Matrixalaya

Img807.zip or MsnPoopy

2007-08-14T02:57:00.000-07:00

Yesterday I was receiving some innocuous looking file transfer requests from my friends in MSN Messenger. File was Img807.zip with message like

Did you take this picture?
is that you on the left?
How drunk was I in this picture?
Is that your mom in this picture?
lol, your mom just sent me this picture?

Zip contains a file img807.jpg-www.photoalbums.com which seems like a url. This was actually a worm!

I have written a small removal tool. You can get it here.

It seems to be a variant of worm MsnPoopy.A.

Quick analysis shows that.
1. It creates a batch file c:\a.bat (deleted later) to execute the worm.

2. Stops “Security Center” and any running VNC servers (net1 stop winvnc4)

3. Creates two files c:\windows\vpcrtf.exe and c:\windows\img807.zip. The original .com file and the vpcrtf.exe is same files (MD5 7299c5d5d5761779dfedfbd3808c8ed8)

4. Modifies IE Security Zonemaps and resets IE BypassProxy to enabled. (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap)

5. Creates a startup entry named “Microsoft Visual Application” at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

6. Creates connection to 85.114.143.159 (chat2.ms.com). Excerpt of the TCP stream shows it is creating a chat session to that server with a random name.

Text like this was found inside the exe.

[DDoS]: Flooding %s:%s with %s for %s seconds
[DDoS]: Done with flood (%iKB/sec).

Commands used in chat server are

PASS %s
NICK %s
USER %s * 0 :%s
Leaving
QUIT %s
QUIT
JOIN
PART
QUIT
NOTICE
PRIVMSG
NICK
PING
PONG %s
NOTICE %s :%s
PRIVMSG %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
MODE %s %s
MODE %s %s %s

An instance of communication to chat2.ms.com

PASS letmein
NICK drcdetbkfr
USER drcdetbkfr * 0 :XXXXX
:chat2.ms.com NOTICE AUTH :*** Looking up your hostname...
:chat2.ms.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:chat2.ms.com NOTICE drcdetbkfr :*** If you are having problems connecting due to ping timeouts, please type /quote pong E7514D5C or /raw pong E7514D5C now.
PING :E7514D5C
PONG E7514D5C
:chat2.ms.com 001 drcdetbkfr
:chat2.ms.com 002 drcdetbkfr : M0dded by uNkn0wn Crew
:chat2.ms.com 003 drcdetbkfr
:chat2.ms.com 004 drcdetbkfr : www.uNkn0wn.eu - iD@uNkn0wn.eu
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 005 drcdetbkfr
:chat2.ms.com 422 drcdetbkfr :MOTD File is missing
:drcdetbkfr MODE drcdetbkfr :+iwxG
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
MODE drcdetbkfr -ix
JOIN ##L## torrent
:drcdetbkfr!drcdetbkfr@18BA964C.E3E058E5.86DFE602.IP JOIN :##l##
:chat2.ms.com 332 drcdetbkfr ##l## :.msnstop|.msnstart
:chat2.ms.com 333 drcdetbkfr ##l## C 1186984256
:jmixkwtc!jmixkwtc@adsl-pool-222.123.92-138.tttmaxnet.com JOIN :##l##
:xfjgadoe!nawcggrq@222.111.240.15 JOIN :##l##
:toltsnwg!toltsnwg@0wn3d-5CBFC5F9.adsl.totbb.net QUIT :Ping timeout
PRIVMSG ##l## :MSN Spread Has Been Deactivated.
:xgdpzrej!xgdpzrej@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:lfysnvlf!lfysnvlf@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:kqeocoup!kqeocoup@0wn3d-E41BFE89.tttmaxnet.com JOIN :##l##
:lyoiwhnz!lyoiwhnz@0wn3d-6F3B1EB.revip2.asianet.co.th JOIN :##l##
:kulbdupj!kulbdupj@aworklan024095.netvigator.com QUIT :Connection reset by peer
:cfpmzenv!cfpmzenv@A634004F.F5AADB4E.2BA61D.IP QUIT :Ping timeout
PRIVMSG ##l## :MSN worm sent to: 0 contacts

:koopoxxg!koopoxxg@59.44.43.155 JOIN :##l##
:ztuxqkph!ztuxqkph@0wn3d-B63C2A2.hinet-ip.hinet.net QUIT :Connection reset by peer
PRIVMSG ##l## :MSN Spread Has Been Activated.
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:chat2.ms.com 404 drcdetbkfr ##l## :You must have a registered nick (+r) to talk on this channel (##l##)
:zmqtlvgt!zmqtlvgt@B1CADB.3F468E44.D7B2BA0C.IP JOIN :##l##
:ldsjwlel!ldsjwlel@0wn3d-5269B4BC.totbb.net JOIN :##l##

Removal tool simply kills vpcrtf.exe ,remove two files windows\vpcrt.exe and windows\img807.zip and the registry startup entry.

Hiding a file (a simple way)

2007-07-04T06:18:00.000-07:00

Go to command prompt and enter following command

C:\>notepad visible.txt:hidden.txt

Enter text in the new notepad window and save it.
A new file visible.txt will be created but it will be blank!!
You can not find ‘C:\visible.txt:hidden.txt’ but its there along with its content you have just typed!!

