* endellion.me.uk


kangozip.com

The executable has a name made up from seven random letters. All of them bring along iaxcfg.dll -- I get the impression that this is not randomly made up. The thing runs from the System32 directory.

It listens on ports 9849 TCP and 11075 UDP.

And it does very strange DNS requests. Here is a small selection with duplicates pruned.

    121 10:55:00.601908 Standard query A gmesxwrxpa.kangozip.com
    129 10:55:02.966353 Standard query A gmesxwrxpa.ikcharhrzksikbchlqef.com
    130 10:55:02.966386 Standard query A azskifnhom.kangozip.com
    224 11:15:00.453596 Standard query A azskifnhom.ikcharhrzksikbchlqef.com
    308 11:35:01.022981 Standard query A mcnpznnijd.kangozip.com
    314 11:35:01.424633 Standard query A mcnpznnijd.ikcharhrzksikbchlqef.com
    403 11:55:01.743224 Standard query A csipqcvwam.kangozip.com
    409 11:55:02.280471 Standard query A csipqcvwam.ikcharhrzksikbchlqef.com
    493 12:15:02.740396 Standard query A atbioosgnd.kangozip.com
    501 12:15:04.444407 Standard query A atbioosgnd.ikcharhrzksikbchlqef.com
    597 12:35:05.700195 Standard query A kujzbknbfk.kangozip.com
    603 12:35:06.348892 Standard query A kujzbknbfk.ikcharhrzksikbchlqef.com
    703 12:55:06.642058 Standard query A eidmryojkn.kangozip.com
    735 12:55:23.615874 Standard query A eidmryojkn.ikcharhrzksikbchlqef.com
    799 13:15:24.884872 Standard query A clisnadmyo.kangozip.com
    810 13:15:28.315194 Standard query A clisnadmyo.ikcharhrzksikbchlqef.com
    893 13:35:28.768889 Standard query A kzbolkyele.kangozip.com
    897 13:35:29.357181 Standard query A kzbolkyele.ikcharhrzksikbchlqef.com
   1019 13:55:29.736036 Standard query A trabejvjbs.kangozip.com
   1029 13:55:46.788346 Standard query A trabejvjbs.ikcharhrzksikbchlqef.com
   1096 14:15:48.110853 Standard query A srizesgoih.kangozip.com
   1104 14:15:50.618757 Standard query A srizesgoih.ikcharhrzksikbchlqef.com
   1203 14:35:51.900275 Standard query A fajwxocyxk.kangozip.com
   1208 14:35:52.574607 Standard query A fajwxocyxk.ikcharhrzksikbchlqef.com
   1318 14:55:52.978277 Standard query A qrnmyxabqh.kangozip.com
   1331 14:56:09.979102 Standard query A qrnmyxabqh.ikcharhrzksikbchlqef.com
   1426 15:16:11.227272 Standard query A qmkmqfuqjl.kangozip.com
   1434 15:16:12.846151 Standard query A qmkmqfuqjl.ikcharhrzksikbchlqef.com

The ones that end in kangozip.com actually resolve to an IP address (68.213.254.139), the others don't.

As soon as this IP is returned, a 50-byte UDP packet goes out to it from port 11075 to port 48742. The address always reverse-resolves to gmesxwrxpa.kangozip.com.
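The traffic above is what a defender wants to catch in resolver logs: two apex domains receiving never-repeated, random-looking labels on a 20-minute beat. The following Python is an added example, not code from this page's author; it parses tshark lines of the form quoted above (four of the pairs, plus two constructed benign queries to www.example.com for contrast), scores each apex on label entropy, label reuse and inter-query periodicity, and flags the beaconing domains. The thresholds and the apex-equals-last-two-labels rule are assumptions.

```python
import math, re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: four of the tshark query pairs quoted above, plus two
# constructed benign queries to www.example.com for contrast.
SAMPLE_LOG = """\
130 10:55:02.966386 Standard query A azskifnhom.kangozip.com
200 11:00:00.000000 Standard query A www.example.com
224 11:15:00.453596 Standard query A azskifnhom.ikcharhrzksikbchlqef.com
308 11:35:01.022981 Standard query A mcnpznnijd.kangozip.com
314 11:35:01.424633 Standard query A mcnpznnijd.ikcharhrzksikbchlqef.com
403 11:55:01.743224 Standard query A csipqcvwam.kangozip.com
409 11:55:02.280471 Standard query A csipqcvwam.ikcharhrzksikbchlqef.com
493 12:15:02.740396 Standard query A atbioosgnd.kangozip.com
501 12:15:04.444407 Standard query A atbioosgnd.ikcharhrzksikbchlqef.com
600 12:20:00.000000 Standard query A www.example.com
"""
LINE_RE = re.compile(r"^\s*\d+\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+Standard query A\s+(\S+)$")

def label_entropy(label):
    """Shannon entropy in bits per character: ten random letters score about 3, 'www' scores 0."""
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def parse_queries(log):
    """Group queries by apex (assumed: last two labels) into time-sorted (timestamp, leftmost label)."""
    by_apex = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        labels = m.group(2).rstrip(".").split(".")
        if len(labels) >= 3:  # only hosts below an apex can carry a generated label
            by_apex[".".join(labels[-2:])].append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), labels[0]))
    return {apex: sorted(ev) for apex, ev in by_apex.items()}

def score_apex(events, min_labels=4, min_entropy=2.5, min_periodic=0.5):
    """Flag an apex whose labels look generated, never repeat and recur on a steady beat (thresholds assumed)."""
    labels = [lbl for _, lbl in events]
    mean_entropy = sum(map(label_entropy, labels)) / len(labels)
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
    med = median(gaps) if gaps else 0.0
    periodic = sum(abs(g - med) <= 0.1 * med for g in gaps) / len(gaps) if gaps else 0.0
    suspicious = (len(set(labels)) == len(labels) >= min_labels
                  and mean_entropy >= min_entropy and periodic >= min_periodic)
    return {"labels": len(labels), "mean_entropy": round(mean_entropy, 2),
            "median_gap_s": round(med), "periodic_fraction": round(periodic, 2),
            "suspicious": suspicious}

def analyse(log):
    return {apex: score_apex(ev) for apex, ev in parse_queries(log).items()}
```

Run over the sample, both kangozip.com and ikcharhrzksikbchlqef.com come back suspicious with a median gap of about 1201 seconds, while example.com does not because its one label repeats and has zero entropy.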

Whois on kangozip:

  Domain Name.......... kangozip.com
  Creation Date........ 2006-08-29 01:13:51
  Registration Date.... 2006-08-29 01:13:51
  Expiry Date.......... 2007-08-29 01:13:51
  Organisation Name.... cheng li
  Organisation Address. shang xi
  Organisation Address.
  Organisation Address. shang xi
  Organisation Address. 345678
  Organisation Address. LN
  Organisation Address. CN

  Admin Name........... cheng li
  Admin Address........ shang xi
  Admin Address........
  Admin Address........ shang xi
  Admin Address........ 345678
  Admin Address........ LN
  Admin Address........ CN
  Admin Email..........
  Admin Phone.......... +86.2123456789
  Admin Fax............ +86.2112345678

  Tech Name............ cheng li
  Tech Address......... shang xi
  Tech Address.........
  Tech Address......... shang xi
  Tech Address......... 345678
  Tech Address......... LN
  Tech Address......... CN
  Tech Email...........
  Tech Phone........... +86.2123456789
  Tech Fax............. +86.2112345678

  Bill Name............ cheng li
  Bill Address......... shang xi
  Bill Address.........
  Bill Address......... shang xi
  Bill Address......... 345678
  Bill Address......... LN
  Bill Address......... CN
  Bill Email...........
  Bill Phone........... +86.2123456789
  Bill Fax............. +86.2112345678
  Name Server.......... ns1.dns.com.cn
  Name Server.......... ns2.dns.com.cn

and the IP address:

[bored@Fedora httpd]# whois 68.213.254.139
[Querying whois.arin.net]
[Redirected to rwhois.eng.bellsouth.net]
[Querying rwhois.eng.bellsouth.net]
[Unable to connect to remote host]

Temporary glitch no doubt.

kangozip.com (24.122.0.161)

[bored@thor 13aprilvirus]# whois 24.122.0.161
[Querying whois.arin.net]
[whois.arin.net]
COGECO Cable Canada Inc. RAPIDUS-02 (NET-24-122-0-0-1)
24.122.0.0 - 24.122.255.255
COGECO Cable Canada Inc. COQB-TR04 (NET-24-122-0-0-2)
24.122.0.0 - 24.122.63.255

# ARIN WHOIS database, last updated 2007-04-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Win-Trojan/Agent.19476
Other names: Trojan-Downloader.Win32.Agent.bft, Generic.Malware.SWYdld.87D41066
Risk level: High
Spread risk: Low; current spread: Low
Type: Trojan; infection form: executable file
Infected OS: Windows; infection route: file execution, other malware
Me it is not small; first domestic discovery: 2007-02-02
Detection: Y; repair: Y
Repair engine: 2007.02.03.00; specific activity date: none
[Condition]

Win-Trojan/Agent.19476 opens a TCP port and performs backdoor functions. It also leaks specific files from the user's system to a specific FTP server.

[Contents]

* Propagation path

It has no self-propagation function. The user downloads and runs the executable from e-mail, a messenger, a bulletin board or a file archive, or another piece of malware (a worm, virus or Trojan) installs it.

* After executing condition

[File creation]

It creates the following files in the Windows system folder.

 - nmsx.exe (19,476 bytes)
 - iaxcfg32.dll (840 bytes)

Note) The Windows system folder depends on the Windows version: C:\Windows\System on Windows 95/98/ME, C:\WinNT\System32 on Windows NT/2000 and C:\Windows\System32 on Windows XP.

[Registry registration]

To run automatically at Windows startup, it adds the following values to the registry.

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   MSMSGNER = <Windows system folder>\nmsx.exe

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
   %System%\nmsx.exe = <Windows system folder>\nmsx.exe:*:enabled:winupd32


It then attempts to connect to the following addresses.

7*.3*.6*.1**
www.n ******** .com

Note) Parts of the addresses are masked with *.



[Removal method]

It can be removed with MyV3.