Runouce Trojan with IRC bot spreads via .eml files

A Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:
Infection Cycle:
The Trojan makes the following DNS queries:
On our test system the following files were created:
  • %USERPROFILE%\kuelio.exe
  • %SYSTEM32%\runouce.exe ("runonce" with the "n" changed to "u"; patched)
  • %SYSTEM32%\runonce.exe (patched)
The following files were also created:
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\mmhkkegccagdldgiimedpiccmgmieda\0.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml
The Trojan writes the following keys to the registry to enable continued infection activity after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio "%USERPROFILE%\kuelio.exe /y"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce "%SYSTEM32%\runouce.exe"
If shared folders or external drives are attached, the following file is written to them:
The Trojan disables the ability to kill kuelio.exe.
NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe:
The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the .rsrc section and injects its code there. It then changes the entry point (OEP) so that the infected executable runs the malicious code first:
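As an added defender-side check (example code, not part of the SonicWall advisory), the following Python parses the PE section table by hand and flags an entry point that falls inside .rsrc or inside a section without the execute flag, the anomaly that the patching described above would leave in runonce.exe. The clean and infected headers are constructed inline for testing; real files can be passed on the command line.

```python
"""Flag PE files whose entry point (OEP) lies in .rsrc or in a non-executable section."""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def entry_point_section(data):
    """Return (entry_rva, section_name, characteristics) for the section holding the OEP."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> "PE\0\0"
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                               # section table follows the optional header
    for i in range(nsect):
        name, vsize, vaddr, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            return entry, name.rstrip(b"\0").decode("ascii", "replace"), chars
    return entry, None, 0

def oep_anomalies(data):
    """Findings a defender would look for after Runouce-style patching of runonce.exe."""
    _, name, chars = entry_point_section(data)
    findings = []
    if name is None:
        return ["entry point outside every section"]
    if name == ".rsrc":
        findings.append("entry point inside .rsrc")
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point section {name} is not executable")
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header (no real code) for testing; sections = [(name, rva, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(0xE0, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), size, rva, size, 0, 0, 0, 0, 0, c)
                     for n, rva, size, c in sections)
    return dos + coff + opt + table

TEXT = (".text", 0x1000, 0x2000, 0x60000020)        # CODE | EXECUTE | READ
CLEAN = build_pe(0x1000, [TEXT, (".rsrc", 0x3000, 0x1000, 0x40000040)])
# Constructed infected sample: .rsrc grown from 0x1000 to 0x1800 bytes and the OEP moved into the added tail.
INFECTED = build_pe(0x3A00, [TEXT, (".rsrc", 0x3000, 0x1800, 0x40000040)])

if __name__ == "__main__":                           # usage: python oep_check.py <file.exe> ...
    for path in sys.argv[1:]:
        print(path, oep_anomalies(open(path, "rb").read()) or "no OEP anomaly")
```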
The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

So, please update your gateway security and/or endpoint security to protect against this Trojan.

Source: Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
