Buzus.GDEF - Mass-Mailing Worm

February 18, 2011

The SonicWALL UTM Research team received reports of a new variant of a mass-mailing worm propagating in the wild. This worm propagates through email, P2P applications, network shares and removable drives.

Process of Infection:

An unsuspecting user may receive an email carrying the malware as an attachment. The worm sends emails with the following lures:

From: invitations@twitter.com
Subject: Your friend invited you to Twitter!
Attachment: Invitation Card.zip

    screenshot

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order
Attachment: Shipping documents .zip

    screenshot

From: update@facebookmail.com
Subject: You have got a new message on Facebook!
Attachment: Facebook message.zip

    screenshot

From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip

    screenshot

From: invitations@hi5.com
Subject: Laura would like to be your friend on hi5!
Attachment: Invitation Card.zip

    screenshot

From: resume-thanks@google.com
Subject: Thank you from Google!
Attachment: CV-20100120-112.zip

    screenshot
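The lure table above is the kind of thing a mail gateway can match on directly. The following Python is an added example written for this advisory, not SonicWALL's code: it parses a raw message with the standard `email` library, pulls out the sender address and attachment filenames, and reports a hit when they match one of the listed lures, or when a `.zip` arrives from one of the brand domains the worm impersonates (a broader check than the table alone). The sample messages are constructed inline; `build_sample` and the placeholder attachment bytes are assumptions for the demonstration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Lure table copied from the advisory: (sender address, attachment name), lower-cased.
KNOWN_LURES = {
    ("invitations@twitter.com", "invitation card.zip"),
    ("order-update@amazon.com", "shipping documents .zip"),
    ("update@facebookmail.com", "facebook message.zip"),
    ("e-cards@hallmark.com", "postcard.zip"),
    ("invitations@hi5.com", "invitation card.zip"),
    ("resume-thanks@google.com", "cv-20100120-112.zip"),
}
# Sender domains the worm impersonates, derived from the lure table.
SPOOFED_DOMAINS = {sender.split("@")[1] for sender, _ in KNOWN_LURES}


def attachment_names(msg):
    """Return the filenames of every part that carries one (attachments)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw_bytes):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message.

    known-lure   sender and attachment name match a lure from the advisory
    spoofed-zip  a .zip attachment claims to come from an impersonated brand domain
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    names = [name.lower() for name in attachment_names(msg)]
    findings = []
    for name in names:
        if (sender, name) in KNOWN_LURES:
            findings.append(("known-lure", f"{sender} -> {name}"))
        elif name.endswith(".zip") and domain in SPOOFED_DOMAINS:
            findings.append(("spoofed-zip", f"{sender} -> {name}"))
    return findings


def build_sample(sender, subject, attachment_name):
    """Construct a test message in the shape of the lures (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    # Constructed placeholder bytes stand in for the worm's zip archive.
    msg.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, subject, attachment in [
        ("invitations@twitter.com", "Your friend invited you to Twitter!", "Invitation Card.zip"),
        ("order-update@amazon.com", "Shipping update for your Amazon.com order", "Receipt.zip"),
        ("alice@example.org", "Meeting notes", "notes.pdf"),
    ]:
        print(sender, classify(build_sample(sender, subject, attachment)))
```

The second rule is deliberately wider than the table: the worm rotates attachment names, but the spoofed sender domains and the zip wrapper are the stable part of the lure, so a rule keyed on them keeps working when the filename changes.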

It may also send a phishing email:

    screenshot

Installation:

Once the user opens and executes the attachment, it will do the following:

Drops a copy of itself and additional components:

  • WINDOWS\system32\PCSuite.exe - [ detected as GAV: Buzus.GDEF (Trojan) ]
  • WINDOWS\system32\sta-css.exe - [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\{random}.dll - [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\system32\stat-cpe.exe - [ detected as GAV: Twain.A (Trojan) ]

Registry Changes

Adds the following registry entries to ensure that the malware runs on every system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nokia Launch Application
    Data: "C:\WINDOWS\System32\PCSuite.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Yravasaxog
    Data: "WINDOWS\w3dyu1.dll",Startup""

Adds the following registry entries as part of its installation:

  • Key: HKEY_CURRENT_USER\Software\Nokia4
  • Key: HKEY_LOCAL_MACHINE\Software\Nokia4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 "11"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 "24"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify InNewValue dword:00000001

Setting EnableLUA to 0 turns off User Account Control, and UACDisableNotify suppresses the Security Center warning that UAC has been disabled.

Adds the following registry entry to bypass firewall restrictions, registering PCSuite.exe as an authorized application in the Windows Firewall standard profile:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "C:\WINDOWS\system32\PCSuite.exe"
    Data: "C:\WINDOWS\system32\PCSuite.exe:*:Enabled:Explorer"
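The three registry changes above (Run-key persistence, UAC disabled, and a firewall exception for the same binary) are more convincing together than alone. The Python below is an added example for this advisory, not SonicWALL's tooling: it parses a regedit-style `.reg` export (the subset with `[key]` headers, quoted string values and `dword:` values) and correlates the entries, flagging a Run-key program that also has an enabled firewall exception, any Run entry that starts a DLL through an export name, `EnableLUA` set to 0, and the `Software\Nokia4` marker keys. The export text is constructed from the entries listed on this page; the rule names and the `find_indicators` heuristics are this example's own.

```python
import re

# Constructed regedit-style export containing the entries listed in the advisory.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia Launch Application"="C:\\WINDOWS\\System32\\PCSuite.exe"
"Yravasaxog"="\"C:\\WINDOWS\\w3dyu1.dll\",Startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\PCSuite.exe"="C:\\WINDOWS\\system32\\PCSuite.exe:*:Enabled:Explorer"

[HKEY_CURRENT_USER\Software\Nokia4]
'''

VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
FW_LIST_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
DLL_EXPORT_RE = re.compile(r'\.dll"?\s*,\s*\w+\s*$', re.I)   # "...\x.dll",ExportName
EXE_RE = re.compile(r'([a-z]:\\[^"*]*?\.exe)', re.I)


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (in that order)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}.
    dword values become int; quoted strings are unescaped; other types stay raw."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line) if current else None
        if not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        raw = m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        else:
            value = raw
        hives[current][name] = value
    return hives


def _exe_path(data):
    """Lower-cased drive-letter path of the first .exe named in a value."""
    m = EXE_RE.search(data)
    return m.group(1).lower() if m else None


def find_indicators(hives):
    """Return (rule, key, value_name) findings; rules are this example's own names."""
    findings, autorun_exes = [], set()
    # Pass 1: Run keys give us persistence entries and the binaries they launch.
    for key, values in hives.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            d = str(data)
            if name.lower() == "nokia launch application" or "pcsuite.exe" in d.lower():
                findings.append(("run-persistence", key, name))
            if DLL_EXPORT_RE.search(d):
                findings.append(("run-dll-export", key, name))
            exe = _exe_path(d)
            if exe:
                autorun_exes.add(exe)
    # Pass 2: correlate the rest against the Run-key binaries.
    for key, values in hives.items():
        lowered = {n.lower(): v for n, v in values.items()}
        if FW_LIST_RE.search(key):
            for name, data in values.items():
                d = str(data)
                if ":enabled:" in d.lower() and _exe_path(d) in autorun_exes:
                    findings.append(("firewall-exception-for-autorun", key, name))
        elif key.lower().endswith("\\policies\\system") and lowered.get("enablelua") == 0:
            findings.append(("uac-disabled", key, "EnableLUA"))
        elif key.lower().endswith("\\software\\nokia4"):
            findings.append(("marker-key", key, ""))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The firewall rule is intentionally generic: any program that both autostarts from a Run key and holds an enabled Windows Firewall exception deserves a look, whatever its name, so the check keeps its value after the file names in this advisory change.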

Mutex

Creates the following mutex to ensure that only a single instance is running in memory:

  • PCSuite.exeDm28sf0V@XK$NX8hOu

Propagation

Removable Drives

Drops an Autorun.inf and a copy of itself as redmond.exe on removable drives:

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1
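An Autorun.inf like the one above can be recognised mechanically when a removable drive is triaged. The Python below is an added example for this advisory, not SonicWALL's code: it parses the INI-style file (keys lower-cased, `shell\open\command` kept as one key), then reports the tell-tale combination of a launch key pointing into a `RECYCLER\S-1-...` folder, an `action` string that imitates Explorer's "Open folder to view files", and a folder icon borrowed from SHELL32.dll. The sample file is constructed from the page's listing; the scoring logic is this example's own.

```python
import re

# Constructed from the Autorun.inf shown in the advisory.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""

# Keys whose value is executed when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
RECYCLER_SID_RE = re.compile(r"recycler\\s-1-\d+(?:-\d+)+\\", re.I)
EXECUTABLE_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif)\b", re.I)


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}}; sections and keys lower-cased."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            data.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        data[section][key.strip().lower()] = value.strip()
    return data


def assess_autorun(text):
    """Return human-readable reasons the file looks malicious (empty list if none)."""
    cfg = parse_autorun(text).get("autorun", {})
    reasons = []
    for key in LAUNCH_KEYS:
        value = cfg.get(key)
        if not value:
            continue
        if RECYCLER_SID_RE.search(value):
            reasons.append(f"{key} launches a program hidden under a RECYCLER SID folder: {value}")
        elif EXECUTABLE_RE.search(value):
            reasons.append(f"{key} launches an executable: {value}")
    launches_something = any(cfg.get(key) for key in LAUNCH_KEYS)
    if "open folder" in cfg.get("action", "").lower() and launches_something:
        reasons.append("action text imitates Explorer's 'Open folder to view files' while running a program")
    if reasons and re.search(r"shell32\.dll", cfg.get("icon", ""), re.I):
        reasons.append("icon borrowed from SHELL32.dll to pass as a folder")
    return reasons


if __name__ == "__main__":
    for reason in assess_autorun(SAMPLE_AUTORUN):
        print("-", reason)
```

A plain vendor CD with `open=setup.exe` still produces one finding (it launches an executable), which is the right outcome: the safe policy is to disable AutoRun for removable media altogether and treat any launch key as something to review, with the RECYCLER/SID and folder-mimicry findings raising the priority.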

Peer-2-Peer Application

May copy itself into the following folders using the filenames listed below:

Folder:

  • C:\program files\icq\shared folder
  • C:\program files\grokster\my grokster
  • C:\program files\emule\incoming
  • C:\program files\morpheus\my shared folder
  • C:\program files\limewire\shared
  • C:\program files\tesla\files
  • C:\program files\winmx\shared
  • C:\Downloads

Filename:

  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS5 crack.exe
  • Alcohol 120 v1.9.7.exe
  • Anti-Porn v13.5.12.29.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ashampoo Snap 3.02.exe
  • AVS Video Converter v6.3.1.365 CRACKED.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.50.exe
  • Divx Pro 7 + keymaker.exe
  • Download Accelerator Plus v9.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto Episodes From Liberty City 2010.exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • LimeWire Pro v4.18.3.exe
  • MagicISO Magic ISO Maker v5.5.0276 Cracked.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • ms09-067.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2010 crack.exe
  • Norton Internet Security 2010 crack.exe
  • PCSuite.exe
  • PDF password remover (works with all acrobat reader).exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • PDF-XChange Pro.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Sony Vegas Pro v9.0a incl crack.exe
  • Sophos antivirus updater bypass.exe
  • Starcraft2 battle.net key generator.exe
  • Starcraft2 battle.net keys.txt.exe
  • Starcraft2.exe
  • Starcraft2 REGION-UNLOCKER.exe
  • Starcraft2 SERVER-CHANGER.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • Uniblue RegistryBooster 2010.exe
  • VmWare 7.0 keygen.exe
  • VmWare keygen.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows2008 keygen and activator.exe
  • Windows 7 Ultimate keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • YouTubeGet 5.4.exe
  • Youtube Music Downloader 1.0.exe

Email Propagation

Harvests email addresses from files with the following extensions:

  • asp
  • dbx
  • doc
  • htm
  • log
  • lst
  • nfo
  • php
  • rtf
  • txt
  • wab
  • wpd
  • wps
  • xls
  • xml

It avoids sending email to addresses containing any of the following strings:

  • .com
  • .gov
  • .mil
  • abuse
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • admin
  • ahnlab
  • alcatel-lucent.com
  • anyone
  • apache
  • arin.
  • avg.com
  • sysinternals
  • avira
  • badware
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • bugs
  • buyrar.com
  • ca
  • certific
  • cisco
  • clamav
  • contact
  • debian
  • drweb
  • eset.com
  • example
  • f-secure
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gold-certs
  • gov.
  • help
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • icrosoft
  • idefense
  • ietf
  • ikarus
  • immunityinc.com
  • info
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • listserv
  • mcafee
  • me
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • novirusthanks
  • ntivi
  • nullsoft.org
  • page
  • panda
  • pgp
  • postmaster
  • prevx
  • privacy
  • qualys
  • quebecor.com
  • rating
  • redhat
  • rfc-ed
  • root
  • ruslis
  • sales
  • samba
  • samples
  • secur
  • security
  • sendmail
  • service
  • site
  • slashdot
  • soft
  • somebody
  • someone
  • sopho
  • sourceforge
  • spam
  • spm
  • ssh.com
  • submit
  • sun.com
  • support
  • suse
  • syman
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • virus
  • virusbuster
  • webmaster
  • websense
  • winamp
  • winpcap
  • wireshark
  • www.ca.com
  • www
  • you
  • your

Queries the recipient domain's mail exchange (MX) server and delivers the email to it directly:

    screenshot

Other System Modification:

Deletes files from the following directory:

  • Program Files\prevx

Deletes files referenced by the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine szInstallDir = "mcshield.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes' Anti-Malware InstallPath = *.*"

Terminates the following services belonging to antivirus and security software:

  • AVP
  • AntiVirSchedulerService
  • Arrakis3
  • CSIScanner
  • CaCCProvSP
  • ERSvc
  • Ehttpsrv
  • Emproxy
  • FPAVServer
  • GWMSRV
  • K7EmlPxy
  • K7RTScan
  • K7TSMngr
  • LIVESRV
  • LiveUpdate Notice Service
  • MBAMService
  • MCNASVC
  • MPFSERVICE
  • MPS9
  • McAfee HackerWatch Service
  • Norton AntiVirus
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RSCCenter
  • RSRavMon
  • SAVScan
  • SUM
  • Savadminservice
  • Savservice
  • Sophos Agent
  • Sophos Autoupdate Service
  • Sophos Certification Manager
  • Sophos Management Service
  • Sophos Message Router
  • Symantec Core LC
  • TPSRV
  • ThreatFire
  • VSSERV
  • WerSvc
  • WinDefend
  • XCOMM
  • antivirservice
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg8emc
  • avg8wd
  • bdss
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • ekrn
  • liveupdate
  • mcODS
  • mcmisupdmgr
  • mcmscsvc
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • msk80service
  • navapsvc
  • npfmntor
  • nscservice
  • sbamsvc
  • scan
  • sdauxservice
  • sdcodeservice
  • sndsrvc
  • spbbcsvc
  • wscsvc

C&C Server

Sends information to the following remote server:

    153.26.137.241

Anti-debugging Technique

Checks for the following SoftICE debugger drivers:

  • \\.\SICE
  • \\.\NTICE
  • \\.\SIWVIDSTART

Anti-VMware:

Checks whether it is running inside VMware by opening the following device:

  • \\.\VMDRV

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Buzus.GDEF (Trojan)
GAV: Twain.A (Trojan)
GAV: Mufanom.APSW (Trojan)
GAV: (Cloud) Mufanom.APSW (Trojan)

screenshot