
A recent spam worm analysis

08.26.2008 - 5:15 PM
Here in the Labs, we have recently discovered a new spam worm spreading. It is usually delivered by spam that tries to deceive users into clicking a malicious URL contained in the message. Once clicked, the URL redirects users to malicious Web sites that display an ActiveX Object error. This fake error is intended to manipulate users into downloading files infected with a virus. This is shown in Figure 1.

Figure 1: The message used to deceive users to download a worm

The worm has evolved through several generations, and its file name can be "flash.exe", "adobe_flash.exe" or "get_flash_update.exe". These names look like legitimate software from Adobe, Inc., but they are not. This worm is so widespread that we have found thousands of infected Web sites so far. Please check the details in Figure 2.

Figure 2: The popularity of the new spam worm


Let's examine a sample worm. The following sample is packed with a known packer, possibly written by the virus author. After a series of time-consuming decryptions, the packer decodes every section except ".rsrc". It uses the TEA/N algorithm. As shown in Figure 3, the TEA algorithm uses a 128-bit key for decryption. In a second decryption pass, the packer overwrites the original section with the decoded data. Finally, the packer fixes the import and relocation tables and then transfers control to the malware.

Figure 3: TEA algorithm
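As an added illustration of the decryption step described above, here is a standard TEA implementation written for this page; it is not code recovered from the packer, and the key, the sample section bytes and the plain block-by-block (ECB, host byte order) use are assumptions, since the post gives none of them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define TEA_DELTA  0x9E3779B9u
#define TEA_CYCLES 32u  /* standard TEA: 32 cycles of two Feistel rounds each */
/* Encrypt one 64-bit block v[0..1] under the 128-bit key k[0..3] (standard TEA). */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (uint32_t i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}
/* Inverse: the same key schedule walked backwards, starting at sum = DELTA * 32. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_CYCLES; /* 0xC6EF3720 */
    for (uint32_t i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}
/* Run TEA block by block over a section image in place (plain ECB, as a simple
 * packer would); memcpy keeps unaligned section data safe. Returns the number of
 * blocks processed, or 0 if len is not a non-zero multiple of 8. */
size_t tea_apply(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    if (len == 0 || len % 8 != 0) return 0;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
    return len / 8;
}
/* Self-check on constructed data: encrypt a fake 16-byte section, verify it changed,
 * then decrypt it and verify the original bytes are back. Returns 1 on success. */
int tea_selftest(void) {
    const uint32_t key[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u}; /* constructed */
    uint8_t plain[16], work[16];
    memcpy(plain, "unpacked-code-!!", 16);  /* constructed sample section bytes */
    memcpy(work, plain, 16);
    if (tea_apply(work, 16, key, 0) != 2 || memcmp(work, plain, 16) == 0) return 0;
    if (tea_apply(work, 16, key, 1) != 2 || memcmp(work, plain, 16) != 0) return 0;
    return 1;
}
```

An analyst unpacking such a sample would call tea_apply with decrypt set on each encrypted section once the key has been recovered from the packer stub.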

After executing, the worm copies itself to the system directory and registers itself as a service named CbEvtSvc. It then collects system information, such as geographic location, hardware profile, and especially the operating system version. See Figure 4. It tries to send this information to a predefined server over HTTP, and the server responds with a list of malicious URLs when contacted. See Figure 5. The worm then downloads all the viruses in the URL list and executes them.

Figure 4: Customer information

Figure 5: URL list that the server returns

Based on reverse engineering of the virus, we can see that all the URLs the server sends end with a special GUID, D7EB6085-E70A-4f5a-9921-E6BD244A8C17, and that the list is updated very quickly. We suspect the server can receive requests from other Trojans as well. In this way, an infected system silently downloads viruses from the server, and the infected systems together form a large network for distributing the viruses. We will continue to monitor the development of this threat.

Security Researcher: Ulysses Wang
