Recently, a new data-stealing worm caught our attention. The reason why it stands out from many similar amateur creations is that its author is most probably Czech, as the text strings, variable and function names used by the malware suggest.
The Czech text above is displayed by the worm inside a console window and translates to: “Initializing. This operation can take several minutes. Please wait…”, pretending to be a message from Microsoft.
But wait, variable and function names used by the programmer? Those aren’t normally seen in a compiled binary unless we have the associated PDB file (Program DataBase: a file format commonly created at compile-time that may list symbols that aren’t stored in the compiled module itself). But in this case, the worm is written entirely in PHP and “converted” to a PE file using the Bambalam PHP EXE Compiler/Embedder. This embedder simply encodes the PHP source files using Turck MMCache and then adds the resulting PHP bytecode as resources in a launcher binary. By decoding these, we were able to get a fairly accurate view of the original source code.
So let’s take a look at what the malware actually does…
Firstly, we classify it as a worm, as it contains methods for spreading itself. In order to replicate through removable media and modify the infected system to ensure persistence, i.e. that it gets relaunched subsequently, the worm copies its body to the following locations:
For each of the above mentioned locations, the worm randomly chooses one of the following innocuous-looking file names:
The purpose of the worm is to collect a large set of sensitive user data and system information, including:
The list of types of data that the worm harvests from the infected machine is quite long, and they are all gathered using various unsophisticated methods. In order to collect most of the data associated with Instant Messaging applications, browsers, and so on, the worm simply uploads all the files from the installation folders of the respective applications. For information related to Windows user accounts, network connections, running processes, and the Windows Registry, the following shell commands are used:
Another method employed for collecting the victim’s data is the use of third-party password-extraction utilities by NirSoft. The worm’s binary drops and executes four of these tools and sends their output back to the attacker.
The worm uses a simple mechanism for sending the collected data to the remote server. It sends many HTTP POST requests (port 80) containing the stolen data gz-compressed and Base64 encoded.
As you can see from the description above, the worm lacks the sophistication of some of the more advanced malware that we sometimes see. Yet, unfortunately, even these simple threats often get the job done.
Given the very low prevalence of this malware, the fact that at the time of this writing 100% of the detections came from the Czech Republic, and its apparent Czech origin, there is a possibility that this tool was used in a targeted attack on a specific victim. Or it may just have been an experiment by an amateur malware-writer. Or both.
ESET detects this worm as Win32/AutoRun.PSW.Agent.E. The malware analysis was done by Jakub Horký.
Author Robert Lipovsky, ESET