Installation
These threats might arrive on your PC as a spam email attachment. The attachment is in archive formats such as:
Older variants were often distributed by Win32/Cutwail.
The name of the spam email attachment can vary. We have seen the malware use the following file names:
- CA-77509WAF-88414.cab
- carillion_integrated_solutions571.zip
- DO-64647JYG-84271.cab
- incantatory.zip
- item_2014-09-03_10-01-56_96088208293.arj
- <name>@<email_domain>.zip, for example mudurstoms2@inbox.lv.zip
- order_2014-08-27_11-30-20_92103382498.zip
- statement_622653241052904_5T38CL3.rar
Below are some examples of the spam emails used to distribute this threat:


Win32/Dalexis contains an embedded clean CAB file inside the binary. It installs this file on the PC as the following:
- %TEMP%\temp_cab_<random>.cab, for example c:\documents and settings\administrator\local settings\temp\temp_cab_387640.cab
- %TEMP%\<random>.<file extension>, for example c:\documents and settings\administrator\local settings\temp\garoxycij.vob
The following extensions are hard-coded in the binary:
- 3gp
- avi
- bin
- bmp
- cda
- chm
- dat
- dll
- doc
- exe
- fb2
- flv
- gif
- hlp
- iso
- jpg
- mdb
- mdf
- mds
- mdv
- mp3
- mpg
- nrg
- ogg
- pdf
- png
- ppt
- rtf
- swf
- ttf
- txt
- vob
- wav
- wma
- wmv
- xls
The attachment itself might be a PDF, RTF or image file. Older variants displayed invoices, but newer variants have random-looking attachments.
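As an added example (not part of the original analysis), a defender-side hunt that applies the drop pattern described above: it scans a directory for temp_cab_<digits>.cab files and for files carrying one of the hard-coded extensions whose content actually starts with the Microsoft Cabinet signature MSCF. The sample files it creates are constructed; the MSCF signature is a documented CAB format constant rather than something taken from this page.

```python
import re
import tempfile
from pathlib import Path

# Extensions the analysis lists as hard-coded in the Dalexis binary.
DALEXIS_EXTENSIONS = {
    "3gp", "avi", "bin", "bmp", "cda", "chm", "dat", "dll", "doc", "exe",
    "fb2", "flv", "gif", "hlp", "iso", "jpg", "mdb", "mdf", "mds", "mdv",
    "mp3", "mpg", "nrg", "ogg", "pdf", "png", "ppt", "rtf", "swf", "ttf",
    "txt", "vob", "wav", "wma", "wmv", "xls",
}
CAB_MAGIC = b"MSCF"  # documented header of a Microsoft Cabinet file
TEMP_CAB_NAME = re.compile(r"^temp_cab_\d+\.cab$", re.IGNORECASE)


def is_cab(path):
    """Return True when the file begins with the CAB signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == CAB_MAGIC
    except OSError:
        return False


def scan_temp_dir(temp_dir):
    """Return (filename, reason) pairs for files matching the drop pattern."""
    hits = []
    for entry in sorted(Path(temp_dir).iterdir()):
        if not entry.is_file():
            continue
        ext = entry.suffix.lstrip(".").lower()
        if TEMP_CAB_NAME.match(entry.name) and is_cab(entry):
            hits.append((entry.name, "temp_cab_<random>.cab drop"))
        elif ext in DALEXIS_EXTENSIONS and is_cab(entry):
            # A cabinet hiding behind a media/document extension.
            hits.append((entry.name, f"CAB content behind .{ext} extension"))
    return hits


def demo():
    """Create constructed sample files in a scratch dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "temp_cab_387640.cab").write_bytes(CAB_MAGIC + b"\0" * 32)  # constructed
        Path(tmp, "garoxycij.vob").write_bytes(CAB_MAGIC + b"\0" * 32)        # constructed
        Path(tmp, "notes.txt").write_bytes(b"plain text, not a cabinet")       # constructed benign
        return scan_temp_dir(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Point scan_temp_dir at the real %TEMP% of a suspect host to hunt for the same pattern; the benign .txt in the demo shows that extension alone does not trigger a hit.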
Payload
Downloads updates or other malware
The threat checks for an Internet connection by connecting to a clean website, such as windowsupdate.microsoft.com.
If successful, it connects to a remote host that is hard-coded in its binary to download other malware. We have seen it download from the following URLs:
- agatecom.fr/voeux/firiftor.tar.gz
- baselineproduction.fr/Modules/firiftor.tar.gz
- btvsolo.elementfx.com/_old/hello.jpg
- fallamaese.net23.net/templates/hello.jpg
- greenmeadowbudgies.co.uk/img/hello.jpg
- n23.fr/asstempo/firiftor.tar.gz
- pubbliemme.com/plugins/firiftor.tar.gz
The malware will remain active on your PC until it has successfully downloaded other malware. After a successful download, the malware stops running.
We’ve seen this threat family download other malware from the following families:
As of February 2015, we have seen the variants TrojanDownloader:Win32/Dalexis.C and TrojanDownloader:Win32/Dalexis.D downloading Ransom:Win32/Critroni.
Analysis by Rodel Finones