I got a spam this morning with a subject line of "yahoo send you postcard" from "postcard". Of course all the alarms went off in my head, but there was no attachment and I have a nice little freeware app called PocketKnife Peek that lets you preview an email in plain text, view the html source, the headers and attachments without opening the email. (Minor rant — why doesn’t Outlook 2003 have that feature?!)
The email was simple. Note, I deactivated the link to the infected file.
Hello
You have just received a postcard from www.yahoo.com. If you’d like to see the rest of the message click here (tapshed.co.uk/~info/postcard.gif.exe) to receive your animated postcard!===================
Thank you for using our services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
==================
I was sure that postcard.gif.exe was malware and I started VMware and downloaded the file from the link. The file looks innocent enough with this icon.
I ran the file with InCtrl5 to see exactly what it did. It dropped a file svchost.exe in C:\WINDOWS\System\ — note not where the legitimate Windows file svchost.exe runs from, and it installed an IRC server in the same folder. I’ve seen lots of adware and spyware files and watched what they do, but this was my first time having an IRC server in my machine. There was plenty of activity with many connections using TCP:6667, a known port for IRC and malware. Here’s a portion of the IRC server config file:
n0=2peu.roSERVER:2peu.ro:6667GROUP:Undernet
n1=Lelystad.NL.EU.UnderNet.OrgSERVER:
Lelystad.NL.EU.UnderNet.Org:6667GROUP:Undernet
n2=Ede.NL.EU.UnderNet.OrgSERVER:
Ede.NL.EU.UnderNet.Org:6667GROUP:Undernet
n3=London.UK.Eu.UnderNet.orgSERVER:
London.UK.Eu.UnderNet.org:6667GROUP:Undernet
Apparently Undernet.org (link to whois) has been around for a long time and may be used for a lot of warez file swapping from what I’ve heard.
The installer and svchost.exe files were detected by scanners at Jotti’s online malware scan site as Parite.B and all the IRC files were detected as Backdoor.IRC.Zapchast. You can read a description of Parite.B here (Panda) and Backdoor.IRC.Zapchast here (Sophos). Neither of these are new, but there appear to be some new variants making the rounds.
What’s bad about this scenario is that most users wouldn’t have any clue that they were infected if they don’t have an anti-virus. Most of the connections completely bypassed the firewall running inside the vm. Using Task Manager to view the running processes might clue someone in if they noticed scvhost.exe running from an atypical location.
I started to run my anti-spyware scanners and got a surprise. SpywareDoctor didn’t want to open and gave an error message saying the program had been damaged and should be reinstalled. Spy Sweeper gave a similar error message and opened, but many of the options were grayed out, including the scan option. Ad-Aware and Spybot Search & Destroy both opened normally. I went back to Jotti and scanned the main executable for each app, including the two that opened normally, and they all came back infected with Parite or Parite.B! I suppose if I’d had an anti-virus running inside the vm the same thing might have happened to it.
The other question is what would happen to the machine left infected over a period of time with a backdoor and IRC server running? It might become part of a bot net and spread malware, it might be used for spamming or in a DDoS attack. It would likely have more malware installed, possibly a rootkit and maybe some adware, too. I saved a snapshot of the infected vm, so maybe I’ll find out.
The moral of this story? Don’t click on links in emails from unknown sources, or in even from known sources because the senders can be forged, unless you are sure it’s safe. I know people reading this blog already know that but apparently a lot of people don’t know or don’t care, otherwise the malware pushers wouldn’t continue sending these spams.
