CANADA.EXE Findings

From: John H (surfcityjohnat_private)
Date: Wed Mar 12 2003 - 20:56:08 PST

Next message: Andy Polyakov: "Re: [unisog] Port 109 Mystery"

Previous message: James C Slora Jr: "RE: Port 109 Mystery"
Next in thread: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"
Reply: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All:

CANADA.EXE (aka HOT CANADA) is a "dialer" by nature. In fact, a
known dialer:
http://www.pestpatrol.com/PestInfo/db/h/hot_canada.asp.

The loose sequence of events upon execution is as follows:

After CANADA.EXE is executed, it pops up a dialog that displays a
pornographic image and asks the user if they would like to go to a
porn site.

Meanwhile, behind the scenes...

It downloads HOT_CANADA.EXE from either 208.192.120.56 and
204.177.92.205 (via HTTP/port 80). HOT_CANADA.EXE is placed in a
very obvious "dialers" folder under Program Files.

HOT_CANADA.EXE then begins execution.

It contacts 204.177.92.204 (via HTTP/port 80) and proceeds to
download HOT_CANADAUPDATE.EXE which is placed in the root directory
of the PC.

HOT_CANADAUPDATE.EXE then takes over with the most interesting
activity and downloads HotOrgy_ca.exe and HardcoreVideos_ca.exe.
They are placed in their own directories under the now infamous
"dialers" directory. Links are placed on the desktop and start menu
to these new files.

HOT_CANADA.EXE at this point seems to go into an idle state and this
is where my experiments stopped. The outbound traffic was minimal
and consisted of HTTP requests. HOT_CANADA.EXE did examine the
registry entries for RAS, long distance dialing codes, and analog
modem devices.

This looks like a genuine "dialer" program. Although CANADA.EXE
appeared to be "compacted" with PECompact, there appeared to be no
serious effort to hide or obfuscate what this program and its
supporting executables do. My window of testing was very short, so
there may be more unsolicited action later on down the execution
path. Naturally, it should not be assumed this program or programs
like it are harmless based on what I have said. The should be
considered a real threat, because this program had full access to my
machine and the data contained within while it was executing.

By the way, the IPs belong to a company called Lexitrans.

Regards,

John Herndon
Security Consultant

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.94

iD8DBQE+cA1vPAH04z2c9bARArqrAJ4sTIarily9j6SH/s+NNboDgqOSkwCfZZYJ
lOj/jIuIwYEZXrSeSPn9EIY=
=pitm
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: Andy Polyakov: "Re: [unisog] Port 109 Mystery"
Previous message: James C Slora Jr: "RE: Port 109 Mystery"
Next in thread: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"
Reply: Cavey, Jean-Luc: "RE: CANADA.EXE Findings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 07:55:32 PST