Skip to main content

Runouce Trojan with IRC bot spreads via .eml files

By
A Trojan that spreads via .eml files. The Trojan contains IRC functionality and also has the ability to infect pre-installed system executable files with malicious code:
Infection Cycle:
The Trojan makes the following DNS queries:
On our test system the following files were created:
  • %USERPROFILE%\kuelio.exe
  • %SYSTEM32%\runouce.exe ("runonce" with "n" changed to "u" (patched)) 
  • %SYSTEM32%\runonce.exe (patched)
The following files were also created:
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.9_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\enacoimjcgeinfnnnpajinjgmkahmfgb\0.65.0_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\changelogs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions\focgpgmpinbadijfcdimbdkgnpndjnkl\0.54_0\tabs\readme.eml
  • %APPDATA%\Google\Chrome\User Data\Default\Extensions
    mmhkkegccagdldgiimedpiccmgmieda\0.1.1.0_0\html\readme.eml
  • %USERPROFILE%\Local Settings\Temp\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\B4ZWX2C9\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\FATM9A7M\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\HE7GL0WO\readme.eml
  • %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\MDJBB39W\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\HTML\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\OFFICE12\VS Runtime\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Smart Tag\1033\readme.eml
  • %PROGRAMFILES%\Common Files\Microsoft Shared\Stationery\readme.eml
  • %PROGRAMFILES%\Common Files\System\ado\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\AccessWeb\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms3\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms4\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms5\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Stationery\1033\readme.eml
  • %PROGRAMFILES%\Microsoft Office\Templates\12\MseNewFileItems\readme.eml
  • %PROGRAMFILES%\NetMeeting\readme.eml
  • %PROGRAMFILES%\WinRAR\readme.eml
  • %PROGRAMFILES%\Wireshark\readme.eml
The Trojan writes the following keys to the registry to enable continued infection activity after reboot:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuelio "%USERPROFILE%\kuelio.exe /y"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Runouce "%SYSTEM32%\runouce.exe"
If there are shared folders or external drives attached the following file will be written to it:
The Trojan disables the ability to kill kuelio.exe.
NOTHING-6A527FE.eml and readme.eml are email files that contain an attachment called pp.exe :
The Trojan infects %SYSTEM32%\runonce.exe with additional malicious code. It modifies the PE section headers to extend the rsrc section and inject code. It then changes the OEP (entrypoint) so that the infected executable runs the malicious code first:
The Trojan joins an IRC server hosted at ircd.zief.pl and awaits further instructions:

So, please update your gateway security and/or endpoint security to prevent from this Trojan.

Source: Dell SonicWall Security Center

Have a good time.
(Be knowledgeable, pass it on then)
Labels:

Comments

Post a Comment

Popular posts from this blog

Fortigate guide for Begineer - 6

By
I would like to explaine how to troubleshoot the Fortigate Unit configured by Transparent Mode in step by step this time. Let's assume, you have one Fortigate Unit that configured as Transparent Mode. But devices from Internal/Private Network unable to access Internet/Public Network through your Fortigate Unit. OK. Let's troubleshoot with following steps, 1) Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. 2) Check the router and ISP-supplied equipment to make sure it is operating correctly. 3) Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on a
Post a Comment
Read more

Solving the "A general system error occured:Invalid fault" error in vSphere 4

By
Below error was come out when you try to migrate VM to other host for some reason. Below error was come out when you try to edit VM setting. Below error was come out when you power on the VM. How to solve those error? Here is how I resolve the error! Login to the Host that errored VM exist by using Terminal or Direct Console. Enter below command and press enter. services.sh restart Wait until all VMware Services are restarted. After that try to Power On/Edit Settings or Migrate the errored VM and you will see all you can do without any error pop-up. This kind of errors can occur if you shutdown/restart VM unproperly or shutdown/restart the Host unproperly that VM exist. You can check log file deeply if you willing to know precisely on this. May you all be happy. (Be knowledgeable, pass it on then)
1 comment
Read more

Why do we need network virtualization?

By
We need to think about Server Virtualization first if we want to talk about Network Virtualization. In the era of cloud computing, servers are virtualized and used in Data Centers. We are facing a lot of problem when we virtualized our Servers, 1) Routing and Switching Problem Routing become the issue when we create Virtual Switch and VLANs according to production requirement. Network Team might need some time to change on their end to meet with Server Virtualization Team changes on their end. ၂) Firewall Services Physical Firewall are difficult to manage due to the large number of rules needed to satisfy business requirements. New applications, new projects, and new networks all come with potential security requirements, which impact centralized firewall management. ၃) Load Balancing Let's say your company deploys a new physical load balancer for each tenant, resulting in increased capital expenditures. Once a tenant reaches their maximum capacity, it ca
146 comments
Read more