A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21852  by Xylitol
 Fri Jan 03, 2014 5:49 pm
Attachments
infected
(30.31 KiB) Downloaded 74 times
infected
(197.68 KiB) Downloaded 77 times
infected
(106.75 KiB) Downloaded 78 times
 #21854  by patriq
 Fri Jan 03, 2014 10:15 pm
Xylitol wrote: Targeting World of Warcraft people.
http://us.battle.net/wow/en/forum/topic ... 892?page=1

Troj.WowSpy-A:
https://www.virustotal.com/en/file/850d ... 388771269/
I can't unpack these with UPX -d... something I'm doing wrong?
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: wow_1031_v2_done!.exe: NotPackedException: not packed by UPX

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: DOMAIN EXE.EXE: NotPackedException: not packed by UPX
but I can see sections UPX0 and UPX1 - dead giveaway?

Does this run without WoW installed? I don't see anything checking the registry... and error messages on Malwr.
How are victims targeted? (Maybe BitTorrent, as the name looks to be a WoW-related file, "wow_1031_v2"??)

Anyone seen any C&C traffic for this campaign?
 #21862  by Xartrick
 Sat Jan 04, 2014 4:37 pm
patriq wrote: I can't unpack these with UPX -d... something I'm doing wrong?
Don't bother with the loader, you can directly look into w_win.dll and w_64.dll, they contain the full payload.
patriq wrote: Does this run without WoW installed? I don't see anything checking the registry... and error messages on Malwr.
It will hook wow.exe (World of Warcraft) if present, but also targets iexplorer.exe (Internet Explorer).
The DLL adds an entry to the registry to be run at every startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Disker => rundll32.exe X:\[..]\w_win.dll,DW
 #21863  by patriq
 Sat Jan 04, 2014 9:48 pm
Win32:Virut wrote:
patriq wrote: How are victims targeted? (Maybe BitTorrent, as the name looks to be a WoW-related file, "wow_1031_v2"??)
It is dropped by:

_hxxp://www.curse.pw/
_hxxp://www.curse.pw/setup.exe

(the links are dead now)

Another file: https://www.virustotal.com/file/6b654c5 ... 388824597/
Cool, thanks. The links seem fine to me?

There is an advert on the page about this "addon manager" for gamers. I dunno, not very interesting.

false positive?
 #21864  by patriq
 Sat Jan 04, 2014 9:50 pm
Xartrick wrote:
patriq wrote: I can't unpack these with UPX -d... something I'm doing wrong?
Don't bother with the loader, you can directly look into w_win.dll and w_64.dll, they contain the full payload.
patriq wrote: Does this run without WoW installed? I don't see anything checking the registry... and error messages on Malwr.
It will hook wow.exe (World of Warcraft) if present, but also targets iexplorer.exe (Internet Explorer).
The DLL adds an entry to the registry to be run at every startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Disker => rundll32.exe X:\[..]\w_win.dll,DW
Check. Thanks.

(also, did you really register in 2011 and just post for the first time right now?)
 #21865  by Xartrick
 Sat Jan 04, 2014 11:48 pm
patriq wrote: Check. Thanks.

(also, did you really register in 2011 and just post for the first time right now?)
I've always had an interest in malware, but never gone deeper.
 #21867  by rinn
 Sun Jan 05, 2014 8:52 am
Hello.

It's really UPX, just a bit scrambled. The unpacked file is attached; all the interesting DLLs are inside the rsrc section. Even if upx -d fails, you can still unpack it manually.

Best Regards,
-rin
patriq wrote: I can't unpack these with UPX -d... something I'm doing wrong?
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: wow_1031_v2_done!.exe: NotPackedException: not packed by UPX

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: DOMAIN EXE.EXE: NotPackedException: not packed by UPX
but I can see sections UPX0 and UPX1 - dead giveaway?
Attachments
infected
(198.88 KiB) Downloaded 56 times
 #21869  by Xartrick
 Sun Jan 05, 2014 10:49 am
rinn wrote: It's really UPX, just a bit scrambled. The unpacked file is attached; all the interesting DLLs are inside the rsrc section. Even if upx -d fails, you can still unpack it manually.
Did you figure out what makes upx -d fail?
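As an added illustration, not code from any post in this thread, of why upx -d can report NotPackedException on a file whose section names still read UPX0/UPX1: the stock unpacker keys on its own pack-header magic ("UPX!"), not on section names, so scrambling that header defeats upx -d while leaving the giveaway names behind. The parser below reads a PE section table and compares the two signals; the PE skeletons it checks are constructed inline, and the whole-file magic scan is a deliberately coarse stand-in for UPX's own header search.

```python
import struct

UPX_MAGIC = b"UPX!"                    # magic of the UPX pack header that upx -d searches for
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Walk the PE headers and return the section names from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER (40 bytes each)
    return [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0") for i in range(num_sections)]


def upx_verdict(data: bytes) -> str:
    """Compare the cosmetic signal (section names) with the one upx -d needs (pack-header magic)."""
    has_sections = bool(UPX_SECTION_NAMES & set(pe_section_names(data)))
    has_magic = UPX_MAGIC in data       # coarse approximation of upx's own header search
    if has_sections and has_magic:
        return "upx"                    # stock UPX: upx -d should succeed
    if has_sections:
        return "upx-scrambled"          # names intact, header magic gone: upx -d says NotPackedException
    if has_magic:
        return "upx-renamed-sections"   # sections renamed but header intact: upx -d still works
    return "not-upx"


def build_sample_pe(section_names, include_magic: bool) -> bytes:
    """Constructed, non-runnable PE skeleton with just enough structure for the checks above."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt_size = 0xE0                                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    tail = (UPX_MAGIC if include_magic else b"\0" * 4) + b"\0" * 28
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + sections + tail


if __name__ == "__main__":
    for names, magic in ([b"UPX0", b"UPX1", b".rsrc"], True), ([b"UPX0", b"UPX1", b".rsrc"], False):
        print(names, "magic" if magic else "no magic", "->", upx_verdict(build_sample_pe(names, magic)))
```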