Downloader-BAI!M711

Type
Trojan
SubType
Downloader
Discovery Date
01/19/2007
Length
22,000 bytes - 47,000 bytes
Minimum DAT
4943 (01/19/2007)
Updated DAT
5296 (05/15/2008)
Minimum Engine
5.1.00
Description Added
01/19/2007
Description Modified
04/16/2007 12:38 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

--- Update April 16, 2007 --

Two new variants have been found with the following characteristics.

3ti.exe.exe (91,920 bytes, name may vary)

On execution, the following files are created:

  • %SystemDir%\windev-5004-7504.sys (139,008 bytes) detected as Downloader-BAI.sys.gen.a
  • %SystemDir%\windev-peers.ini (12,542 bytes, size may vary) configuration file

It also creates the following registry entries:

  • Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
    Imagepath="\??\%SYSTEMDIR%\windev-5004-7504.sys"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
    displayname="windev-5004-7504"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\windev-5004-7504\
    start="2"

Once the service is running, it sends UDP traffic that appears to be connection requests to file-sharing peers in the eDonkey (or a compatible) network format. The destination IP addresses and UDP ports look random, but are most likely decoded from the "windev-peers.ini" initialization file.

pdp.exe.exe (40,720 bytes, name may vary)

On execution, the following files are created:

  • %SystemDir%\wincom32.sys (56,064 bytes) detected as Downloader-BAI.sys.gen.a
  • %SystemDir%\wincom32.ini (12,784 bytes, size may vary) configuration file

It also creates the following registry entries:

  • Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
    Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
    displayname="wincom32"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\wincom32\
    start="2"

Once the service is running, it sends UDP traffic that appears to be connection requests to file-sharing peers in the eDonkey (or a compatible) network format. The destination IP addresses and UDP ports look random, but are most likely decoded from the "wincom32.ini" initialization file.
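
The UDP behaviour described for both variants above (eDonkey-format connection requests sprayed at many apparently random peers) is the network-side signal a responder can hunt for. The following is an added example written for this page; it is not McAfee's code and not the malware's. It recognises eDonkey-family datagrams by their leading protocol byte (0xE3) and flags any source that contacts many distinct (address, port) pairs in a short window. The Overnet connect opcode (0x0C) and the peer-descriptor layout used by build_connect/parse_connect are taken from public Overnet protocol descriptions and should be treated as assumptions to verify; the window and peer-count thresholds are assumptions to tune; the traffic in sample_traffic is constructed.

```python
"""Hunt for hosts spraying eDonkey/Overnet-style UDP connect requests at many peers."""
from collections import defaultdict
import ipaddress
import struct

EDONKEY_PROTO = 0xE3    # protocol byte that starts every eDonkey/Overnet UDP datagram
OVERNET_CONNECT = 0x0C  # Overnet "connect" opcode (assumption: check against a protocol reference)


def build_connect(peer_hash, ip, port, kind=0):
    """Constructed helper: assemble an Overnet connect datagram.
    Assumed layout: E3 0C | 16-byte peer hash | IPv4 in dotted-quad byte order | port (LE) | kind."""
    assert len(peer_hash) == 16
    return (bytes([EDONKEY_PROTO, OVERNET_CONNECT]) + peer_hash
            + ipaddress.IPv4Address(ip).packed + struct.pack('<HB', port, kind))


def parse_connect(payload):
    """Return (hash_hex, ip, port) when payload has the connect layout above, else None."""
    if len(payload) < 25 or payload[0] != EDONKEY_PROTO or payload[1] != OVERNET_CONNECT:
        return None
    peer_hash = payload[2:18].hex()
    ip = str(ipaddress.IPv4Address(payload[18:22]))
    port, = struct.unpack_from('<H', payload, 22)
    return peer_hash, ip, port


def fanout_alerts(datagrams, window=60.0, min_peers=20):
    """datagrams: iterable of (ts, src_ip, dst_ip, dst_port, payload).
    Return {src_ip: peer_count} for sources that sent eDonkey-family UDP to at least
    min_peers distinct (dst_ip, dst_port) pairs inside any `window`-second span.
    Both thresholds are assumptions to tune per network."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, payload in datagrams:
        if payload and payload[0] == EDONKEY_PROTO:
            per_src[src].append((ts, (dst, dport)))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window start forward
                lo += 1
            best = max(best, len({peer for _, peer in events[lo:hi + 1]}))
        if best >= min_peers:
            alerts[src] = best
    return alerts


def sample_traffic():
    """Constructed sample: 10.0.0.5 sprays 30 connects at unrelated peers within 9 seconds;
    10.0.0.9 sends two connects and one DNS query. TEST-NET addresses throughout."""
    rows = []
    for i in range(30):
        dst, dport = f'198.51.100.{i + 1}', 1024 + 7 * i
        rows.append((100.0 + 0.3 * i, '10.0.0.5', dst, dport,
                     build_connect(bytes([i]) * 16, dst, dport)))
    for i in range(2):
        dst = f'203.0.113.{i + 1}'
        rows.append((100.0 + i, '10.0.0.9', dst, 4662, build_connect(bytes(16), dst, 4662)))
    rows.append((101.0, '10.0.0.9', '10.0.0.1', 53, b'\x12\x34\x01\x00'))  # not eDonkey
    return rows


if __name__ == '__main__':
    for src, n in fanout_alerts(sample_traffic()).items():
        print(f'{src}: eDonkey-style UDP to {n} distinct peers')
```

A legitimate eMule/eDonkey client produces the same fan-out, so an alert from this script is a hunting lead to be corroborated on the host (the wincom32 / windev-* driver service described above), not a verdict on its own.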

--- Update January 21, 2007 --

There have been several new spammings of this trojan. Newer variants also drop W32/Nuwar@MM and the following file:

  • %SystemDir%\wincom32.ini

When executed, Downloader-BAI drops the following 2 files:

  • %SystemDir%\peers.ini (5483 bytes)
  • %SystemDir%\wincom32.sys (41728 bytes) detected as Generic Downloader.ab

It also creates the following registry entries:

  • Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
    Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
    displayname="wincom32"
  • Hkey_Local_Machine\System\CurrentControlSet\Services\Wincom32\
    start="2"

The .sys file is a device driver that hides the network traffic generated by the downloads.

It then downloads "Game0.exe", detected as Downloader-ZQ.a, from the following URLs (paths censored):

  • http://81.177.3.169/[censored]
  • http://217.107.217.187/[censored]
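
All three variants above persist the same way: a kernel-driver service under HKLM\System\CurrentControlSet\Services (wincom32 or windev-5004-7504) whose ImagePath is a .sys file dropped directly into the system directory and whose Start value is 2 (auto-start). The script below is an added example for this page, not McAfee's or the malware's code: it parses a .reg export of the Services key (as produced by `reg export`, or taken from a hive during forensic review), reports the service names listed in this description, and also flags any other auto-started driver whose image sits in the system32 root rather than system32\drivers. The windev-<n>-<n> name pattern is an assumption that generalises "name may vary" from the one windev sample; the export text is constructed and shows ImagePath as a plain string for readability (a real export emits REG_EXPAND_SZ as hex(2)).

```python
"""Flag services in a .reg export that match the driver-service persistence described above."""
import re

# Constructed sample: a trimmed "reg export" of HKLM\SYSTEM\CurrentControlSet\Services.
# "Beep" is a normal driver; "example-drv" is a made-up name with the same shape as the
# malware's drivers; the other two names are the ones listed in this description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"="system32\\drivers\\beep.sys"
"DisplayName"="Beep"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\wincom32.sys"
"DisplayName"="wincom32"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windev-5004-7504]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\windev-5004-7504.sys"
"DisplayName"="windev-5004-7504"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\example-drv]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\example-drv.sys"
"DisplayName"="example-drv"
"Start"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Service names given in this description; the windev-<n>-<n> pattern is an assumption
# generalising "name may vary" for the single windev-5004-7504 sample.
KNOWN_NAMES = re.compile(r'^(wincom32|windev-\d+-\d+)$', re.IGNORECASE)
# Driver image sitting directly in system32\ rather than system32\drivers\.
SYS32_ROOT_DRIVER = re.compile(r'\\system32\\[^\\]+\.sys$', re.IGNORECASE)
SERVICE_AUTO_START = 2


def parse_reg_export(text):
    """Return {service_name: {value_name_lower: value}} for keys directly under Services."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            parts = m.group(1).split('\\')
            # Only the service key itself; skip sub-keys such as ...\<svc>\Parameters.
            if len(parts) >= 2 and parts[-2].lower() == 'services':
                current = parts[-1]
                services[current] = {}
            else:
                current = None
            continue
        if current is None:
            continue
        m = STR_RE.match(line)
        if m:  # .reg escapes backslashes inside string values as "\\"
            services[current][m.group(1).lower()] = m.group(2).replace('\\\\', '\\')
            continue
        m = DWORD_RE.match(line)
        if m:
            services[current][m.group(1).lower()] = int(m.group(2), 16)
    return services


def assess_services(services):
    """Return {service_name: verdict}: 'known' for the names in this description,
    'suspicious' for any other auto-started driver loaded from the system32 root."""
    findings = {}
    for name, values in services.items():
        image = str(values.get('imagepath', ''))
        if KNOWN_NAMES.match(name):
            findings[name] = 'known'
        elif values.get('start') == SERVICE_AUTO_START and SYS32_ROOT_DRIVER.search(image):
            findings[name] = 'suspicious'
    return findings


if __name__ == '__main__':
    for name, verdict in assess_services(parse_reg_export(SAMPLE_REG)).items():
        print(f'{verdict:10} {name}')
```

The 'suspicious' heuristic will also catch a few legitimate drivers installed outside system32\drivers, so treat it as a triage list; the 'known' matches are the indicators this description actually gives.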

--- Update January 21, 2007 --

It also downloads W32/Nuwar@MM, Downloader-ZQ, Uploader-AF, and Spam-Mailbot.

Symptoms

Downloader-BAI is currently being spammed using the following email formats. In general the mails fall into two categories.

  • A subject with a controversial world news event and an attachment pretending to provide more information
  • A subject indicating romantic love or passion and an attachment pretending to be a greeting or postcard.

Subject (spelling is as used in the spam):

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • Naked teens attack home director
  • A killer at 11, he's free at 21 and kill again!
  • British Muslims Genocide
  • 230 dead as storm batters Europe.
  • Radical Muslim drinking enemies' blood.
  • Sadam Hussein alive!
  • Russian missle shot down USA satellite
  • Russian missle shot down USA aircraft
  • Russian missle shot down Chinese aircraft
  • Sadam Hussein safe and sound!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  • Hugo Chavez dead.
  • Fidel Castro dead.
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: "Let's the War Begin".

--- Update January 21, 2007 --

  • We Are Different
  • I Love You Soo Much
  • I Still Love You
  • You + Me
  • Passionate Kiss
  • Kisses, Hugs & Roses

Attachment:

  • Read More.exe
  • Full Clip.exe
  • Full Story.exe
  • Full Video.exe
  • Video.exe

--- Update January 21, 2007 --

  • Flash Postcard.exe
  • Greeting Card.exe
  • Greeting Postcard.exe
  • Postcard.exe

--- Update January 22, 2007 --

Subject:

  • Love for Granted
  • Most Beautiful Girl
  • Puppy Love
  • Search for One
  • Magic of Flowers
  • Dinner Coupon

Attachment:

  • full news.exe
  • read news.exe

This downloader drops W32/Nuwar@MM. It also downloads W32/Nuwar@MM, Downloader-ZQ, Uploader-AF, and Spam-Mailbot.
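
The subject and attachment lists above are what a mail gateway can act on. The following is an added example for this page, not McAfee's code and not a product rule set: it parses a raw message with Python's email package, blocks anything carrying an executable attachment (a listed lure name, any .exe, or a part whose decoded content starts with the PE "MZ" header regardless of its name), and flags messages whose subject matches a listed lure even when no attachment survived. The MZ check goes beyond the page, which only describes .exe attachment names; the subject set is a subset of the list above; the three messages are constructed, and the base64 body is a stub that decodes to a bare MZ header, not a real binary.

```python
"""Triage inbound mail for the lure pattern above: a news/romance subject with an .exe attachment."""
import email
from email import policy
import re

# Names quoted in this description, lower-cased; spelling kept exactly as the spam uses it.
LURE_ATTACHMENTS = {
    'read more.exe', 'full clip.exe', 'full story.exe', 'full video.exe', 'video.exe',
    'flash postcard.exe', 'greeting card.exe', 'greeting postcard.exe', 'postcard.exe',
    'full news.exe', 'read news.exe',
}
LURE_SUBJECTS = {  # subset of the subjects listed in this description
    'sadam hussein alive!', 'hugo chavez dead.', 'fidel castro dead.',
    '230 dead as storm batters europe.', 'i love you soo much', 'passionate kiss',
    'kisses, hugs & roses', 'puppy love', 'dinner coupon',
}
EXE_NAME = re.compile(r'\.exe$', re.IGNORECASE)


def attachment_parts(msg):
    """Yield (filename, first two bytes) for every leaf part that carries a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b''
            yield name, data[:2]


def classify(raw_message):
    """Return (verdict, reasons): 'block' for any executable attachment, 'flag' for a
    known lure subject without one, 'deliver' otherwise."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg['subject'] or '').strip()
    reasons, exe_hit = [], False
    for name, magic in attachment_parts(msg):
        if name.lower() in LURE_ATTACHMENTS:
            reasons.append(f'known lure attachment name: {name}')
        elif EXE_NAME.search(name):
            reasons.append(f'executable attachment: {name}')
        elif magic == b'MZ':  # PE content hiding under a non-.exe name
            reasons.append(f'PE content under a non-.exe name: {name}')
        else:
            continue
        exe_hit = True
    subject_hit = subject.lower() in LURE_SUBJECTS
    if subject_hit:
        reasons.append(f'known lure subject: {subject!r}')
    if exe_hit:
        return 'block', reasons
    if subject_hit:
        return 'flag', reasons
    return 'deliver', reasons


# Constructed messages: a lure with a stub attachment, a lure subject alone, and benign mail.
SAMPLE_LURE = '''\
From: news@example.net
To: victim@example.org
Subject: Sadam Hussein alive!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Full story in the attachment.
--b1
Content-Type: application/octet-stream; name="Full Story.exe"
Content-Disposition: attachment; filename="Full Story.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
'''

SAMPLE_SUBJECT_ONLY = '''\
From: friend@example.net
To: victim@example.org
Subject: Puppy Love

Thinking of you.
'''

SAMPLE_BENIGN = '''\
From: hr@example.org
To: victim@example.org
Subject: Timesheet reminder

Please submit your timesheet by Friday.
'''

if __name__ == '__main__':
    for sample in (SAMPLE_LURE, SAMPLE_SUBJECT_ONLY, SAMPLE_BENIGN):
        print(classify(sample))
```

Subject matching is the weakest of the three checks, since the lure text changes with every spam run (compare the January 21 and January 22 lists above); the attachment checks are what actually stop the dropper from reaching a user.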

Method of Infection

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

A spam run of this Downloader Trojan is underway. During a spam run, the author of the malware sends the Trojan by email as an attachment, relying on the subject line and attachment name to entice recipients into executing it.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

--- Update January 21, 2007 --

There have been multiple spammings of this family over the last 48 hours.

This variant is a different strain of W32/Nuwar. Newer variants drop or download samples related to W32/Nuwar@MM.

--- Update January 19, 2007 --
The risk assessment of this threat was updated to Low-Profiled due to prevalence.

Downloader-BAI is a trojan that is delivered via a spammed email message. This downloader is designed to download files from websites controlled by the malware author.

History

W32/Nuwar@MM dropped Downloader-ARL a few weeks ago. It has now changed its payload and drops Downloader-BAI instead. W32/Nuwar@MM creates a copy of itself with a random name followed by a ".t" extension and then infects files in the directories. The infected files are detected as W32/Duel. During infection it has also been observed to corrupt binaries, which are detected as W32/Duel.dam.

Aliases

  • CME-711
  • Downloader-BAI
  • Downloader-BAI.gen
  • Storm Worm
  • Trojan-Downloader.Win32.Agent.bet
  • Trojan-Downloader.Win32.Small.dam
  • Trojan.Peacomm
  • Win32/Nuwar.N@MM!CME-711
