Log in

View Full Version : Malware for analysis - "Michael Jackson Gay" virus (Yahoo messenger spammer)

Th3_uN1Qu3
September 9th, 2009, 17:05
Hey everybody, here i have a little something for you to play with. I receive messages with this kind of crap more and more often, so a lot of people have been infected by it apparently. It sends the following messages to everyone in the infected user's messenger list:

Quote:
OMG Michael Jackson = gay > http://hahaha.machiaeljacksondied.com
LOL WTF !!! -> http://lulz.machiaeljacksondied.com


The displayed URLs are randomized from time to time. They are fake, the real URL they all point at is (WARNING DON'T CLICK RUN THIS IS THE ACTUAL VIRUS):

Code:
http://www.freewebtown.com/jackowacko666/IMG07092009.jpg--www.MichaelJackson.com


Heh, nice trick with that .com there. By researching online i know the following things about this virus:

The only AV that can remove it on its own is currently Avira. It has a very low detection rate (only 6 AVs on VirusTotal find it). It creates:

Code:
C:\Documents and Settings\<user>\Local Settings\Temp\174094.exe

C:\Documents and Settings\<user>\Local Settings\Temp\MichaelJackson_SUCKS.PIF (or other files with “MichaelJackson” in their name and .pif extension)

C:\Documents and Settings\<user>\Local Settings\Temp\svchost32.exe

C:\Documents and Settings\<user>\Local Settings\Temp\vshost32.exe

C:\vshost.exe

C:\autorun.inf


It also spreads via USB drives using autorun.inf. I did a bit of snooping around on my own and i found out it is written in C, and quite a bit of the code is obfuscated. I loaded it in OllyDbg (DeFixed edition by Team FOFF), and it threw a few exceptions. Once i passed them to the virus i was able to see the IM sending code but not much else. Then DeFixed throws another exception at FFE38160, passing this one to the virus results in the debugger hanging.

I'm curious about its actual purpose. Is it a keylogger, a trojan, or what else? Hope someone can help me shed some light on this one. Download from attachment or the link above.

Password: malware
Kayaker
September 9th, 2009, 19:10
Th3_uN1Qu3, and everyone else:

Please password protect all uploaded malware files from now on, as per the sticky thread request at the start of this forum.

I deleted the original attachment and reuploaded it with the password "malware"

Thanks,
Kayaker
Th3_uN1Qu3
September 9th, 2009, 22:28
Alright, sorry for that. Will do from now on.
dezuzi
September 16th, 2009, 21:57
Hi, it seems to be named "BawtBot" (because it opens a mutex called "BawtBot v0x0 "
It enumerates all processes.
It checks wether "*TEMP\vshost32.exe" exists and if it does it removes it (as this virus will be copied there later on)
It writes a registry key for it to "Software\Microsoft\Windows NT\CurrentVersion\WinLogon" with contents "C:\WINDOWS\SYSTEM32\userinit.exe,*TEMP\vshost32.exe"
Then it copies itself to "*TEMP\vshost32.exe"
Then it runs "*TEMP\vshost32.exe"

It visits fubar.cheapsocks.cn and exchanges some data.

Now while its running.
It checks where you are from(IP address etc)
It tries to save your buddy list on aim and it also tries to get your skype friends and get your yahoo buddies oh and icq. (basically any messenger)
It tries to block any input at some times (i believe keyboard/mouse)
It runs itself everytime a folder is opened.
It hides itself from taskmanager and messes with regedit as well. (it hooks functions)

I dont really seeing doing that much else
Didn't bother trying it with any messenger on but i did see some rude textstrings in there...

Perhaps it is used as a survey how many people are interested about MJ's death?