A forum for reverse engineering, OS internals and malware analysis 

 #20425  by rough_spear
 Thu Aug 08, 2013 9:07 pm
Hi All,

New 8 files of worm:Win32/Vobfus.

list of md5s


Regards,

rough_spear. ;)
password - infected.
 #20434  by Blaze
 Fri Aug 09, 2013 11:24 am
Saw more of these recently as well, annoying autorun worm. Spreads via shares, hides folders and creates new .exe files with the folder name in attempt to spread. Drops these:
Porn.exe
Sexy.exe
Secret.exe
Passwords.exe

Also known as Symmi or Pronny:
http://www.welivesecurity.com/2012/12/0 ... s-to-turn/
MD5 	                            Filename
b6956c8b95c1b530e8251d62b2f28ef5	Passwords.exe.vir
113c73235765c700ae19847bab54bf17	Porn.exe.vir
7e2094566f42c8d7e34b6bf772601346	Secret.exe.vir
a7294e6cea234ad43f9e0893d9e23765	Sexy.exe.vir
789ba12bc437581780099df820270d32	autorun.inf.vir
edce76ab703980fd9d3b7e5e9f317073	koiluod.exe.vir 
Samples attached.
 #20435  by KoalaBear
 Fri Aug 09, 2013 12:10 pm
I see tons of Vobfus binaries, Vobfus is indeed very annoying.
Current C&C domains (bot talks to port 443 and 7004):
Most of them are registered through Chinese domain registrars.
At the moment, they are all pointing to 46.254.18.148 (IHC.RU - Russia).
 #20437  by rough_spear
 Fri Aug 09, 2013 12:15 pm
Absolutely correct my friend Blaze.
 #20441  by rough_spear
 Fri Aug 09, 2013 8:36 pm
Hi,
One more observation by me is that it adds secret.exe into every .zip and .rar file to increase its attack surface.
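One way to triage a share for the propagation pattern Blaze and rough_spear describe above (a same-named .exe beside each folder, the lure filenames, an autorun.inf, and Secret.exe tucked into archives). This is an added Python example, not code from the thread or from any analysis tool; the sample layout it builds is constructed, and the function names and the lure-name set are assumptions.

```python
import os, tempfile, zipfile
from pathlib import Path

LURE_NAMES = {"porn.exe", "sexy.exe", "secret.exe", "passwords.exe"}  # names from Blaze's post, not a vendor signature

def parse_autorun(text):
    # Return key=value pairs under [autorun] with lowercase keys (open=, action=, icon=, useautoplay=).
    keys, in_section = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys

def zip_has(path, wanted="secret.exe"):
    # Match on the member's basename; only zip is inspected, RAR would need a third-party module.
    with zipfile.ZipFile(path) as zf:
        return any(n.replace("\\", "/").rsplit("/", 1)[-1].lower() == wanted for n in zf.namelist())

def scan_share(root):
    # Walk a share and collect the propagation hallmarks the thread describes.
    hits = {"folder_shadow_exes": [], "lure_files": [], "autorun": [], "archives_with_secret": []}
    for dirpath, dirnames, filenames in os.walk(root):
        d, names = Path(dirpath), {f.lower(): f for f in filenames}
        for sub in dirnames:
            shadow = (sub + ".exe").lower()
            if shadow in names:  # folder plus same-named .exe: the worm hides the folder and leaves the decoy
                hits["folder_shadow_exes"].append(str(d / names[shadow]))
        for low, f in sorted(names.items()):
            if low in LURE_NAMES:
                hits["lure_files"].append(str(d / f))
            elif low == "autorun.inf":
                hits["autorun"].append((str(d / f), parse_autorun((d / f).read_text(errors="replace"))))
            elif low.endswith(".zip") and zipfile.is_zipfile(d / f) and zip_has(d / f):
                hits["archives_with_secret"].append(str(d / f))
    return hits

def build_sample_share():
    # Constructed sample layout mimicking an infected share, written to a temporary directory.
    root = Path(tempfile.mkdtemp())
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ")  # decoy beside the folder the worm hid
    (root / "Passwords.exe").write_bytes(b"MZ")  # one of the lure names
    (root / "autorun.inf").write_text("[autorun]\nopen=Photos.exe\nuseautoplay=1\n")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("docs/Secret.exe", "MZ")  # the archive injection rough_spear describes
    return root
```

Run `scan_share(build_sample_share())` to see the four hit categories on the constructed layout; on a real share, hidden-attribute folders next to the flagged .exe files are the ones to restore.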
 #20463  by EP_X0FF
 Mon Aug 12, 2013 3:20 am
For everyone who is interested: they are Beebone/Pronny downloaders with VB RunPE, anti-forensics, USB autorun and WinRAR usage for self-distribution.

Dump of strings from inside
???  ☻ 2     ♦  /  ☻   ☻ c ☻ q $ GetModuleFileNameW  ► advapi32  ▬ CloseHandle
♫ connect 0 CreateToolhelp32Snapshot  & GetDiskFreeSpaceExW → GetDriveTypeW $ G
etFileAttributesW    GetLogicalDrives  . GetLogicalDriveStringsW ☻ / ☻ o ↑ Crea
teMutexW    GetModuleHandleW  ↑ GetUserNameW  ▬ ExitProcess ◙ htons & InternetC
loseHandle   InternetOpenUrlW  → InternetOpenW   InternetReadFile  ► kernel32
▬ OpenProcess ∟ Process32First  ◘ recv  ♫ shell32 ☻ [ ☻ ]   → ShellExecuteW . S
HGetSpecialFolderPathW ◙ Sleep ♀ socket    TerminateProcess  ♀ user32  ♫ winine
t $ WriteProcessMemory  ¶ WSAStartup  ♀ ws2_32  ▲ RegCreateKeyExW ∟ RegSetValue
ExW  ▬ RegCloseKey ♫ action= ◙ open= ☻   ☻ \ \ Software\Microsoft\Windows\Curre
ntVersion\Run\  x Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
 ▲ ShowSuperHidden ▬ autorun.inf ◘ .exe  ♦ &h  n Mozilla/4.0 (compatible; MSIE
7.0; Windows NT 5.1; SV1) ↕ [autorun] ♠ exe   → useautoplay=1 h abcedfghijklmno
pqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ  ◙ aeiou * bcdfghjklmnpqrstvwxyz ♠ ico ◘
task  ◘ proc  ♀ x.mpeg  ♀ Secret  ◘ Sexy  ◘ Porn  ↕ Passwords ( BeginUpdateReso
urceW  ▲ UpdateResourceW ☻ : ☻ . $ EndUpdateResourceW  ◘ .scr  ▲ CsrGetProcessI
d ▲ TerminateThread ∟ SetWindowLongW  ¶ OpenMutexW  → Process32Next ◙ ntdll $ N
tTerminateProcess  → gethostbyname $ SetFileAttributesW  ▬ DeleteFileW ↕ CopyFi
leW ▲ RegDeleteValueW   h SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
 * cmd /c tasklist&&del  ? mp3,avi,wma,wmv,wav,mpg,mp4,doc,txt,pdf,xls,jpg,jpe,
bmp,gif,tif,png ☻ , ► RECYCLER  ► SetTimer  ∟ GetProcAddress  → RtlMoveMemory ▬
 RegOpenKeyW ◘ .org    ∟ RegisterClassW  ▲ CreateWindowExW ∟ DefWindowProcW  ▬
GetMessageW ¶ ShowWindow  ↑ ReleaseMutex  ↑ NoAutoUpdate  & GetForegroundWindow
 ∟ GetWindowTextW  h Software\Microsoft\Windows NT\CurrentVersion\Windows  ◘ .c
om  ◘ .net  ☻ = ◙ runme T 8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3  ► <PATCH1
>  ► <PATCH2>  ∟ FindFirstFileW  → FindNextFileW ↕ FindClose " GetShortPathName
W ♠ zip ♠ rar ☻ * ▲ \WinRAR\Rar.exe    a -y -ep -IBCK   ♫ sbiedll ♫ dbghelp Wri
te ◙ snxhk N SYSTEM\ControlSet001\Services\Disk\Enum ↕ *VIRTUAL* ► *VMWARE*  ♀
*VBOX*  ♀ *QEMU*    RegQueryValueExW  ◙ icon= , IMAPI2.MsftDiscMaster2  4 IMAPI
2.MsftDiscFormat2Data  0 IMAPI2.MsftDiscRecorder2  8 IMAPI2FS.MsftFileSystemIma
ge    RemoveDirectoryW  * GetVolumeInformationW ◘ CDFS  ♠ UDF ▬ ♦ ☺    u??☺ ☻ 0
 ♦
  ♦ ,0  Item  InitializeDiscRecorder  Recorder  ClientName  IsRecorderSupported
 MediaHeuristicallyBlank MultisessionInterfaces  ImportFileSystem  ChooseImageD
efaults FreeSectorsOnMedia  FreeMediaBlocks FileSystemsToCreate Root  AddTree C
reateResultImage ImageStream ????????Count VolumePathNames ☺?♦     ♦   ??????
Classic VB crap. VT of unpacked https://www.virustotal.com/en/file/9cc8 ... 376277142/
 #20473  by Win32:Virut
 Mon Aug 12, 2013 6:24 pm
Microsoft: TrojanDownloader:Win32/Beebone

SHA256: 430d1450c027e197c46c302e7156be733d9673ff90d62fe2d3f6a9c15ed49b94
SHA1: f0aa4cee2fdf5f8ce3a7ec631a232f5a86afe078
MD5: 4f51a3c9d6f31927593ec931f7e60053
File size: 84.0 KB ( 86016 bytes )
File name: idd.exe
Detection ratio: 23 / 45
Analysis date: 2013-08-12 18:26:08 UTC ( 0 minutes ago )
https://www.virustotal.com/en/file/430d ... 376331968/