A forum for reverse engineering, OS internals and malware analysis 

 #18382  by EP_X0FF
 Fri Mar 01, 2013 9:57 am
Initially a local incident; however, it has been widely discussed in Russia all last week due to its huge impact. If you remember the Venak and Avenak fakeAV from rootkit.com, this is a sort of comeback. But this time well sponsored by corrupt government officials, journalists, fake scientists etc.

About $30k was spent to develop and distribute this fake antivirus software. The author denies everything and still claims that his program works as a real antivirus. As it was discovered, this "antivirus" package includes numerous stolen programs, such as Microsoft ProcessViewer, msg.exe, wextract etc. There are a number of them; see below for the complete list (highlighted).

Summaries by Sp0Raw; use Google to translate.
http://sporaw.livejournal.com/153328.html

More info about the fake scientists supporting the author of the fakeAV
http://www.rosbalt.ru/federal/2013/02/28/1099914.html

Below is an analysis of this fakeAV (unfortunately the author has already removed it from his servers). Why is it not detected as malware? Because the incident is too local.

Summary

Win32/Immunity is a multi-component family of programs that claim to scan for malware and display fake warnings of "malicious programs, viruses and network attacks".

Symptoms

System changes

The following system changes may indicate the presence of this software:
  • Display of the following fake security program:
    Image
  • The presence of the following directory:
    Code:
    %ProgramFiles%\Immunity
  • Presence of the following files and folders, or similar:
    Code:
    %systemroot%\ImunSVC.exe
    %ProgramFiles%\Immunity\System\
    %ProgramFiles%\Immunity\Tools\
    %ProgramFiles%\Immunity\adxp_1
    %ProgramFiles%\Immunity\cause
    %ProgramFiles%\Immunity\lsad_1
    %ProgramFiles%\Immunity\prfc_1
    %ProgramFiles%\Immunity\prgf_1
    %ProgramFiles%\Immunity\rHKCU1
    %ProgramFiles%\Immunity\rHKLM1
    %ProgramFiles%\Immunity\servc1
    %ProgramFiles%\Immunity\tempfile2
    %ProgramFiles%\Immunity\wind_1
    %ProgramFiles%\Immunity\ws32_1
    %ProgramFiles%\Immunity\wsdr_1
    %ProgramFiles%\Immunity\DInfo.bin
    %ProgramFiles%\Immunity\Hex.bin
    %ProgramFiles%\Immunity\rtl70.bpl
    %ProgramFiles%\Immunity\Active.dll
    %ProgramFiles%\Immunity\base.dll
    %ProgramFiles%\Immunity\comctl32.dll
    %ProgramFiles%\Immunity\comdlg32.dll
    %ProgramFiles%\Immunity\Config.dll
    %ProgramFiles%\Immunity\Confirm.dll
    %ProgramFiles%\Immunity\ControlX.dll
    %ProgramFiles%\Immunity\Core.dll
    %ProgramFiles%\Immunity\Err.dll
    %ProgramFiles%\Immunity\ErrorReport.dll
    %ProgramFiles%\Immunity\Fin.dll
    %ProgramFiles%\Immunity\Flash.dll
    %ProgramFiles%\Immunity\Generic.dll
    %ProgramFiles%\Immunity\ICore.dll
    %ProgramFiles%\Immunity\IFlash.dll
    %ProgramFiles%\Immunity\Immunity.dll
    %ProgramFiles%\Immunity\Imun.dll
    %ProgramFiles%\Immunity\Ip.dll
    %ProgramFiles%\Immunity\Main.dll
    %ProgramFiles%\Immunity\mfc70.dll
    %ProgramFiles%\Immunity\Moon.dll
    %ProgramFiles%\Immunity\Msgbox.dll
    %ProgramFiles%\Immunity\Msgint.dll
    %ProgramFiles%\Immunity\msvcr70.dll
    %ProgramFiles%\Immunity\NetScreen.dll
    %ProgramFiles%\Immunity\Res.dll
    %ProgramFiles%\Immunity\Scan.dll
    %ProgramFiles%\Immunity\Service.dll
    %ProgramFiles%\Immunity\Share.dll
    %ProgramFiles%\Immunity\Shit.dll
    %ProgramFiles%\Immunity\Sndlib.dll
    %ProgramFiles%\Immunity\Updater.dll
    %ProgramFiles%\Immunity\Config.exe
    %ProgramFiles%\Immunity\DevC++.exe
    %ProgramFiles%\Immunity\Fonts.exe
    %ProgramFiles%\Immunity\IDef.exe
    %ProgramFiles%\Immunity\Imun.exe
    %ProgramFiles%\Immunity\ImunSVC.exe
    %ProgramFiles%\Immunity\Uninstall.exe
    %ProgramFiles%\Immunity\Unix.exe
    %ProgramFiles%\Immunity\VersionUpdaterX.exe
    %ProgramFiles%\Immunity\mciconmenu.exp
    %ProgramFiles%\Immunity\config.ini
    %ProgramFiles%\Immunity\mciconmenu.lib
    %ProgramFiles%\Immunity\log.log
    %ProgramFiles%\Immunity\set.log
    %ProgramFiles%\Immunity\vir.log
    %ProgramFiles%\Immunity\Default.mp3
    %ProgramFiles%\Immunity\IPAct.mp3
    %ProgramFiles%\Immunity\Service.mp3
    %ProgramFiles%\Immunity\Virusfound.mp3
    %ProgramFiles%\Immunity\Ecc.msg
    %ProgramFiles%\Immunity\comctl32.ocx
    %ProgramFiles%\Immunity\comdlg32.ocx
    %ProgramFiles%\Immunity\mciconmenu.ocx
    %ProgramFiles%\Immunity\MSCOMCTL.OCX
    %ProgramFiles%\Immunity\msinet.ocx
    %ProgramFiles%\Immunity\MSWINSCK.OCX
    %ProgramFiles%\Immunity\NTSVC.ocx
    %ProgramFiles%\Immunity\RICHTX32.OCX
    %ProgramFiles%\Immunity\SYSINFO.OCX
    %ProgramFiles%\Immunity\XPButton.ocx
    %ProgramFiles%\Immunity\Show.sys
    %ProgramFiles%\Immunity\System\local.bin
    %ProgramFiles%\Immunity\System\Service.bin
    %ProgramFiles%\Immunity\System\visible.conf
    %ProgramFiles%\Immunity\System\config.cpp
    %ProgramFiles%\Immunity\System\Flash.cpp
    %ProgramFiles%\Immunity\System\netconfig.cpp
    %ProgramFiles%\Immunity\System\Scan.cpp
    %ProgramFiles%\Immunity\System\Sys.cpp
    %ProgramFiles%\Immunity\System\sysconfig.cpp
    %ProgramFiles%\Immunity\System\base.info
    %ProgramFiles%\Immunity\System\data.info
    %ProgramFiles%\Immunity\System\disks.info
    %ProgramFiles%\Immunity\System\Obj.info
    %ProgramFiles%\Immunity\System\Public.info
    %ProgramFiles%\Immunity\System\sysfiles.info
    %ProgramFiles%\Immunity\System\Type.info
    %ProgramFiles%\Immunity\System\Update.info
    %ProgramFiles%\Immunity\Tools\Tabel.Bass
    %ProgramFiles%\Immunity\Tools\TestAll.bass
    %ProgramFiles%\Immunity\Tools\TestBEST.bass
    %ProgramFiles%\Immunity\Tools\Immunity.dll
    %ProgramFiles%\Immunity\Tools\Sndlib.dll
    %ProgramFiles%\Immunity\Tools\CVTest.exe
    %ProgramFiles%\Immunity\Tools\PowerMaster.exe
    %ProgramFiles%\Immunity\Tools\ProcViev.EXE
    %ProgramFiles%\Immunity\Tools\Твикер.exe
    %ProgramFiles%\Immunity\Tools\config.ini
    %ProgramFiles%\Immunity\Tools\IPAct.mp3
    %ProgramFiles%\Immunity\Tools\Service.mp3
    %ProgramFiles%\Immunity\Tools\Virusfound.mp3
    %userprofile%\username\Start Menu\Programs\Startup\Immunity.lnk
Note: comctl32.ocx, comdlg32.ocx, comctl32.dll, comdlg32.dll, mfc70.dll and several others are legitimate copies of Microsoft Windows files.

Additionally

Alert notifications from Windows firewall may be the only symptoms.


Technical Information (Analysis)

Win32/Immunity is a multi-component family of programs that claim to scan for malware and display fake warnings of "malicious programs, viruses and network attacks".

Installation

During installation Win32/Immunity creates the following files and folders on an affected computer:
  • Code:
    %systemroot%\ImunSVC.exe
    %ProgramFiles%\Immunity
    %ProgramFiles%\Immunity\System\
    %ProgramFiles%\Immunity\Tools\
    %ProgramFiles%\Immunity\adxp_1
    %ProgramFiles%\Immunity\cause
    %ProgramFiles%\Immunity\lsad_1
    %ProgramFiles%\Immunity\prfc_1
    %ProgramFiles%\Immunity\prgf_1
    %ProgramFiles%\Immunity\rHKCU1
    %ProgramFiles%\Immunity\rHKLM1
    %ProgramFiles%\Immunity\servc1
    %ProgramFiles%\Immunity\tempfile2
    %ProgramFiles%\Immunity\wind_1
    %ProgramFiles%\Immunity\ws32_1
    %ProgramFiles%\Immunity\wsdr_1
    %ProgramFiles%\Immunity\DInfo.bin
    %ProgramFiles%\Immunity\Hex.bin
    %ProgramFiles%\Immunity\rtl70.bpl
    %ProgramFiles%\Immunity\Active.dll
    %ProgramFiles%\Immunity\base.dll
    %ProgramFiles%\Immunity\comctl32.dll
    %ProgramFiles%\Immunity\comdlg32.dll
    %ProgramFiles%\Immunity\Config.dll
    %ProgramFiles%\Immunity\Confirm.dll
    %ProgramFiles%\Immunity\ControlX.dll
    %ProgramFiles%\Immunity\Core.dll
    %ProgramFiles%\Immunity\Err.dll
    %ProgramFiles%\Immunity\ErrorReport.dll
    %ProgramFiles%\Immunity\Fin.dll
    %ProgramFiles%\Immunity\Flash.dll
    %ProgramFiles%\Immunity\Generic.dll
    %ProgramFiles%\Immunity\ICore.dll
    %ProgramFiles%\Immunity\IFlash.dll
    %ProgramFiles%\Immunity\Immunity.dll
    %ProgramFiles%\Immunity\Imun.dll
    %ProgramFiles%\Immunity\Ip.dll
    %ProgramFiles%\Immunity\Main.dll
    %ProgramFiles%\Immunity\mfc70.dll
    %ProgramFiles%\Immunity\Moon.dll
    %ProgramFiles%\Immunity\Msgbox.dll
    %ProgramFiles%\Immunity\Msgint.dll
    %ProgramFiles%\Immunity\msvcr70.dll
    %ProgramFiles%\Immunity\NetScreen.dll
    %ProgramFiles%\Immunity\Res.dll
    %ProgramFiles%\Immunity\Scan.dll
    %ProgramFiles%\Immunity\Service.dll
    %ProgramFiles%\Immunity\Share.dll
    %ProgramFiles%\Immunity\Shit.dll
    %ProgramFiles%\Immunity\Sndlib.dll
    %ProgramFiles%\Immunity\Updater.dll
    %ProgramFiles%\Immunity\Config.exe
    %ProgramFiles%\Immunity\DevC++.exe
    %ProgramFiles%\Immunity\Fonts.exe
    %ProgramFiles%\Immunity\IDef.exe
    %ProgramFiles%\Immunity\Imun.exe
    %ProgramFiles%\Immunity\ImunSVC.exe
    %ProgramFiles%\Immunity\Uninstall.exe
    %ProgramFiles%\Immunity\Unix.exe
    %ProgramFiles%\Immunity\VersionUpdaterX.exe
    %ProgramFiles%\Immunity\mciconmenu.exp
    %ProgramFiles%\Immunity\config.ini
    %ProgramFiles%\Immunity\mciconmenu.lib
    %ProgramFiles%\Immunity\log.log
    %ProgramFiles%\Immunity\set.log
    %ProgramFiles%\Immunity\vir.log
    %ProgramFiles%\Immunity\Default.mp3
    %ProgramFiles%\Immunity\IPAct.mp3
    %ProgramFiles%\Immunity\Service.mp3
    %ProgramFiles%\Immunity\Virusfound.mp3
    %ProgramFiles%\Immunity\Ecc.msg
    %ProgramFiles%\Immunity\comctl32.ocx
    %ProgramFiles%\Immunity\comdlg32.ocx
    %ProgramFiles%\Immunity\mciconmenu.ocx
    %ProgramFiles%\Immunity\MSCOMCTL.OCX
    %ProgramFiles%\Immunity\msinet.ocx
    %ProgramFiles%\Immunity\MSWINSCK.OCX
    %ProgramFiles%\Immunity\NTSVC.ocx
    %ProgramFiles%\Immunity\RICHTX32.OCX
    %ProgramFiles%\Immunity\SYSINFO.OCX
    %ProgramFiles%\Immunity\XPButton.ocx
    %ProgramFiles%\Immunity\Show.sys
    %ProgramFiles%\Immunity\System\local.bin
    %ProgramFiles%\Immunity\System\Service.bin
    %ProgramFiles%\Immunity\System\visible.conf
    %ProgramFiles%\Immunity\System\config.cpp
    %ProgramFiles%\Immunity\System\Flash.cpp
    %ProgramFiles%\Immunity\System\netconfig.cpp
    %ProgramFiles%\Immunity\System\Scan.cpp
    %ProgramFiles%\Immunity\System\Sys.cpp
    %ProgramFiles%\Immunity\System\sysconfig.cpp
    %ProgramFiles%\Immunity\System\base.info
    %ProgramFiles%\Immunity\System\data.info
    %ProgramFiles%\Immunity\System\disks.info
    %ProgramFiles%\Immunity\System\Obj.info
    %ProgramFiles%\Immunity\System\Public.info
    %ProgramFiles%\Immunity\System\sysfiles.info
    %ProgramFiles%\Immunity\System\Type.info
    %ProgramFiles%\Immunity\System\Update.info
    %ProgramFiles%\Immunity\Tools\Tabel.Bass
    %ProgramFiles%\Immunity\Tools\TestAll.bass
    %ProgramFiles%\Immunity\Tools\TestBEST.bass
    %ProgramFiles%\Immunity\Tools\Immunity.dll
    %ProgramFiles%\Immunity\Tools\Sndlib.dll
    %ProgramFiles%\Immunity\Tools\CVTest.exe
    %ProgramFiles%\Immunity\Tools\PowerMaster.exe
    %ProgramFiles%\Immunity\Tools\ProcViev.EXE
    %ProgramFiles%\Immunity\Tools\Твикер.exe
    %ProgramFiles%\Immunity\Tools\config.ini
    %ProgramFiles%\Immunity\Tools\IPAct.mp3
    %ProgramFiles%\Immunity\Tools\Service.mp3
    %ProgramFiles%\Immunity\Tools\Virusfound.mp3
    %userprofile%\%username%\Start Menu\Programs\Startup\Immunity.lnk
Note: comctl32.ocx, comdlg32.ocx, comctl32.dll, comdlg32.dll, mfc70.dll and several others are legitimate copies of Windows files.

Components

While running, Win32/Immunity may drop and create additional files on disk. Here is a short overview of the main components.
  • Active.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains the popup dialog used to display fake warnings. During execution it drops a file named "warning.dll", which is a JPEG image used as the background image for the popup window.
  • base.dll - configuration text file; includes masked "suspicious" file names and incomplete or broken CRC hashes.
  • Config.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains the Win32/Immunity configuration dialog; various configuration settings are read from %ProgramFiles%\Immunity\System\config.cpp, %ProgramFiles%\Immunity\System\netconfig.cpp, %ProgramFiles%\Immunity\System\sysconfig.cpp, %ProgramFiles%\Immunity\System\Sys.cpp. Note: config.cpp pretends to be a C++ source file, but due to numerous errors in that "source code" it is invalid.
  • Config.exe - VB6 compiled executable packed with UPX. Contains the Win32/Immunity configuration information dialog; includes runtime code of the Janarayson VB6 AquaButton component.
  • Confirm.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Executes %systemroot%\confirm.bat, whose purpose is, depending on the current google.com IP address, to simulate an "ECC error" by playing the "warning" mp3 file %ProgramFiles%\Immunity\Ecc.msg to the user.
  • ControlX.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains the Win32/Immunity "Control Center" dialogs, registration checking, AquaButton VB6 runtime and the "virus" and "ecc errors" fake popup generation algorithms. During work it may also drop multiple files on disk.

    The registration scheme is implemented in two files:
    %systemroot%\wusa.dll - keeps the number of days remaining before the expiration of the license;
    %systemroot%\inf\usbimu.inf - keeps the registration number and license user name.

    If the number of days = 950 the program will display an offensive message to the user.
    In order to check the license ControlX.dll may contact server.double-a.ru. Keeps an open connection on port 1036.

    Periodically displays a message that an update is ready to install, even if no network connection is present.
  • Core.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Contains inside several batch scripts implementing file/folder/registry scans, forced recovery of system parameters, output to various logs and a special script used to generate fake network "intrusion alerts" using random values of IP address and port. Script execution is set on a timer.
  • Err.dll - modified version of the Microsoft Windows CAB Extract executable. The Win32/Immunity author removed several resources from the file and changed the version info; however, he left the original pdb string "wextract.pdb" and the initial debug information inside the executable.
  • ErrorReport.dll - another modified version of the Microsoft Windows CAB Extract executable. Contains approx. 100 KB of zero data as overlay; most likely the file was damaged while changing resources and copyrights.
  • Fin.dll - modified version of PEiD v0.95, renamed to dll. The main window was redesigned to hide the origin of this file.
  • Flash.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Executes the batch script %systemroot%\flash.bat, which attempts to remove several files from the root directories of the C, D, E, F, G, H, J drives, e.g. "autorun.inf". Plays sounds and logs found objects to various log files, e.g. "vir.log". Additionally contains a list of files to ignore, e.g. "MSDOS.sys", "hiberfil.sys", "pagefile.sys", "IO.sys".
  • Fonts.exe - WinRAR SFX archive with several fonts used by Win32/Immunity. Attempts to silently install the fonts to the %systemroot%\Fonts folder.
  • Generic.dll - JPEG image with file extension changed to "dll".
  • ICore.dll - VB6 compiled executable packed with UPX and renamed to dll. Update notification dialog.
  • IDef.exe - modified version of the Microsoft Windows Cacls program. Resources and copyright information changed.
  • IFlash.dll - VB6 compiled executable packed with UPX and renamed to dll. Due to the same functionality it is probably an earlier variant of the Active.dll component.
  • Immunity.dll - modified version of the Microsoft Visual Basic 6.0 runtime library MSVBVM60.DLL. Resources and copyright information changed.
  • Imun.dll - VB6 compiled executable packed with UPX and renamed to dll. Contains several dialogs, including the about box.
  • Imun.exe - VB6 compiled executable packed with UPX. Launcher for Core.dll.
  • ImunSVC.exe - VB6 compiled executable packed with UPX. Win32/Immunity registers it as a service called "Immunity Service" so that the service runs each time Windows starts. Dummy service, internal name "NT Service Project", that does nothing.
  • Ip.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Used to display a fake dialog about "network intrusion" attempts self-generated by other Win32/Immunity components.
  • Main.dll - JPEG image with file extension changed to "dll".
  • Moon.dll - VB6 compiled executable packed with UPX and renamed to dll. Pretends to be a command interpreter. Does nothing.
  • msgbox.dll - modified version of the Microsoft Windows msg.exe (Network messaging) tool. Resources changed.
  • msgint.dll - copy of the msgbox component.
  • NetScreen.dll - packed with UPX. Batch-To-Exe converted Netscreen.bat. The executed batch script runs the Microsoft Windows net/netsh/netstat commands "netsh show helper", "netstat -r", "netstat -a", "netstat -a -n", "net view", using the ping command as a delay.
  • Res.dll - 16-bit MS-DOS executable renamed to dll. Displays a rectangle in a command line window.
  • Scan.dll - executable packed with UPX and renamed to dll. Contains a copy of MSVBVM60.DLL and Scan.cmd, used for the Windows Explorer context menu scan.
  • Service.dll - VB6 compiled executable packed with UPX and renamed to dll. Displays a popup dialog if it detects a new service installed in the system. Operates with the services list located in the "system\service.bin" file. Includes runtime code of the Janarayson VB6 AquaButton component.
  • Share.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Executes %systemroot%\share.bat. Attempts to enumerate files on shared disks/folders and compare their filenames with "known" virus filenames.
  • Shit.dll - VB6 compiled executable packed with UPX and renamed to dll. This component expects to be launched only with the "-Immunity" command. Pretends to be part of a firewall. Sets a shell tray icon.
  • Show.sys - VB6 compiled executable packed with PECompact and renamed to sys. This component is used to communicate with an ftp server located at IP address 31.186.128.22. Contains login credentials for accessing the ftp server - user name: Mefistofell, password: ImmunitySUP. While working it connects to the ftp server and transfers affected computer information such as: IP address, user name, computer name, dump of environment variables.
  • Sndlib.dll - modified version of the madplay 0.15.0 (beta) executable, additionally renamed to dll. PE sections renamed as if it was developed by the Win32/Immunity author.
  • Updater.dll - VB6 compiled executable packed with UPX and renamed to dll. Used to download and install Win32/Immunity updates. Connects to the following servers: falconix.com, double-a.ru, server.falconix.com, immunity.double-a.ru, and the following IP: 83.246.149.99.
  • Unix.exe - VB6 compiled executable packed with UPX. Pretends to be a Wine-emulation-compatible version of Win32/Immunity. Reassembles many other components inside itself.
  • XPButton.ocx - modified version of the XP Button Visual Basic 6 runtime component. PE sections renamed as if it was developed by the Win32/Immunity author.
  • %ProgramFiles%\Immunity\Tools\ProcViev.EXE - modified version of Microsoft Process Viewer; resources and copyright information changed.
  • %ProgramFiles%\Immunity\Tools\Твикер.exe - modified version of Microsoft TweakUI, additionally packed by NPack; resources and copyright information changed.
Payload

Contacts remote host

Win32/Immunity may contact a remote host at server.falconix.com using port 21. Commonly, it may contact a remote host for the following purposes:
  • To report a new installation to its author
  • To receive configuration or other data
  • To upload data taken from the affected computer
Additional Information
  • Registers itself as a service called "Immunity Service" so that the service runs each time Windows starts.
  • Registers Windows Explorer context menu handler:
    HKEY_CLASSES_ROOT\*\shell\Иммунитет: Проверить на вирусы\command with the path to the installed program %ProgramFiles%\Immunity\Scan.dll and the parameter "%1"
The following project file paths have been identified:
Code:
D:\1111\Immunity\Active.dll\<removed unreadable symbols>.vbp
W:\1111\Immunity\Core.bat compiler\Project1.vbp
D:\1111\Immunity\Starter\Project1.vbp
C:\Users\<removed unreadable symbols>\Desktop\inf\NTService.vbp
D:\1111\Immunity\ip.dll\<removed unreadable symbols>.vbp
W:\1111\Immunity\Moon.dll\<removed unreadable symbols>.vbp 
D:\1111\Immunity\Service.dll\<removed unreadable symbols>.vbp
W:\1111\Immunity\Share.bat compiler\Project1.vbp
W:\1111\Immunity\Shit.dll\INet().dll\Project1.vbp
D:\1111\Immunity\Updater.dll\<removed unreadable symbols>.vbp
This malware description was produced by examination of the file with SHA1 a80b8bf729780a84cee691c496eac684f51107ad
For download use this link -> https://mega.co.nz/#!oR1zSKCC!NYr49X4LF ... osDpvuXwCg
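As an added host-triage example (not code from the post or from the program it describes), the following Python scores a Windows host snapshot against the artefacts listed above: the Immunity-specific files, the "Immunity Service" service, the Explorer context-menu key, the Startup link and the remote endpoints. The HostSnapshot structure, the constructed sample and the rule that two independent artefact kinds make a positive are my assumptions; on a live host populate the snapshot from the file system, the service list, the registry and the socket table.

```python
import os
import re
from dataclasses import dataclass
# Artefacts specific to Win32/Immunity; its legitimate Microsoft copies (comctl32.dll etc.) are omitted.
IMMUNITY_FILES = [
    r"%systemroot%\ImunSVC.exe",
    r"%ProgramFiles%\Immunity\Core.dll",
    r"%ProgramFiles%\Immunity\ControlX.dll",
    r"%ProgramFiles%\Immunity\Show.sys",
    r"%ProgramFiles%\Immunity\System\config.cpp",
    r"%systemroot%\wusa.dll",        # license day counter kept by ControlX.dll
    r"%systemroot%\inf\usbimu.inf",  # registration number and licensee name
]
SERVICE_NAME = "immunity service"
CONTEXT_MENU_KEY = r"hkey_classes_root\*\shell\иммунитет: проверить на вирусы\command"
STARTUP_LINK = r"start menu\programs\startup\immunity.lnk"
REMOTE_ENDPOINTS = {("server.falconix.com", 21), ("server.double-a.ru", 1036),
                    ("31.186.128.22", 21), ("83.246.149.99", None)}  # None matches any port

@dataclass
class HostSnapshot:
    files: set          # absolute paths that exist on the host
    services: set       # display names of installed services
    registry_keys: set  # full registry key paths
    connections: set    # (remote host or IP, remote port) of open sockets

def expand(path, env):
    """Expand %VAR% placeholders from env (case-insensitive, unknown names kept)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def matched_indicators(snap, env):
    """Return the (kind, indicator) pairs from the post that the snapshot satisfies."""
    files = {f.lower() for f in snap.files}
    hits = [("file", s) for s in IMMUNITY_FILES if expand(s, env).lower() in files]
    if any(f.endswith(STARTUP_LINK) for f in files):
        hits.append(("startup", "Immunity.lnk"))
    if SERVICE_NAME in {s.lower() for s in snap.services}:
        hits.append(("service", "Immunity Service"))
    if CONTEXT_MENU_KEY in {k.lower() for k in snap.registry_keys}:
        hits.append(("registry", "Explorer context menu handler"))
    for host, port in snap.connections:
        if {(host.lower(), port), (host.lower(), None)} & REMOTE_ENDPOINTS:
            hits.append(("network", f"{host}:{port}"))
    return hits

def verdict(hits):
    """Two artefact kinds (say a file plus the service) make a positive; one alone is only suspicious."""
    kinds = {k for k, _ in hits}
    return "win32/immunity installed" if len(kinds) >= 2 else ("suspicious" if kinds else "clean")

def files_present_on_host():
    """Live check of the file artefacts on the machine this runs on (stdlib only)."""
    return [s for s in IMMUNITY_FILES if os.path.exists(expand(s, os.environ))]

# Constructed sample snapshot (not from a real machine) so the check runs offline.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
SAMPLE_SNAPSHOT = HostSnapshot(
    files={r"C:\Windows\ImunSVC.exe", r"C:\Program Files\Immunity\ControlX.dll",
           r"C:\Windows\inf\usbimu.inf", r"C:\Program Files\Immunity\comctl32.dll",
           r"C:\Users\analyst\Start Menu\Programs\Startup\Immunity.lnk"},
    services={"Immunity Service", "Windows Update"},
    registry_keys={r"HKEY_CLASSES_ROOT\*\shell\Иммунитет: Проверить на вирусы\command"},
    connections={("server.double-a.ru", 1036), ("192.0.2.10", 443)},
)
```

Running `verdict(matched_indicators(SAMPLE_SNAPSHOT, SAMPLE_ENV))` on the sample yields a positive from seven hits across five artefact kinds; the stray comctl32.dll copy is deliberately not counted.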
 #18387  by EP_X0FF
 Fri Mar 01, 2013 4:05 pm
Well, Sergey must have just really wanted to say something. Turned out he said BS; yep, the Dr.Web PR division fckuped again, I doubt Komarov saw this fakeav in work. I hope that someday Dr.Web will give a word to their virus analysts in such cases, and not to incompetent people.

Someone said they added this fakeav under the "Program Unwanted" category to their database :)