Update
A few guys asked what are the hashes associated with the samples; here they are:
c483bffc879233d99ba52f05fd100872 skype_02102012_images.exe 393b4c117e15fbcfe56f560a8e6a3f0c skype_04102012_image.exe 98f74b530d4ebf6850c4bc193c558a98 skype_05102012_image.exe e8e2ba08f9aff27eed45daa8dbde6159 skype_06102012_image.exe e3af8159d2f1af293bb43cd41d4171db skype_08102012_image.exe
I just had a very quickly look at the code today and interestingly, there are some ‘funny’ snippets e.g.
- directly reading value at @7FFE002Ch _KUSER_SHARED_DATA.ImageNumberLow and if not equal to IMAGE_FILE_MACHINE_I386 is launching Internet Explorer – its PID is later used by some extra thread which I have not explored yet
- a dead code attempting to wipe out the PhysicalDrive0
- checking if the host’s drive is USB via DeviceIoControl (…(IOCTL_STORAGE_QUERY_PROPERTY…)
- code removing ADS :Zone.Identifier
- seems to be also hooking a few APIs, but need to check that as well
Older post
Info on skype worm does the rounds, so I had a quick look and dumped the strings from the process inject – some are quite interesting and indicative of the functionality described in various blogs. Don’t have time to look at the code today, but it does look interesting enough to come back to it.
Interestingly, while timestamps indicate compilation timestamps from 2012
2012-10-02 19:36:26 .\skype_02102012_images.exe 2012-10-04 15:03:38 .\skype_04102012_image.exe 2012-10-06 06:24:55 .\skype_05102012_image.exe 2012-10-07 01:15:19 .\skype_06102012_image.exe 2012-10-08 12:09:07 .\skype_08102012_image.exe
The compilation time of one of the injects is 2011-05-16 21:46:39, so it seems to be quite an old code.
%s.%s
pdef
%s.%S
brk
dll
exe
DBWIN
\\.\pipe
%s.Protect “%s” against file removal done!!
%s.Protect “%S” against removal of our pc!!
block
bdns
kernel32.dll
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Stopped “%s” against removal of file!
%s.Stopped “%S” against moving the file!
%s.MSN-> Done, MSG is sent
%s.MSN-> Succesfully sent to %s!
%s.MSN-> Message Pwned :)!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ssssssssssssss: %d
ssssssssss: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
ntdll.dll
\\.\pipe\%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
%s-Mutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
Internet Explorer\iexplore.exe
PONG
JOIN #
PRIVMSG #
%s.Stopped “%S” against makin “%S”
%s.Stopped “%S” against makin “%S” – “%s” file deleted successfully!
.exe
autorun.inf
%s.Identified Proc- “%S” sending a suspicious message to %s:%d.
%s.Identified Proc- “%S” as malicious upon checking port %s:%d {Nigger: %s}.
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
cnc
%s:%d
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU\
HKLM\
%s.%S%S
%S%S%S
HKCU\
HKLM\
msn
%s_
aaaaa_%s
off
%s.%s (p=’%S’)
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
asdadasdsss
asds
sss
ssssss
ssss
%s-%s-%s
dasdsd
asdsds
Microsoft Unified Security Protocol Provider
%s.ewfewewrtwertwerterfegergwregwergwergretretwerfrr ‘%s’
scr
pif
com
%s.eufhquwefh9wef89qwey8fhqwehf89hqwe89fh8w9ehf89h8e ‘%S’
dddddsds
asdasdsds
234534543324534545445
23423415644556
894848
89234543464554544
345487544
8944451
843456544
298548344565454458449
8344584458495
345234545
8344584544
2854844
81254848484450
sdfdfcs
asdsdsasffsds
ssdasccxzxccefrg
erffssd
eeefiyu
etwegfg
erttergh
ertrtgb
ertgfd
erttrf
rrrr
dfhtrstgthgh
rthfg
ertrtfdgfg
cvbhrthgfgh
dfbbghth
thtrhhgf
dfgdgggbvf
dfgerhrthth
rthhth
dfgrthrtggfgv
rthrtgtrhthrt
dgrthgfhhhg
ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
pas
log
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
rut
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
GMX
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
AOL
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
GET
POST
Mozilla/4.0
Connection: Close
X-a: b
\\.\PHYSICALDRIVE0
00100
%d.
SeShutdownPrivilege
NtShutdownSystem
uwifhuewgfhkjhsduyrhdhd
eiueriufjeidj
weiouriweojrioejeicn
eriuioiuerhoiohwefhjidj
ewoueiuroyihehdkjjfbcn
System Issue
shell32.dll
“%s” %S
msg
http
int
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
POST
http://%s/%s
http://%s/
HTTP
Host:
POST /%1023s
.exe
lol
lol.exe
{%s|%s%s}%s
n%s{%s|%s%s}%s
<br>
ERR
2K8
VIS
2K3
admin
isadmin
127.0.0.1
%s|%s|%s
DnS Redir3cted!!!! “%s” to “%s”
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
332
433
001
376
MOTD
bsod
disable
POP3 ->
FTP ->
[d=”%s” s=”%d bytes”] Problem Found!: Check ur MD5 (%s != %s)
dlds
http://
R3b00tinG
[Login]: %s
[DNS]: Blocked %d domain(s) – Redirected %d domain(s)
asdasdweifuhwuiefggweihwuerhiiuhwerhueb
Software\Microsoft\Windows\CurrentVersion\Run
%s:Zone.Identifier
lolsup
running
IPC_Check
wininet.dll
secur32.dll
ws2_32.dll
shell\open\command=
shell\explore\command=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%\system32\cmd.exe
&&%%windir%%\explorer.exe %%cd%%%s
/c “start %%cd%%RECYCLER\%s
RECYCLER
.inf
%s%s
\\.\%c:
%S%S\Desktop.ini
%s\%s
%sautorun.tmp
%sautorun.inf
%c:\
gdkWindowToplevelClass
%0x.exe
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length:
%s.%s hijacked!
%s=
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability:
From:
Content-Length: %d
X-MMS-IM-Format:
SDG %d
bmsn
%s_0x%08X
winlogon.exe
explorer.exe
RegCreateKeyExW
RegCreateKeyExA
advapi32.dll
URLDownloadToFileW
URLDownloadToFileA
urlmon.dll
PR_Write
nspr4.dll
DnsQuery_W
DnsQuery_A
dnsapi.dll
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
send
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
kernel23.dll
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%s\%s.exe
%08x
OPEN
lsass.exe
Ft7
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
w,a
jp5
IOCTL_STORAGE_QUERY_PROPERTY