Recently, McAfee Avert Labs received a suspicious CHM file containing nineteen wonderful pictures from a National Geographic article by Tolstoy Ilia, titled “Across Tibet from India to China”. Other security companies seem fascinated by these pictures too.

Interestingly, we received another suspicious CHM file a week earlier, also containing some images related to Tibet, and more specifically about Tsering Chungtak who was crowned Miss Tibet 2006!

(Just to clarify: a CHM file is a compiled and compressed Microsoft HTML Help file that can contain formatted text but also documents, scripts and executable files.
When a CHM file is opened, the HTML Help viewer, called hh.exe and located in the Windows directory, extracts the compressed files and executes them; that’s why CHM files are sometimes used maliciously.)

As the two cases looked similar (both drop a file named music.exe; both contained pictures related to Tibet), I decided to investigate them further and… bingo, both are linked to the same remote servers and involve the same family of malware (Spy-Agent.cp), which is a multi-part trojan composed of a loader, an infostealer, a backdoor component and an update installer.

Actually the file “music.exe” is just the first part of the puzzle - the figure below represents the attack architecture:

Although the CHM file will stay on the infected machine, music.exe will be deleted either by avp.exe (1st variant of the trojan) or by conime.exe (2nd variant). These two executable files also control the DLL loading.

The file zipfldr.dll (named the same as the file used in Windows’ built-in ZIP handling) is the infostealer component that stores data in two different files: C36YKNy.dat and C36YKNz.dat.

The former contains logs of when the execution of the dll started and stopped, the hostname and IP address of the machine, and the intercepted keystrokes. However, the keystrokes are written into the other logfile too.

The latter contains various data from the machine:

  • Microsoft Windows Version
  • Windows Environment Strings
  • MAC address
  • List of the active processes, their PPID and PID
  • Outlook Passwords
  • Hotmail Passwords
  • Deleted Outlook Account passwords
  • IE Password-Protected sites passwords
  • MSN Explorer Signup passwords
  • IE AutoComplete Passwords
  • IE Auto Complete Fields
  • Cached passwords
  • Keystrokes from the former logfile

These passwords are retrieved from the Protected Storage System Provider key and by enumerating the Protected Storage. To do that the malware doesn’t load pstorec.dll directly but instead copies the file to xactsrv.dll, located alongside the two .dat files. This newly created dll file is loaded and its exported function PStoreCreateInstance() is called, providing an instance of IPStore.

Additionally, the malware uses the WNetEnumCachedPasswords() function from MPR.dll to gather cached passwords – a common trait of infostealer Trojans!

Last but not least zipfldr.dll attempts to connect to a remote server chosen amongst a list of three IP addresses. If successful two further components are downloaded:

  1. setup.dat
  2. winzip.exe

The URL used doesn’t reference the executable files directly; instead, a server-side script receives a specific UID as its parameter. The parameter that means “let me get the other files please” is “DD01x51”.

As you can see below, the files are encoded in Base64 and they are enclosed between the tags “1401C4F9071401C4F92317”:
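To make the download format concrete, here is a small decoder for that response layout. It is an added example, not code from McAfee or from the malware analysis; the only fact it takes from the post is the marker string, and it assumes the marker appears on both sides of each Base64 blob (it also copes with adjacent files sharing one marker). The server response it parses is constructed for the example, not captured traffic.

```python
import base64
import hashlib

# Delimiter the server-side script wraps around each Base64-encoded component,
# as quoted in the analysis above.
TAG = "1401C4F9071401C4F92317"


def extract_payloads(body: str) -> list[bytes]:
    """Return the decoded bytes of every Base64 blob found between TAG markers.

    The body is split on the marker and every segment lying between two
    markers that decodes as valid Base64 is kept. That works whether each
    file has its own opening/closing pair or neighbouring files share a marker.
    """
    parts = body.split(TAG)
    payloads = []
    for segment in parts[1:-1]:          # text before the first / after the last marker is never a payload
        blob = "".join(segment.split())  # tolerate line wrapping inside the Base64 text
        if not blob:
            continue
        try:
            payloads.append(base64.b64decode(blob, validate=True))
        except ValueError:               # binascii.Error is a ValueError: segment was not Base64
            continue
    return payloads


def summarize(body: str) -> list[dict]:
    """Size, SHA-256 and a 'starts like a PE file' flag for each recovered component."""
    rows = []
    for data in extract_payloads(body):
        rows.append({
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "pe": data[:2] == b"MZ",
        })
    return rows


# Constructed sample response (not real traffic): two fake components wrapped in
# the marker, the second one split across lines the way HTML output often is.
SAMPLE_FILES = [b"MZ-constructed-first-component", b"constructed-second-component"]
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    + TAG + base64.b64encode(SAMPLE_FILES[0]).decode() + TAG
    + "\r\n<br>\r\n"
    + TAG + "\r\n" + base64.b64encode(SAMPLE_FILES[1]).decode() + "\r\n" + TAG
    + "\r\n"
)

if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE):
        print(row)
```

Feeding a captured response body (for example, the HTTP payload exported from a packet capture) to `summarize()` gives the hashes of the dropped components, which is what you would want to record before submitting them or writing detection for them.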

And as previously mentioned, the dll file is able to intercept keystrokes by installing a high-level keyboard hook (WH_KEYBOARD).

There is hardly anything to mention about winzip.exe (the malicious one, of course!), as it’s just an executable looking for new files to install and setting up their required registry keys.

Setup.dat is the backdoor component. The control connection to the attacker’s machine is made by sending an HTTP request to the server-side script again, this time passing UID “DDF03”.

The remote server to contact is chosen from a list of ten hardcoded IP addresses and URLs, which are also stored in the following registry key:

[HKCU\Software\Kodak\Imaging\Etc\]
“host%d”=host_to_contact (where %d is a digit).

It’s worth mentioning that the list of hosts may be updated by the attacker at any time by using a specific command.

Other commands available during remote control also include:

  • Hosts: to write a new host in the registry key quoted above.
  • Shell: to get a shell on the victim’s machine… (cmd.exe /c %s >> %s)
  • Quit: to close the backdoor. That results in the writing of the date and time in
    [HKCU\Software\Kodak\Imaging\Etc\]
    “Refresh”=local_date_and_time

  • Some others include Netget, Netmget, Netmgetr, Netls, Netlsr, Regls, Reglsr, Ls, Lsr, Get, Mget, which are used to obtain various pieces of information about the victim’s registry, read directory contents, download files to the victim’s machine, or to retrieve their files!
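The registry key above is the most durable host artefact of the backdoor, so here is a triage helper that scans a Regedit export (a .reg file) for it and pulls out the host list and the “Refresh” timestamp. It is an added example and not McAfee’s code or tooling; the key path and value names come from the post, the .reg sample is constructed (documentation IP ranges and an .invalid hostname), and it assumes the values were exported as plain strings, as the post describes them.

```python
import re

# Registry location the backdoor uses for its host list (from the analysis above).
# .reg exports spell out HKEY_CURRENT_USER; the HKCU abbreviation is accepted too.
TARGET_KEYS = {
    r"hkey_current_user\software\kodak\imaging\etc",
    r"hkcu\software\kodak\imaging\etc",
}

_KEY_LINE = re.compile(r"^\[(.+?)\]\s*$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"\s*$')
_HOST_NAME = re.compile(r"^host(\d+)$", re.IGNORECASE)


def _unescape(s: str) -> str:
    # .reg string values escape double quotes and backslashes
    return s.replace(r'\"', '"').replace("\\\\", "\\")


def find_spy_agent_keys(reg_text: str) -> dict:
    """Scan the text of a .reg export for the Kodak\\Imaging\\Etc artefacts.

    Returns whether the key exists, the host%d values keyed by their index,
    and the Refresh timestamp written when the backdoor received Quit.
    """
    result = {"found": False, "hosts": {}, "refresh": None}
    in_target = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            # a trailing backslash, as in the post's rendering of the key, is tolerated
            in_target = m.group(1).rstrip("\\").lower() in TARGET_KEYS
            if in_target:
                result["found"] = True
            continue
        if not in_target:
            continue
        v = _VALUE_LINE.match(line)
        if not v:
            continue
        name, value = _unescape(v.group(1)), _unescape(v.group(2))
        h = _HOST_NAME.match(name)
        if h:
            result["hosts"][int(h.group(1))] = value
        elif name.lower() == "refresh":
            result["refresh"] = value
    return result


# Constructed .reg export (not from an infected machine): the backdoor key with
# three hosts and a Refresh stamp, surrounded by unrelated keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Kodak\Imaging]

[HKEY_CURRENT_USER\Software\Kodak\Imaging\Etc]
"host0"="198.51.100.23"
"host1"="203.0.113.7"
"host2"="update.example.invalid"
"Refresh"="2008-03-17 10:22:05"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Something"="C:\\Program Files\\Legit\\legit.exe"
'''

if __name__ == "__main__":
    hit = find_spy_agent_keys(SAMPLE_REG)
    if hit["found"]:
        print("backdoor key present; hosts:", hit["hosts"], "refresh:", hit["refresh"])
    else:
        print("key not present")
```

Regedit writes exports as UTF-16, so on a real file read it with `open(path, encoding="utf-16")` before passing the text in; the host list it returns is also the right input for blocking the current command servers, since the post notes the attacker can rewrite it at any time.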

The CHM files received were used in two targeted attacks, so this multi-part trojan is unlikely to be widely distributed, but I would not be surprised to find it for sale in underground forums…

Our detection includes all components of this malware as Spy-Agent.cp.dr!chm, Spy-Agent.cp.dr, Spy-Agent.cp.dll and Spy-Agent.cp, and of course we will still keep an eye out for similar attacks!!!