A day in the life

Filed Under: Malware, SophosLabs

In an effort to give all you readers an understanding of a typical day at SophosLabs, let me relate in detail today's efforts.

The first thing I tackled was a group of three separate maliciously crafted Microsoft Word documents. Each made use of a now well-known exploit called the 1Table exploit, and each used the same technique to drop a separate piece of malware, and in one case inject malicious code into the Windows Program Manager. Of the three, we already detected one as Troj/LiDoor-A; the two new ones were given the names Troj/Vidro-G and Troj/BkDoor-A.

The process of going from an exploited Word document to analysing the malicious code of, for example, Troj/BkDoor-A was as follows:

1. Inside the Word document, find and decrypt the outermost layer of exploit code
2. Follow this to decrypt another layer, which gave me enough information to find the location and size of the encrypted executable that was hidden inside
3. Dump and decrypt the encrypted executable, which was then found to be packed
4. Unpack the decrypted executable
5. Analyse the unpacked code

After this I looked at an HTML file containing JavaScript code which was again crafted to exploit a known bug in the Internet Explorer (and possibly Firefox) web browsers. This led to a new generic identity, Exp/IEExpl-A.

Lastly I analysed and updated our generic detections for a worm coded in Visual Basic (most likely originating from Indonesia, as many VB worms do). The worm, which I named W32/Gimlet-A, was emphatic about keeping the author's chosen name and commanded anti-virus companies to preserve it, by way of a JPEG picture it shamelessly dropped onto the infected machine. The picture was of a semi-naked anime-styled female and stated "TO VENDOR ANTIVIRUS! PLEASE DONNT REPLACE W32.<VirusName> WITH OTHER NAME" [sic].

Needless to say, the name of the virus stated in the image was not W32/Gimlet :)

That's all from me today,
