Cali.A

Cali is packed with Yoda and UPX. It's packed size is 51270 bytes. Once unpacked it grows up to 100KiB.

The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. It's possible to appreciate in the code this feature, which protects the stack by placing a 'canary' value between the function's local variables and the return address. In this scenario if a buffer overflow would occur, it would be detected before the function returns, making the exploitation of an overflow a non trivial task.

The stack protection is enabled with the /GS option. More documentation on its implementation can be found from "Compiler Security Checks In Depth":

https://go.microsoft.com/fwlink/?Linkid=7260

It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security related issues.

Once executed it creates a a mutex named:

"4D36E64A-W325-121E-BFC1-080C2BE11318"
 

in order to avoid being run more than once. And copies itself to:

%WinDir%\system\services.exe
 

A registry key will be set to point to the dropped file, the name of the key will be randomly chosen from:

BuildLab
RegDone
ccApps
Microsoft Visual SourceSafe
TEXTCONV
FriendlyTypeName
.Prog
WMAudio
 

therefore, the registry key might look as follows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"WMAudio" = "%WinDir%\system\services.exe"
 

Where %WinDir% is the main Windows folder.

email spreading

When massmailing, it will attach itself with names such as:

office.exe
notes.exe
doom3demo.exe
resume.exe
files.exe
request.exe
info.exe
details.exe
result.exe
results.exe
install.exe
setup.exe
test.exe
google.exe
se_files.exe