Additional Information: File Behavior
MSRSTART.EXE has been seen to perform the following behavior:
• Executes a Process
• This Process Deletes Other Processes From Disk
• Registers a Dynamic Link Library File
• This process creates other processes on disk
• Copies files
• Looks at the contents of the autoexec.bat file
• Reads email address and phone book details
• Uses DNS to retrieve the IP address for web sites
• This Process is a file infector which modifies program files to include a copy of the infection
• Changes to the file command map within the registry
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
• Terminates Processes
MSRSTART.EXE has been the subject of the following behavior:
• Added as a Registry auto start to load Program on Boot up
• Copied to multiple locations on the system
• Executed as a Process
• Registered as a Dynamic Link Library File
• Created as a process on disk
• Changes to the file command map within the registry
File Name Aliases
MSRSTART.EXE can also use the following file names:
• TPSZXYD.SYS
• NXTEPAD.EXE
• 07409245.SYS
• 81244974.DAT
• 64063935.DAT
• TMP0_401322499073.BK
Filesizes
The following file sizes have been seen:
• 376,320 bytes
• 241,152 bytes
• 375,808 bytes
• 259,584 bytes
Vendor, Product and Version Information
Files with the name MSRSTART.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
• ; ; 2.0.1.154
• ; ; 2.0.1.162
• ; ; 2.0.1.151
• ; ; 2.0.1.152
• ; ; 2.0.1.166
File Type
The filename MSRSTART.EXE refers to many versions of an executable program.
File Activity
One or more files with the name MSRSTART.EXE create, delete, copy or move the following files and folders:
• Copies file c:\windows\system32\urlmon.dll to c:\docume~1\user\locals~1\temp\mtaw72598.dll
• Opens/modifies c:\autoexec.bat
• Moves c:\windows\system32\udxfytw.sys to c:\windows\system32\tmp0_312103509098.bk.
• Moves c:\windows\system32\tmp0_312103509098.bk to c:\windows\system32\udxfytw.sys
• Deletes c:\windows\system32\tmp0_312103509098.bk.
• Creates c:\windows\system32\Install.tx
• Creates c:\windows\Install.tx
• Moves c:\windows\system32\tmpxr_621171838093.bk to c:\windows\system32\tmp0_57032696252.bk.
• Moves c:\windows\system32\tmp0_57032696252.bk to c:\windows\system32\tmpxr_621171838093.bk
• Deletes c:\windows\system32\tmp0_57032696252.bk.
• Deletes c:\windows\system32\noytcyr.exe
• Moves c:\windows\system32\tmpxr_621171838093.bk to c:\windows\system32\noytcyr.exe
• Moves c:\windows\system32\tmpxr_434138765527.bk to c:\windows\system32\tmp0_793471556187.bk.
• Moves c:\windows\system32\tmp0_793471556187.bk to c:\windows\system32\tmpxr_434138765527.bk
• Deletes c:\windows\system32\tmp0_793471556187.bk.
• Deletes c:\windows\system32\wsldoekd.exe
• Moves c:\windows\system32\tmpxr_434138765527.bk to c:\windows\system32\wsldoekd.exe
• Moves c:\windows\system32\tmpxr_549716366933.bk to c:\windows\system32\tmp0_175036521364.bk.
• Moves c:\windows\system32\tmp0_175036521364.bk to c:\windows\system32\tmpxr_549716366933.bk
• Deletes c:\windows\system32\tmp0_175036521364.bk.
• Deletes c:\windows\system32\afisicx.exe
• Moves c:\windows\system32\tmpxr_549716366933.bk to c:\windows\system32\afisicx.exe
• Moves c:\windows\system32\tmpxr_55360933570.bk to c:\windows\system32\tmp0_618276258932.bk.
• Moves c:\windows\system32\tmp0_618276258932.bk to c:\windows\system32\tmpxr_55360933570.bk
• Deletes c:\windows\system32\tmp0_618276258932.bk.
• Deletes c:\windows\system32\Install.txt
• Creates c:\windows\system32\comsa32.sys
• Copies file c:\windows\system32\urlmon.dll to c:\docume~1\user\locals~1\temp\mta96020.dll
• Deletes c:\docume~1\user\locals~1\temp\mta96020.dll
• Copies file c:\windows\system32\urlmon.dll to c:\windows\temp\mta20954.dll
Registry Activity
One or more files with the name MSRSTART.EXE create or modify the following registry keys and values:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt Application C:\WINDOWS\system32\nxtepad.exe
• HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International W2KLpk value:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
• HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000809\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:
Network Activity
One or more files with the name MSRSTART.EXE perform the following network events:
Website Activity
One or more files with the name MSRSTART.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
Malware Activity
• The malware created a lot of files in C:\WINDOWS\system32\:
• C:\WINDOWS\system32\tpszxyd.sys
• C:\WINDOWS\system32\msrstart.exe
• C:\WINDOWS\system32\comsa32.sys
• C:\WINDOWS\system32\afisicx.exe
Virus scanner report:
• Report Generated 24.2.2009 at 0.18.09 (GMT 1)
Time for scan: 187 seconds
Filename: afisicx.exe
File size: 181 KB
MD5 Hash: DA3E12A66735C24D5ECB631D3DA1BE7E
SHA1 Hash: 64485D2C2DA92377002014D11CC2916372C23E08
CRC32: 743296509
Application Type: Executable (EXE) 32bit
Packer detected: Borland Delphi 6.0 - 7.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 3 on 23 (13,04 %)
Antivirus Sig Version Result
a-squared 23/02/2009 Nothing found!
Avira AntiVir 7.1.2.64 Nothing found!
Avast 090221-0 Win32:Refpron-I [Trj]
AVG 270.11.3/1967 Nothing found!
BitDefender 24/02/2009 Nothing found!
ClamAV 23/02/2009 Nothing found!
Comodo 986 Nothing found!
Dr.Web 24/02/2009 Nothing found!
Ewido 24/02/2009 Nothing found!
F-PROT 6 20090223 Nothing found!
IkarusT3 23/02/2009 Nothing found!
Kaspersky 24/02/2009 Nothing found!
McAfee 23/02/2009 Nothing found!
MHR (Malware Hash Registry) 24/02/2009 Nothing found!
NOD32 v3 3882 Nothing found!
Norman 2009/02/20 Nothing found!
Panda 07/02/2009 Nothing found!
QuickHeal 23 February, 2009 Nothing found!
Solo Antivirus 24/02/2009 Nothing found!
Sophos 24/02/2009 Troj/Agent-IWW
TrendMicro 861(586100) Nothing found!
VBA32 24/02/2009 Win32 Shadow Driver Install
VirusBuster 10.101.22 Nothing found!
Other created files:
• C:\WINDOWS\system32\pe.dll
• C:\DOCUME~1\userxx\LOCALS~1\Temp\Cookiesh
• C:\DOCUME~1\userxx\LOCALS~1\Temp\Historyl
• C:\WINDOWS\Temp\mtaw31787.dll
• C:\WINDOWS\Temp\mta33058.dll
• C:\WINDOWS\Temp\mta107493.dll
• C:\WINDOWS\system32\post.asp.cikehorse=aaa
• The malware first dropped the file named pe.dll in C:\WINDOWS\system32\ and then started to download and execute all the other files.
• The malware utilizes rootkit technology to hide its processes from Task Manager and all user-mode process viewers (not ProcessExplorer).
• The malware adds itself to the registry startup to be able to run after every reboot of the Windows OS.
Registry keys created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer => msrstart.exe
Traffic:
The malware established connections to remote port 8392 with mainly 4 IP addresses:
-208.43.250.162 (208.43.250.162-static.reverse.softlayer.com)
-74.52.142.226 (host30.4hosthelp.com)
-74.55.37.210 (d2.25.374a.static.theplanet.com)
-174.133.126.2 (2.7e.85ae.static.theplanet.com)
The traffic was always the same (with an “echo” inside):
================================================
Index : 12
Protocol : TCP
Remote Address : 208.43.250.162
Local Port : 1035
Remote Port : 8392
Packets : 14
Data Size : 48 Bytes
Total Size : 676 Bytes
Capture Time : 23/02/2009 23.28.52:437
================================================
00000000 00 00 78 E3 00 00 4F 95 00 00 00 04 65 63 68 6F ..xã..O• ….echo
00000000 00 00 00 0C 38 37 2E 31 31 2E 33 39 2E 32 35 31 ….xx.xxx.xxx.xxx
Afterwards, the traffic changed to:
================================================
Protocol : TCP
Remote Address : 74.52.142.226
Local Port : 1041
Remote Port : 8392
================================================
00000000 00 00 78 E3 00 00 27 B3 00 00 00 11 32 2E 30 5F ..xã..’³ ….2.0_
00000010 6E 65 77 32 30 30 39 5F 77 2E 65 78 65 new2009_ m.exe
00000000 00 00 00 41 37 34 2E 35 32 2E 31 36 34 2E 32 31 …A90.5 2.164.21
00000010 30 2F 70 31 32 31 32 0D 0A 31 37 34 2E 31 33 33 0/p1213. .174.133
00000020 2E 31 34 37 2E 31 38 2F 70 31 32 31 32 0D 0A 31 .142.18/ p1212..1
00000030 37 34 2E 31 33 33 2E 31 34 37 2E 32 36 2F 70 31 74.133.1 47.21/p1
00000040 32 31 32 0D 0A 212..
Now we can see from the traffic below that the malware is getting some kind of list of “words” that it will then use for spam / search engine hijacks / browser hijacks / click hijacks:
================================================
Protocol : TCP
Remote Address : 208.43.250.162
Remote Port : 8392
================================================
00000000 00 00 78 E3 00 00 76 B8 00 00 00 07 6E 65 77 32 ..xã..v¸ ….new2
00000010 30 30 39 009
00000000 00 00 18 A2 72 76 0D 0A 73 74 65 72 6C 69 6E 67 …¢rv.. sterling
00000010 20 73 69 6C 76 65 72 20 6A 65 77 65 6C 72 79 0D silver jewelry.
00000020 0A 50 61 79 2B 50 65 72 2B 43 6C 69 63 6B 2B 41 .Pay+Per +Click+A
00000030 64 76 65 72 74 69 73 69 6E 67 0D 0A 6E 66 6C 20 dvertisi ng..nfl
00000040 74 69 63 6B 65 74 0D 0A 41 6D 61 74 65 75 72 0D ticket.. Amateur.
00000050 0A 62 61 6E 67 6B 6F 6B 2B 68 6F 74 65 6C 0D 0A .bangkok +hotel..
00000060 57 65 69 67 68 74 2B 6C 6F 73 73 2B 70 69 6C 6C Weight+l oss+pill
I hope this information comes in handy to some!
-Mike
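As an added example (not Mike's code and not part of the original post), the port-8392 exchanges above can be decoded with a small frame parser and turned into a detection check for incident response. The frame layout is inferred from the hex dumps and is an assumption: every client frame starts with the marker 00 00 78 E3, a 4-byte field that varies per request, a 4-byte big-endian payload length and the payload; server replies carry only the 4-byte length and payload. The echoed client address is replaced by the documentation address 192.0.2.10 because the author masked it.

```python
import struct

MAGIC = b"\x00\x00\x78\xe3"  # leading bytes of every client frame in the capture

# Sample frames transcribed from the hex dumps in the post (constructed test data;
# the echoed client address is replaced by 192.0.2.10 since the author masked it).
REQ_ECHO = MAGIC + bytes.fromhex("00004f95") + struct.pack(">I", 4) + b"echo"
RSP_ECHO = struct.pack(">I", 10) + b"192.0.2.10"
REQ_UPDATE = MAGIC + bytes.fromhex("000027b3") + struct.pack(">I", 17) + b"2.0_new2009_w.exe"
RSP_UPDATE = bytes.fromhex("00000041") + (
    b"74.52.164.210/p1212\r\n174.133.147.18/p1212\r\n174.133.147.26/p1212\r\n")
# Keyword-list reply: declared length 0x18A2 (6306 bytes), but the post only shows
# the first packet, so this sample is deliberately a truncated frame.
RSP_WORDS = bytes.fromhex("000018a2") + b"rv\r\nsterling silver jewelry\r\nPay+Per+Click+Advertising\r\n"


def parse_request(buf):
    """Client -> C2 frame: magic, 4-byte per-request field, big-endian length, payload."""
    if len(buf) < 12 or buf[:4] != MAGIC:
        return None
    (length,) = struct.unpack(">I", buf[8:12])
    payload = buf[12:12 + length]
    return {"tag": buf[4:8].hex(), "length": length,
            "payload": payload.decode("ascii", "replace"),
            "complete": len(payload) == length}


def parse_response(buf):
    """C2 -> client frame: big-endian length, then payload. Flags truncated captures."""
    if len(buf) < 4:
        return None
    (length,) = struct.unpack(">I", buf[:4])
    payload = buf[4:4 + length]
    return {"length": length, "payload": payload.decode("ascii", "replace"),
            "complete": len(payload) == length}


def crlf_list(payload):
    """Both list replies are CRLF-separated entries; drop the trailing empty item."""
    return [item for item in payload.split("\r\n") if item]


def is_c2_beacon(buf):
    """Detection check: a client frame carrying the magic marker and an 'echo' payload."""
    frame = parse_request(buf)
    return frame is not None and frame["payload"] == "echo"
```

Feeding reassembled TCP payloads from a capture into these functions reproduces the echo probe, the update request and the download list shown in the dumps, and the "complete" flag tells you when a reply was only partially captured.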