W97M/Bartallex

Installation

Threats in this malware family are malicious macros that can be embedded in Microsoft Word files. When you open a malicious file, Microsoft Word should show you a security notification to ask whether you want to enable macros. If you enable macros, the threat will run.

We have seen these threats spread in Word files that are attached to spam emails as .doc files. See the spam email samples below:

The attached file has a random name, for example:

• case number.doc
• e-ticket_79010838.doc
• fax_msg896-599-5459.doc
• invoice_723961.doc
• legal_complaint.doc
• logmein_coupon.doc
• receipt_3458934.doc

The infected .doc file contains a malicious macro script that, when opened, can download and run other malware onto your PC.

The malware uses social engineering tactics to try to get you to enable macro scripting when you view the document, as macro scripts are usually disabled by default in Microsoft Office.

We have seen the malware uses the following fake warning in an attempt to get you to enable macros:

If macros are enabled, the malicious macro runs when the attachment is opened.

Payload

Downloads other malware

The malware uses one or more scripting files, such as PowerShell, BAT or VisualBasic Script (VBS) to download other malware.

For example, it could drop %TEMP%\adobeacd-update.bat (TrojanDownloader:BAT/Bartallex.A) and %TEMP%\adobeacd-updatexp.vbs (TrojanDownloader:VBS/Bartallex.A). The BAT file will run the malicious Visual Basic Script (VBS) file. The VBS file uses a XMLHttpRequest object to download the payload malware from remote website. These components are usually deleted after the malware is downloaded.

When the script is run it immediately downloads other malware from a remote server. We have seen it download malware from the following servers:

• 91.<removed>.131.49/upd/install.exe
• 91.<removed>.131.49/upd2/install.exe
• 91.<removed>.131.73/ca/file.pif
• r<removed>.com/wp-content/uploads/2011/08/license.exe
• st<removed>.eu/wp-content/plugins/wp_add/god.exe

The downloaded file is usually saved and run from %TEMP% using a random file name, for example  %TEMP%\4444.exe. 

We have seen threats in this family download the following malware:

• TrojanDownloader:Win32/Chanitor.A - malware that can install Backdoor:Win32/Vawtrak.F
• TrojanSpy:Win32/Ursnif.gen!R - a trojan family that tries to steal your sensitive information

We have also seen these threats download a clean PNG image file and saves it with a random file name, for example %TEMP%\savepic.su\5123965.png.

Analysis by Rex Plantado