The activities of an “in-the-wild” malware


Today, out of boredom, I decided to check the kind of spam I receive in my Gmail inbox. Since all the spam emails had the same kind of spammy-attractive titles, I decided to check the first one, succulently titled “Video Paris Hilton Nude !”. The email had a conspicuous hyperlink with an H1 anchor text to a file “video-paris-hilton.avi.exe” (notice the .exe at the end).

Like an unsuspecting average Joe, I decided to download the file and see what it had in store for me. I scanned the downloaded file with Kaspersky Antivirus and it failed to detect any rogue code in it. So, I decided to run it and see what it does. Its actions seemed innocuous at first. Double-clicking it generated an error:

Feeling kind of dissatisfied, I continued with my work. After a few minutes, suddenly, my wallpaper changed to this:

And I got a warning from KIS that the malware was trying to access the internet. I promptly blocked it.

Now, my first action was to try and change the wallpaper. But I found the ‘Desktop’ and ‘Screensaver’ tabs missing from the Display properties window.

But I’m not the one to easily give up. I did some research and found out that the malware had disabled the Desktop and Screensaver tabs by modifying some registry entries, namely ‘NoDispBackgroundPage’ and ‘NoDispScrSavPage’ under ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\System’. It had modified their values from 0 to 1, which had disabled them.

I re-modified the entries to their default values and got back the Desktop and Screensaver tabs in the Display properties window. Then I changed my wallpaper to the previous one.

On the next reboot, I found that the malware copies itself to ‘C:\Windows\System32’ as lphcvtmj0ejdn.exe, and creates an autoloading entry in the registry which will run the malware on every reboot. I removed the entry from ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache’ and deleted the file from the ‘system32’ folder.
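As an added example (not part of the original post), here is a PowerShell script that audits the two policy values described above, optionally resets them to 0, and reports the dropped file and any MUICache entry naming it; the script layout and the -Restore switch are my own assumptions, and the policy key is written as Windows spells it (CurrentVersion, no space).

```powershell
# Added example, not from the original post. Audit the Display Properties
# policy values the malware set, restore them on request, and report the
# dropped file and MUICache entry the post describes.
param([switch]$Restore)   # assumed switch name for this script

$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = 'NoDispBackgroundPage', 'NoDispScrSavPage'
$muiKey     = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
$droppedName = 'lphcvtmj0ejdn.exe'                       # file name from the post
$droppedFile = Join-Path $env:SystemRoot "System32\$droppedName"

foreach ($name in $valueNames) {
    # Missing value means the tab is not restricted; 1 means it is hidden
    $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        Write-Output "$name : not present (tab visible)"
    } elseif ($current -eq 1) {
        Write-Output "$name : 1 (tab hidden)"
        if ($Restore) {
            Set-ItemProperty -Path $policyKey -Name $name -Value 0 -Type DWord
            Write-Output "$name : reset to 0"
        }
    } else {
        Write-Output "$name : $current"
    }
}

# Report the dropped file with a hash that can be submitted to the AV vendor
if (Test-Path $droppedFile) {
    Get-Item $droppedFile | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-FileHash -Path $droppedFile -Algorithm SHA256
} else {
    Write-Output "No file named $droppedName in System32"
}

# List MUICache entries that reference the dropped file name
$mui = Get-ItemProperty -Path $muiKey -ErrorAction SilentlyContinue
if ($mui) {
    $mui.PSObject.Properties |
        Where-Object { $_.Name -like "*$droppedName*" } |
        ForEach-Object { Write-Output "MUICache entry: $($_.Name) = $($_.Value)" }
}
```

Run it once without -Restore to see the current state, then with -Restore to put the two values back to 0 as the post does by hand.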

I’ve already sent the malware to Kaspersky Labs for analysis. I’ll update this post when I hear from them.

Update: Response from Kaspersky Labs:

Hello,

video-paris-hilton.avi.exe_ – Trojan-Downloader.Win32.Small.aboa

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.


Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

All’s well that ends well!