Results 1 to 4 of 4

Thread: Malware for analysis - "Michael Jackson Gay" virus (Yahoo messenger spammer)

  1. #1
    Registered User
    Join Date
    Aug 2009
    Location
    Bucharest, Romania
    Posts
    8

    Question Malware for analysis - "Michael Jackson Gay" virus (Yahoo messenger spammer)

    Hey everybody, here i have a little something for you to play with. I receive messages with this kind of crap more and more often, so a lot of people have been infected by it apparently. It sends the following messages to everyone in the infected user's messenger list:

    OMG Michael Jackson = gay > http://hahaha.machiaeljacksondied.com
    LOL WTF !!! -> http://lulz.machiaeljacksondied.com
    The displayed URLs are randomized from time to time. They are fake, the real URL they all point at is (WARNING DON'T CLICK RUN THIS IS THE ACTUAL VIRUS):

    Code:
    http://www.freewebtown.com/jackowacko666/IMG07092009.jpg--www.MichaelJackson.com
    Heh, nice trick with that .com there. By researching online i know the following things about this virus:

    The only AV that can remove it on its own is currently Avira. It has a very low detection rate (only 6 AVs on VirusTotal find it). It creates:

    Code:
    C:\Documents and Settings\<user>\Local Settings\Temp\174094.exe
    C:\Documents and Settings\<user>\Local Settings\Temp\MichaelJackson_SUCKS.PIF (or other files with “MichaelJackson” in their name and .pif extension)
    C:\Documents and Settings\<user>\Local Settings\Temp\svchost32.exe
    C:\Documents and Settings\<user>\Local Settings\Temp\vshost32.exe
    C:\vshost.exe
    C:\autorun.inf
    It also spreads via USB drives using autorun.inf. I did a bit of snooping around on my own and i found out it is written in C, and quite a bit of the code is obfuscated. I loaded it in OllyDbg (DeFixed edition by Team FOFF), and it threw a few exceptions. Once i passed them to the virus i was able to see the IM sending code but not much else. Then DeFixed throws another exception at FFE38160, passing this one to the virus results in the debugger hanging.

    I'm curious about its actual purpose. Is it a keylogger, a trojan, or what else? Hope someone can help me shed some light on this one. Download from attachment or the link above.

    Password: malware
    Attached Files Attached Files
    Last edited by Th3_uN1Qu3; September 9th, 2009 at 17:08.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,114
    Blog Entries
    5
    Th3_uN1Qu3, and everyone else:

    Please password protect all uploaded malware files from now on, as per the sticky thread request at the start of this forum.

    I deleted the original attachment and reuploaded it with the password "malware"

    Thanks,
    Kayaker

  3. #3
    Registered User
    Join Date
    Aug 2009
    Location
    Bucharest, Romania
    Posts
    8
    Alright, sorry for that. Will do from now on.

  4. #4
    dezuzi
    Guest
    Hi, it seems to be named "BawtBot" (because it opens a mutex called "BawtBot v0x0 "
    It enumerates all processes.
    It checks wether "*TEMP\vshost32.exe" exists and if it does it removes it (as this virus will be copied there later on)
    It writes a registry key for it to "Software\Microsoft\Windows NT\CurrentVersion\WinLogon" with contents "C:\WINDOWS\SYSTEM32\userinit.exe,*TEMP\vshost32.exe"
    Then it copies itself to "*TEMP\vshost32.exe"
    Then it runs "*TEMP\vshost32.exe"

    It visits fubar.cheapsocks.cn and exchanges some data.

    Now while its running.
    It checks where you are from(IP address etc)
    It tries to save your buddy list on aim and it also tries to get your skype friends and get your yahoo buddies oh and icq. (basically any messenger)
    It tries to block any input at some times (i believe keyboard/mouse)
    It runs itself everytime a folder is opened.
    It hides itself from taskmanager and messes with regedit as well. (it hooks functions)

    I dont really seeing doing that much else
    Didn't bother trying it with any messenger on but i did see some rude textstrings in there...

    Perhaps it is used as a survey how many people are interested about MJ's death?
    Last edited by dezuzi; September 16th, 2009 at 22:13.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Replies: 0
    Last Post: February 13th, 2014, 07:42
  2. Honeynet Forensic Challenge 8 - "Malware Reverse Engineering"
    By Sunk in forum Malware Analysis and Unpacking Forum
    Replies: 2
    Last Post: May 13th, 2011, 08:42
  3. Replies: 1
    Last Post: December 14th, 2007, 13:35
  4. How does AVP scan this virus "Backdoor.Win32.CFour"?
    By Leo_Jiang in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: July 6th, 2007, 09:56
  5. Malware Analysis: "Skype" Trojan
    By Kayaker in forum Malware Analysis and Unpacking Forum
    Replies: 6
    Last Post: February 26th, 2007, 15:09

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •