Re: maoqmwgn.exe

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Apr 15 2004 - 17:13:27 CDT


"George M. Garner Jr." <gmgarnererols.com> wrote:

> I am looking for information on a small program entitled maoqmwgn.exe
> (http://users.erols.com/gmgarner/malware/maoqmwgn.zip). The program, which
> opens UDP 1030, was found on a computer that was infected with certain
> spyware. The creation time also correlates with the spyware. ...

Aside from opening that port, it appears that this is a downloader that
pulls files down from another site and installs them. It has a
hardcoded reference to a data file on www.slotch.com and currently that
file contains references to two .EXE files -- setup_integrated_s2.exe
and uninstall.exe (the first on a machine in the ouyks.com domain and
the second in the same folder as the .PHP file at slotch.com). Until
you have determined what all is happening on this machine, it would be
advisable to block all traffic to any machines in either of those domains if
possible (and better still to log all attempted connections to machines
in those domains).

Eyeballing the decompressed .EXE suggests that the following filenames
and directories _may_ be found on the victim machine if this .EXE was
run (many may simply be temporary files created during download and
installation then removed):

   uinst_cp.exe
   casino.exe
   C:\casino\Golden Palace Casino\casino.exe
   config.dat
   win.dat
   html.dat
   setup_updater.exe
   updaterinstall.dat
   c:\Setup.exe
   text.dat
   defaulttxt.dat
   addremove.dat

Also, keys or values may have been added or modified at or under any
registry locations that include these strings:

   SOFTWARE\Microsoft\Windows\CurrentVersion
   SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

The odds are good that the maoqmwgn.exe file is on the machine because
the user "accepted" it as an ActiveX control (or it was downloaded as
the result of them accepting some other control) or by clicking on a
"download me" link in spam, a banner ad or a popup. It may also have
been pushed to the machine as part of the payload of the spyware. Can
you obtain any further evidence of how it came to be on the machine?
This is important, as several AV companies will not add detection for
the downloader unless it can be proved that some form of deception is
used in getting the user to accept it, or otherwise that some form of
malice or ill-intent is involved in getting the .EXE onto "victim"
machines (i.e. many AV developers do not see it as their job to protect
your users from the easily avoidable stupidity of accepting a
"commercial offer", no matter how obviously "dodgy" or "fishy" said
offer is to a normal, sane person).

Is this a "corporate PC" or a SOHO machine? If the former, why is IE's
"only allow administrator approved controls" policy not in force?

Analysis of the .EXEs this downloads will proceed later today -- I have
other work to do first and am on a slow-ish link so the 3.9MB installer
is still downloading...

> ... I don't see
> it referenced anywhere.

Well, by and large, filenames alone are all but useless diagnostically.
If you rename this thing to foobar.exe and run it, do you really expect
that it will not work?

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
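One way to turn the filename list above into a triage sweep over a mounted image or copied volume, as an added example that is not part of the original thread: it matches the listed basenames case-insensitively and, following the post's point that the creation time correlates with the spyware, flags each hit as inside or outside a time window around an analyst-supplied anchor timestamp. The sample directory tree, the anchor date and the window width are constructed for the demo; `sweep`, `build_demo_tree` and `DROPPED_NAMES` are names chosen here.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Filenames the post lists as possibly left behind by maoqmwgn.exe, plus the
# downloader itself; matched by basename, case-insensitively.
DROPPED_NAMES = {
    "maoqmwgn.exe", "uinst_cp.exe", "casino.exe", "config.dat", "win.dat",
    "html.dat", "setup_updater.exe", "updaterinstall.dat", "setup.exe",
    "text.dat", "defaulttxt.dat", "addremove.dat",
}

def sweep(root, anchor=None, window_hours=24, attr="st_mtime"):
    """Report files under `root` whose basename is in DROPPED_NAMES.
    Names like setup.exe or config.dat are generic, so when `anchor` (the
    spyware's own timestamp) is given each hit is also flagged as inside or
    outside a +/- window_hours band around it. `attr` picks the stat field;
    on NTFS pass "st_ctime" to use the creation time the post refers to."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in DROPPED_NAMES:
                continue
            path = Path(dirpath) / name
            stamp = datetime.fromtimestamp(getattr(path.stat(), attr))
            in_window = None
            if anchor is not None:
                in_window = abs(stamp - anchor) <= timedelta(hours=window_hours)
            hits.append({"name": name, "path": str(path),
                         "time": stamp, "in_window": in_window})
    return sorted(hits, key=lambda h: h["path"])

def build_demo_tree():
    """Constructed sample tree (not real evidence). Returns (root, anchor)."""
    root = tempfile.mkdtemp(prefix="maoqmwgn_demo_")
    anchor = datetime(2004, 4, 10, 12, 0, 0)  # assumed spyware timestamp
    def drop(rel, when):
        p = Path(root, *rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
        os.utime(p, (when.timestamp(), when.timestamp()))
    # dropped two hours after the spyware: consistent with the downloader run
    drop(("casino", "Golden Palace Casino", "Casino.exe"), anchor + timedelta(hours=2))
    # generic name a month older than the infection: probably unrelated
    drop(("win.dat",), anchor - timedelta(days=30))
    drop(("readme.txt",), anchor)  # not in the list; must not be reported
    return root, anchor
```

A hit outside the window is not cleared, only deprioritised; the generic names still need the corroborating evidence the post asks for (how the file arrived, matching registry changes).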
