Downloader-BAI!M711

**Anilrgowda** · 22-Jan-2007, 04:47 AM

Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 1/19/2007 Date Added: 1/19/2007 Origin: N/A Length: 22,000 bytes - 47,000 bytes Type: Trojan SubType: Downloader DAT Required: 4943 Virus Characteristics

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx
--- Update January 21, 2007 --
There has been several new spammings of this trojan. Newer variants also drop W32/Nuwar@MM and the following files.

% SystemDir %\wincom32.ini

When executed, Downloader-BAI drops the following 2 files:

%SystemDir%\peers.ini (5483 bytes)
% SystemDir %\wincom32.sys (41728 bytes) Detected as Generic Downloader.ab

It also creates the following registry entries:

Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\
Imagepath="\??\%SYSTEMDIR%\wincom32.sys"
Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\
displayname="wincom32"
Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\
start="2"

The .sys file is a device driver file hides network traffic for the downloads.
It then downloads "Game0.exe", detected as Downloader-ZQ.a, from the following IP addresses:

http://81.177.3.169/[censored]
http://217.107.217.187/[censored]

--- Update January 21, 2007 --
It also downloads W32/Nuwar@MM., Downloader-ZQ, Uploader-AF, and Spam-Mailbot.

Indications of Infection

Downloader-BAI is currently being spammed using the following email formats. In general the mails fall into two categories.

A subject with a controversial world news event and an attachment pretending to provide more information
A subject indicating romantic love or passion and an attachment pretending to be a greeting or postcard.

Subject:

U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Naked teens attack home director
A killer at 11, he''s free at 21 and kill again!
British Muslims Genocide
230 dead as storm batters Europe.
Radical Muslim drinking enemies' blood.
Sadam Hussein alive!
Russian missle shot down USA satellite
Russian missle shot down USA aircraft
Russian missle shot down Chinese aircraft
Sadam Hussein safe and sound!
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
Hugo Chavez dead.
Fidel Castro dead.
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: "Let''s the War Begin".

--- Update January 21, 2007 --

We Are Different
I Love You Soo Much
I Still Love You
You + Me
Passionate Kiss
Kisses, Hugs & Roses

Attachment:

Read More.exe
Full Clip.exe
Full Story.exe
Full Video.exe
Video.exe

--- Update January 21, 2007 --

Flash Postcard.exe
Greeting Card.exe
Greeting Postcard.exe
Postcard.exe

This downloader drops W32/Nuwar@MM. It also downloads W32/Nuwar@MM., Downloader-ZQ, Uploader-AF, Spam-Mailbot

Method of Infection

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx
A spam run of this Downloader Trojan is underway. During a spam run, the author of the malware spams the Trojan by email to entice people into executing them.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

Aliases

CME-711, Downloader-BAI, Downloader-BAI.gen, Trojan-Downloader.Win32.Agent.bet, Trojan-Downloader.Win32.Small.dam, Win32/Nuwar.N@MM!CME-711

22-Jan-2007, 04:47 AM	#1 (permalink)
Anilrgowda Administrator Posts: 18,715 Join Date: Jan 2006 Rep Power: 10 IM:	Downloader-BAI!M711 Risk Assessment - Home Users: Low-Profiled - Corporate Users: Low-Profiled Date Discovered: 1/19/2007 Date Added: 1/19/2007 Origin: N/A Length: 22,000 bytes - 47,000 bytes Type: Trojan SubType: Downloader DAT Required: 4943 Virus Characteristics To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx --- Update January 21, 2007 -- There has been several new spammings of this trojan. Newer variants also drop W32/Nuwar@MM and the following files. % SystemDir %\wincom32.ini When executed, Downloader-BAI drops the following 2 files: %SystemDir%\peers.ini (5483 bytes) % SystemDir %\wincom32.sys (41728 bytes) Detected as Generic Downloader.ab It also creates the following registry entries: Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\ Imagepath="\??\%SYSTEMDIR%\wincom32.sys" Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\ displayname="wincom32" Hkey_Local_Machine\System\CurrentControlSet\Servic es\Wincom32\ start="2" The .sys file is a device driver file hides network traffic for the downloads. It then downloads "Game0.exe", detected as Downloader-ZQ.a, from the following IP addresses: http://81.177.3.169/[censored] http://217.107.217.187/[censored] --- Update January 21, 2007 -- It also downloads W32/Nuwar@MM., Downloader-ZQ, Uploader-AF, and Spam-Mailbot. Indications of Infection Downloader-BAI is currently being spammed using the following email formats. In general the mails fall into two categories. A subject with a controversial world news event and an attachment pretending to provide more information A subject indicating romantic love or passion and an attachment pretending to be a greeting or postcard. Subject: U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel Naked teens attack home director A killer at 11, he''s free at 21 and kill again! British Muslims Genocide 230 dead as storm batters Europe. Radical Muslim drinking enemies' blood. Sadam Hussein alive! Russian missle shot down USA satellite Russian missle shot down USA aircraft Russian missle shot down Chinese aircraft Sadam Hussein safe and sound! The commander of a U.S. nuclear submarine lunch the rocket by mistake. Hugo Chavez dead. Fidel Castro dead. The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead! U.S. Southwest braces for another winter blast. More then 1000 people are dead. Venezuelan leader: "Let''s the War Begin". --- Update January 21, 2007 -- We Are Different I Love You Soo Much I Still Love You You + Me Passionate Kiss Kisses, Hugs & Roses Attachment: Read More.exe Full Clip.exe Full Story.exe Full Video.exe Video.exe --- Update January 21, 2007 -- Flash Postcard.exe Greeting Card.exe Greeting Postcard.exe Postcard.exe This downloader drops W32/Nuwar@MM. It also downloads W32/Nuwar@MM., Downloader-ZQ, Uploader-AF, Spam-Mailbot Method of Infection To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx A spam run of this Downloader Trojan is underway. During a spam run, the author of the malware spams the Trojan by email to entice people into executing them. Removal Instructions All Users: Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). Additional Windows ME/XP removal considerations Aliases CME-711, Downloader-BAI, Downloader-BAI.gen, Trojan-Downloader.Win32.Agent.bet, Trojan-Downloader.Win32.Small.dam, Win32/Nuwar.N@MM!CME-711

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)