The Norman Sandbox Information Center (NSIC, http://sandbox.norman.com) received a file with the filename childpornf*******movie.mpeg.exe. Because most people leave Windows Explorer at its default setting of hiding extensions for known file types, the trailing “.exe” is not displayed: the file appears to be a movie, and since Explorer draws an executable's icon from the executable's own resources, the Trojan completes the disguise by carrying a Windows Media file icon.
When executed, the Trojan does show a child-porn movie, but only as cover for its real activity: downloading and installing a range of other malware, including the fake antispyware programs SpySheriff and BraveSentry and adware such as Tibs, a downloader for pornographic web sites. While the movie plays, curiosity wins over caution and the victim pays no attention to what else is happening on the machine.
On 18 March 2006, NSIC received another Trojan using the same technique for the same purpose. The movie shown is identical, but a different set of malware is downloaded and installed.
Given that the sample is 193536 bytes long (and packed, as the report below notes), a full code analysis of this piece of malware by reverse engineering would take a considerable amount of time and human effort. Letting Norman Sandbox Analyzer run the sample and record its behavior takes only moments before the interesting behavior is revealed:
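The disguise above works only because Explorer drops the final extension from the displayed name. The following Python is an added example, not code from Norman or from the original page: it simulates what Explorer shows with extension hiding on and flags names whose real extension is executable while the displayed name ends in a media or document extension. The extension lists and the sample filenames are constructed assumptions for the demonstration; the trailing-space padding case ("report.pdf      .scr") is a related trick the page does not mention, handled here because a real check needs it.

```python
import os
from typing import List, Optional, Tuple

# Representative lists, assumed for this example; extend them for real use.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".hta", ".msi", ".lnk"}
LURE_EXTS = {".mpeg", ".mpg", ".avi", ".wmv", ".mp4", ".mov", ".jpg",
             ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt", ".mp3"}


def explorer_display_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, everything before it stays visible."""
    name = os.path.basename(filename)
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def deceptive_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (name as displayed, real extension) when the real extension is
    executable but the displayed name ends in a media/document extension.
    Spaces padded in before the real extension are ignored when reading the
    lure extension. Returns None for names that are what they look like."""
    name = os.path.basename(filename)
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    _, lure_ext = os.path.splitext(stem.rstrip())
    if lure_ext.lower() in LURE_EXTS:
        return explorer_display_name(name), real_ext
    return None


def flag_deceptive(filenames: List[str]) -> List[Tuple[str, str, str]]:
    """Scan a list of names; return (real name, displayed name, real ext)
    for every name that would mislead a user with extensions hidden."""
    hits = []
    for fn in filenames:
        found = deceptive_extension(fn)
        if found:
            hits.append((os.path.basename(fn), found[0], found[1]))
    return hits


if __name__ == "__main__":
    # Constructed sample names (assumed for the demo, not the real sample).
    samples = ["holidaymovie.mpeg.exe", "video.mpeg", "setup.exe",
               "report.pdf      .scr", "notes.txt"]
    for real, shown, ext in flag_deceptive(samples):
        print(f"{real!r} is shown as {shown!r} but runs as {ext}")
```

A mail gateway or download monitor can apply the same check to attachment names; the displayed name is what the user will be reasoning about, so it is the displayed name that should be compared against the real extension.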
[ General information ]
* Creating several executable files on hard-drive.
* File might be compressed.
* Decompressing Unk3!FSG?.
* File length: 193536 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\childporn.wmv.
* Creates file C:\WINDOWS\SYSTEM32\win32.exe.
* Creates file C:\WINDOWS\SYSTEM32\msits.exe.
* Creates file C:\WINDOWS\SYSTEM32\loadadv713.exe.
* Creates file C:\WINDOWS\uniq.
* Creates file C:\WINDOWS\kl1.exe.
[ Network services ]
* Opens URL: http://traffsale1.biz/dl/dl.php?adv=adv713.
* Opens URL: http://traffsale1.biz/progs/kl.txt.
[ Security issues ]
* Starting downloaded file - potential security problem.
[ Process/window information ]
* Attempts to open C:\WINDOWS\TEMP\childporn.wmv NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\win32.exe NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\msits.exe NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\loadadv713.exe NULL.
* Enumerates running processes.
* Enumerates running processes several parses....
[ Signature Scanning ]
* C:\WINDOWS\TEMP\childporn.wmv (142802 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\win32.exe (7723 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\msits.exe (8605 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\loadadv713.exe (5185 bytes) : no signature detection.
* C:\WINDOWS\uniq (4096 bytes) : no signature detection.
* C:\WINDOWS\kl1.exe (4096 bytes) : no signature detection.
In this case, if the malicious file was executed on a system in the network, the system administrator can see exactly which files have been downloaded and in which folders they have been placed. Note also that none of the six dropped files triggered signature detection, so a scanner alone would have missed them; the behavioral report, together with the two URLs on traffsale1.biz, gives the administrator the file paths and network indicators to hunt for.
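Turning the report into something an administrator can act on means pulling out the dropped paths, the contacted URLs and the signature results. The following Python is an added example, not Norman's code or a Norman Sandbox API: it parses the report text quoted above (embedded verbatim so it runs offline) into structured indicators, lists the dropped files that no signature matched, and extracts the hosts to block. The line patterns are assumed from this one report's layout, not from a published format specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# The Norman Sandbox report quoted on this page, embedded so the example runs offline.
REPORT = r"""
[ General information ]
* Creating several executable files on hard-drive.
* File might be compressed.
* Decompressing Unk3!FSG?.
* File length: 193536 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\childporn.wmv.
* Creates file C:\WINDOWS\SYSTEM32\win32.exe.
* Creates file C:\WINDOWS\SYSTEM32\msits.exe.
* Creates file C:\WINDOWS\SYSTEM32\loadadv713.exe.
* Creates file C:\WINDOWS\uniq.
* Creates file C:\WINDOWS\kl1.exe.
[ Network services ]
* Opens URL: http://traffsale1.biz/dl/dl.php?adv=adv713.
* Opens URL: http://traffsale1.biz/progs/kl.txt.
[ Security issues ]
* Starting downloaded file - potential security problem.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\childporn.wmv (142802 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\win32.exe (7723 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\msits.exe (8605 bytes) : no signature detection.
* C:\WINDOWS\SYSTEM32\loadadv713.exe (5185 bytes) : no signature detection.
* C:\WINDOWS\uniq (4096 bytes) : no signature detection.
* C:\WINDOWS\kl1.exe (4096 bytes) : no signature detection.
"""

# Line patterns assumed from the report above (every entry ends with a period).
SECTION_RE = re.compile(r"^\[ (?P<name>.+) \]$")
LENGTH_RE = re.compile(r"^\* File length: (?P<size>\d+) bytes\.$")
CREATE_RE = re.compile(r"^\* Creates file (?P<path>.+)\.$")
URL_RE = re.compile(r"^\* Opens URL: (?P<url>.+?)\.?$")
SIG_RE = re.compile(r"^\* (?P<path>.+) \((?P<size>\d+) bytes\) : (?P<result>.+)\.$")


@dataclass
class SandboxIOCs:
    sample_size: Optional[int] = None
    created_files: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    signature_results: Dict[str, Tuple[int, str]] = field(default_factory=dict)


def parse_report(text: str) -> SandboxIOCs:
    """Walk the report section by section and collect the indicators."""
    iocs = SandboxIOCs()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "General information" and (m := LENGTH_RE.match(line)):
            iocs.sample_size = int(m.group("size"))
        elif section == "Changes to filesystem" and (m := CREATE_RE.match(line)):
            iocs.created_files.append(m.group("path"))
        elif section == "Network services" and (m := URL_RE.match(line)):
            iocs.urls.append(m.group("url"))
        elif section == "Signature Scanning" and (m := SIG_RE.match(line)):
            iocs.signature_results[m.group("path")] = (int(m.group("size")), m.group("result"))
    return iocs


def undetected_drops(iocs: SandboxIOCs) -> List[str]:
    """Dropped files that the signature scanner did not recognise: these are
    exactly the ones a scanner-only defence would leave on disk."""
    return [p for p in iocs.created_files
            if iocs.signature_results.get(p, (0, ""))[1] == "no signature detection"]


def contacted_hosts(iocs: SandboxIOCs) -> List[str]:
    """Hostnames from the contacted URLs, for proxy or DNS blocking."""
    return sorted({h for h in (urlparse(u).hostname for u in iocs.urls) if h})


if __name__ == "__main__":
    found = parse_report(REPORT)
    print("sample size:", found.sample_size)
    print("dropped and undetected:", *undetected_drops(found), sep="\n  ")
    print("hosts to block:", contacted_hosts(found))
```

The paths and hosts this produces are the hunt list for the rest of the network: search endpoints for the six paths, and search proxy logs for traffsale1.biz. Because the downloaded payloads vary between samples (the 18 March Trojan fetched a different set), the URLs and host are the more stable indicators than the dropped file names.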