment. In most cases it is used to monitor keyboard, keylogger activities.

205.171.3.65 was not only connected to Zlob, but also Google redirects and possibly TDSS infections.

Regards,
Philip
« Last Edit: August 05, 2012, 06:38:55 PM by Left123 »
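The two observations Left123 makes above, the IsDebuggerPresent import and the UPX0/UPX1 section pair with a zero raw size and a 7.87-entropy neighbour, can be turned into a small static triage script. This is an added example, not code from the thread or from any analysis tool mentioned in it; the section rows are constructed from the figures quoted in the post, and the import buckets are this example's own assumption.

```python
import hashlib
import math
from collections import Counter

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of zero bytes, as seen on UPX0

# Constructed rows modelled on the VirusTotal section listing quoted in the post:
# (name, virtual address, virtual size, raw size, entropy, MD5 of raw bytes).
SAMPLE_SECTIONS = [
    ("UPX0", 4096, 49152, 0, 0.00, "d41d8cd98f00b204e9800998ecf8427e"),
    ("UPX1", 53248, 24576, 23040, 7.87, "953f4a69dedc3b84917a631dbae840db"),
]

# Triage buckets are this example's own grouping (assumption), not a vendor list.
API_GROUPS = {
    "anti-debug": {"IsDebuggerPresent"},
    "file enumeration/copy": {"FindFirstFileW", "FindNextFileW", "CopyFileW"},
    "resource loading": {"FindResourceW", "LoadResource", "SizeofResource"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_hints(sections, high=7.0):
    """Return (empty section, packed section) pairs showing a packer stub layout:
    a section with no raw bytes (MD5 equal to the empty digest) followed by a
    section whose raw bytes are near-random (entropy at or above `high`)."""
    hints = []
    for (name, _va, _vsize, raw, _ent, md5), nxt in zip(sections, sections[1:]):
        if raw == 0 and md5 == EMPTY_MD5 and nxt[4] >= high:
            hints.append((name, nxt[0]))
    return hints


def triage_imports(import_line: str):
    """Split a comma-separated import list, as pasted from an analysis report,
    and report which triage buckets it hits and with which API names."""
    names = {n.strip() for n in import_line.split(",") if n.strip()}
    return {group: sorted(names & apis)
            for group, apis in API_GROUPS.items() if names & apis}


if __name__ == "__main__":
    print(packer_hints(SAMPLE_SECTIONS))
    print(triage_imports("GetTickCount, IsDebuggerPresent, CopyFileW, Sleep"))
```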

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: win32:morto.p
« Reply #24 on: August 05, 2012, 09:14:29 PM »
Hi Left123,

This tool might come in handy to cleanse this file infector: http://support.kaspersky.com/viruses/solutions?qid=208287055
This is a special utility for curing an active Worm.Win32.Fipp.a infection.

Good I found this analysis via Google cache: http://webcache.googleusercontent.com/search?q=cache:t12riY-TPI4J:xml.ssdsandbox.net/view/2abea6b604122425c7fb17a5ef92a660+2abea6b604122425c7fb17a5ef92a660&cd=2&hl=nl&ct=clnk&gl=nl

After visiting the site, the script modified our PIPE\lsarpc Windows file and created a Mutex for itself.
The file rasacd.sys is a device driver. It is included as part of the standard Windows file set from Microsoft.
While infecting host system: When the malware runs for the first time, it searches for %system32%\wmicuclt.exe and %system32%\wscript.exe.
Host IP address: 59.188.25.20
And through this analysis and that IP, Left123, we will land here: http://minotauranalysis.com/search.aspx?q=7ee000408df8594c0c3f1293125dadf5
OK, Quod erat demonstrandum ... malware family characteristics of:
Win32/Morto
TR/Dropper.Gen
Win32:Morto-R [Trj]
Win32/Serpip
Win32.Morto.A
W32.Fipp.A
W32.Virus.Morto
Heur.Suspicious
Win32.Morto.1
W32/Morto.H.gen!Eldorado
Virus.Win32.Heur
Worm.Win32.Fipp.a
W32/Pift
Heuristic.LooksLike.Win32.SuspiciousPE.F
Virus:Win32/Morto.A
W32/Morto.SPZ
W32/Morto.D
Win32.Cisig.a
W32/Fipp-A
W32.Morto.B
PE_MUSTAN.A
BScope.Trojan.SvcHorse.01643
Win32.Fipp.A
Virus.Win32.Heur!IK
Virus
Virus.Win32.Morto.a (v)

pol