To prove it enter the same command

C:\>notepad visible.txt:hidden.txt

Note:
1) You canchoose some secret filename after visible.txt: so others can’t guess.
2) You can add any number of hidden files corresponding to one visible file.
e.g.
visible.txt:hide
visible.txt:hello
visible.txt:secrete
3) If file content of visible file is modified or deleted all the hidden files will be deleted :(.
Well, that's a big problem. Simplicity comes with price anyways.

Filename con

2007-07-04T06:02:00.000-07:00

Can you rename any of your file or folder to filename con?
Try the same with filename aux or nul. Try saving this webpage as con.html.

Quick googling will tell that these are the reserved filenames (character devices).
Do you remember using ‘copy con’ command in old DOS world as copy con test.txt?
con is for console and it simply copies ‘console input file’ to test.txt.
so,
copy test.txt con
is equivalent to
type test.txt

Another filename nul behaves like a file which is not.
It’s like a black hole :-) It swallows everything and nothing comes out.

e.g.
dir>nul
type nul
copy con nul
type nul

List of reserved filenames from wiki:

CON, PRN, AUX, CLOCK$, NUL
COM0, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9
LPT0, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.

View Certificates

2007-04-06T04:41:00.000-07:00

I have written a small tool ShowCert (88KB) to view certificate content without importing it in to the personal certificate store. Get it here .

Currently it supports

X.509 files (*.cer;*.crt)

PKCS #7 files (*.p7b)

ASN raw certificate files (*.bin)

and password protected PFX files. (*.pfx,*.p12)

(Update Oct07)
File open dialog box and
Base64 encoded pfx/cer files (*.txt) support

e.g. Save following text in a txt file and open with ShowCert.

-----BEGIN CERTIFICATE-----
MIIDAjCCAmsCEB9CKF88iA+OPImzhLOrHxwwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
c3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMiBQdWJsaWMg
UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCniAEhdCznGgPwmOGXPA8hCPGc25fpmvzCBAYTvl9SyMwe
LBJWLLgBaSzMmR+tsJaueQTyEznBe5i6CCzowoQTLKpp6Qn0x6kCpELCI09K2PAO
ovsxbMnmb5knB/Xm9Ex4nm3rRob6uYbJVPKyxK/URhxayRUw/w1s9S0Obc5/dwID
AQABMA0GCSqGSIb3DQEBBQUAA4GBABFFqKR/8eNzIMq97t/1hyORPY2sR0Ua3m3b
VCHODoMO+NzlQ9XrLmGRI+JyADRV98TPETPdweQiI1xQUxn4ZOf3CQ9FUaBXK9+8
Imb+MXB7JToPxYp+w7tyAczwvU1SgaQbWFhT1VM69Q5q2umvxOFY80JvVGJHrDGU
0Q3O7x0x
-----END CERTIFICATE-----

Hacked By GNUlihd???

2007-04-02T04:28:00.000-07:00

One day I was analyzing code of a simple worm “VBS/Solow-A” for educational purpose. I had explained to my friends that how it was exploiting the VB script host to spread itself from removable drive. I was surprised to be informed that same thing was modified to include my email address. I noticed that only when my brother’s friend informed me about that.

I told them not to worry as it simply modifies some common registry keys and nothing more. I am not that stupid to put my email address that way anyway. Who wants to help spammers ;-)

What it does.

1) Copies itself (MFC32DLL.dll.vbs) to windows directory and all drives root path

2) Modifies registry value “Window Title” at HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ with value “Hacked by GNUl..@...”

3) Adds registry entry “MS32DLL” at HKEY_LOCAL_MACHINE\Software\Microsoft\W indows\ CurrentVersion\Run\ with value “\MFC32DLL.dll.vbs” which is an autorun entry that executes the script each time windows starts.

Here is how to remove it. If you find following instructions difficult to understand you can read this one (http://www.icimod.org.np/icimodwiki/images/8/87/Mfc32dll.pdf). Thanks Anjesh. I gave a thought of writing a removal tool but the instructions are more educational.

1) Open taskmanager and end process “wscript.exe”. “wscript.exe” is a Microsoft VB script host application which is running the script in the background. Mark’s ProcessExplorer is the best replacement of simple taskmanager.

2) Delete “autorun.inf” and “MFC32DLL.dll.vbs” files from following directories. (you may need to check “Show hidden files and folders” and uncheck “Hide protected operating system files” at Folder Options->View which you can restore after removal)

a. All Drives root paths. i.e. C:\autorun.inf; C:\ MFC32DLL.dll.vbs; D:\autorun.inf; D:\ MFC32DLL.dll.vbs etc.

b. Only “MFC32DLL.dll.vbs” from Windows directory. e.g. C:\Windows

3) Delete registry value “MS32DLL” from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. (For those who don’t know: type “regedit.exe” at run and navigate to path HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to get the entry “MS32DLL” for deletion. There might be other entries too which are the autorun entries for each windows start.)

4) This one is interesting one if you already don’t know. Navigate in regedit.exe to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and find “Window Title” value in the other pane. Double click to edit its value to anything you like (“My IE” to “IE Sucks”). Re-Open internet explorer and enjoy. (No thing to do with Firefox fans like me)

Google privacy practice

2007-03-20T06:01:00.000-07:00

http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html

"When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months."

2006-10-13T09:30:00.000-07:00

Matrix + aalaya = Matrixalaya

(Aalaya in Sanskrit means home)

Himalaya is Aalaya of Him (Snow)