Scriptable SFX and Multi-Component malware

For the most part malware is easy to identify and categorise as it’s often either an individual malicious file or a small collection of malicious files, but the scripting capabilities of most archivers and installers is changing this. As I previously discussed here, multi-component malware can be tricky to untangle but is often easy to detect because individual components are themselves malicious, but the problem becomes more tricky…

One such example (detected as Troj/Bckdr-QOE) is a ~400k WinRar self-extracting archive (SFX) with an embedded script specifying the deployment path and sequence.

Silent=1 Overwrite=2

The archive script will attempt to deploy the components into a sub-folder (winnt) off system32 and then launch the deployed applications, doing all this silently as you enjoy the picture referenced by pic.url 🙂


The archive contains a bunch of files which by themselves pose no serious risk yet acting together function as a backdoor to the compromised system.

 Name             Size   Packed Ratio  Date   Time     Attr      CRC
 System.exe     413696   202292  48% 29-12-06 03:30   .....A   A3BDC68E
 3proxy.cfg        132      112  84% 30-05-08 20:25   .....A   A7D3842D
 cssrs.exe      123392    51829  42% 23-10-07 12:54   .....A   E05C8656
 start.exe      104327    50734  48% 01-06-08 20:02   .....A   8282C22F
 alg.exe         37888    23969  63% 09-06-08 03:35   .....A   54BA43CD
 register.reg     1614      537  33% 11-06-08 00:44   .....A   1FD57B78
 pic.url           133      132  99% 09-07-08 01:44   .....A   ECA6B66B

The operation is simple; launched first is the file alg.exe, an ExeScript application which runs a compiled version of a script. It is this script that is the master controller, starting the proxy and requesting that the SSH utility establish a remote tunel to an external server.

decompiled ExeScript

Start.exe is another WinRar SFX, which deploys a shortcut to “DiskDoctor” in the Startup folder (the shortcut points to the installed alg.exe) in an effort to maintain persistance. This completes the initial installation.

The file cssrs.exe is infact a copy of 3proxy tiny proxy server and system.exe is a copy of the popular SSH application “PuTTy”, which is configured with a host key by injecting the registry file register.reg.

So by gathering up a few legitimate tools and some configuration files, packaging them up with a legitimate archiver with scripting capability, malware may result. I’m sure this wasn’t the intention when scriptable archives were developed yet they now pose an interesting dilemma to administrators and users alike.