Threat Spotlight

For the week of 30 Nov 2009
Threat 1

Malicious iPhone worm targets jail-broken phones

Threat Name:

Worm: iPh/Duh-A

Users at Risk:

Jail-broken iPhone users who have not changed the default root password ('alpine')

Also Known As:

  • Kaspersky: Net-Worm.IphoneOS.Ike.b
  • Microsoft: Worm:iPhoneOS/Ikee.B
  • Trend Micro: OSX_IKEE.A

Further Reading:

Since iPh/Duh-A can download additional code and commands, users are recommended to restore their iPhones from a last known-clean backup, or upgrade to the latest Apple firmware. In addition, please follow these instructions for removing worms.

About:

iPh/Duh-A is a multi-component worm that targets jail-broken iPhones, which are iPhones running code not officially approved by Apple.

This worm can:

  • Communicate with a remote server (IP 92.61.38.16)
  • Download and install additional applications and malware

Any passwords on the iPhone that were previously set to 'alpine' will be changed to 'ohshit'.

iPh/Duh-A uses files with the following names:

  • duh
  • sshd
  • cydia.tgz
  • inst
  • syslog
  • rel

The worm also modifies the following configuration files:

  • com.apple.ksyslog.plist
  • com.apple.period.plist

It installs several non-malicious applications:

  • curl
  • adv-cmds
  • sqlite

Threat 2

Zipped email attachment hides backdoor Trojan

Threat Name:

Troj/Agent-LNC

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Crypt.XPACK.Gen
  • Kaspersky: Backdoor.Win32.Small.zs
  • McAfee: Cutwail
  • Microsoft: TrojanDownloader:Win32/Cutwail.gen!C
  • Symantec: Trojan.Pandex
  • Trend Micro: TROJ_AGEN.AWYQ

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Agent-LNC is a backdoor Trojan which allows a remote intruder to gain access to and control over the computer. The Trojan accesses the internet to communicate with a remote server via HTTP.

Troj/Agent-LNC is typically distributed in a zip file attached to an email informing the recipient that "You are today's Macbook Air Winner!" (Read the SophosLabs blog entry on this threat.)

The zip file is detected as Troj/SpefZp-A. When the samples first appeared in Sophos's spam traps, Troj/Agent-LNC was proactively detected as Mal/FakeAV-AX. This is because Troj/Agent-LNC uses distinctive encryption techniques that SophosLabs identifies in fake anti-virus Trojans.

The lure of a new laptop has been used by cybercriminals before to spread fake anti-virus via spam. We saw it with Troj/Agent-LGE, featured in our October 8, 2009 Threat Spotlight.

When Troj/Agent-LNC is installed, it creates the following files:

  • <User>\reader_s.exe
  • <System>\reader_s.exe

It creates the following registry entries to run reader_s.exe on startup:

Key:   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: reader_s
Data:  <User>\reader_s.exe

Key:   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: reader_s
Data:  <System>\reader_s.exe

Threat 3

Hidden executable file embeds self in Windows registry

Threat Name:

Troj/ZipMal-J

Users at Risk:

Windows users

Removal Instructions:

Please follow the instructions for removing Trojans.

About:

Troj/ZipMal-J is a malicious ZIP file which comes attached to an email. This email often has the subject line: "your mailbox has been deactivated." Sample body text:

We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, <Hidden>.com technical support.

The attached ZIP file is utility.zip and the executable inside the zip is utility.exe.

When Troj/ZipMal-J runs, it creates the following files:

<Windows>\snhol4k.dll
<System>\wdni.buo

Sophos detects these files as Mal/EncPk-LP.

The Trojan creates the following registry entry to run code exported by wdni.buo on startup:

Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: Shell
Data:  Explorer.exe rundll32.exe wdni.buo nrufk

It also sets these registry entries:

Key:   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value: ProxyEnable
Data:  0

Key:   HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Value: Notification Packages
Data:  <BINARY>

Registry entries are created under HKCR\idid\.
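As an added, defender-side example (not part of the Sophos advisory), the following PowerShell snippet reads the persistence locations listed for Threats 2 and 3 on a live Windows host and reports any that match. It assumes an administrative PowerShell session, that the only expected Winlogon Shell value is explorer.exe, and that scecli is the only expected LSA Notification Package on a stock build (site-specific packages would need adding to the allow-list).

```powershell
# Added example, not Sophos code: read-only triage of the persistence
# locations named in this Spotlight. Assumes an elevated session.
$findings = @()

# Threat 2: Run-key values launching reader_s.exe (HKCU and HKLM)
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        if ($p.Name -eq 'reader_s' -or "$($p.Value)" -match 'reader_s\.exe') {
            $findings += "[Threat 2] $key\$($p.Name) = $($p.Value)"
        }
    }
}

# Threat 3: Winlogon Shell hijack. Assumption: a clean value is exactly
# explorer.exe; anything appended (e.g. a rundll32.exe call) is suspect.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
      -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and ($wl.Shell.Trim() -notmatch '^explorer\.exe$')) {
    $findings += "[Threat 3] Winlogon\Shell = $($wl.Shell)"
}

# Threat 3: extra LSA Notification Packages. Assumption: 'scecli' is the
# only package on a stock build; extend $known for your own environment.
$known = @('scecli')
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa) {
    foreach ($pkg in @($lsa.'Notification Packages')) {
        if ($pkg -and ($known -notcontains $pkg)) {
            $findings += "[Threat 3] Lsa\Notification Packages contains: $pkg"
        }
    }
}

# Threat 3: dropped files and the HKCR\idid key named in the advisory
foreach ($f in "$env:SystemRoot\snhol4k.dll", "$env:SystemRoot\System32\wdni.buo") {
    if (Test-Path $f) { $findings += "[Threat 3] file present: $f" }
}
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\idid') { $findings += '[Threat 3] HKCR\idid present' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No indicators from this Spotlight found.' }
```

ProxyEnable = 0 is deliberately not flagged, since that value is the normal setting on most hosts and is not a usable indicator on its own.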