The SonicWALL UTM Research team received reports of a new file infector active in the wild. This virus infects PE files and uses its own random domain name generator to produce domain names, then attempts to download and execute malicious files from those domains.
The last time we saw a random domain name generation algorithm in use was in the Conficker worm, which used it to download additional malware.
Installation:
The virus drops a copy of itself on the system and runs it. It also injects code into running processes before dropping a batch file that deletes the original executable.
The injected code generates random domains and tries to download and execute additional malware from them. The generated domains are derived from a randomizing function computed over the current UTC system date and time, obtained via the Windows API GetSystemTime.
It generates 800 random domains per second until it successfully downloads malware from one of them.
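As an added defender-side example (not code from the advisory), the following Python flags hosts whose DNS traffic shows the pattern described above: many lookups per second for random-looking names that fail to resolve. The log format, addresses, names and thresholds are constructed for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (not taken from the advisory), one query per line:
# "<epoch seconds> <source IP> <queried name> <response code>"
SAMPLE_LOG = """\
1288000000.001 10.0.0.5 qzxkwmvtpl.biz NXDOMAIN
1288000000.002 10.0.0.5 hvtgrkqxzn.com NXDOMAIN
1288000000.003 10.0.0.5 wpqlzmnxkv.net NXDOMAIN
1288000000.004 10.0.0.5 xkqvjtzrwm.info NXDOMAIN
1288000000.005 10.0.0.5 mzrkwqxvtp.org NXDOMAIN
1288000000.006 10.0.0.5 pqzvxwkmtr.biz NXDOMAIN
1288000000.500 10.0.0.7 www.example.com NOERROR
1288000001.200 10.0.0.7 mail.example.com NOERROR
"""

def parse_line(line):
    """Split one log line into (timestamp, source, qname, rcode)."""
    ts, src, qname, rcode = line.split()
    return float(ts), src, qname.lower().rstrip("."), rcode

def label_entropy(qname):
    """Shannon entropy (bits per character) of the second-level label ('example' in
    www.example.com); machine-generated labels spread characters evenly and score high."""
    parts = qname.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_dga_bursts(log_text, min_qps=5, min_nxdomain_ratio=0.8, min_entropy=3.0):
    """Return {source: [flagged one-second windows]} for hosts that, within one second, issue
    at least min_qps lookups for high-entropy names that mostly fail to resolve. Thresholds
    are assumptions sized for the sample; the advisory's 800 lookups per second is far above."""
    windows = defaultdict(list)  # (src, second) -> [(entropy, is_nxdomain), ...]
    for line in log_text.strip().splitlines():
        ts, src, qname, rcode = parse_line(line)
        windows[(src, int(ts))].append((label_entropy(qname), rcode == "NXDOMAIN"))
    flagged = defaultdict(list)
    for (src, second), obs in sorted(windows.items()):
        n = len(obs)
        nx_ratio = sum(1 for _, nx in obs if nx) / n
        mean_entropy = sum(e for e, _ in obs) / n
        if n >= min_qps and nx_ratio >= min_nxdomain_ratio and mean_entropy >= min_entropy:
            flagged[src].append(second)
    return dict(flagged)
```

Calling `detect_dga_bursts(SAMPLE_LOG)` on the constructed lines flags only 10.0.0.5 in the single second where it issued six failing high-entropy lookups.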
Dropped Files
It drops a copy of itself at:
In our environment, the virus copied itself as:
Other dropped files:
Registry modification
It adds the following registry entry to ensure that the dropped copy of malware starts on every system reboot:
Random Domain Name Generation
URL Pattern:
Samples of Domain Names observed:
Download Routine
Infected files attempt to download another malicious file from the generated URL and save it in the %TEMP% directory. The virus validates the downloaded file before executing it. Files downloaded by this virus are blocked as GAV: Conficker.gen (Worm).
Sample DNS requests:
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Murofet.A (Virus) and GAV: Conficker.gen (Worm).