
Trojan.Peed.JVL


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Peed.JVL is also known as Peed, Zhelatin, Nuwar, Peacomm.

Explanation:

When started, the malware copies itself to the following location:
%windows%\[malware_name].exe

It creates the following registry entry:
HKCU\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" = "%windows%\[malware_name].exe"

A few examples of [malware_name] are:
"msserv"
"msssecurity"

It synchronizes the current computer time by executing the following commands:
w32tm.exe /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
w32tm.exe /config /update

The malware adds itself as a Windows Firewall exception by executing the following command:
netsh firewall set allowedprogram %windows%\[malware_name].exe
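The three host-level traces described above (a binary dropped directly under %windows%, a Run value pointing at it, and that binary spawning netsh and w32tm) can be turned into simple triage logic. The following is an added example, not part of the BitDefender advisory; it assumes Sysmon-style process-creation fields (ParentImage, CommandLine), a Windows directory of C:\Windows, and runs over constructed sample events rather than live telemetry.

```python
import re
from pathlib import PureWindowsPath

# Assumed Windows directory; the advisory writes it as %windows%.
WINDIR = PureWindowsPath(r"C:\Windows")

FIREWALL_RE = re.compile(r"netsh\s+firewall\s+set\s+allowedprogram\s+(?:program=)?(?P<prog>\S+)", re.I)
TIMESYNC_RE = re.compile(r"w32tm(?:\.exe)?\s+/config\s+/syncfromflags:manual", re.I)

def expand(path: str) -> PureWindowsPath:
    """Strip quotes and expand the %windows% placeholder used in the advisory."""
    path = re.sub(r"%windows%", lambda _: str(WINDIR), path.strip('"'), flags=re.I)
    return PureWindowsPath(path)

def in_windir_root(path: str) -> bool:
    r"""True when path names a file directly under %windows%, not System32 or deeper.
    PureWindowsPath compares case-insensitively, so C:\WINDOWS matches as well."""
    return expand(path).parent == WINDIR

def suspicious_run_value(name: str, data: str) -> bool:
    r"""Run value "<name>" = "%windows%\<name>.exe": the persistence shape described above."""
    p = expand(data)
    return p.parent == WINDIR and p.stem.lower() == name.lower()

def triage(events):
    """Flag process-creation events matching the advisory's firewall and time-sync commands.
    Each event is a dict with ParentImage and CommandLine (Sysmon event 1 field names)."""
    findings = []
    for ev in events:
        cmd, parent = ev["CommandLine"], ev["ParentImage"]
        m = FIREWALL_RE.search(cmd)
        if m and in_windir_root(m.group("prog")):
            findings.append(("firewall_exception_for_windir_binary", parent))
        if TIMESYNC_RE.search(cmd) and in_windir_root(parent):
            findings.append(("time_sync_from_windir_binary", parent))
    return findings

# Constructed sample events (not real telemetry): one infected-host sequence plus benign noise.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\msserv.exe",
     "CommandLine": r"netsh firewall set allowedprogram C:\Windows\msserv.exe"},
    {"ParentImage": r"C:\Windows\msserv.exe",
     "CommandLine": r"w32tm.exe /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov"},
    {"ParentImage": r"C:\Windows\msserv.exe", "CommandLine": r"w32tm.exe /config /update"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"netsh firewall set allowedprogram C:\Program Files\App\app.exe ENABLE"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The two rules fire only on the sequence launched from the %windows% binary; the benign svchost firewall change and the second w32tm invocation produce nothing.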

The virus registers the compromised computer as a peer in its malware network and uses a randomly chosen UDP port to communicate with the other peers. It also sends to its network a unique ID for the compromised computer, read from the registry key:
HKLM\Microsoft\Windows\ITStorage\Finders\"config"

It drops a list of the initial peers to the configuration file:
%windows%\[malware_name].config
The malware updates this list by communicating with URLs like:
cadeaux-avenu[hide]/getbackup.php

The malware also has backdoor capabilities and can perform actions like:
- send spam emails by using its SMTP engine
- send system information from the compromised computer
- download and execute other malware
- update itself

It harvests email addresses from files with the following extensions:
".wab"
".txt"
".msg"
".htm"
".shtm"
".stm"
".xml"
".dbx"
".mbx"
".mdx"
".eml"
".nch"
".mmf"
".ods"
".cfg"
".asp"
".php"
".pl"
".wsh"
".adb"
".tbb"
".sht"
".xls"
".oft"
".uin"
".cgi"
".mht"
".dhtm"
".jsp"
".dat"
".lst"

It does not send spam emails to email addresses that contain the following strings:
"@microsoft"
"rating@"
"f-secur"
"news"
"update"
"anyone@"
"bugs@"
"contract@"
"feste"
"gold-certs@"
"help@"
"info@"
"nobody@"
"noone@"
"kasp"
"admin"
"icrosoft"
"support"
"ntivi"
"unix"
"bsd"
"linux"
"listserv"
"certific"
"sopho"
"@foo"
"@iana"
"free-av"
"@messagelab"
"winzip"
"google"
"winrar"
"samples"
"abuse"
"panda"
"cafee"
"spam"
"pgp"
"@avp."
"noreply"
"local"
"root@"
"postmaster@"

Examples of sent emails:

Subject: Well done 4th!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

American Independence Day http://69.251.[hide]/

Subject: Amazing Independence Day show
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Stars and Strips forever http://68.90.195.[hide]/

Some of the sent emails' subjects are:

Amazing firework 2008
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Just You
Light up the sky
Long Live America
Proud to be an American
S America the Beautiful
S Happy Fourth of July
S Stars and Strips forever
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
Time for Fireworks
Well done 4th!
You Stay In My Heart

The email bodies link to a large and varied set of individual IP addresses.

Last update 21 November 2011
