When USB drive shortcut is opened, .dll file which is present in the same directory (root directory), is executed. It is also used to update Thumbs.db<\/b> present in the same directory, if internet connection is available. Thumbs.db,<\/b> in turn, is used to create TrustedInstaller.exe<\/b>.<\/p>\n
Fig.1: Snapshot of infected removable drive<\/b><\/p>\n This TrustedInstaller.exe<\/b> is dropped in a new directory in the root drive. Newly created directory would be named as either C:temp or C:MSI .<\/p>\n Components Used for Malware Execution:<\/span><\/b><\/p>\n \u00a0Clean File Scenario:<\/b><\/p>\n 1. USB Drive (.lnk)<\/b>: Removable drive shortcut icon to open respective drive.<\/p>\n Fig.2: Clean drive shortcut icon<\/b><\/p>\n 2<\/b>. desktop.ini<\/b>: This is a hidden file used to customize and adjust settings for the Windows folders in which it is present.<\/p>\n 3<\/b>. Thumbs.db<\/b>: Thumbs.db files are stored in each directory that contains thumbnails on Windows systems. These files are created locally among the images, preventing system wide use of the data.<\/p>\n Our Case:<\/b><\/p>\n 1<\/strong>. USB Drive (.lnk):<\/strong> This is a removable drive shortcut. If you notice, the \u201cinfected drive shortcut icon\u201d displays a specific size (to misguide the user), whereas, the \u201cclean drive shortcut icon\u201d does not.<\/p>\n Fig.3: Infected drive shortcut icon<\/b><\/p>\n When the user clicks this icon in order to explore its contents, at the back end it executes *.dll<\/b> file present in the root of removable drive, by executing the command which can be as follows:<\/p>\n \u201c%homedrive%WINDOWSSystem32rundll32.exe _WHVX.nil, rundll32<\/b>\u201d <\/i><\/p>\n Here,<\/p>\n %homedrive%WINDOWSSystem32rundll32.exe – <\/i>is a<\/i> command used to execute the .dll file.<\/p>\n _WHVX.nil – is <\/i>the name of .dll file which varies.<\/p>\n Rundll32 – <\/i>is the <\/i>name of the export function in above .dll file.<\/p>\n 2<\/strong>. *.dll<\/b>: It is used to decrypt code in Destop.ini and execute the decrypted code.<\/p>\n 3<\/strong>. Desktop.ini<\/b>: The code contained in desktop.ini first tries to download an updated copy of Thumbs.db, replacing the existing file in the USB drive if internet connection is available.<\/p>\n 4<\/strong>. Thumbs.db<\/b>: This is actually an encrypted PE file, which upon decryption, gets copied into TrustedInstaller.exe.<\/p>\n Evolution & Modification:<\/span><\/b><\/p>\n *.dll uses desktop.ini to download TrustedInstaller.exe.<\/p>\n EVOLUTION STAGE 1<\/i><\/b><\/p>\n Initially *.dll & desktop.ini file used to be readable.<\/p>\n Desktop.ini was present in Unicode form.<\/p>\n Fig.4: Stage 1 desktop.ini<\/i> file<\/b><\/p>\n EVOLUTION STAGE 2<\/i><\/b><\/p>\n Later, Dependency information in *.dll & downloaded information in desktop.ini became encrypted.<\/p>\n Fig.5: Stage 2 dll<\/i> file<\/b><\/p>\n Fig.6: Stage 2 desktop.ini<\/i> file<\/b><\/p>\n EVOLUTION STAGE 3<\/i><\/b><\/p>\n \u00a0<\/b>Earlier files (desktop.ini & .dll) were obscured so that decryption could not be easily traced.<\/p>\n Fig.7: Stage 3 dll <\/i>file<\/b><\/p>\n Fig.8: Stage 3 desktop.ini <\/i>file<\/b><\/p>\n Technical Details:<\/span><\/b><\/p>\n Dll file<\/b> is executed with the help of rundll32.exe<\/b><\/p>\n 1<\/strong>. Shellexecute<\/i> is used to open desktop.ini file by passing its handle.<\/p>\n 2<\/strong>. This desktop.ini file is read in memory for further process.<\/p>\n 3<\/strong>. This desktop.ini is decrypted if it is in encrypted form using decryption loop which is present in .dll file.<\/p>\n 4<\/strong>. Desktop.ini contains the code to check internet connection status. Depending on the connection status, it will either download latest thumbs.db or use currently present thumbs.db. This thumbs.db contains TrustedInstaller.exe in encrypted form. Domains from which the file is downloaded may change.<\/p>\n We have gone through various domains from where it is downloaded. Some of the domains are as follows:<\/p>\n hxxp:\/\/sobea.in Fig.9: Contents of destop.ini After Decryption<\/b><\/p>\n 1<\/strong>. This Thumbs.db is in turn decrypted & copied to a newly created folder (C:temp or C:MSI)<\/span> in the root directory as TrustedInstaller.exe.<\/p>\n 2<\/strong>. TrustedInstaller.exe is used to infect removable drive. Removable drive contains shortcut & its (removable drive) contents are put into folder which has hidden property enabled.<\/p>\n 3<\/strong>. On opening this shortcut, it runs a .dll file at back end & opens a hidden folder, so that the user finds contents of the drive without knowing that the malicious file has already been executed.<\/p>\n 4<\/strong>. This dropped TrustedInstaller.exe,<\/b> when runs, performs the following actions:<\/p>\n a)<\/strong> Drops another component of Worm.Gamarue.<\/p>\n b)<\/strong> Writes encrypted data to the following registry entry:<\/p>\n HKCUSOFTWAREe_magic<\/i><\/p>\n [The binary written to HKCUSOFTWAREe_magic is another encrypted version of the TrustedInstaller.exe<\/b> component, which is subsequently used to infect more removable drives.]<\/p>\n c)<\/strong> Writes data into the following registry entry:<\/p>\n HKLMSOFTWAREMicrosoft022FF03<\/i><\/p>\n The data written to the registry entry HKLMSOFTWAREMicrosoft022FF03 is interesting, as it contains what looks like a ZIP header at the start, but is not actually a ZIP archive.<\/p>\n![\"Snapshot_of_infected_removal_drive\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2013\/08\/Snapshot_of_infected_removal_drive.png\")
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n
\nhxxp:\/\/m.deltaheavy.ru
\nhxxp:\/\/suckmycocklameavindustry.in
\nhxxp:\/\/thesecond.in<\/p>\n<\/a><\/p>\n