August 24, 2009, 3:28 pm
Last week a virus that infects Delphi development environments, and through them the programs compiled with Delphi, was detected and got some media attention: infected programs had been distributed on the cover-mount CDs and DVDs of computer magazines and via download portals.
Our developers created a special version of our Avira Removal Tool which is capable of detecting and deleting infected programs. You can download the English version here and the German version here!
Dirk Knop
Technical Editor
May 12, 2009, 6:45 am
While refining and improving our detection of the W32/Tobin file patcher malware we analysed its “infection” algorithm more closely. Upon execution, it drops a DLL (usually “nikitob.dll”) and modifies executable files on the system so that they load the dropped DLL whenever they are started. So far nothing new or unusual.

Fig. 1: The new import table
W32/Tobin adds a new section named “.lenna” at the end of the PE file. This section consists of an import table; the Windows loader uses such import tables to load DLLs dynamically and to resolve the requested functions from them for the started program. The new import table references the dropped DLL “nikitob.dll”. At the same time, the import data directory entry in the PE header is modified to point to the newly attached import table. If the executable has a bound import table, W32/Tobin “removes” that entry from the data directory by setting its RVA and size to 0.

Fig. 2: Original data directory address

Fig. 3: Patched data directory address
The dropped DLL “nikitob.dll” just exports one function, “NikitaTob”. Upon calling it, it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded.

Fig. 4: The malware dll exports just one function
Among other things, the import address table is rebuilt to make the patched executable work. In our analysis we didn’t find further malicious routines in the malware.

Fig. 5: W32/Tobin just shows a message
In one of the W32/Tobin samples we found the reference “C:\NIKITA\Soft\black_soft\29a\nikitob\Release\nikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. The issue from January 2005 contains proof-of-concept code that infects files in exactly the way W32/Tobin does. The new section there is called “.senna”, and a message box shows the text “PayLoad”. It looks like some malware writers used the proof-of-concept virus to learn new techniques.
Removing this kind of malware from an infected system isn’t as simple as it may look at first glance. Simply deleting the dropped DLL doesn’t work: the infected executables now depend on the DLL and won’t start anymore; most likely the whole system wouldn’t start up anymore. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.
Dirk Knop
Technical Editor
March 30, 2009, 7:17 am
Some hype has built up around the malware known as Psyb0t. It is unusual in that it doesn’t infect Windows machines but MIPS-based Internet routers and DSL modems, which are very widespread. (This is only half of the story. There is a Windows malware floating around which starts by infecting the Internet gateway; that malware is detected and removed by Avira AntiVir, though.)
In our analysis we found plenty of interesting strings in the Psyb0t variant 2.9L.

Fig. 1: Disassembled Psyb0t and its function graph.
This malware is quite sophisticated and has a whole lot of functions which a bot master may need. Psyb0t connects to an IRC-Server and can be controlled from there.
It tries to exploit weak passwords on devices reachable via the Internet and contains an extensive list of default passwords and some frequently used passwords, too. It also attacks SQL servers and software like phpMyAdmin. So it doesn’t only infect Netcomm DSL modems, as some media reports have claimed, but can break into plenty of other MIPS-based devices from other brands as well, even OpenWRT installations if they run insecure service versions.
How can you detect whether your router is infected? There is no easy way to tell. But the malware adds a firewall rule to block telnet connections (iptables -A INPUT -p tcp --dport 23 -j DROP). So if there is a telnet daemon running on your router and you can’t reach it, that would be a bad sign.
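If you have shell access to the gateway (for example SSH on an OpenWRT device), the rule quoted above can be looked for directly in the running firewall configuration instead of only probing the telnet port. The script below is an added example for this post, not Avira's code: it parses the text output of `iptables -S INPUT` (a constructed sample is embedded, including the Psyb0t rule) and lists rules that DROP or REJECT TCP traffic to a given port, honouring `!` negation, port ranges and multiport lists.

```python
import shlex

# Constructed sample of `iptables -S INPUT` output from a small router. It mixes ordinary
# rules with the telnet-blocking rule quoted in the post and a multiport REJECT for comparison.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp -m multiport --dports 22,23 -j REJECT --reject-with tcp-reset
-A INPUT -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT
"""

PORT_OPTIONS = ("--dport", "--dports", "--destination-port", "--destination-ports")


def expand_ports(spec):
    """Expand an iptables port spec such as "23", "20:22" or "22,23" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        lo = int(lo)
        ports.update(range(lo, (int(hi) if hi else lo) + 1))
    return ports


def parse_rule(line):
    """Reduce one `iptables -S` line to the fields needed for the check."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "target": None, "dports": set(), "raw": line}
    negate = False
    i = 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "!":                      # negation applies to the option that follows
            negate = True
            i += 1
            continue
        if t in ("-A", "-P"):
            rule["chain"] = nxt
        elif t == "-p":
            rule["proto"] = nxt
        elif t in ("-j", "-g"):
            rule["target"] = nxt
        elif t in PORT_OPTIONS and nxt and not negate:
            rule["dports"].update(expand_ports(nxt))
        negate = False
        # an option consumes the following token unless that token is itself an option
        i += 2 if t.startswith("-") and nxt is not None and not nxt.startswith("-") else 1
    return rule


def rules_blocking_tcp_port(rules_text, port, chain="INPUT"):
    """Return the raw rules in `chain` that DROP or REJECT TCP traffic to `port`."""
    hits = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        r = parse_rule(line)
        if (r["chain"] == chain and r["proto"] == "tcp"
                and r["target"] in ("DROP", "REJECT") and port in r["dports"]):
            hits.append(r["raw"])
    return hits


if __name__ == "__main__":
    for rule in rules_blocking_tcp_port(SAMPLE_RULES, 23):
        print("telnet (tcp/23) blocked by:", rule)
```

A hit is only an indicator: an administrator may have added the very same rule on purpose, so compare the output with the firewall configuration you know you set up, and treat a rule you did not add as the signal the post describes.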
How do you get rid of an infection? In this situation you have to connect to your Internet gateway via a wired network. Fetch the latest firmware version from a different network, maybe at a neighbour’s place or at a friend’s. Then you usually have to initiate a hard reset of the Internet gateway. Most devices reset their settings to the defaults when the reset button is pressed for 10 seconds, then the power plug is pulled and reinserted again.
After that, first change the default password to a good and safe one; you know the drill: lower- and upper-case letters, special characters and numbers in the most random fashion possible. Then upgrade the firmware to the most recent version. After that you can start configuring your Internet gateway again.
Dirk Knop
Technical Editor
Markus Hinderhofer
R&D Engine Team
February 2, 2009, 1:43 pm
Last Friday we released an engine update which added removal routines for certain variants of the W32/Sality virus family. This wouldn’t be remarkable if W32/Sality weren’t a polymorphic file infector: it infects other executable files and tries to spread throughout the network by lowering firewall settings, and it disables the warnings of the Windows Security Center.
On our web server the malware description for W32/Sality is accessed often. That it is a real threat is also shown by the VirusTotal statistics. We detect plenty of variants generically as W32/Sality.Y; as it is a generic detection, we find a multitude of samples with it.
W32/Sality is not new; variants of it with different payloads like keyloggers, backdoors, rootkits or downloader functions have appeared repeatedly over the last few years. As a result, Sality becomes widespread again every now and then.
The spread of Sality is also helped by the increasing sophistication with which the malware hides in infected files. Sality adds a new code section at the end of the PE file, or sometimes increases the size of the last section and injects its code there. Then it modifies the code at the entry point (not the entry point address itself in the PE headers).
Additionally, the injected code is heavily encrypted and padded with junk. Fake API calls are meant to outsmart emulation techniques, and debugging is hindered by unnecessary instruction blocks in the virus code. When the infected file is started, the virus decrypts its own code and restores the original binary’s code at the entry point. It then runs that original code in the main thread while staying active in a new background thread.
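The header-level traces of the two infectors described on this page, W32/Tobin’s import directory repointed into an appended “.lenna” section with the bound-import entry zeroed, and W32/Sality’s code section appended at the end of the PE file, can both be surfaced by a small PE header parser. The following Python is an added example written for these posts, not Avira’s detection code. It builds header-only PE32 images in memory with `struct` (constructed samples, no real binaries and no malware), parses them back, and reports the indicators; the section names other than “.lenna” and all offsets and sizes in the samples are invented for illustration.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, import_dir, bound_dir):
    """Build a header-only PE32 image (constructed sample, not a real binary).

    sections:   list of (name, virtual_address, virtual_size, characteristics)
    import_dir: (rva, size) written to the import data directory entry
    bound_dir:  (rva, size) written to the bound-import data directory entry
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = import_dir
    dirs[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT] = bound_dir
    # magic (2) + 90 bytes of fields this example does not need + NumberOfRvaAndSizes (4) = 96
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse_pe(data):
    """Read the data directories and section headers of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2], "flags": f[9]})
    return {"dirs": dirs, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], 1):
            return s
    return None


def triage(data):
    """Header-level indicators for the two infection styles described in these posts.

    Tobin-style:  import directory repointed into the trailing section, bound imports zeroed.
    Sality-style: the trailing section is marked executable (an appended code section).
    Each has benign explanations too; treat a hit as a reason to look closer, not a verdict.
    """
    pe = parse_pe(data)
    secs = pe["sections"]
    last = secs[-1]
    imp_rva = pe["dirs"][IMAGE_DIRECTORY_ENTRY_IMPORT][0]
    return {
        "last_section": last["name"],
        "import_dir_in_last_section": section_for_rva(secs, imp_rva) is last,
        "bound_import_zeroed": tuple(pe["dirs"][IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]) == (0, 0),
        "last_section_executable": bool(last["flags"] & IMAGE_SCN_MEM_EXECUTE),
    }


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
BASE = [(".text", 0x1000, 0x800, CODE), (".rdata", 0x2000, 0x400, DATA),
        (".data", 0x3000, 0x200, DATA | IMAGE_SCN_MEM_WRITE)]

# Constructed clean layout: imports in .rdata, a bound-import table present.
CLEAN = build_pe(BASE, import_dir=(0x2100, 0x50), bound_dir=(0x2400, 0x30))
# Constructed Tobin-like layout: appended ".lenna" section carries the new import table,
# the import directory points there and the bound-import entry has been set to 0/0.
TOBIN_LIKE = build_pe(BASE + [(".lenna", 0x4000, 0x200, DATA)], import_dir=(0x4000, 0x50), bound_dir=(0, 0))
# Constructed appended-code layout, as an infector adding a code section at the end would leave
# behind (the section name is a placeholder; the post does not give Sality's section name).
APPENDED_CODE = build_pe(BASE + [(".xtra", 0x4000, 0x1000, CODE)], import_dir=(0x2100, 0x50), bound_dir=(0x2400, 0x30))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tobin-like", TOBIN_LIKE), ("appended-code", APPENDED_CODE)):
        print(label, triage(image))
```

Because Sality leaves the entry point address in the header alone and patches the code behind it, an entry-point check would miss it; comparing the bytes at the entry point against a known-good copy of the file, or checking the file’s digital signature, is the complementary test for that case, which is also why the post notes that broken signatures cannot be repaired by disinfection.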
Since this malware is widespread, we developed removal routines for a lot of variants of W32/Sality.Y. As usual, it is not possible today to restore all original binaries perfectly, as for example digital signatures may have been broken by the infection.
The removal of W32/Sality isn’t as easy as we would like it to be, though. It should be done using our Rescue CD, which also includes the updated engine. This is because it is not possible to kill all processes at runtime in order to get hold of the binary files and disinfect them. It is always a good idea to clean an infected system with the Rescue CD, as the malware isn’t active when the computer is started from the CD.
Additionally, we have some repair batch files that affected customers can get by emailing or calling our support. Those batch files repair some essential registry keys on cleaned machines which W32/Sality modified.
Dirk Knop
Technical Editor