MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 19 January 2007

When is a Damaged Malware NOT a Damaged Malware...

When it is badly named, of course. Below is a perfect example of how to cause confusion by a lack of 'joined-up-thinking' from one of the major anti-virus vendors.

Late last night I started to receive some odd e-mails. They had provocative and/or eye-catching subject lines and, when viewed, no body text at all, just an attachment. This immediately started my 'malware-sense' tingling!

What made it tingle more was that the attachment was an .EXE [Windows executable file] and I was seeing these coming from a number of random e-mail addresses, a sure sign of either a mass-mailer, or a new malware threat being spammed out via a botnet.

Oh, I had better also mention that the Bayesian filter I trained to identify malware also flagged it correctly, even though it hadn't seen this variant before.

I immediately started to take a peek inside the attachment, using a hex editor and also a number of tools I've created. Here's the detail on one of the attachments using one of my tools:

FileName: Video.exe
FileDateTime: 18/01/2007 23:00:39
Filesize: 29347
MD5: 8cb9492e06662a7b4a072cbbe03bbffe
CRC32: 714168B3
File Type: PE Executable
Packer: UPX

Hmmm... it is UPX packed, another very strong indicator of it almost certainly being malware.
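The listing above came from one of the author's own tools. The script below is an added example, not that tool, showing how the same fields are obtained: size, MD5 and CRC32 from the raw bytes, the file type from the MZ/PE headers, and the packer guess from the section names (UPX leaves UPX0/UPX1/... and usually a "UPX!" marker near the start of the file). The input it runs on by default is a constructed minimal PE image with UPX section names, not the real Video.exe; the header layout it walks (e_lfanew at 0x3C, a 20-byte COFF header, 40-byte section headers) is the standard PE format.

```python
import hashlib
import struct
import sys
import zlib

SECTION_HEADER_SIZE = 40


def build_sample_pe(section_names=(b"UPX0", b"UPX1", b".rsrc")):
    """Build a minimal PE32 image with the given section names.

    Constructed sample for this example only: the headers are valid enough
    for the parser below to walk, but there is no code in it, so it is NOT
    runnable and is NOT the real Video.exe discussed in the post.
    """
    pe_offset = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)
    dos += struct.pack("<I", pe_offset)          # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (pe_offset - len(dos))      # pad up to the PE signature
    opt_size = 224                               # size of a PE32 optional header
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic, rest zero
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * (SECTION_HEADER_SIZE - 8)
                        for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


def triage(data):
    """Return the same kind of summary as the listing in the post:
    size, MD5, CRC32, file type, packer guess and section names."""
    info = {
        "Filesize": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "CRC32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "File Type": "Unknown",
        "Packer": "-",
        "Sections": [],
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        info["File Type"] = "MZ executable (no PE header)"
        return info
    info["File Type"] = "PE Executable"
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size             # section table follows the optional header
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break                                # truncated header: stop rather than crash
        name = data[off:off + 8].rstrip(b"\x00").decode("latin-1")
        info["Sections"].append(name)
    # UPX leaves its section names (UPX0/UPX1/...) and, unless the header was
    # hand-edited, a "UPX!" marker shortly after the section table.
    if any(s.startswith("UPX") for s in info["Sections"]) or b"UPX!" in data[:1024]:
        info["Packer"] = "UPX"
    return info


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print("%s: %s" % (key, value))
```

Run it with a path to get a report on a real sample, or with no argument to see the constructed one. Note that a packed file is only a hint: plenty of legitimate software ships UPX-packed, and malware authors routinely rename the sections or strip the marker, so treat "Packer: UPX" as a reason to unpack and look further, not as a verdict.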

Next I scanned it with Kaspersky, and this is what it reported:

Trojan-Downloader.Win32.Small.dam

OK, so if I read that right it is a 'damaged' variant of 'Trojan-Downloader.Win32.Small', and if so it isn't a viable threat. Just to make sure, I scanned it with a number of other AV tools, and none of them were detecting anything in the file. Most odd!

However, it seems that this is not a 'damaged' variant after all, but variant 'dam' of 'Trojan-Downloader.Win32.Small'. The AV industry normally uses the suffix 'dam' to indicate a damaged (non-functional) sample, and the suffix 'gen' to indicate that the file was detected by a 'generic' or 'family' signature or algorithm rather than by a variant-specific one.

So, let me be crystal clear: this is NOT a damaged variant after all, it is a fully-functional malware variant mistakenly given the 'dam' identifier because that was simply the next alphabetical identifier after variant 'dal'. Nice work guys; you're causing problems for us end-users of your products by not skipping over this suffix that you normally reserve for 'broken' malware!

Let me now clarify what you may see if you receive one, or more, of these e-mails. First, the subject lines seen so far:

230 dead as storm batters Europe.
A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Naked teens attack home director.
British Muslims Genocide


And here is a list of the attachments seen, so far:

Video.exe
Full Story.exe
Read More.exe
Full Clip.exe
Full Video.exe


Here is a screen-shot of what one of them looks like in Thunderbird:



I managed to get a file tested this morning against about 30 scanners; here are the results:

Scan report of: Video.exe (scanner, then detection name; '-' means no detection)

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender MemScan:Trojan.Agent.AHS
ClamAV Trojan.Downloader-647
Command W32/Downloader.AYDY
Dr Web Trojan.Spambot
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Tibs!generic
eTrust-VET (BETA) Win32/Pecoan.B
Ewido -
F-Prot W32/Downloader.AYDY
F-Secure Trojan-Downloader.Win32.Small.dam
F-Secure (BETA) Trojan-Downloader.Win32.Small.dam
Fortinet -
Fortinet (BETA) -
Ikarus Trojan-Downloader.Win32.Small.dam
Kaspersky Trojan-Downloader.Win32.Small.dam
McAfee -
McAfee (BETA) Downloader-BAI trojan
Microsoft -
Nod32 Win32/Nuwar.Q worm
Norman W32/Tibs.gen12
Panda -
Panda (BETA) Trj/Alanchum.NX
QuickHeal -
Rising -
Sophos Troj/DwnLdr-FYD
Symantec Trojan.Packed.8
Symantec (BETA) Trojan.Packed.8
Trend Micro TROJ_SMALL.EDW
Trend Micro (BETA) TROJ_SMALL.EDW
UNA -
VBA32 -
VirusBuster Trojan.DL.Tibs.Gen!Pac13
WebWasher Trojan.Dldr.Small.DBX
YY_Spybot Smitfraud-C.,,Installer


As you can see, many anti-virus tools are now detecting this, but only if you have updated this morning; otherwise all bets are off.

F-Secure have also found out what the attachment does when run. It drops the following files upon execution:

* %SysDir%\wincom32.sys - Kernel mode driver component
* %SysDir%\peers.ini - Initialization file component

It also installs itself as a service with the name "wincom32" by creating the following registry keys:

* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
* [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32]

As this is a new threat and seems to be rather complex I would suggest you look at the full description, which is still being updated.
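The dropped files and service keys quoted above are enough to check a machine for this particular infection. The script below is an added example, not F-Secure's or the author's tooling: it looks for the two files under the system directory and the two registry keys under HKLM, using only the indicators listed in this post. The file and registry probes are passed in as parameters so the same logic can be pointed at a mounted disk image or at recorded results; the default probes use os.path.exists and winreg (which only exists on Windows). One practitioner's caveat, which follows from the post's own description of wincom32.sys as a kernel driver: a rootkit component can hide its files and keys from user-mode queries on the running system, so a clean result from a live check is not proof of a clean machine. Check from a clean boot or against an offline copy of the disk when it matters.

```python
import ntpath
import os

# Indicators quoted from the F-Secure description in the post.
SERVICE_NAME = "wincom32"
DROPPED_FILES = ["wincom32.sys", "peers.ini"]          # both under %SysDir%
REGISTRY_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\wincom32",
    r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32",
]


def hklm_key_exists(subkey):
    """Live probe: does HKEY_LOCAL_MACHINE\\<subkey> exist?  Windows only;
    elsewhere winreg is absent and the probe simply reports nothing."""
    try:
        import winreg
    except ImportError:
        return False
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
        return True
    except OSError:
        return False


def check_host(file_exists=os.path.exists, key_exists=hklm_key_exists, system_dir=None):
    """Return a list of (kind, location) hits for the dropped files and
    service keys.  The probes are parameters so the logic can be exercised
    with recorded results, and so a forensic image can be checked by
    supplying probes that read the mounted copy instead of the live machine.
    """
    if system_dir is None:
        # %SysDir% in the description is the system32 directory under %SystemRoot%.
        system_dir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    hits = []
    for name in DROPPED_FILES:
        path = ntpath.join(system_dir, name)
        if file_exists(path):
            hits.append(("file", path))
    for subkey in REGISTRY_KEYS:
        if key_exists(subkey):
            hits.append(("registry", "HKLM\\" + subkey))
    return hits


if __name__ == "__main__":
    found = check_host()
    if not found:
        print("no %s indicators found on the live system (a kernel-mode rootkit "
              "can hide them; confirm from a clean boot or an offline image)" % SERVICE_NAME)
    for kind, where in found:
        print("%-8s %s" % (kind, where))
```

Any hit means the box should be taken off the network and rebuilt rather than "cleaned", since the post's own description says the sample pulls further components down once it is installed, and those are not covered by these four indicators.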

To protect yourself from this, update your AV, and if you do receive any of these e-mails with the attachments, just delete them. Whatever you do, DON'T open the attachment: it contains a so-called 'rootkit' and then proceeds to invite lots of its friends in to party on your hard disk, LAN and Internet connection.

Apart from the confusion caused by Kaspersky with their choice of name, you can see that most other vendors can't agree what to call it either...no change there then! ;-)
