New malware circulating on Facebook

A new virus is currently being spread on Facebook. The sample was forwarded to us for analysis by the friendly website www.safer-internet.gr. The new virus is encrypted to make analysis difficult and to avoid detection by antivirus, but the iGuRu.gr technical team managed to "see" how the malicious program works.


Let's take things from the beginning.

The virus arrives inside a .zip file, as shown in the photo below. Its name is random and differs from sample to sample. Java must be installed on the victim's computer for the virus to run.

The specific file we examined is called Form_0910.zip. The zip contains an executable .jar file (a Java archive) which is not recognized by antivirus (we scanned it with two different products and neither flagged it). The jar contains the following files:

.settings folder

META-INF folder

.classpath

.project

and the malicious (encrypted/obfuscated) class file DOYUMGEOGFVKNBO.class

The .settings folder, .classpath and .project are Eclipse IDE project files; their presence inside the archive means the author exported the whole Eclipse project as the jar.

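A static triage of a jar like this one can be done without running it: a jar is a zip, so the entry list, the manifest's Main-Class and the magic bytes of each .class can be read directly. The following is an added example written for this article, not code from iGuRu.gr or from the sample; the two jars it builds are constructed stand-ins (the class bodies are dummy bytes, not the real DOYUMGEOGFVKNBO.class), and the indicators it checks are exactly the ones listed above: Eclipse project residue, a single class with a random upper-case name, and a Main-Class pointing at it.

```python
import io
import re
import zipfile

# Indicators taken from the jar described above: Eclipse project files packed
# into the archive, and a single class whose name is a run of random capitals.
ECLIPSE_RESIDUE = (".classpath", ".project", ".settings/")
RANDOM_CLASS = re.compile(r"^(?:[^/]+/)*[A-Z]{8,}\.class$")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every loadable .class file starts with this


def triage_jar(data: bytes) -> dict:
    """Summarise a .jar (a zip) without executing anything inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.lower().startswith("main-class:"):
                    main_class = line.split(":", 1)[1].strip()
        classes = [n for n in names if n.endswith(".class")]
        return {
            "entries": len(names),
            "main_class": main_class,
            "class_count": len(classes),
            "random_class_names": sorted(n for n in classes if RANDOM_CLASS.match(n)),
            # a .class entry without the magic is a data blob, not code the JVM loads
            "class_without_magic": sorted(n for n in classes
                                          if not zf.read(n).startswith(CLASS_MAGIC)),
            "eclipse_residue": sorted(n for n in names
                                      if any(n == r or n.startswith(r)
                                             for r in ECLIPSE_RESIDUE)),
        }


def looks_like_dropper(report: dict) -> bool:
    """Heuristic: almost no code, a random-named entry point, and build residue."""
    entry = (report["main_class"] or "").replace(".", "/") + ".class"
    return (report["class_count"] <= 2
            and entry in report["random_class_names"]
            and bool(report["eclipse_residue"]))


def build_sample_jar() -> bytes:
    """Constructed stand-in for the jar inside Form_0910.zip (dummy class body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: DOYUMGEOGFVKNBO\r\n\r\n")
        zf.writestr(".classpath", "<classpath/>")
        zf.writestr(".project", "<projectDescription/>")
        zf.writestr(".settings/org.eclipse.jdt.core.prefs",
                    "eclipse.preferences.version=1\n")
        zf.writestr("DOYUMGEOGFVKNBO.class", CLASS_MAGIC + b"\x00" * 60)
    return buf.getvalue()


def build_benign_jar() -> bytes:
    """Constructed ordinary jar: a real package layout and no build residue."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: com.example.App\r\n\r\n")
        zf.writestr("com/example/App.class", CLASS_MAGIC + b"\x00" * 60)
        zf.writestr("com/example/Util.class", CLASS_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in (("sample", build_sample_jar()), ("benign", build_benign_jar())):
        report = triage_jar(jar)
        print(label, "dropper-like" if looks_like_dropper(report) else "ok", report)
```

To use it on a real sample, read the .jar into bytes and pass it to triage_jar; the heuristic is deliberately narrow (it keys on the three indicators the analysis found), so treat a negative as "not this family", not as "clean".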

If someone runs the jar file, the malware creates a folder named temp in C:\. Once the folder is created (it is not that fast) it starts downloading a large Windows executable (.exe). (We ran the jar on a Windows 7 virtual machine.)

In our case the downloaded file was named QNIDSUE.VZZ, but the name does not matter, as it is random (the second time we ran it the file was called VEKDGH.CXV). Note that the extension is random too, so the payload is a PE executable that is not named .exe. The file size surprised us: 3.8 MB is big for a malicious program.

The malicious exe was detected by ESET as Win32/Injector.AZFL trojan, a fairly new detection for ESET, which first recorded it on March 7, 2014.


The exe contains many subroutines (it is a kind of wrapper), so it can perform many functions. It can send e-mail, connect to FTP servers, and contains many embedded usernames and passwords, which tells us it can connect to remote computers and download further files.

One of its most dangerous features is that it can read the cookies on the victim's computer. This means it can steal the credentials stored there, and a stolen session cookie lets the attacker reuse a logged-in session (Facebook included) without ever knowing the password.

But it does not end here.

There is one more file, pthreads.dll. According to the analysis, this DLL is used to see what Windows is running, and the Windows Task Manager loads the same DLL. This can serve the attacker in different ways:

1. to see what the victim's computer is running and adjust the attack accordingly, or

2. to hide the malicious program from the Windows process list.

One caveat: a file named pthreads.dll is commonly the pthreads-win32 POSIX threads compatibility library that MinGW-built programs ship with, so the file name alone does not prove process-enumeration capability; what matters is which functions the executable actually imports from it.

If you have run the jar, look for a temp folder on your Windows system drive (C:\temp). Delete the folder and scan your entire system with a trusted, up-to-date antivirus. After the scan, change the passwords on the websites and services you use, and log out of all active sessions, since stolen cookies stay valid until the session ends.
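Checking the drop folder by hand means looking for the naming pattern seen above (random capitals, random three-letter extension) and confirming that such a file is really a Windows executable despite its extension. The following is an added example written for this article, not code from iGuRu.gr or from the sample: it scans a folder for files matching that pattern, reads the first two bytes to see whether they are the MZ header every PE file starts with, and flags large files. The folder it builds is a constructed stand-in for the temp folder on C: (an MZ header followed by padding, not real malware); on a Windows machine with C:\temp present it scans that folder instead.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern of the dropped file seen in the analysis: QNIDSUE.VZZ, VEKDGH.CXV
RANDOM_DROP = re.compile(r"^[A-Z]{5,}\.[A-Z]{3}$")
PE_MAGIC = b"MZ"            # DOS/PE header every Windows executable starts with
LARGE = 1024 * 1024         # the sample was 3.8 MB; flag anything over 1 MB


def find_dropped_payloads(folder) -> list:
    """List files in `folder` that match the drop pattern, noting whether each
    is really a PE executable despite its non-.exe extension."""
    hits = []
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file() or not RANDOM_DROP.match(p.name):
            continue
        with p.open("rb") as f:
            magic = f.read(2)
        size = p.stat().st_size
        hits.append({"name": p.name, "size": size,
                     "is_pe": magic == PE_MAGIC, "large": size >= LARGE})
    return hits


def make_constructed_drop_dir() -> str:
    """Constructed stand-in for the temp folder on C: one fake PE with a random
    name and one harmless text file. Only an MZ header plus padding, no code."""
    d = tempfile.mkdtemp(prefix="temp_")
    Path(d, "QNIDSUE.VZZ").write_bytes(PE_MAGIC + b"\x00" * (2 * LARGE))
    Path(d, "notes.txt").write_text("nothing to see here\n")
    return d


if __name__ == "__main__":
    real = Path("C:/temp")
    folder = str(real) if os.name == "nt" and real.is_dir() else make_constructed_drop_dir()
    for hit in find_dropped_payloads(folder):
        verdict = "PE under a fake extension" if hit["is_pe"] else "not a PE"
        print(f"{hit['name']}: {hit['size']} bytes, {verdict}")
```

A hit that is both a PE and large is the file described above; quarantine it for scanning rather than just deleting it, because the hash is what you will want to submit to VirusTotal or your antivirus vendor.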

Beware of this virus: it is very aggressive and is designed to steal your credentials. Although it arrives as a jar that can run on any platform with Java installed, the executable it downloads only infects Windows machines.

Thanks to the friendly website www.safer-internet.gr for the prompt tip-off, and to our technician and friend Paul Delia for the "exploration" of the virus.

Our VirusTotal scan is here (latest) and here.

The Malwr analysis is here.

* We also thank our friends at SecNews for their further examination of the virus. Their opinion is that the virus writer simply does not know how to program.


Written by giorgos
