F-Secure Virus Descriptions : Googkle
F-Secure staff has found a malicious website that exploits a common
spelling error made when typing the name of the popular search engine
'Google.com'. If a user opens the malicious website, his or her
computer gets hijacked: a lot of different malware is automatically
downloaded and installed, including trojan droppers, trojan
downloaders, backdoors, a proxy trojan and a spying trojan. A few
adware-related files are also installed.
The name of the malicious website is 'Googkle.com'. PLEASE DO NOT
GO TO THIS WEBSITE! Otherwise your computer will get infected! We
have reported the case to the authorities.
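The typosquatting described above can be caught in proxy or DNS logs by flagging hostnames that are a small edit distance away from a brand domain. This is an added defensive example, not code from the original description; the log lines are constructed and the BRANDS list is an assumption.

```python
"""Flag proxy-log hostnames within a small edit distance of a brand domain
(the 'googkle.com' for 'google.com' pattern this page describes)."""
import re
BRANDS = ("google.com",)   # registrable domains to protect (assumed list)

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) by iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels: 'www.googkle.com' -> 'googkle.com'.
    Assumption: multi-label public suffixes (co.uk) are out of scope here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, max_dist=2):
    """Return (brand, distance) for a near-miss; None for an exact match,
    a real subdomain of the brand, or an unrelated name."""
    dom = registrable(host)
    for brand in BRANDS:
        if dom == brand:
            return None
        d = levenshtein(dom, brand)
        if d <= max_dist:
            return brand, d
    return None

LOG_LINE = re.compile(r"^\S+\s+\S+\s+(?P<host>[A-Za-z0-9.-]+)")  # '<time> <client> <host>'

def find_typosquats(lines, max_dist=2):
    """Return [(host, brand, distance)] for every near-miss host in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (res := classify(m.group("host"), max_dist)):
            hits.append((m.group("host"), res[0], res[1]))
    return hits

SAMPLE_LOG = [  # constructed proxy log, not real traffic
    "2005-04-26T10:00:01 10.0.0.5 www.google.com",
    "2005-04-26T10:00:07 10.0.0.5 googkle.com",
    "2005-04-26T10:00:09 10.0.0.5 www.ntsearch.com",
    "2005-04-26T10:00:12 10.0.0.7 goog1e.com",
    "2005-04-26T10:00:15 10.0.0.7 example.com",
]

if __name__ == "__main__":
    for host, brand, d in find_typosquats(SAMPLE_LOG):
        print(f"{host}: looks like {brand} (edit distance {d})")
```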
Our investigation revealed that the whole infection starts from
the 'googkle.com' website. This website, as well as a few related
websites, is owned by people with Russian names. Several of the
malicious files downloaded from these websites also contain
Russian text.
When 'googkle.com' is opened in a browser, it shows two popup
windows that are linked to the following websites:
www.ntsearch.com
toolbarpartner.com
The 'ntsearch.com' website downloads and runs the 'pop.chm' file
and the 'toolbarpartner.com' website downloads and runs the
'ddfs.chm' file. Both files are downloaded using exploits, and
they contain exploits themselves to run embedded executable
files. One of the webpages of the 'toolbarpartner.com' website
downloads a file named 'pic10.jpg' using an exploit. This JPG
file is actually an executable that replaces the Windows Media
Player application.
In addition, these websites launch a stream of webpages with
different exploits that end up downloading and running two files
from the 'daosearch.com' website:
web.exe
classload.jar
See the description of these files below.
As far as the JAR archive is concerned, the actual malware
functionality is in Installer.class, which downloads a file from
the same location the JAR file itself is loaded from.
First the applet looks for the filename to download in the applet
parameter ModulePath (specified in the HTML tag). If the
parameter is not specified, the applet defaults to msxmidi.dat.
After the file is downloaded, the applet gets the location of the
Windows directory with GetWindowsDirectory(), saves the
downloaded executable there as 'web.exe' and executes it.
As said above, two CHM files get downloaded and activated on a
computer. The 'pop.chm' file drops the 'sp.exe' file and runs it.
The dropped 'sp.exe' file is detected as
'Trojan.Win32.Spooner.f'.
The 'ddfs.chm' file drops the 'frame.exe' file and runs it. The
'frame.exe' file is a trojan downloader that is detected as
'Trojan-Downloader.Win32.Small.apf'. It has the functionality to
automatically reply to the security questions asked by Windows,
to ensure that its process has a connection to the Internet. This
downloader downloads and runs the following files from the
'toolbarpartner.com' website:
xz.exe
ggl.exe
The 'xz.exe' file is a trojan dropper that is detected as
'Trojan-Dropper.Win32.Small.vv'. It drops a DLL named
'winloadhh.dll', detected as 'Trojan-Downloader.Win32.Small.anu',
to the root folder of the C: drive. This DLL is another downloader
that connects to two different websites to get the list of files
to download:
toolbarpartner.com
sturfajtn.com
The last time we checked these sites, they contained the following
lists of files to download:
The 'sturfajtn.com' website:
next3.exe
next1.exe
next2.exe
The 'toolbarpartner.com' website:
ggl.exe
svchosts.exe
proxyrnd.exe
ldr.exe
toolbar.exe
inst.exe
winran.exe
These files are currently detected as follows:
next1.exe: Trojan-Spy.Win32.Banker.jk
next2.exe: Trojan-Proxy.Win32.Small.bh
next3.exe: Backdoor.Win32.Zins.c
ggl.exe: Trojan-Dropper.Win32.Small.vn
inst.exe: Trojan-Dropper.Win32.Small.wp
ldr.exe: Trojan-Downloader.Win32.Agent.lv
proxyrnd.exe: Backdoor.Win32.Jeemp.c
So as you can see, a nice malware package gets installed on an
affected computer: two backdoors, two trojan droppers, a proxy
trojan, a spying trojan (that steals bank-related information)
and a trojan downloader.
The 'winran.exe' file that is downloaded from the 'pillz.info'
website is a trojan dropper. It copies itself to the Windows
System folder with a random name and drops a DLL, also with a
random name, to the same folder. The DLL modifies the HOSTS file
to block connections to the following websites:
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
download.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
update.symantec.com
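Blocking vendor update servers through the HOSTS file leaves a durable artifact that is easy to audit. The following script, added here as a defensive example and not part of the original description, parses a HOSTS file and flags any entry for the update domains listed above; the sample file content is constructed.

```python
"""Audit a Windows HOSTS file for entries that pin security-vendor update
domains, the technique attributed above to the DLL dropped by 'winran.exe'."""

# Domains the description lists as blocked. A legitimate HOSTS file has no
# reason to name any of them, so every entry is suspect regardless of the IP.
WATCHLIST = {
    "downloads1.kaspersky-labs.com", "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com", "downloads4.kaspersky-labs.com",
    "download.mcafee.com", "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com", "update.symantec.com",
}

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a HOSTS file.
    Handles tabs and spaces, inline '#' comments and several names per line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip("."), n

def audit_hosts(text, watchlist=WATCHLIST):
    """Return [(line_no, hostname, ip)] for every watchlisted name in the file."""
    return [(n, name, ip) for ip, name, n in parse_hosts(text) if name in watchlist]

# Constructed sample file; an infected host would simply carry such lines.
SAMPLE_HOSTS = """\
# sample HOSTS file header
127.0.0.1       localhost
127.0.0.1\tliveupdate.symantec.com   # appended by the dropper
127.0.0.1 update.symantec.com download.mcafee.com
0.0.0.0 downloads1.kaspersky-labs.com
192.168.1.20 intranet.example.local
"""

if __name__ == "__main__":
    for n, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
```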
The 'svchosts.exe' file is a trojan dropper. It drops a DLL named
'svchosts.dll' into the Windows System folder. This DLL places a
fake virus alert on the desktop. The alert looks like this
(original spelling preserved):
VIRUS ALERT!
YOUR PC IS INFECTED!
IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!
The consequences of spyware and virus presence on your pc might belike:
loosing all the data, data might be stolen, your secrets might beexposed.
PROTECT YOUR PC!
REMOVE ALL VIRUSES NOW!
This fake alert is created by placing an HTML file on the desktop,
so that a user can click on the alert and go to a pre-defined
website. The link from this fake alert points to the following
website:
topantivirus.biz
This website offers links to different websites that offer
anti-virus and spyware cleaners for download. The motto of this
site is 'Top Antivirus - We help people.' Unfortunately, the way
people are directed to that website is somewhat deceptive.
The 'toolbar.exe' file is an adware installer that installs an
adware toolbar known as 'Perez'.
The 'pic10.jpg' file is a trojan dropper similar to 'frame.exe'.
It also drops a DLL named 'winloadhh.dll' to the root of the C:
drive. This DLL has the same functionality as the DLL detected as
'Trojan-Downloader.Win32.Small.anu' mentioned above.
The 'web.exe' file is also a trojan downloader, identical to the
'pic10.jpg' file described above.
F-Secure Anti-Virus detects most of the malicious programs that
are downloaded from the 'googkle.com' site as well as from
related websites.
Technical Details:
Alexey Podrezov, Veli-Jussi Kesti and Jarno Niemela, April 26th, 2005;
F-Secure Corporation