Sunday, February 17, 2008

Safe Strip Related Submissions (Rogue)

Earlier today we received these four files from a user at BleepingComputer.com. Antivirus detection of them is extremely low. I started analyzing them in my VM and figured they were worth writing up because very little information about them was available on Google.

I titled this post "Safe Strip Related Submissions" because each of these files contains a URL that leads to the "Safe Strip" download page.

After the samples had been running for about 15 minutes, the balloon tips finally started to appear:

There were some pretty error messages too:



And of course I can't forget my pretty new desktop background:

Oh yeah, and a popup for Advanced Cleaner:

HijackThis entries associated with these:

O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"
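The four entries above all land in the same autostart key, all point at bare executables dropped straight into C:\WINDOWS, and all use a variation on one value name, which is exactly the kind of pattern a small triage script can pick out of a HijackThis log. The Python below is an added example, not code from this post or from HijackThis: it parses O4 lines (the four from the post plus one SoundMan line constructed here as a benign control), expands the abbreviated "HKLM\..\Run" key to the full registry path, flags images that sit directly in the Windows root, and reports the value-name prefix the flagged entries share. The Windows-root heuristic and the benign entry are my assumptions.

```python
import os
import re
from pathlib import PureWindowsPath

# A HijackThis O4 line names an autostart entry: abbreviated hive and key,
# the registry value name in brackets, and the command line it runs.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): '
    r'\[(?P<value>[^\]]*)\] (?P<cmd>.*)$'
)

# HijackThis abbreviates the key; "HKLM\..\Run" stands for this path.
AUTORUN_ROOT = r'Software\Microsoft\Windows\CurrentVersion'

# The four entries from the post plus one constructed benign entry
# (the SoundMan line is made up here to show a non-match).
HJT_LINES = r'''
O4 - HKLM\..\Run: [SMSERIALWORKSTARTER] "C:\WINDOWS\comsysobj.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTART] "C:\WINDOWS\shellexcon.exe"
O4 - HKLM\..\Run: [SMSERIALSTARTER] "C:\WINDOWS\win32st.exe"
O4 - HKLM\..\Run: [SMSERIALWORKERSTARTER] "C:\WINDOWS\winstrse.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
'''.strip().splitlines()


def parse_o4(line):
    """Return a dict for one O4 line, or None if it is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    # The image path is the first token; it may be wrapped in quotes.
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        image = cmd[1:cmd.find('"', 1)]
    else:
        image = cmd.split(' ', 1)[0]
    return {
        'key': f"{m.group('hive')}\\{AUTORUN_ROOT}\\{m.group('key')}",
        'value': m.group('value'),
        'image': image,
    }


def is_suspicious(entry, windir=r'C:\WINDOWS'):
    """Heuristic (my assumption): a bare .exe sitting directly in the
    Windows root. Legitimate autoruns almost always point into System32
    or Program Files; an executable dropped straight into the Windows
    directory with a system-sounding name is a common rogue-software pattern.
    """
    p = PureWindowsPath(entry['image'])
    return (str(p.parent).lower() == windir.lower()
            and p.suffix.lower() == '.exe')


def triage(lines):
    """Parse O4 lines, flag the suspicious ones and report the value-name
    prefix they share (related droppers often use near-identical names)."""
    entries = [e for e in map(parse_o4, lines) if e]
    flagged = [e for e in entries if is_suspicious(e)]
    prefix = os.path.commonprefix([e['value'] for e in flagged]) if flagged else ''
    return flagged, prefix


if __name__ == '__main__':
    flagged, prefix = triage(HJT_LINES)
    for e in flagged:
        print(f"{e['key']} [{e['value']}] -> {e['image']}")
    print(f"shared value-name prefix: {prefix!r}")
```

Run against the log it flags the four SMSERIAL* entries and not the SoundMan one, and reports the shared prefix SMSERIAL; the same approach works on a full HijackThis log by feeding it every line and letting non-O4 lines fall through.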
Virustotal Scans:

* name: winstrse.exe
* size: 13899 bytes
* md5.: ed5db9136e502a87bdc20f36c787a977

Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: comsysobj.exe
* size: 13477 bytes
* md5.: 17195c2104aee64b598aa815332bb6a4

Panda 9.0.0.4/20080217 found [Adware/SpyBurner]
Webwasher-Gateway 6.6.2/20080215 found [Virus.Win32.FileInfector.gen!90 (suspicious)]

* name: shellexcon.exe
* size: 15479 bytes
* md5.: 3fe0e32201f34616edb7447e976df470

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]

* name: win32st.exe
* size: 36864 bytes
* md5.: 7dfb42300357f7b50ba763497e6c41c7

AntiVir 7.6.0.67/20080215 found [HEUR/Malware]
Webwasher-Gateway 6.6.2/20080215 found [Heuristic.Malware]


The files had the following URLs in their strings:

http: //theonlybookmark.com/in.cgi
http: //safe-strip-download.com/soft/in.cgi
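Checking a submitted file against the hashes above and pulling URLs out of its strings is a small script, and it is worth scanning UTF-16LE strings as well, since Windows binaries often store URLs that way and the Unix strings tool skips them unless told to (-e l). The Python below is an added example, not the post's or VirusTotal's code: the MD5/size table and the host list are taken from this post, while the SAMPLE buffer is constructed here as a stand-in and is not one of the real files.

```python
import hashlib
import re
from urllib.parse import urlsplit

# MD5 and size for each file, as listed in the post's VirusTotal output.
KNOWN_SAMPLES = {
    'ed5db9136e502a87bdc20f36c787a977': ('winstrse.exe', 13899),
    '17195c2104aee64b598aa815332bb6a4': ('comsysobj.exe', 13477),
    '3fe0e32201f34616edb7447e976df470': ('shellexcon.exe', 15479),
    '7dfb42300357f7b50ba763497e6c41c7': ('win32st.exe', 36864),
}

# Hosts seen in the files' strings and in the browser traffic from the post.
IOC_HOSTS = {
    'theonlybookmark.com', 'safe-strip-download.com',
    'systemerrorfixer.com', 'advancedcleaner.com', 'anonymouschannel.com',
}

# Constructed stand-in for a dropped binary (not one of the real files):
# an MZ header, binary filler, and the two URLs from the post embedded
# once as ASCII and once as UTF-16LE.
SAMPLE = (
    b'MZ\x90\x00' + bytes(range(256)) * 4
    + b'http://theonlybookmark.com/in.cgi\x00'
    + b'\xff\xfe\x13\x37' * 8
    + 'http://safe-strip-download.com/soft/in.cgi'.encode('utf-16le') + b'\x00\x00'
    + bytes(range(256)) * 4
)

MIN_LEN = 6
ASCII_RUN = re.compile(rb'[\x20-\x7e]{%d,}' % MIN_LEN)
WIDE_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % MIN_LEN)  # UTF-16LE text
URL = re.compile(r'https?://[\w.-]+(?:/[^\s"\'<>]*)?')


def strings(data):
    """Yield printable runs like the Unix `strings` tool, plus the UTF-16LE
    runs that `strings` only reports when asked with -e l."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode('ascii')
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode('utf-16le')


def extract_urls(data):
    """Distinct URLs found in the file's strings, in the order encountered."""
    found = []
    for s in strings(data):
        for u in URL.findall(s):
            if u not in found:
                found.append(u)
    return found


def ioc_hosts_hit(data):
    """Hosts from IOC_HOSTS that appear in any URL inside the file."""
    return {urlsplit(u).hostname for u in extract_urls(data)} & IOC_HOSTS


def lookup(md5, size):
    """Name the file if both its MD5 and its size match a listed sample.
    Requiring the size too guards against a mistyped hash in the list."""
    name, known_size = KNOWN_SAMPLES.get(md5, (None, None))
    return name if name and known_size == size else None


def report(data):
    """Triage summary for one file. SHA-256 is recorded alongside MD5;
    MD5 is kept only for comparison with older scan reports like these."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        'md5': md5,
        'sha256': hashlib.sha256(data).hexdigest(),
        'size': len(data),
        'known_as': lookup(md5, len(data)),
        'urls': extract_urls(data),
        'ioc_hosts': sorted(ioc_hosts_hit(data)),
    }


if __name__ == '__main__':
    for k, v in report(SAMPLE).items():
        print(f'{k}: {v}')
```

On a real submission, read the file in binary mode and pass the bytes to report(); a known_as of None with IOC hosts present is the useful case here, since it is a new dropper variant that still calls back to the same infrastructure.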



Once the files got going, a new IE window opened to a SystemErrorFixer webpage:
http: //systemerrorfixer.com/clean/?cmpname=swpges31&eai=swp_ges&eli=3948&eaf=pp_1685211491&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3Dadctmp%26clone_name%3Dswpadcex%26led%3D3948%26afr%3Dpp_1685211491&ed=0&ex=0&h=10&cmpname=null&mt_info=4141_0_1556
and to
https ://www.anonymouschannel.com/home?pin=anzf3e

The latter appears to be a fake Virtual Private Network manager.

Thanks to WlkingMan for submitting these files.


Surf Safe,
Dave
