Buzus.GDEF – Mass-Mailing Worm (Feb 18, 2011)

The SonicWALL UTM Research team received reports of a new variant of a mass-mailing worm propagating in the wild. The worm spreads through email, P2P applications, network drives and removable drives.

Process of Infection:

An unsuspecting user may receive an email carrying the malware as an attachment. The worm sends emails with the following forged senders, subjects and attachment names:

From: invitations@twitter.com
Subject: Your friend invited you to Twitter!
Attachment: Invitation Card.zip

    screenshot

From: order-update@amazon.com
Subject: Shipping update for your Amazon.com order
Attachment: Shipping documents .zip

    screenshot

From: update@facebookmail.com
Subject: You have got a new message on Facebook!
Attachment: Facebook message.zip

    screenshot

From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: Postcard.zip

    screenshot

From: invitations@hi5.com
Subject: Laura would like to be your friend on hi5!
Attachment: Invitation Card.zip

    screenshot

From: resume-thanks@google.com
Subject: Thank you from Google!
Attachment: CV-20100120-112.zip

    screenshot

It may also send a phishing email:

    screenshot

Installation:

Once the user opens and executes the attachment, the worm does the following:

Drops the following files:

  • WINDOWS\system32\PCSuite.exe – [ detected as GAV: Buzus.GDEF (Trojan) ]
  • WINDOWS\system32\sta-css.exe – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\{random}.dll – [ detected as GAV: (Cloud) Mufanom.APSW (Trojan) ]
  • WINDOWS\system32\stat-cpe.exe – [ detected as GAV: Twain.A (Trojan) ]

Registry Changes

Adds the following registry entries to ensure that the malware runs on every system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Nokia Launch Application
    Data: “C:\WINDOWS\System32\PCSuite.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: Yravasaxog
    Data: “WINDOWS\w3dyu1.dll”,Startup

Adds the following registry keys and values as part of its installation (the last two disable UAC and suppress its notifications):

  • Key: HKEY_CURRENT_USER\Software\Nokia4
  • Key: HKEY_LOCAL_MACHINE\Software\Nokia4
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 “11”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer nok01 “24”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify InNewValue dword:00000001

Adds the following registry entry to whitelist itself in the Windows Firewall:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: “C:\WINDOWS\system32\PCSuite.exe”
    Data: “C:\WINDOWS\system32\PCSuite.exe:*:Enabled:Explorer”
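The persistence, UAC and firewall values listed above can be checked offline against a `.reg` export of a suspect machine. The script below is an added example, not SonicWALL's tooling; the export it scans is constructed from the entries on this page, and the `.reg` escaping of the `Yravasaxog` data is an assumption about its original form.

```python
import re

# Constructed .reg-style export mirroring the entries listed above (not a real capture).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia Launch Application"="C:\\WINDOWS\\System32\\PCSuite.exe"
"Yravasaxog"="\"C:\\WINDOWS\\w3dyu1.dll\",Startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\PCSuite.exe"="C:\\WINDOWS\\system32\\PCSuite.exe:*:Enabled:Explorer"
'''

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; quoted data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name = m.group(1).replace('\\\\', '\\')
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
                yield key, name, data

def scan_registry(text):
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    for key, name, data in parse_reg(text):
        k, d, n = key.lower(), data.lower(), name.lower()
        if k.endswith(r'\currentversion\run'):
            # Autostart of the dropped exe, or a DLL export named Startup run at logon
            if d.endswith(r'\pcsuite.exe') or re.search(r'\.dll",\s*startup$', d):
                findings.append(f'autostart: {name} -> {data}')
        elif k.endswith(r'\policies\system') and n == 'enablelua' and d == 'dword:00000000':
            findings.append('UAC disabled (EnableLUA=0)')
        elif k.endswith(r'\security center') and n == 'uacdisablenotify' and d == 'dword:00000001':
            findings.append('UAC notifications suppressed (UACDisableNotify=1)')
        elif k.endswith(r'\authorizedapplications\list') and ':*:enabled:' in d:
            findings.append(f'firewall exception: {data}')
    return findings
```

Run `scan_registry` over the output of `reg export` for each hive; an empty list means none of the page's registry indicators were found.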

Mutex

Creates the following mutex to ensure that only a single instance is running in memory:

  • PCSuite.exeDm28sf0V@XK$NX8hOu

Propagation

Removable Drives

Drops an Autorun.inf and a copy of itself named redmond.exe on removable drives:

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1
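The Autorun.inf above combines a recycler-style hidden path, a folder icon and a remapped double-click verb. The parser below is an added example (not SonicWALL's code) that flags those traits in any autorun.inf; the sample file it checks is constructed from the page's listing with backslashes restored.

```python
import re

# Constructed autorun.inf matching the one described above (not a captured file).
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys lower-cased, values trimmed."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('['):
            in_section = line.lower() == '[autorun]'
            continue
        if in_section and '=' in line:
            k, v = line.split('=', 1)
            entries[k.strip().lower()] = v.strip()
    return entries

# Executables launched from recycler / system folders that Explorer normally hides
HIDDEN_DIR = re.compile(r'(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)\\', re.I)

def autorun_indicators(text):
    """Return a list of suspicious traits found in an autorun.inf."""
    e = parse_autorun(text)
    hits = []
    for key in ('open', 'shell\\open\\command', 'shellexecute'):
        cmd = e.get(key, '')
        if HIDDEN_DIR.search(cmd):
            hits.append(f'{key} runs an executable from a hidden folder: {cmd}')
    # shell\open\default=1 makes the overridden Open verb the double-click action
    if e.get('shell\\open\\default') == '1' and 'shell\\open\\command' in e:
        hits.append('shell\\open\\default=1 routes double-click to the custom command')
    icon = e.get('icon', '')
    if 'shell32.dll' in icon.lower() and icon.endswith(',4'):
        hits.append(f'folder icon (SHELL32.dll,4) with action "{e.get("action", "")}"')
    return hits
```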

Peer-2-Peer Application

May copy itself into the following folders using the filenames listed below:

Folder:

  • C:\program files\icq\shared folder
  • C:\program files\grokster\my grokster
  • C:\program files\emule\incoming
  • C:\program files\morpheus\my shared folder
  • C:\program files\limewire\shared
  • C:\program files\tesla\files
  • C:\program files\winmx\shared
  • C:\Downloads

Filename:

  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS5 crack.exe
  • Alcohol 120 v1.9.7.exe
  • Anti-Porn v13.5.12.29.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • Ashampoo Snap 3.02.exe
  • AVS Video Converter v6.3.1.365 CRACKED.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Daemon Tools Pro 4.50.exe
  • Divx Pro 7 + keymaker.exe
  • Download Accelerator Plus v9.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.5.6.0.exe
  • G-Force Platinum v3.7.5.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto Episodes From Liberty City 2010.exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • K-Lite Mega Codec v5.5.1.exe
  • K-Lite Mega Codec v5.6.1 Portable.exe
  • LimeWire Pro v4.18.3.exe
  • MagicISO Magic ISO Maker v5.5.0276 Cracked.exe
  • McAfee Total Protection 2010.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
  • Motorola
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • ms09-067.exe
  • Myspace theme collection.exe
  • Nero 9 9.2.6.0 keygen.exe
  • Norton Anti-Virus 2010 crack.exe
  • Norton Internet Security 2010 crack.exe
  • PCSuite.exe
  • PDF password remover (works with all acrobat reader).exe
  • PDF to Word Converter 3.0.exe
  • PDF Unlocker v2.0.3.exe
  • PDF-XChange Pro.exe
  • Power ISO v4.2 + keygen axxo.exe
  • Rapidshare Auto Downloader 3.8.exe
  • RapidShare Killer AIO 2010.exe
  • Sony Vegas Pro v9.0a incl crack.exe
  • Sophos antivirus updater bypass.exe
  • Starcraft2 battle.net key generator.exe
  • Starcraft2 battle.net keys.txt.exe
  • Starcraft2.exe
  • Starcraft2 REGION-UNLOCKER.exe
  • Starcraft2 SERVER-CHANGER.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Trojan Killer v2.9.4173.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.1.1.exe
  • Uniblue RegistryBooster 2010.exe
  • VmWare 7.0 keygen.exe
  • VmWare keygen.exe
  • Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows2008 keygen and activator.exe
  • Windows 7 Ultimate keygen.exe
  • Windows XP PRO Corp SP3 valid-key generator.exe
  • WinRAR v3.x keygen RaZoR.exe
  • YouTubeGet 5.4.exe
  • Youtube Music Downloader 1.0.exe

Email Propagation

Harvests email addresses from files with the following extensions:

  • asp
  • dbx
  • doc
  • htm
  • log
  • lst
  • nfo
  • php
  • rtf
  • txt
  • wab
  • wpd
  • wps
  • xls
  • xml

It avoids sending email to addresses that contain any of the following strings:

  • .com
  • .gov
  • .mil
  • abuse
  • acd-group
  • acdnet.com
  • acdsystems.com
  • acketst
  • admin
  • ahnlab
  • alcatel-lucent.com
  • anyone
  • apache
  • arin.
  • avg.comsysinternals
  • avira
  • badware
  • berkeley
  • bitdefender
  • bluewin.ch
  • borlan
  • bpsoft.com
  • bsd
  • bugs
  • buyrar.com
  • ca
  • certific
  • cisco
  • clamav
  • contact
  • debian
  • drweb
  • eset.com
  • example
  • f-secure
  • fido
  • firefox
  • fsf.
  • ghisler.com
  • gimp
  • gnu
  • gold-certs
  • gov.
  • help
  • honeynet
  • honeypot
  • iana
  • ibm.com
  • icrosoft
  • idefense
  • ietf
  • ikarus
  • immunityinc.com
  • info
  • inpris
  • isc.o
  • isi.e
  • jgsoft
  • kaspersky
  • kernel
  • lavasoft
  • linux
  • listserv
  • mcafee
  • me
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • novirusthanks
  • ntivi
  • nullsoft.org
  • page
  • panda
  • pgp
  • postmaster
  • prevx
  • privacy
  • qualys
  • quebecor.com
  • rating
  • redhat
  • rfc-ed
  • root
  • ruslis
  • sales
  • samba
  • samples
  • secur
  • security
  • sendmail
  • service
  • site
  • slashdot
  • soft
  • somebody
  • someone
  • sopho
  • sourceforge
  • spam
  • spm
  • ssh.com
  • submit
  • sun.com
  • support
  • suse
  • syman
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • virus
  • virusbuster
  • webmaster
  • websense
  • winamp
  • winpcap
  • wireshark
  • www.ca.com
  • www
  • you
  • your

Queries the available mail exchange (MX) server for each recipient domain to send the email:

    screenshot

Other System Modifications:

Deletes files from the following directory:

  • Program Files\prevx

Deletes the files referenced by the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine szInstallDir = “mcshield.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes’ Anti-Malware InstallPath = “*.*”

Terminates the following services belonging to antivirus and security software:

  • AVP
  • AntiVirSchedulerService
  • Arrakis3
  • CSIScanner
  • CaCCProvSP
  • ERSvc
  • Ehttpsrv
  • Emproxy
  • FPAVServer
  • GWMSRV
  • K7EmlPxy
  • K7RTScan
  • K7TSMngr
  • LIVESRV
  • LiveUpdate Notice Service
  • MBAMService
  • MCNASVC
  • MPFSERVICE
  • MPS9
  • McAfee HackerWatch Service
  • Norton AntiVirus
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRETAIL
  • RSCCenter
  • RSRavMon
  • SAVScan
  • SUM
  • Savadminservice
  • Savservice
  • Sophos Agent
  • Sophos Autoupdate Service
  • Sophos Certification Manager
  • Sophos Management Service
  • Sophos Message Router
  • Symantec Core LC
  • TPSRV
  • ThreatFire
  • VSSERV
  • WerSvc
  • WinDefend
  • XCOMM
  • antivirservice
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • avg8emc
  • avg8wd
  • bdss
  • ccEvtMgr
  • ccproxy
  • ccpwdsvc
  • ccsetmgr
  • ekrn
  • liveupdate
  • mcODS
  • mcmisupdmgr
  • mcmscsvc
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • msk80service
  • navapsvc
  • npfmntor
  • nscservice
  • sbamsvc
  • scan
  • sdauxservice
  • sdcodeservice
  • sndsrvc
  • spbbcsvc
  • wscsvc

C&C Server

Sends information to the following remote server:

    153.26.137.241

Anti-debugging Technique

Checks for the following SoftICE debugger device names:

  • \\.\SICE
  • \\.\NTICE
  • \\.\SIWVIDSTART

Anti-VMware:

Checks whether it is running under VMware by opening the following device:

  • \\.\VMDRV

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Buzus.GDEF (Trojan)
GAV: Twain.A (Trojan)
GAV: Mufanom.APSW (Trojan)
GAV: (Cloud) Mufanom.APSW (Trojan)

screenshot
