Trojan:Win32/Wecorl.A is a trojan that attempts to exploit a vulnerability in SVCHOST.EXE on other computers to download and install other malware. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
On targeted hosts running Windows 2003, XP, 2000 or NT, this remote attack may be performed by an unauthenticated user. Successful exploitation of the vulnerability on systems with default installations of Windows Vista and Windows Server 2008 requires authentication due to protections introduced as part of User Account Control (UAC) that enforce additional integrity levels.
Installation
In the wild, this trojan may be hosted on a malicious Web site. When executed, it copies itself as a DLL component to the following location:
%TEMP%\install.2008.dat
Although it doesn't export any functions and the entry point has no meaningful code, the loader executes the malicious code by computing the execution address relative to a static offset.
The trojan adds registry values and data that are specific to the affected computer.
Adds value: "<MAC address, such as 00:03:FF:3A:CA:4B>"
With data: "<hex values>"
To subkey: HKLM\Software\Licenses
Adds value: "<MAC address, such as 00:03:FF:3A:CA:4B>"
With data: "<hex values>"
To subkey: HKLM\Software\Google
The above subkeys are used by the trojan as a shared memory mechanism. The BINARY values named after MAC addresses hold Intel x86 machine code, usually lightly encrypted.
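The registry "shared memory" described above leaves a distinctive footprint: REG_BINARY values whose names are MAC addresses, under two subkeys that normally hold nothing of the kind. The following added example (not code from the original write-up or from Microsoft) parses a Windows .reg export in REGEDIT5 format and flags such values. The export text is a constructed sample; the subkey names and the MAC-address naming scheme come from the page, while the parser and its value-type tags are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Subkeys the write-up names as the trojan's shared-memory location (from the page).
# Compared case-insensitively because exports may write SOFTWARE or Software.
WECORL_SUBKEYS = {
    r"hkey_local_machine\software\licenses",
    r"hkey_local_machine\software\google",
}

# Value names are MAC addresses, e.g. 00:03:FF:3A:CA:4B (format taken from the page).
MAC_NAME = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample of a .reg export (not data from a real infected host).
# The hex bytes are arbitrary placeholders standing in for the stored machine code.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Licenses]
"00:03:FF:3A:CA:4B"=hex:11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,\
  ff,10,20,30,40,50,60
"Serial"="ABCD-1234"

[HKEY_LOCAL_MACHINE\Software\Google]
"00:03:FF:3A:CA:4B"=hex:a1,b2,c3,d4,e5,f6,07,18,29,3a,4b,5c,6d,7e
"Update"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Updater\\upd.exe"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Minimal parser for the REGEDIT5 export format.

    Returns {subkey: {value_name: (type_tag, raw_data)}}. Lines ending in a
    backslash continue a hex: value and are joined before the type is read.
    """
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation line of a hex: value
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", data[6:])
        elif data.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", data[4:].replace(",", ""))
        else:
            keys[current][name] = ("UNKNOWN", data)
    return keys


def find_wecorl_registry_artifacts(
    keys: Dict[str, Dict[str, Tuple[str, str]]]
) -> List[Tuple[str, str, int]]:
    """Flag binary values named after a MAC address under the two Wecorl subkeys.

    Returns (subkey as written in the export, value name, blob length in bytes).
    """
    hits: List[Tuple[str, str, int]] = []
    for subkey, values in keys.items():
        if subkey.lower() not in WECORL_SUBKEYS:
            continue
        for name, (vtype, data) in values.items():
            if vtype == "REG_BINARY" and MAC_NAME.match(name):
                hits.append((subkey, name, len(data) // 2))
    return hits


if __name__ == "__main__":
    for subkey, name, size in find_wecorl_registry_artifacts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{subkey}\\{name}: {size}-byte binary blob named after a MAC address")
```

The check keys on the combination of location, value name shape and value type rather than on the blob contents, since the page says the stored code is lightly encrypted and offers no byte pattern to match; a hit therefore merits a look at the blob, not automatic deletion.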
Payload
Antivirus Bypass
Once loaded, the DLL checks for the presence of "HKLM\SYSTEM\ControlSet001\Services\RsRavMon\", which indicates that the Beijing Rising Technology antivirus service is installed. If this key is found, the trojan will try to bypass Rising's real-time protection system by removing its file-system filter hooks.
In order to achieve this, the trojan drops and loads a device driver that restores some IRP hooks to their defaults from ntfs.sys and fastfat.sys. Win32/Wecorl creates a backup copy of an existing driver (the Asynchronous Transfer Mode (ATM) ARP driver) and replaces the original:
<system folder>\Drivers\atmarpc.sys - replacement driver
<system folder>\Drivers\atmarpc.bak - backup
The new driver is loaded by running "net start atmarpc". After it is loaded, atmarpc.sys is restored from the backup.
Patches SVCHOST.EXE
Using undocumented API functions, the trojan removes system file protection mechanisms for svchost.exe in order to patch it. First, it deletes "%WinDir%\System32\Dllcache\Svchost.exe" to ensure the patch won't be overwritten.
Win32/Wecorl then drops a patched version of the Windows component 'SVCHOST.EXE' to the following location:
<system folder>\6c7bfbdc
Win32/Wecorl.A patches 'SVCHOST.EXE' in the following way:
- modifies the file header with specific bytes to prevent re-infection
- adds the malicious payload at the end of the resource section (.rsrc) and patches one of the calls near the entry point to execute the payload
The patched version of 'SVCHOST.EXE' (detected as Virus:Win32/Wecorl.A) may only work in specific versions of Windows operating systems prior to Windows Vista due to the use of hard-coded API addresses in order to achieve its goals.
In order to keep the patch simple and functional, Virus:Win32/Wecorl.A reads and executes the instructions stored by Trojan:Win32/Wecorl.A in one of these registry subkeys:
HKLM\Software\Google
HKLM\Software\Licenses
The code stored in those BINARY values is position independent (just like exploit shellcode) and has the advantage of being executed under the credentials and protection of the svchost process.
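The file-system side of the patching section above also leaves checkable traces: the deleted Dllcache copy of svchost.exe (so Windows File Protection cannot restore the original), the dropped file 6c7bfbdc in the system folder, the atmarpc.bak backup from the driver swap, and install.2008.dat in %TEMP%. The following added example (not code from the original write-up or from Microsoft) runs those checks against a directory tree. Because the verifier runs offline, the example builds a constructed stand-in for the system folder and %TEMP% under a temporary directory; on a real pre-Vista host the same function would be pointed at %WinDir%\System32 and %TEMP%. The artifact names are from the page; the hash comparison between the live and cached svchost.exe is the example's own addition.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_wecorl_file_artifacts(system_dir: Path, temp_dir: Path) -> List[str]:
    """Return findings for the file-system artifacts described in the write-up.

    system_dir stands for <system folder> (e.g. %WinDir%\\System32), temp_dir for %TEMP%.
    """
    findings: List[str] = []
    live = system_dir / "svchost.exe"
    cached = system_dir / "Dllcache" / "svchost.exe"

    # The trojan deletes the Dllcache copy so the patched svchost.exe is not
    # restored; a missing copy, or one that no longer matches, is suspicious.
    if not cached.exists():
        findings.append("Dllcache\\svchost.exe is missing")
    elif live.exists() and sha256_of(live) != sha256_of(cached):
        findings.append("svchost.exe differs from its Dllcache copy")

    # Dropped files named on the page, relative to the system folder.
    for rel, why in (
        (Path("6c7bfbdc"), "dropped patched svchost.exe"),
        (Path("Drivers") / "atmarpc.bak", "backup left by the driver swap"),
    ):
        if (system_dir / rel).exists():
            findings.append(f"{rel.name} present ({why})")

    if (temp_dir / "install.2008.dat").exists():
        findings.append("install.2008.dat present in %TEMP% (dropped DLL)")
    return findings


def build_demo_tree(root: Path, infected: bool) -> Dict[str, Path]:
    """Construct a stand-in system folder and TEMP folder (sample files, not real binaries)."""
    system_dir = root / "System32"
    temp_dir = root / "Temp"
    (system_dir / "Drivers").mkdir(parents=True)
    temp_dir.mkdir()
    svchost_bytes = b"MZ-stand-in-svchost"
    (system_dir / "svchost.exe").write_bytes(svchost_bytes)
    if infected:
        # Dllcache copy deliberately absent: the trojan deleted it before patching.
        (system_dir / "6c7bfbdc").write_bytes(b"MZ-stand-in-patched-svchost")
        (system_dir / "Drivers" / "atmarpc.bak").write_bytes(b"stand-in-driver-backup")
        (temp_dir / "install.2008.dat").write_bytes(b"MZ-stand-in-dll")
    else:
        (system_dir / "Dllcache").mkdir()
        (system_dir / "Dllcache" / "svchost.exe").write_bytes(svchost_bytes)
    return {"system": system_dir, "temp": temp_dir}


def run_demo() -> Dict[str, List[str]]:
    """Build a clean and an infected stand-in tree and return the findings for each."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, infected in (("clean", False), ("infected", True)):
            tree = build_demo_tree(Path(tmp) / label, infected)
            results[label] = check_wecorl_file_artifacts(tree["system"], tree["temp"])
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings or ["no Wecorl file artifacts"])
```

The Dllcache comparison is the check with the longest reach: the dropped-file names are specific to this sample, but a patched svchost.exe whose protected copy has been removed or no longer matches is a generic sign of tampering with a Windows File Protection target on the operating system versions the page names.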
Downloads Files
Virus:Win32/Wecorl.A is executed with a parameter as in:
<system folder>\svchost.exe *Ce
A payload executed by a patched version of svchost.exe may spawn multiple threads that do the following:
The list of URLs is retrieved as a small file named 'mimi.1268772' stored at one of the above listed remote Web addresses.
Analysis by Cristian Craioveanu