BannerPortlet

Blogs

Recently, computer networks of Korea banks and broadcasters have been attacked till paralyzed. The virus has been analyzed and evaluated, by Bkav experts, under technical perspective, to be a purely destructive one.

After infecting victim computers, the virus’ duty is to extract different modules to the computers:

   

The files generated by the original malware and put into folder %temp% include: alg.exe, comine.exe, ~pr1.tmp and AgentBase.exe.

AgentBase.exe, the file which does the main task, aims to destroy Master Boot Record (MBR) by overwriting series of strings such as: PRINCPES, HASTATI, PR!NCPES to 0x200 bytes of BMR and hard-disk or USB drives on victim computers.

Searching for PhysicalDrive to overwrite data

The overwriting data are strings fixed in the file

Before destroying MBR, the virus kills processes of security programs:

+ "taskkill /F /IM pasvc.exe" : AhnLab Policy Agent - pasvc.exe

+ "taskkill /F /IM clisvc.exe" : Hauri ViRobot - clisvc.exe

After completing the destruction, it sends shutdown command to system.

shutdown -r -t 0

The two files comine.exe and alg.exe are Putty SSH client and Putty SCP client. After extracting the modules, the virus searches victim computers for configuration files of SSH client and SCP client:

  • Felix Deimel’s mRemote

     

    %sAppData\Local\Felix_Deimel\mRemote\confCons.xml on Windows XP and "%sLocal Settings\\Application Data\\Felix_Deimel\\mRemote\\confCons.xml" on Windows 7

  • VanDyke’s Secure CRT

     

    %sAppData\Roaming\VanDyke\Config\Sessions on Windows XP and "%sApplication Data\\VanDyke\\Config\\Sessions" on Windows 7

In case finding out configuration files, the virus will use 2 Putty clients to access “root” user after modifying access right to system:

"%s -batch -P %s -l %s -pw %s %s %s:/tmp/cups

"%s -batch -P %s -l %s -pw %s %s \"chmod 755 /tmp/cups;/tmp/cups\""

The virus extracts file ~pr1.tmp with the aim to destroy server systems such as SunOS, AIX, HP-UX and Linux

File ~prl.tmp will aim to detect the current-in-use operating system and then destroy it by overwriting bytes 0 into volume in AIX or HP-UX systems, delete important folders such as kernel, usr, etc, home in Linux or SunOS systems.

Pham Tuan Vu

Malware Researcher

Leave a Reply

Name (required)
Mail (hidden) (required)
Website
Text to Identify
Reload-Capcha
CAPTCHA Code *

Popup Date Time Portlet

Blogs Aggregator

Blog Category Portlet

Categories

Store Portlet

Archives

Vote Baby Portlet