{"id":4543,"date":"2011-06-17T08:12:24","date_gmt":"2011-06-17T15:12:24","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=4543"},"modified":"2018-01-30T12:22:23","modified_gmt":"2018-01-30T19:22:23","slug":"fake-ups-document-installs-fake-microsoft-patch-payload","status":"publish","type":"post","link":"https://www.webroot.com/blog/2011\/06\/17\/fake-ups-document-installs-fake-microsoft-patch-payload\/","title":{"rendered":"Fake UPS Document Installs Fake Microsoft Patch Payload"},"content":{"rendered":"

\"\"\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"\"<\/p>\n

\"\"<\/a>As if we didn’t have enough to deal with this week — after a Microsoft patch Tuesday that brought with it a boatload of security updates for Windows, Office, Silverlight, Visual Studio<\/strong>, and other programs — some enterprising malware distributor is emailing around bogus tracking number<\/em> malware dressed up in the icon of a PDF document, and that malware is downloading payloads named after the updaters that Windows Update retrieves during an update.<\/p>\n

The malware arrived into one of our spam collection points with an attachment named UPS_document.zip<\/strong>. Way to be original there, criminals. Inside the Zip file was an executable downloader named UPS_Document.exe<\/strong>. Upon execution, it retrieves at least three payloads, including a copy of SpyEye (a password stealing Trojan), a tiny agent sending profiling information about the infected system, and a fraudulent “rogue system utility” called (on my XP testbed) Windows XP Restore.<\/p>\n

The rogue takes on much of the appearance of a previous Rogue of the Week, named Windows Recovery<\/a>. In fact, Windows XP Restore looks to be a very slightly modified duplicate of that software. If you’ve been hit with either rogue, there are some cool free tools for you to download that will repair some of the damage; Read on for details.<\/p>\n

<\/p>\n

\"\"<\/a>
\nThe message with the attachment looked slightly better than these sorts of spam usually do. The creators went to the trouble of generating an HTML mail message, though I don’t know why they bothered, because it’s not as if pretty formatting makes poor spelling look any better. It says:<\/p>\n

\n
United Parcel Service\r\nTracking number #89946\r\nThe parcel was sent to your home adress<\/strong>.\r\nAnd it will arrive within 3 buisness<\/strong> days.\r\nMore information and the parcel tracking number are attached in document below.\r\nThank you\r\nUnited Parcel Service of America (c)\r\n153 James Street, Suite 100, Long Beach CA, 90000<\/strong><\/pre>\n<\/blockquote>\n
When you execute the UPS_Document program, it starts the ball rolling on a fairly serious infection.<\/p>\n
The first thing the installer does is pull down an 8704-byte downloader with the filename trol.exe<\/strong>, which we classify to the definition Trojan-Downloader-Tukpat<\/strong>. That downloader always renames itself svchost.exe initially, and copies itself into the Windows directory, but this file is not the same as the legitimate (much larger) svchost.exe that Windows uses to launch services.<\/p>\n
\"\"<\/a><\/p>\n
After I rebooted the system, I noticed that the same downloader had made yet another copy of itself named KB171818.exe<\/strong>, which, when it’s listed alongside all the other running apps on the system, looks a lot like one of those Windows Update applications that patches your system. The number next to “KB” is always six digits, but randomizes each time you run it on a different machine.<\/p>\n
The Tukpat downloader then retrieves at least three other payloads from the Web site miliardov.com<\/strong>. One of the payloads is always an installer for another downloader we call Hiloti<\/strong>; The other two are installers for SpyEye<\/strong> and the rogue. After executing each payload, one of the files triggers a bluescreen by crashing a Windows driver. When you reboot the box, it has been owned by the malware.<\/p>\n
\"\"<\/a><\/p>\n
The SpyEye payload periodically (about three times an hour) sends an HTTP GET request to one of more than a dozen Web sites; The query string typically includes the IP address of the infected computer, as well as an “affiliate ID” and several other encoded parameters. The Web sites it contacts — with names like findsmell.org, findstation.org, searchbreeze.org,<\/strong> and clickcareful.org<\/strong> — redirect you to Google when you visit them directly.<\/p>\n
\"\"<\/a><\/p>\n
The Windows XP Restore<\/strong> rogue immediately pulls the same stunts that Windows Recovery does, including:<\/p>\n
\"\"<\/a><\/p>\n