1

What's in a picture?

Sometimes, nothing that you can look at.
We are analyzing what appears to be a spike in PornClicker activity. The keenly named updater, up.exe, for this software downloads a jpg from smart-browser.com, a “sex browser” software distributor.
Jpeg files normally are a special format of image files commonly used for displaying pictures on the web. But this updater renames the downloaded jpegs to .dll and .exe extensions. They most likely are using the jpg extension on its downloaded executables to evade the simplest firewall and Url filtering schemes.

The delphi-written executable surprises us with a few camouflaging techniques. We are seeing it use multiple plays on Adobe’s trademarked name. For example, when up.exe is run and deletes itself, it uses the unusual suspended process/setthreadcontext technique mentioned in a previous post to start and inject Internet Explorer with its own code. Then, the code running within the IE process creates an “Adobe” directory within the user’s %Application Data% directory. This zombie Internet Explorer process downloads the udpi2.jpg file served from hxxp://smart- browser.com/ updatex/ udpi2.jpg, and renames the phony image file to rundtl.exe. Their code then creates a run registry key so that the app starts every time the machine is booted:
“HKCUSoftware
MicrosoftWindowsCurrentVersionRunAdobeManager”
“C:Documents and SettingspApplication DataAdoberundtl.exe” -sys
Hmm. Is it a pdf reader or Adobe’s download manager? No.

Instead, once running alongside another downloaded .jpg file renamed to an executable component (mdb.dll), the PornClicker connects to Yahoo!Messenger over http and starts spamming out messages like
“I know it’s been a while but check out my webpage and let me know if you wanna talk more”
hxxp://sexmecrazyy .com
It also begins to click on and pull down garbled urls.

Nothing to look at here:

ThreatFire’s name for it is “PuA.SmartBrowser.PornClicker”.
Note- The ThreatFire name has been updated to “Trojan.Injector”.

This entry was posted in Online Fraud. Bookmark the permalink.

One Response to What's in a picture?

  1. kurt wismer says:

    presumably the pua in PuA.SmartBrowser.PornClicker means possibly unwanted application…

    one wonders under what circumstances it wouldn’t be unwanted…

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>