Sunday, February 17, 2008

Safe Strip Related Submissions (Rogue)

Earlier today we received these 4 files from a user at
The detection is extremely low. I started to analyze these in my VM and figured they were worth mentioning because very little information was available on Google.

The reason I titled this post "Safe Strip Related Submissions" is the url I found in each of these files that takes you to the "Safe Strip" download page.

After running for about 15 minutes I finally started to get the balloon tips:

Even some pretty error messages:

And of course I can't forget my pretty new desktop background:

Oh yeah and a popup for advanced cleaner:

Hijack This entries associated with these:

O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
Virustotal Scans:
* name: winstrse.exe
* size: 13899
* md5.: ed5db9136e502a87bdc20f36c787a977

Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: comsysobj.exe
* size: 13477
* md5.: 17195c2104aee64b598aa815332bb6a4

Panda found [Adware/SpyBurner]
Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: shellexcon.exe
* size: 15479
* md5.: 3fe0e32201f34616edb7447e976df470

AntiVir found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]

* name: win32st.exe
* size: 36864 bytes
* md5.: 7dfb42300357f7b50ba763497e6c41c7

AntiVir found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]
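As an added example (not code from this post or from HijackThis/VirusTotal), here is a small Python triage script that turns the indicators above into checks: it parses HijackThis O4 lines into hive, key, value name and command, flags entries whose value name or executable matches the three Run entries listed, and classifies a file's bytes against the VirusTotal MD5s and sizes. The sample HijackThis lines and the sample file bytes at the bottom are constructed for the demonstration; the ctfmon.exe and O2 lines are not from the post and are there only to show that unrelated entries are left alone.

```python
import hashlib
import re

# Indicators transcribed from the post: VirusTotal MD5 -> (file name, size in bytes).
KNOWN_FILES = {
    "ed5db9136e502a87bdc20f36c787a977": ("winstrse.exe", 13899),
    "17195c2104aee64b598aa815332bb6a4": ("comsysobj.exe", 13477),
    "3fe0e32201f34616edb7447e976df470": ("shellexcon.exe", 15479),
    "7dfb42300357f7b50ba763497e6c41c7": ("win32st.exe", 36864),
}
KNOWN_BASENAMES = {name.lower() for name, _ in KNOWN_FILES.values()}

# Run-key value names from the HijackThis O4 entries in the post.
KNOWN_RUN_VALUES = {"SMSERIALWORKSTARTER", "SMSERIALWORKERSTART", "SMSERIALSTARTER"}

# HijackThis O4 line layout: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): '
    r'\[(?P<name>[^\]]*)\] "?(?P<path>[^"]*)"?\s*$'
)


def parse_o4(line):
    """Return a dict (hive, key, name, path) for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_o4_entries(lines):
    """Return the parsed O4 entries whose value name or executable matches the post's indicators."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        basename = entry["path"].rsplit("\\", 1)[-1].lower()
        if entry["name"] in KNOWN_RUN_VALUES or basename in KNOWN_BASENAMES:
            hits.append(entry)
    return hits


def match_file(data):
    """Classify file bytes against the VirusTotal indicators.

    Returns ("md5", name) on an exact hash match, ("size-only", name) when only the
    byte length matches (a weak triage hint, since many files share a size), or None.
    """
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_FILES:
        return ("md5", KNOWN_FILES[digest][0])
    for name, size in KNOWN_FILES.values():
        if len(data) == size:
            return ("size-only", name)
    return None


# Constructed sample HijackThis log: the three O4 entries from the post plus two
# unrelated lines (constructed, not from the post) that should not be flagged.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"',
    r'O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"',
    r'O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)',
]

if __name__ == "__main__":
    for hit in flag_o4_entries(SAMPLE_HJT_LINES):
        print("suspicious run key:", hit["hive"], hit["name"], hit["path"])
    # Constructed bytes whose length equals winstrse.exe's reported size:
    # only a size-only hint, since the MD5 will not match.
    print(match_file(b"A" * 13899))
```

The size-only match is deliberately reported as a separate, weaker verdict: file sizes are cheap to check across a whole directory, but only the MD5 (or a stronger hash) should be treated as a confirmed match.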

The files had the following URLs in the strings:

http: //
http: //

Once the files started doing their thing, a new IE window opened to a SystemErrorFixer webpage:
http: //
swp_ges&eli=3948&eaf=pp_1685211491&eu=http%3A%2F%2F Dadctmp%26clone_name%3Dswpadcex %26led%3D3948%26afr% 3Dpp_1685211491&ed=0&ex=0&h=10&cmpname=null&mt_info= 4141_0_1556
and to
https ://

Which appears to be a fake Virtual Private Network manager.

Thanks to WlkingMan for submitting these files.

Surf Safe,
