On December 17, 2008, Microsoft released security update MS08-078 to patch a vulnerability found in several versions of Microsoft Internet Explorer. The root cause of this vulnerability was found to be the incorrect handling of certain XML tags in Internet Explorer, which references already-freed memory in mshtml.dll. Attacks using this vector are already covered by our existing Snort rules for CVE-2008-4844.

An example of a payload downloaded through this vulnerability is a file called explore.exe. This executable is surreptitiously pushed to a victim's computer via an exploit that was at one time hosted at http://wieyou.com (most exploits are taken down within hours). The file is packed with UPX to make it more difficult to analyze. Dynamic analysis in a controlled environment yielded the information below:

Upon execution, explore.exe creates many services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HBKernel32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsDlRK250
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsPsDk00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsPsDk01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsPsDk02
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsPsDk03
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NsPsDk04
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b1a18a3e
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b71fe93
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\f28907d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmpobj

It is worth noting that the services NsPsDk0{1..4} point to %system%\NsPsDk0{1..4}.sys, which are rootkits. These rootkits create %system%\appmgmts.dll, a Trojan capable of disabling a wide range of security software.

Appmgmts.dll modifies the hosts file. The hosts file, usually found in %System%\drivers\etc, supplements DNS by mapping host names to IP addresses. The large number of .cn domains and computer-security-related websites being redirected to 127.0.0.1 leads us to believe that this sample is trying to prevent users (mainly Chinese-speaking users) from reaching websites that could help them remediate the infection.
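The redirect pattern described above is easy to triage offline. The following Python script is an added example, not code from the original analysis: it parses a hosts file, reports every hostname other than localhost that has been pointed at a loopback or null-route address, and breaks the result down by top-level domain and by a small keyword list of security-vendor terms. The sample hosts file and the keyword list are constructed for this example; the hostnames are placeholders, not the ones from the real sample.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts file, modelled on the redirects described above.
# Hostnames are placeholders (example TLDs), not those from the real sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       security-vendor.example.cn   # constructed
127.0.0.1       antivirus-help.example.cn    # constructed
127.0.0.1       av-update.example.com        # constructed
0.0.0.0         forum.example.cn             # constructed
192.0.2.10      cdn.example.com              # constructed, legitimate-looking override
"""

# Loopback / null-route targets that make a hostname unreachable.
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Tokens typical of security-vendor and remediation sites (assumed list; extend as needed).
SECURITY_KEYWORDS = ("antivir", "av-", "security", "virus", "kaspersky", "mcafee", "360safe")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address, ignore the line
        for host in parts[1:]:  # one line may carry several aliases
            entries.append((ip, host.lower()))
    return entries


def find_sinkholed_hosts(text):
    """Return entries that point a non-localhost name at a sinkhole address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if ip in SINKHOLE_TARGETS
            and host not in ("localhost", "localhost.localdomain")]


def summarize(text):
    """Count sinkholed hosts per TLD and list the ones matching security keywords."""
    sinkholed = find_sinkholed_hosts(text)
    tlds = Counter(host.rsplit(".", 1)[-1] for _, host in sinkholed)
    security_related = [host for _, host in sinkholed
                        if any(k in host for k in SECURITY_KEYWORDS)]
    return {
        "sinkholed": len(sinkholed),
        "by_tld": dict(tlds),
        "security_related": security_related,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_HOSTS)
    print(f"{result['sinkholed']} hostnames sinkholed; per TLD: {result['by_tld']}")
    for host in result["security_related"]:
        print("  security-related redirect:", host)
```

On a real system, read %System%\drivers\etc\hosts (or a copy taken from the infected disk) into the text argument; a large count of .cn entries combined with vendor-name matches is the signature of the behaviour described in this post.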

Pic.1: Hijacked hosts file

With appmgmts.dll, the person behind this executable takes advantage of a rarely used registry key to make sure that malicious code is run when other files are invoked. The registry key in question is HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. The original purpose of this registry key is to allow a user to specify a debugger that will be launched when a program is run. For example, in order to call WinDBG and have WinDBG load Windows Media Player every time Windows Media Player is executed, the following key can be added to the registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe
"Debugger"="C:\Program Files\Debugging Tools for Windows (x86)\windbg.exe"

The "debugger" specified in all of the numerous "Image File Execution Options" registry keys is "svchost.exe". Having the workstation run svchost.exe instead of the requested executable effectively prevents the desired program from running, since svchost.exe will not in turn call the desired program. Here's a subset of the programs that are disabled through the use of this registry key:

Pic.2: Some programs disabled by malware

Some notable programs are:

360safe.exe
zonealarm.exe
regedit.exe
norton.exe
kav32.exe
kavstart.exe
f-prot95.exe
F-PROT.exe
antivir.exe
BLACKICE.exe
mcafee.exe

Explore.exe loads the module appwinproc.dll into the address space of other processes, with the goal of making sure that McAfee and NOD32 antivirus software are disabled:

Pic.3: Appwinproc.dll hooks into other processes

An online game password stealer is also set to run at system startup, as shown by the following registry key that was created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run
"HBService32"="System.exe"

System.exe is located in %System%. Two browser helper objects (BHO) are installed as well:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72C7B634-DEB3-48BD-90C1-6BBBFE171C75}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}

By referring to the keys below, we can see that these two BHOs are malware:

HKLM\SOFTWARE\Classes\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32
@="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\OFFICE\\USERDATA\\webbrowser_2234.dll"

HKLM\SOFTWARE\Classes\CLSID\{72C7B634-DEB3-48BD-90C1-6BBBFE171C75}\InprocServer32
@="C:\\Program Files\\Internet Explorer\\JetnNt64.987"

Webbrowser_2234.dll is a Trojan designed to artificially click on advertisements on certain websites in order to generate traffic and revenue for those sites. JetnNt64.987 is yet another online game password stealer.
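Both the Image File Execution Options abuse and the BHO registrations above can be checked from a registry export without touching the live machine. The following Python script is an added example, not code from the original analysis: it parses `reg export`-style text, flags every IFEO "Debugger" value that does not name a known debugger (which catches the svchost.exe trick), and resolves each registered BHO CLSID to the in-process server it loads, marking servers with a non-DLL extension or living under data directories. The export text is constructed here from the keys quoted in this post plus the wmplayer.exe WinDBG example; the debugger allowlist and the suspicious-path heuristics are assumptions for the example.

```python
import re

# Constructed .reg export built from the keys quoted in this post; the
# regedit.exe and 360safe.exe IFEO entries illustrate the svchost.exe trick.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x86)\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72C7B634-DEB3-48BD-90C1-6BBBFE171C75}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C7B634-DEB3-48BD-90C1-6BBBFE171C75}\InprocServer32]
@="C:\\Program Files\\Internet Explorer\\JetnNt64.987"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAB6C1A0-F3A4-4DAC-A922-F82E601E73A8}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\OFFICE\\USERDATA\\webbrowser_2234.dll"
'''

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Assumed allowlist: binaries that legitimately appear as an IFEO debugger.
KNOWN_DEBUGGERS = ("windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "devenv.exe")


def unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_data(data):
    """Decode quoted REG_SZ data; other types (dword:, hex:) are kept verbatim."""
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    return data


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = decode_data(m.group(3))
    return keys


def audit_ifeo(keys):
    """Return (image, debugger) for IFEO Debugger values not naming a known debugger."""
    findings = []
    for path, values in keys.items():
        parent, _, image = path.rpartition("\\")
        if parent.lower() != IFEO.lower() or "Debugger" not in values:
            continue
        debugger = values["Debugger"]
        # First path-free token ending in .exe is the debugger binary name.
        m = re.search(r'([^\\/"]+\.exe)', debugger, re.IGNORECASE)
        exe = m.group(1).lower() if m else ""
        if exe not in KNOWN_DEBUGGERS:
            findings.append((image, debugger))
    return findings


def is_suspicious_server(path):
    """Heuristics: unresolved CLSID, non-DLL extension, or data/temp directories."""
    if path is None:
        return True
    lower = path.lower()
    if not lower.endswith((".dll", ".ocx")):
        return True
    return any(d in lower for d in ("\\application data\\", "\\temp\\", "\\appdata\\"))


def resolve_bhos(keys):
    """Map each registered BHO CLSID to its InprocServer32 path with a suspicion flag."""
    results = []
    for path in keys:
        parent, _, clsid = path.rpartition("\\")
        if parent.lower() != BHO.lower():
            continue
        server_key = f"{CLSID}\\{clsid}\\InprocServer32".lower()
        server = next((v.get("") for k, v in keys.items() if k.lower() == server_key), None)
        results.append((clsid, server, is_suspicious_server(server)))
    return results


if __name__ == "__main__":
    parsed = parse_reg_export(REG_SAMPLE)
    for image, dbg in audit_ifeo(parsed):
        print(f"IFEO hijack: {image} -> {dbg}")
    for clsid, server, flagged in resolve_bhos(parsed):
        print(f"BHO {clsid} -> {server} {'SUSPICIOUS' if flagged else ''}")
```

To use it against a real host, export the three hive paths with `reg export` (or pull them from an offline SOFTWARE hive) and feed the concatenated text to parse_reg_export; any Debugger value pointing at svchost.exe, and any BHO whose server is not a DLL under Program Files or the system directory, is worth a closer look.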

The online music discovery service Yiqilai is also installed on the infected system.

Pic.4: Yiqilai Music Assistant

The "Yiqilai Music Assistant" is a Windows Media Player plugin used for matching song lyrics. Yiqilai is being forced onto the infected user's machine through dubious tactics. This is evidenced by the following registry entries found on the target system:

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7DBC6ADB-5788-4FB9-AEC3-B40A58AC11DF}

HKLM\SOFTWARE\Yiqilai\Lyrics
"fid"="2001"
"foobar"="C:\\Program Files\\foobar2000\\components\\foo_ui_yqllyrics.dll"
"instdir"="C:\\Program Files\\Yiqilai"
"kmplayer"="C:\\Program Files\\The KMPlayer\\PlugIns"
"realplayer"="C:\\Program Files\\Common Files\\Real\\visualizations\\RealYQLyrics.rpv"
"winamp"="C:\\Program Files\\winamp\\Plugins"

The original malware, explore.exe, was installed through a vulnerability in Microsoft Internet Explorer 7, using an exploit hosted at http://wieyou.com. The exploit was removed fairly rapidly (most of these exploits have a TTL of less than 3 hours). Over the course of this analysis, more than 40 files were downloaded and executed on the infected host. Most of the files were pulled from the following URLs:

count.realuu.com
www-17173.com
u3.www-pconline.com
loader.51edm.net
login.webbrowser.51edm.net
www.126.com

As usual, extreme caution is needed if visiting these sites.

ClamAV has released updated DAT files to detect the Trojans mentioned above:

File                  Detection
NsPsDk0{1..4}.sys     Trojan.Rootkit-117{2..6}
Appmgmts.dll          Trojan.KillAV-229
System.exe            Trojan.Starter-12
webbrowser_2234.dll   Trojan.Clicker-2908
JetnNt64.987          Trojan.OnlineGames-1537

The VRT is monitoring this evolving situation and is updating ClamAV signatures as new payloads are discovered in the wild.