Have to finally say something about this blighter. Technically this is not a virus, since it is not contagious. To my knowledge, the only way to get this little bastard installed is by clicking on one of those enticing links where someone has sent you a “Happy New 2008” greeting card or some such. Well, there were many variants before, doing something different, but this was one of the ones I obtained. It is like a confidence trickster: of course it’s evil what they do, but I sometimes can’t help but admire the effort and dedication that goes into it. And these victims… So gullible… Ditto here, no clickus no virus. But I am reminded of this survey, can’t find the link anymore, where they sent IT personnel emails with clickable (fake, but they didn’t know that) virus-laden links, and half of these silly sods clicked anyway. Despite being an “IT professional”. (Can I have a job now?)
Basically people can’t help themselves, they click links in emails. This is what makes the world wide web go round. And good for them, because imagine all the things you’d be missing out on if you didn’t click. And what could be nicer than a nice greeting card.
The worm itself is infuriating. As noted by many, all traffic is encrypted. And there is a lot of traffic, both TCP and UDP. When installed, the worm is given a list of IP addresses which it contacts, and this list gets updated.
Installation is unusual. More and more viruses are now running as a service, but this thing installs itself as a hardware device. At one point, whilst I’m trying to remove it, Windows pops up an angry little window telling me that I ought to be using the “Safely Remove Hardware” dialog to unplug this device instead of merely yanking it! But of course it is hidden from this utility. The “driver” even gets loaded in safe mode!
Modified registry entries:
HKLM\SYS\CS001\Services\Ohe43 (Image Path system32\drivers\ohe43.sys)
Where CS001 = Control Set 001, and the same entries can also be found in CS002 and Current Control Set. These entries are modification-resistant. Best bet is to boot off an installation CD or anything that boots and gives read/write access to NTFS files, and delete the Ohe43 (or clean3f4c-7a69.sys, or whatever else these things may be called). When booting the OS again, there is a complaint about the missing Ohe thing, but at least it’s not there. Whilst you’re at it, you want to replace the defiled svchost.exe with a good one off the installation disk too.
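The check below is an added example, not code from the original post: it reads a .reg export of the Services keys and lists kernel-driver services whose driver file is not in a known-good baseline, together with every control set each one appears in. The sample export, the `BASELINE` set and the function names are constructed for illustration; only the Ohe43 name and image path come from the entry above.

```python
import re
from collections import defaultdict
# Constructed .reg export excerpt; only the Ohe43 name and path come from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Beep]
"Type"=dword:00000001
"ImagePath"="system32\\DRIVERS\\beep.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ohe43]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\ohe43.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Ohe43]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\ohe43.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ohe43]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\ohe43.sys"
'''
BASELINE = {"beep.sys"}  # assumption: driver file names taken from the install media
KEY_RE = re.compile(r"^\[.*\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_value(raw):
    """Decode dword, hex(2) (REG_EXPAND_SZ, UTF-16LE) and quoted REG_SZ values."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def parse_services(reg_text):
    """Return {service: {control_set: {value: data}}}; wrapped hex lines are joined first."""
    services, current = defaultdict(dict), None
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", reg_text).splitlines()):
        if line.startswith("["):  # only direct Services\<name> keys match; subkeys are skipped
            current = services[m[2]].setdefault(m[1], {}) if (m := KEY_RE.match(line)) else None
        elif current is not None and (v := VAL_RE.match(line)):
            current[v[1]] = decode_value(v[2])
    return services

def unknown_drivers(reg_text, baseline):
    r"""Kernel-driver (Type 1) services not in baseline -> control sets; no ImagePath means drivers\<name>.sys."""
    hits = defaultdict(list)
    for name, sets in parse_services(reg_text).items():
        for cs, vals in sets.items():
            image = vals.get("ImagePath") or "system32\\drivers\\" + name + ".sys"
            if vals.get("Type") == 1 and image.rsplit("\\", 1)[-1].lower() not in baseline:
                hits[(name, image)].append(cs)
    return dict(hits)

print(unknown_drivers(SAMPLE_REG, BASELINE))
```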
In actual matter of fact this still leaves remnants and loose ends, and it may on the whole be more worthwhile to re-install the operating system and consider that a good lesson against CLICKING ON LINKS IN EMAILS! This thing is absolutely evil. Even after I stopped it running, I was DDoS’ed by the other botnet participants on my former port, kicking me off the net for a good 5 minutes, during which time something like 6 – 800 (big) packets a second were coming in, leaving me with a 5 GB packet capture file… Normally a day’s worth of hostile traffic is under 100 MB.
After clicking on the greeting.exe, an HTTP GET request goes out to 126.96.36.199 (McColo Corporation) for a file called 40e8000bc8f7756c0000003c660000000176000000003. This downloads 249611 bytes worth of mailer program, followed by DNS queries for mxs.mail.ru. Then there is another HTTP GET, this time on port 2518. The same mailer comes in. “Poshel-ka ti na hui drug aver” is in the visible strings, whatever that means.
Svchost.exe is modified by this worm to be listening on what appears to be a random high port, but to me it is utterly unclear what this thing might want to do, apart from the download and execution of this mailer program (which wasn’t encrypted at all), no doubt to send out Happy Easter greetings; it’ll be there before you know it.