Virus Guy
Since: Aug 05, 2005
Posts: 424

(Msg. 1) Posted: Wed Dec 26, 2007 11:16 am
Post subject: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: alt.comp.virus

I came across this in another NG:

hxxp://uhavepostcard.com

Many people will (or have) gotten spam e-mails along the lines of
"Merry Christmas" or "Happy New Year" postcards.

If you aren't prompted to download anything (I wasn't) then try this:

hxxp://uhavepostcard.com/happy-2008.exe

VT is id'ing it typically as a Zhelatin variant (which is typical of
storm).

Only 11 out of 32 scanners have identified it as a threat.

Those that did are:

AntiVir
Avast
BitDefender
ClamAV
DrWeb
Microsoft
NOD32
Panda
Prevx1
Symantec
Webwasher

See also:

http://isc.sans.org/diary.html?storyid=3784
http://isc.sans.org/diary.html?storyid=3778

The file seems to be zlib compressed.

Does anyone know of a compiled, windows, stand-alone executable
decompressor for zlib files?

Duh_Oz
Since: Dec 26, 2007
Posts: 1

(Msg. 2) Posted: Wed Dec 26, 2007 7:51 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

On Dec 26, 10:16 am, Virus Guy <Vi....TakeThisOut@Guy.com> wrote:
> I came across this in another NG:
>
> hxxp://uhavepostcard.com
>
> Many people will (or have) gotten spam e-mails along the lines of
> "Merry Christmas" or "Happy New Year" postcards.
>
> If you aren't prompted to download anything (I wasn't) then try this:
>
> hxxp://uhavepostcard.com/happy-2008.exe
>
> VT is id'ing it typically as a Zhelatin variant (which is typical of
> storm).
>
> Only 11 out of 32 scanners have identified it as a threat.
=========
D'OH - I didn't see your post here - I was in ACAV and crossposted to
ACV before I noticed you mention the same thing.

WhoIs reports:
Using 0 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% By submitting a query to RU-CENTER's Whois Service
% you agree to abide by the following terms of use:
% http://www.nic.ru/about/servpol.html (in Russian)
% http://www.nic.ru/about/en/servpol.html (in English).

Domain name: UHAVEPOSTCARD.COM
Name Server: ns.uhavepostcard.com 67.121.126.210
Name Server: ns10.uhavepostcard.com 190.164.104.238
Name Server: ns11.uhavepostcard.com 68.188.56.57
Name Server: ns12.uhavepostcard.com 75.131.200.201
Name Server: ns13.uhavepostcard.com 79.118.3.79
Name Server: ns2.uhavepostcard.com 74.64.83.22
Name Server: ns3.uhavepostcard.com 125.129.126.115
Name Server: ns4.uhavepostcard.com 24.27.188.238
Name Server: ns5.uhavepostcard.com 222.96.57.19
Name Server: ns6.uhavepostcard.com 72.160.162.202
Name Server: ns7.uhavepostcard.com 98.194.109.125
Name Server: ns8.uhavepostcard.com 69.224.114.33
Name Server: ns9.uhavepostcard.com 69.178.121.56
Creation Date: 2007.12.23
Updated Date: 2007.12.24
Expiration Date: 2008.12.23

Status: DELEGATED

Registrant ID: 3LSDCDE-RU
Registrant Name: Kerry Corsten
Registrant Organization: Kerry Corsten
Registrant Street1: 1845 str., of. 734
Registrant City: Los Angeles
Registrant State: CA
Registrant Postal Code: 32056
Registrant Country: US

Administrative, Technical Contact
Contact ID: 3LSDCDE-RU
Contact Name: Kerry Corsten
Contact Organization: Kerry Corsten
Contact Street1: 1845 str., of. 734
Contact City: Los Angeles
Contact State: CA
Contact Postal Code: 32056
Contact Country: US
Contact Phone: +1 320 6549834
Contact Fax: +1 320 6549834
Contact E-mail: ***********@hotmail.com

Registrar: ANO Regional Network Information Center dba
RU-CENTER

Last updated on 2007.12.26 07:07:46 MSK/MSD

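A defender-side reading of the WHOIS record above, as an added example (not code from any poster in this thread): it parses the pasted "Name Server" and "Creation Date" lines and scores the things an analyst would flag by eye, namely the number of name servers, how widely their glue addresses are spread, whether every name server lives inside the domain itself, and how young the domain is. The WHOIS lines are copied from the post; the thresholds, the benign comparison record and the function names are my own assumptions.

```python
import re
from datetime import date

# Lines copied from the WHOIS output quoted in the post above (name servers and dates only).
WHOIS_TEXT = """\
Domain name: UHAVEPOSTCARD.COM
Name Server: ns.uhavepostcard.com 67.121.126.210
Name Server: ns10.uhavepostcard.com 190.164.104.238
Name Server: ns11.uhavepostcard.com 68.188.56.57
Name Server: ns12.uhavepostcard.com 75.131.200.201
Name Server: ns13.uhavepostcard.com 79.118.3.79
Name Server: ns2.uhavepostcard.com 74.64.83.22
Name Server: ns3.uhavepostcard.com 125.129.126.115
Name Server: ns4.uhavepostcard.com 24.27.188.238
Name Server: ns5.uhavepostcard.com 222.96.57.19
Name Server: ns6.uhavepostcard.com 72.160.162.202
Name Server: ns7.uhavepostcard.com 98.194.109.125
Name Server: ns8.uhavepostcard.com 69.224.114.33
Name Server: ns9.uhavepostcard.com 69.178.121.56
Creation Date: 2007.12.23
Updated Date: 2007.12.24
Expiration Date: 2008.12.23
"""

# Constructed control record in the same layout: two registrar name servers, old domain.
BENIGN_TEXT = """\
Domain name: EXAMPLE-BENIGN.TEST
Name Server: ns1.registrar-dns.test 192.0.2.10
Name Server: ns2.registrar-dns.test 192.0.2.11
Creation Date: 2003.05.01
"""

DOMAIN_RE = re.compile(r"^Domain name:\s+(\S+)", re.M | re.I)
NS_RE = re.compile(r"^Name Server:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})", re.M)
CREATED_RE = re.compile(r"^Creation Date:\s+(\d{4})\.(\d{2})\.(\d{2})", re.M)


def parse_whois(text):
    """Return (domain, [(ns_name, glue_ip), ...], creation_date) from RU-CENTER style output."""
    domain = DOMAIN_RE.search(text).group(1).lower()
    servers = NS_RE.findall(text)
    y, m, d = (int(x) for x in CREATED_RE.search(text).groups())
    return domain, servers, date(y, m, d)


def assess_fast_flux(text, observed_on, young_days=30, many_ns=8):
    """Score a WHOIS record with heuristics that fit botnet-hosted DNS (thresholds are assumptions)."""
    domain, servers, created = parse_whois(text)
    ips = [ip for _, ip in servers]
    slash16 = {tuple(ip.split(".")[:2]) for ip in ips}
    in_bailiwick = bool(servers) and all(
        name.lower().endswith("." + domain) for name, _ in servers)
    age = (observed_on - created).days
    findings = []
    if len(servers) >= many_ns:
        findings.append(f"{len(servers)} name servers; legitimate zones rarely need more than a handful")
    if servers and len(slash16) >= 0.75 * len(servers):
        findings.append(f"NS glue spread over {len(slash16)} distinct /16 prefixes, "
                        "consistent with scattered infected hosts rather than one hosting provider")
    if in_bailiwick:
        findings.append("every name server is inside the domain itself, so no third party vouches for it")
    if age <= young_days:
        findings.append(f"domain registered only {age} day(s) before it was seen in spam")
    return {"domain": domain, "ns_count": len(servers), "distinct_slash16": len(slash16),
            "in_bailiwick": in_bailiwick, "age_days": age, "findings": findings}


if __name__ == "__main__":
    for text in (WHOIS_TEXT, BENIGN_TEXT):
        result = assess_fast_flux(text, date(2007, 12, 26))
        print(result["domain"], "->", len(result["findings"]), "finding(s)")
        for f in result["findings"]:
            print("  -", f)
```

Run it against a live WHOIS dump by replacing the text; the regexes only cover the RU-CENTER layout shown in the post, so other registrars need their own field patterns.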
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 3) Posted: Thu Dec 27, 2007 4:19 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

Virus Guy <Virus.RemoveThis@Guy.com> wrote in news:47727E62.6439911C@Guy.com:

> happy-2008.exe
>

No such luck for me. The site won't provide the file now. :(



--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.RemoveThis@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 4) Posted: Thu Dec 27, 2007 5:07 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

Dustin Cook <bughunter.dustin.DeleteThis@gmail.com> wrote in
news:Xns9A1374DF0B8C3HHI2948AJD832@69.28.186.121:

> Virus Guy <Virus.DeleteThis@Guy.com> wrote in news:47727E62.6439911C@Guy.com:
>
>> happy-2008.exe
>>
>
> No such luck for me. The site won't provide the file now. :(
>
>
>

Never mind. I got several variants of it now. Thanks!


--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.DeleteThis@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
Ant
Since: Jan 31, 2004
Posts: 241

(Msg. 5) Posted: Thu Dec 27, 2007 5:16 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

"Dustin Cook" wrote:

>>> happy-2008.exe
>>
>> No such luck for me. The site won't provide the file now. :(

It's a botnet, so you get a different host/IP every time you resolve
the domain which is currently newyearcards2008.com. The file name has
also changed. Get the index page to find its name.

The exe will drop and install a driver (which also contains a packed
exe) together with a text file of peers for the bot to talk to. The
internal packing and names of these files is always changing.

> Never mind. I got several variants of it now. Thanks!

There are potentially thousands!
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 6) Posted: Thu Dec 27, 2007 5:24 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

"Ant" <not RemoveThis @home.today> wrote in news:XuGdnfrdiOSvQ-
7anZ2dnUVZ8uGdnZ2d RemoveThis @brightview.co.uk:

> "Dustin Cook" wrote:
>
>>>> happy-2008.exe
>>>
>>> No such luck for me. The site won't provide the file now. :(
>
> It's a botnet, so you get a different host/IP every time you resolve
> the domain which is currently newyearcards2008.com. The file name has
> also changed. Get the index page to find its name.

Yep, got the details. :)

> The exe will drop and install a driver (which also contains a packed
> exe) together with a text file of peers for the bot to talk to. The
> internal packing and names of these files is always changing.

I noticed this in sandboxie. And you're right, it seems they are always
changing by a few bytes or so.

>> Never mind. I got several variants of it now. Thanks!
>
> There are potentially thousands!

I suspect as much. Ah well, I'll eventually detect what I can. :)


--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin RemoveThis @gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
Virus Guy
Since: Aug 05, 2005
Posts: 424

(Msg. 7) Posted: Thu Dec 27, 2007 9:00 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

Ant wrote:

> The exe will drop and install a driver (which also contains a
> packed exe) ...

Does anyone know of a compiled stand-alone executable decompressor for
zlib files?

Ant?
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 8) Posted: Fri Dec 28, 2007 8:56 am
Post subject: Re: A new crop of Storm (time of year for e-mail postcards)
Archived from groups: per prev. post

I Hate Stock Spamz <mister.TakeThisOut@ellaneous.cn> wrote in
news:a08eb8b9e297f066586bf89e723a2776@remailer.metacolo.com:

>> Does anyone know of a compiled stand-alone executable decompressor
>> for zlib files?
>
> Will this maybe work for you?
> http://www.eskimo.com/~scottlu/win/cexe.exe
> (I think he has some sort of documentation on his site also)

You're a funny person...
File: cexe.exe
SHA-1 Digest: 3b33379a6178077ba93bde9736baf6e0aec872bb
Size: 78848 bytes
Detected Packer: CExe v1.0a
Status:
Infected or Malware (Confidence 20.00%)
Date Scanned: Fri Dec 28 08:43:26 +0000 2007


Scanner              | Scanner Version | Scanner Engine | Scanner Signatures | Result                          | Scan Time
---------------------|-----------------|----------------|--------------------|---------------------------------|-----------
A-Squared            | 3.0.0.126       | N/A            | 20071228           | Trojan-Dropper.Win32.Inflator.b | 11.65 secs
Arcavir              | 1.0.5           | N/A            | 13:50 27-12-2007   | Trojan.Dropper.Inflator.B       | 10.84 secs
avast!               | 3.0.1           | N/A            | 071227-0           | Win32:Trojan-gen                | 0.45 secs
AVG Anti Virus       | 7.5.49          | 442            | 269.17.11/1200     | Clean                           | 17.45 secs
Avira AntiVir        | 2.1.11-47       | 7.6.0.46       | 7.0.1.166          | Clean                           | 22.56 secs
CA eTrust            | N/A             | 31.03.00       | 31.03.5408         | Clean                           | 1.63 secs
CAT QuickHeal        | 9.00            | N/A            | 27 December, 2007  | Clean                           | 27.54 secs
ClamAV               | 0.91.2          | N/A            | 5271               | Clean                           | 0.04 secs
Dr. Web              | 4.44.0.10150    | 4.44.0.9170    | 281784             | Clean                           | 30.10 secs
F-PROT               | 4.6.8           | 3.16.16        | 27 December 2007   | Clean                           | 4.00 secs
F-PROT 6             | 6.2.1           | 4.4.1.52       | 20071227220743     | Clean                           | 11.77 secs
F-Secure             | 1.02            | 5325           | 2007-12-28_02      | Clean                           | 23.75 secs
Kaspersky            | 5.7.13          | 466050         | 28-12-2007         | Clean                           | 24.98 secs
NOD32                | 2.70.6          | 1068           | 2751               | Clean                           | 13.60 secs
Norman Virus Control | 5.70.01         | 5.91.08        | 5.90               | Clean                           | 43.18 secs
Panda                | 9.04.03.0001    | 1271167        | 14/12/2007         | Clean                           | 8.41 secs
Sophos Sweep         | 4.24.0          | 2.52.1         | 4.24               | Clean                           | 22.59 secs
Trend Micro          | N/A             | 8.500-1001     | 918                | Clean                           | 7.74 secs
VBA32                | 3.12.2.5        | N/A            | 2007.12.27         | Clean                           | 7.94 secs
VirusBuster 2005     | 1.3.4           | 4.3.23:9       | 9.118.7/11.0       | Trojan.DR.Horst.OW.Gen          | 9.74 secs

It's indeed a packer. Has another slightly squished program sitting
inside of it, behind most of its horrible code. :(


> You can also use the dll and write a pretty wrapper with VC++ or VB.
> Also exists somewhere python and ruby ports of the library if you are
> inclined to use a unix or windows command line based solution and have
> ruby or python installed.

What dll?

It will drop three executables, disguised as temp files in the directory
you run it from (in this case, the VM), and modify the winlogon shell
key from Explorer.exe to x :(

The tmp files themselves are packed, and likely do even more annoying
things. heh.

Virus Guy, I wouldn't say this has any dll or that it's a self extractor;
it sure didn't want to extract anything useful insofar as what you're
looking for.


--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.TakeThisOut@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 9) Posted: Fri Dec 28, 2007 9:11 am
Post subject: Re: A new crop of Storm (time of year for e-mail postcards)
Archived from groups: per prev. post

Dustin Cook <bughunter.dustin RemoveThis @gmail.com> wrote in
news:Xns9A1429C8D2007HHI2948AJD832@69.28.186.121:

> I Hate Stock Spamz <mister RemoveThis @ellaneous.cn> wrote in
> news:a08eb8b9e297f066586bf89e723a2776@remailer.metacolo.com:
>
>>> Does anyone know of a compiled stand-alone executable decompressor
>>> for zlib files?
>>
>> Will this maybe work for you?
>> http://www.eskimo.com/~scottlu/win/cexe.exe
>> (I think he has some sort of documentation on his site also)

It's a win32 packer, not a decompressor; and it seems to rely heavily on
temp files...

>
>> You can also use the dll and write a pretty wrapper with VC++ or VB.
>> Also exists somewhere python and ruby ports of the library if you are
>> inclined to use a unix or windows command line based solution and
>> have ruby or python installed.
>
> What dll?

You must have meant the source code itself; the cexe.exe file you can
download doesn't decompress zlib files.

--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin RemoveThis @gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
Virus Guy
Since: Aug 05, 2005
Posts: 424

(Msg. 10) Posted: Fri Dec 28, 2007 10:30 am
Post subject: Re: A new crop of Storm (time of year for e-mail postcards)
Archived from groups: per prev. post

I Hate Stock Spamz wrote:

> > Does anyone know of a compiled stand-alone executable
> > decompressor for zlib files?
>
> Will this maybe work for you?
> http://www.eskimo.com/~scottlu/win/cexe.exe

Have you seen the VT profile for it?

http://www.virustotal.com/resultado.html?309466ac944926647a93eb247350af7d

It's ID'd as a trojan dropper by a few AV's.
Virus Guy
Since: Aug 05, 2005
Posts: 424

(Msg. 11) Posted: Fri Dec 28, 2007 10:35 am
Post subject: Re: A new crop of Storm (time of year for e-mail postcards)
Archived from groups: per prev. post

I Hate Stock Spamz wrote:

> > Does anyone know of a compiled stand-alone executable
> > decompressor for zlib files?
>
> Will this maybe work for you?
> http://www.eskimo.com/~scottlu/win/cexe.exe

"Cexe Executable Compressor v1.0b"

"Compresses inputexe into a smaller executable. If outputexe is not
specified, inputexe is replaces with the smaller executable."

That is a compressor - not a de-compressor.

It's a command-line program, and it says it doesn't run on win-9x (but
it appeared to run ok on my system).
Ant
Since: Jan 31, 2004
Posts: 241

(Msg. 12) Posted: Fri Dec 28, 2007 4:13 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

"Virus Guy" wrote:

> Ant wrote:
>> The exe will drop and install a driver (which also contains a
>> packed exe) ...

That's not quite correct. The embedded executables were not packed but
were sometimes obfuscated. It looks like only the peers list is packed
in the initial exe.

> Does anyone know of a compiled stand-alone executable decompressor for
> zlib files?

You would need one that can find and extract zlib compressed sections
in files.

The following strings appear in the exe (which was NOT packed in my
samples) embedded in the driver:
"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly"
"inflate 1.2.3 Copyright 1995-2005 Mark Adler"

Those strings, and the code around them, match what's in the zlib
dll [1]. I think they've included it so that the exe can pack or unpack
other files. I can't see evidence of its use on data in that file.

[1]
http://www.zlib.net/
Virus Guy
Since: Aug 05, 2005
Posts: 424

(Msg. 13) Posted: Fri Dec 28, 2007 4:13 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

Ant wrote:

> > Does anyone know of a compiled stand-alone executable
> > decompressor for zlib files?
>
> You would need one that can find and extract zlib compressed
> sections in files.

Why is it so hard to find a stand-alone decompressor for zlib files?

> The following strings appear in the exe

> embedded in the driver:
> "deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly"
> "inflate 1.2.3 Copyright 1995-2005 Mark Adler"

Yes I saw those, which makes me think that the file (happy-2008.exe)
was compressed using zlib.

(which was NOT packed in my samples)

What do you mean by that?

Your version of happy-2008.exe was not packed? Or was not packed
using zlib?

> Those strings, and the code around them, match what's in
> the zlib dll [1]. I think they've included it so that the
> exe can pack or unpack other files. I can't see evidence of
> its use on data in that file.

When you've got a compressed, self-unpacking exe, and there is very
little readable text in the file, and that text identifies a
particular compression method then can't you assume that the file was
packed using that compression method?

Have you unpacked happy-2008.exe, and if so what unpacker did you use?
Ant
Since: Jan 31, 2004
Posts: 241

(Msg. 14) Posted: Fri Dec 28, 2007 11:16 pm
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

"Virus Guy" wrote:

> Ant wrote:
>>> Does anyone know of a compiled stand-alone executable
>>> decompressor for zlib files?
>>
>> You would need one that can find and extract zlib compressed
>> sections in files.
>
> Why is it so hard to find a stand-alone decompressor for zlib files?

It's not a 'zlib' file. Parts of it may have been packed using the
zlib library but certainly not the whole file. There would be code
in the exe to call the unpack function at some arbitrary point. An
external unpacker would have to discover where it was or somehow find
the start of the compressed data. There's no reason to assume there
would be standard headers to look for.

>> embedded in the driver:
>> "deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly"
>> "inflate 1.2.3 Copyright 1995-2005 Mark Adler"
>
> Yes I saw those, which makes me think that the file (happy-2008.exe)
> was compressed using zlib.
>
> (which was NOT packed in my samples)
>
> What do you mean by that?
>
> Your version of happy-2008.exe was not packed? Or was not packed
> using zlib?

I mean that file and the files inside it weren't compressed with
anything. You snipped the bit where I corrected myself. Only the text
of the peers list was compressed and I don't know what with. I let
the debugger take care of it.

>> Those strings, and the code around them, match what's in
>> the zlib dll [1]. I think they've included it so that the
>> exe can pack or unpack other files. I can't see evidence of
>> its use on data in that file.
>
> When you've got a compressed, self-unpacking exe,

You haven't. It's a dropper with a bit of internal compressed data.
Some examples are obfuscated with an XOR mask, and in those cases you
don't see the strings.

> and there is very
> little readable text in the file, and that text identifies a
> particular compression method then can't you assume that the file was
> packed using that compression method?

No, because I couldn't see anything in the final extracted file (it
contains the zlib code) which looks compressed. However, I might have
missed something but there are enough visible strings to see it's up
to no good (e.g. spamming).

> Have you unpacked happy-2008.exe, and if so what unpacker did you use?

There's no magic tool for this one. It takes some work with a
debugger/disassembler, knowledge of the PE (Portable Executable)
format and typical obfuscation tricks.
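An added example, not code from Ant or anyone else in the thread, that answers the question Virus Guy asks in Msg. 1 and Msg. 7 (a stand-alone zlib decompressor) in the way Ant's reply above implies it has to be answered: a scanner that walks a file at every byte offset and inflates any zlib stream it finds, rather than expecting a file-level header, and that first strips the single-byte XOR mask Ant mentions by using the "inflate 1.2.3 Copyright 1995-2005 Mark Adler" string quoted in Msg. 12 as known plaintext. The sample blob, the peer list inside it, the mask key 0x5A and all function names are constructed for this example.

```python
import zlib

# Version string quoted from the dropper in Msg. 12; it survives in an unmasked image.
ZLIB_MARKER = b"inflate 1.2.3 Copyright 1995-2005 Mark Adler"


def has_zlib_header(cmf, flg):
    """RFC 1950 header check: deflate method, window <= 32K, FCHECK makes CMF*256+FLG % 31 == 0."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def carve_zlib_streams(data, min_out=16, raw=False):
    """Return [(offset, stream_length, plaintext)] for every complete zlib stream in data.

    Offsets are tried one by one, so no file-level header is needed. raw=True also
    attempts headerless deflate at every offset (much slower and noisier)."""
    found, i, n = [], 0, len(data)
    while i < n - 1:
        headered = has_zlib_header(data[i], data[i + 1])
        if headered or raw:
            d = zlib.decompressobj(zlib.MAX_WBITS if headered else -zlib.MAX_WBITS)
            try:
                out = d.decompress(data[i:])
                # Only accept streams that reach end-of-stream (adler32 verified for zlib)
                # and produce enough output to rule out random-byte false positives.
                if d.eof and len(out) >= min_out:
                    consumed = n - i - len(d.unused_data)
                    found.append((i, consumed, out))
                    i += consumed
                    continue
            except zlib.error:
                pass
        i += 1
    return found


def unmask(data, key):
    """Apply a single-byte XOR mask (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data, marker=ZLIB_MARKER):
    """Known-plaintext recovery of a single-byte XOR key: instead of unmasking the whole
    image 256 times, mask the marker and look for it in the data. Returns None if absent."""
    for key in range(256):
        if unmask(marker, key) in data:
            return key
    return None


def build_sample(key=0x5A):
    """Constructed stand-in for a dropper image: filler bytes, the zlib version strings,
    a compressed peer list (constructed addresses), trailing padding, all XOR-masked."""
    peers = b"\n".join(b"10.0.%d.%d 4001" % (i, i * 7 % 251) for i in range(40))
    blob = bytes([(i * 37 + 11) & 0xFF for i in range(300)])          # filler
    blob += b"deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly\0"   # string from Msg. 12
    blob += ZLIB_MARKER + b"\0"
    blob += zlib.compress(peers, 9)                                   # embedded peer list
    blob += bytes(120)                                                # trailing padding
    return unmask(blob, key), peers


if __name__ == "__main__":
    masked, _ = build_sample()
    key = recover_xor_key(masked)
    print("recovered XOR key:", None if key is None else hex(key))
    image = masked if key is None else unmask(masked, key)
    for offset, length, plain in carve_zlib_streams(image):
        print(f"zlib stream at offset {offset}, {length} bytes -> {len(plain)} bytes inflated")
        print(plain[:60].decode("ascii", "replace"), "...")
```

Two caveats follow from Ant's post: a stream that was compressed as raw deflate carries no RFC 1950 header, so only the raw=True pass can find it, and a multi-byte or rolling mask defeats the single-byte recovery here, which is where the debugger Ant describes takes over.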
Dustin Cook
Since: Jun 01, 2006
Posts: 165

(Msg. 15) Posted: Sat Dec 29, 2007 4:46 am
Post subject: Re: A new crop of Storm (it's that time of year for e-mail postcards)
Archived from groups: per prev. post

"Ant" <not.RemoveThis@home.today> wrote in
news:ffedncxfjvuaGejanZ2dnUVZ8u6dnZ2d@brightview.co.uk:

> "Virus Guy" wrote:
>
>> Ant wrote:
>>>> Does anyone know of a compiled stand-alone executable
>>>> decompressor for zlib files?
>>>
>>> You would need one that can find and extract zlib compressed
>>> sections in files.
>>
>> Why is it so hard to find a stand-alone decompressor for zlib files?
>
> It's not a 'zlib' file. Parts of it may have been packed using the
> zlib library but certainly not the whole file. There would be code
> in the exe to call the unpack function at some arbitrary point. An
> external unpacker would have to discover where it was or somehow find
> the start of the compressed data. There's no reason to assume there
> would be standard headers to look for.
>
>>> embedded in the driver:
>>> "deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly"
>>> "inflate 1.2.3 Copyright 1995-2005 Mark Adler"
>>
>> Yes I saw those, which makes me think that the file (happy-2008.exe)
>> was compressed using zlib.
>>
>> (which was NOT packed in my samples)
>>
>> What do you mean by that?
>>
>> Your version of happy-2008.exe was not packed? Or was not packed
>> using zlib?
>
> I mean that file and the files inside it weren't compressed with
> anything. You snipped the bit where I corrected myself. Only the text
> of the peers list was compressed and I don't know what with. I let
> the debugger take care of it.
>
>>> Those strings, and the code around them, match what's in
>>> the zlib dll [1]. I think they've included it so that the
>>> exe can pack or unpack other files. I can't see evidence of
>>> its use on data in that file.
>>
>> When you've got a compressed, self-unpacking exe,
>
> You haven't. It's a dropper with a bit of internal compressed data.
> Some examples are obfuscated with an XOR mask, and in those cases you
> don't see the strings.
>
>> and there is very
>> little readable text in the file, and that text identifies a
>> particular compression method then can't you assume that the file was
>> packed using that compression method?
>
> No, because I couldn't see anything in the final extracted file (it
> contains the zlib code) which looks compressed. However, I might have
> missed something but there are enough visible strings to see it's up
> to no good (e.g. spamming).
>
>> Have you unpacked happy-2008.exe, and if so what unpacker did you use?
>
> There's no magic tool for this one. It takes some work with a
> debugger/disassembler, knowledge of the PE (Portable Executable)
> format and typical obfuscation tricks.

And a little time. :(


--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.RemoveThis@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt