Trojan:Win32/Wecorl.A


Trojan:Win32/Wecorl.A is a trojan that attempts to exploit a vulnerability in SVCHOST.EXE on other computers to download and install other malware. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
 
On targeted hosts running Windows 2003, XP, 2000 or NT, this remote attack may be performed by an unauthenticated user. Successful exploitation of the vulnerability on systems with default installations of Windows Vista and Windows Server 2008 requires authentication, due to protections introduced as part of User Account Control (UAC) that enforce additional integrity levels.
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.


What to do now

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
 
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Installation
In the wild, this trojan may be hosted on a malicious Web site. When executed, it copies itself as a DLL component to the following location:
 
%TEMP%\install.2008.dat
 
Although it doesn't export any functions and the entry point has no meaningful code, the loader executes the malicious code by computing the execution address relative to a static offset.
 
The trojan adds registry values and data that are specific to the affected computer.
 
Adds value: "<MAC address, such as 00:03:FF:3A:CA:4B>"
With data: "<hex values>"
To subkey: HKLM\Software\Licenses
 
Adds value: "<MAC address, such as 00:03:FF:3A:CA:4B>"
With data: "<hex values>"
To subkey: HKLM\Software\Google
 
The above subkeys are used by the trojan as a shared memory mechanism. The BINARY values named after MAC addresses hold Intel x86 machine code, usually lightly encrypted.

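The shared-memory mechanism above leaves a distinctive artifact: REG_BINARY values named after MAC addresses under HKLM\Software\Licenses and HKLM\Software\Google. As an added example (not code from this entry or from Microsoft), the Python below scans a regedit .reg export for exactly that pattern; the sample export, the key set and the function names are constructed for illustration.

```python
import re

# Subkeys the entry names as Win32/Wecorl.A's registry-backed shared memory.
SUSPECT_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\LICENSES",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\GOOGLE",
}
# Value names that look like a MAC address, the naming scheme the entry describes.
MAC_NAME = re.compile(r'^"?([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"?$')

def find_mac_named_binaries(reg_text):
    """Return (subkey, value name, payload length) for every REG_BINARY value
    whose name is a MAC address under one of SUSPECT_KEYS."""
    hits = []
    current_key = None
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].upper()
            continue
        if current_key not in SUSPECT_KEYS or "=" not in line:
            continue
        name, _, data = line.partition("=")
        m = MAC_NAME.match(name.strip())
        if not m or not data.startswith("hex:"):
            continue
        # .reg hex data may wrap onto following lines, each ending in a backslash.
        blob = data[4:]
        while blob.endswith("\\") and i < len(lines):
            blob = blob[:-1] + lines[i].strip()
            i += 1
        raw = bytes(int(b, 16) for b in blob.split(",") if b)
        hits.append((current_key, m.group(1), len(raw)))
    return hits

# Constructed sample export (not from a real host); one unrelated subkey included.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Licenses]
"00:03:FF:3A:CA:4B"=hex:90,90,eb,\
  fe
"Serial"="ABC-123"
[HKEY_LOCAL_MACHINE\Software\Google]
"00:0C:29:11:22:33"=hex:31,c0,c3
[HKEY_LOCAL_MACHINE\Software\Other]
"00:11:22:33:44:55"=hex:de,ad
"""
```

regedit writes exports as UTF-16 with a BOM, so read a real file with open(path, encoding="utf-16") before passing its text to find_mac_named_binaries.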
Payload
Antivirus Bypass
Once loaded, the DLL checks for the presence of "HKLM\SYSTEM\ControlSet001\Services\RsRavMon\", which indicates that the Beijing Rising Technology antivirus service is installed. If this key is found, the trojan tries to bypass Rising's real-time protection by removing its file-system filter hooks.
 
In order to achieve this, the trojan drops and loads a device driver that restores some IRP hooks with defaults from ntfs.sys and fastfat.sys. Win32/Wecorl creates a backup copy of an existing driver (Asynchronous Transfer Mode - ATM - ARP driver) and replaces the original:
 
<system folder>\Drivers\atmarpc.sys - replacement driver
<system folder>\Drivers\atmarpc.bak - backup
 
The new driver is loaded by running "net start atmarpc". After it is loaded, atmarpc.sys is restored from the backup.
 
Patches SVCHOST.EXE
Using undocumented API functions, the trojan removes system file protection mechanisms for svchost.exe in order to patch it. First, it deletes "%WinDir%\System32\Dllcache\Svchost.exe" to ensure the patch won't be overwritten.
 
Win32/Wecorl then drops a patched version of the Windows component 'SVCHOST.EXE' to the following location:
 
<system folder>\6c7bfbdc
 
Win32/Wecorl.A patches 'SVCHOST.EXE' in the following way:
  • modifies the file header with specific bytes to prevent re-infection
  • adds the malicious payload at the end of the resource section (.rsrc) and patches one of the calls near entry-point to execute the payload
 
The patched version of 'SVCHOST.EXE' (detected as Virus:Win32/Wecorl.A) may only work in specific versions of Windows operating systems prior to Windows Vista due to the use of hard-coded API addresses in order to achieve its goals.
 
In order to keep the patch simple and functional, Virus:Win32/Wecorl.A reads and executes the instructions stored by Trojan:Win32/Wecorl.A in one of these registry subkeys:
 
HKLM\Software\Google
HKLM\Software\Licenses
 
The code stored in those BINARY values is position independent (like exploit shellcode) and has the advantage of being executed under the credentials and protection of the svchost process.
 
Downloads Files
Virus:Win32/Wecorl.A is executed with a parameter as in:
 
<system folder>\svchost.exe *Ce
 
A payload executed by a patched version of svchost.exe may spawn multiple threads that do the following:
  • Download and execute other malware or spyware components
  • Connect to one of these locations (chosen randomly) in order to download a list of URLs:

    ls.cc86.info
    ls.lenovowireless.net
    ls.playswomen.com
 
The list of URLs is retrieved as a small file named 'mimi.1268772' stored at one of the above listed remote Web addresses.
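Two host-side steps described in this entry are visible in process-creation telemetry: the "net start atmarpc" used to load the swapped driver, and the patched svchost.exe launched as "svchost.exe *Ce". As an added example, not code from this entry or from Microsoft, here is a small Python detection over constructed event records; the event layout, the "svchost.exe -k <group>" baseline and the function names are assumptions.

```python
import re

# Constructed process-creation events (timestamp, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2008-11-03T10:00:01", r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
    ("2008-11-03T10:00:02", r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\system32\svchost.exe *Ce"),
    ("2008-11-03T10:00:03", r"C:\WINDOWS\system32\net.exe", "net start atmarpc"),
    ("2008-11-03T10:00:04", r"C:\WINDOWS\system32\net.exe", "net start spooler"),
    ("2008-11-03T10:00:05", r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k LocalService"),
]

# Heuristic (assumption, not from the entry): the Service Control Manager launches
# svchost.exe as "svchost.exe -k <group>", so any other argument, such as the
# "*Ce" the entry shows, is worth an alert.
SVCHOST_CMD = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?svchost(?:\.exe)?"?\s*(?P<args>.*)$', re.I)
LEGIT_ARGS = re.compile(r'^(?:-k\s+\S+\s*)?$', re.I)
# The AV-bypass step in the entry loads the swapped driver with "net start atmarpc".
NET_START_ATMARPC = re.compile(r'\bnet1?(?:\.exe)?\s+start\s+atmarpc\b', re.I)

def classify(image, cmdline):
    """Return a finding string for one event, or None when nothing matches."""
    if image.lower().endswith("\\svchost.exe"):
        m = SVCHOST_CMD.match(cmdline)
        args = m.group("args") if m else cmdline
        if not LEGIT_ARGS.match(args):
            return "svchost.exe with non-SCM argument: %r" % args.strip()
    if NET_START_ATMARPC.search(cmdline):
        return "manual start of atmarpc driver (Wecorl AV-bypass step)"
    return None

def scan(events):
    """Run classify over (timestamp, image, cmdline) tuples and keep the hits."""
    hits = []
    for ts, image, cmdline in events:
        finding = classify(image, cmdline)
        if finding:
            hits.append((ts, finding))
    return hits

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_EVENTS):
        print(ts, finding)
```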
 
Analysis by Cristian Craioveanu

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention

Alert level: Severe
First detected by definition: 1.45.1368.0
Latest detected by definition: 1.45.1368.0 and higher
First detected on: Nov 03, 2008
This entry was first published on: Nov 03, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32.Wecorl (Symantec)