Hostile Data — The Downloader.Small-1109 Trojan
The header as received
This came in from an infected web server. The worm tries to make the mail look as if it came from the BBC — they do have excellent news, but they're far better at English than these clowns. The Received: lines tell the real story: the message was injected locally on city.websitewelcome.com by the user nobody, and nothing in the delivery path touches the BBC.
From news@info.bbc.com Fri Mar 10 16:36:36 2006
Received: from city.websitewelcome.com ([70.86.180.98])
	by sccqmxc91.asp.att.net (sccqmxc91) with ESMTP
	id <20060310213633q910016u93e>; Fri, 10 Mar 2006 21:36:33 +0000
X-Originating-IP: [70.86.180.98]
Received: from nobody by city.websitewelcome.com with local (Exim 4.52)
	id 1FHpHo-0000Gz-Lr
	for bob.cromwe11@insightbb.com; Fri, 10 Mar 2006 15:36:36 -0600
To: bob.cromwe11@insightbb.com
Subject: New acts of terrorism in New York and London
MIME-Version: 1.0
From: BBC World News <news@info.bbc.com>
Content-Type: multipart/mixed; boundary="=_20f465097e1702befcde992276d5072a"
Message-Id: <E1FHpHo-0000Gz-Lr@city.websitewelcome.com>
Date: Fri, 10 Mar 2006 15:36:36 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - city.websitewelcome.com
X-AntiAbuse: Original Domain - insightbb.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - city.websitewelcome.com
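The same check can be automated. The script below is an added example, not part of the original article: it walks the Received: chain of the header above (embedded as constructed input, minus the mbox envelope line and the X-AntiAbuse trailers), recovers the first hop, and flags that no relay sits under the domain the From: line claims.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: the header block shown above, minus the mbox "From " envelope
# line and the X-AntiAbuse trailers; folded lines keep their leading whitespace.
RAW = """\
Received: from city.websitewelcome.com ([70.86.180.98])
    by sccqmxc91.asp.att.net (sccqmxc91) with ESMTP
    id <20060310213633q910016u93e>; Fri, 10 Mar 2006 21:36:33 +0000
X-Originating-IP: [70.86.180.98]
Received: from nobody by city.websitewelcome.com with local (Exim 4.52)
    id 1FHpHo-0000Gz-Lr
    for bob.cromwe11@insightbb.com; Fri, 10 Mar 2006 15:36:36 -0600
To: bob.cromwe11@insightbb.com
Subject: New acts of terrorism in New York and London
From: BBC World News <news@info.bbc.com>
Message-Id: <E1FHpHo-0000Gz-Lr@city.websitewelcome.com>
Date: Fri, 10 Mar 2006 15:36:36 -0600
"""
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def trace(raw):
    """Claimed sender domain versus the path the Received: headers record."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    # Each relay prepends its own Received: line, so the last one is the first hop.
    hops = [m.groups() for h in reversed(msg.get_all("Received", []))
            for m in [HOP.search(h)] if m]
    return {"from_domain": from_domain,
            "message_id_domain": msg["Message-Id"].strip("<> ").rsplit("@", 1)[-1],
            "origin": hops[0] if hops else None, "hops": hops}

def forged_sender(raw):
    """True when no host in the Received: chain sits under the last two labels
    of the From: domain (a heuristic: bbc.com mail should enter via a bbc.com host)."""
    info = trace(raw)
    base = ".".join(info["from_domain"].split(".")[-2:])
    seen = {h.lower() for hop in info["hops"] for h in hop}
    return not any(h == base or h.endswith("." + base) for h in seen)
```

For this header the first hop is ("nobody", "city.websitewelcome.com"), the Message-Id domain is the same host, and forged_sender() returns True.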
The clumsy message content
It is foolish to allow your mail interface to render HTML. Among other things, spammers use it to plant "web bugs" that report back to them when you read their message, which guarantees you far more spam. With HTML rendering turned off, the message appears exactly as below. I think they were trying to make this look like an exciting piece of world news — the hackers' English is so bad it's hard to tell.
Today FBI and SCOTLAND YARD has informed
on set of new acts of terrorism in New York
and London. On a communique was lost more than two
thousand person and about ten thousand have received
the wounds which were much of them are in a grave
condition.Police and MI5 identified an Al-Qaeda
cell that had carried out extensive research and
video-recorded reconnaissance missions in
preparation for the attack.
You can learn the detailed information in the
attached file.
The attachment
This was followed by an attached zip file named news.zip, which contained a file named news.exe.
The executable contents
GNU utilities such as file, strings, and hexdump are useful for getting some limited idea of what this malicious code might do. The file utility reports that this executable is:
PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed
The following is partial output from running hexdump -C news.exe under Linux or BSD.
The interesting stuff appears, among many other places:
- Around address 0x000001f0, where a reference to KERNEL32.dll appears.
- Around addresses 0x000064a0 through 0x000065f0, where suspicious strings appear.
- Around address 0x0000b350, where a URL appears.
- Around addresses 0x0000bb90 through 0x0000bbc0, where references to the Windows API appear.
00000000  4d 5a 00 00 00 00 00 00  00 00 00 00 50 45 00 00  |MZ..........PE..|
00000010  4c 01 02 00 46 53 47 21  00 00 00 00 00 00 00 00  |L...FSG!........|
00000020  e0 00 0f 01 0b 01 00 00  00 98 00 00 00 74 00 00  |.............t..|
00000030  00 00 00 00 b5 09 02 00  00 10 00 00 0c 00 00 00  |................|
00000040  00 00 40 00 00 10 00 00  00 02 00 00 04 00 00 00  |..@.............|
00000050  00 00 00 00 04 00 00 00  00 00 00 00 00 10 02 00  |................|
00000060  00 02 00 00 00 00 00 00  02 00 00 00 00 00 10 00  |................|
00000070  00 10 00 00 00 00 10 00  00 10 00 00 00 00 00 00  |................|
00000080  10 00 00 00 00 00 00 00  00 00 00 00 34 09 02 00  |............4...|
00000090  84 00 00 00 00 50 01 00  8c 60 00 00 00 00 00 00  |.....P...`......|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  60 00 00 e0 00 00 00 00  00 00 00 00 00 40 01 00  |`............@..|
00000110  00 10 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000120  00 00 00 00 00 00 00 00  e0 00 00 c0 00 00 00 00  |................|
00000130  00 00 00 00 17 ba 00 00  00 50 01 00 17 ba 00 00  |.........P......|
00000140  00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  e0 00 00 c0 87 25 78 09  42 00 61 94 55 a4 b6 80  |.....%x.B.a.U...|
00000160  ff 13 73 f9 33 c9 ff 13  73 16 33 c0 ff 13 73 1f  |..s.3...s.3...s.|
[....]
000001d0  03 ff 63 0c 50 55 ff 53  14 ab eb ee 33 c9 41 ff  |..c.PU.S....3.A.|
000001e0  13 13 c9 ff 13 72 f8 c3  02 d2 75 05 8a 16 46 12  |.....r....u...F.|
000001f0  d2 c3 4b 45 52 4e 45 4c  33 32 2e 64 6c 6c 00 00  |..KERNEL32.dll..|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 02 00  |................|
00000210  03 00 00 00 20 00 00 80  0e 00 00 00 78 00 00 80  |.... .......x...|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 09 00  |................|
[....]
00006480  73 28 e4 65 a0 c5 63 74  1b 29 3a 20 18 9b 5b ca  |s(.e..ct.): ..[.|
00006490  68 07 6b f3 64 5d 45 36  1c 03 c5 78 9a 61 43 d1  |h.k.d]E6...x.aC.|
000064a0  99 29 5b f7 40 28 22 0a  9b a8 b1 54 75 6e 59 2c  |.)[.@("....TunY,|
000064b0  09 84 0a 3a 68 18 0a 85  62 6f 78 14 18 0f 1e 64  |...:h...box....d|
000064c0  69 a9 4c 34 06 76 46 20  03 23 4d 65 74 68 6f f5  |i.L4.vF .#Metho.|
000064d0  66 53 20 1f 4e 65 77 03  46 6f 72 6d f7 a5 41 19  |fS .New.Form..A.|
000064e0  8d 66 6e 4d 1a f9 64 25  49 bb 19 aa 2e 03 d9 3c  |.fnM..d%I......<|
000064f0  38 6d 57 10 4a 03 b0 20  55 52 4c ac 45 62 5c 09  |8mW.J.. URL.Eb\.|
00006500  69 64 00 53 4f 46 54 02  57 41 52 45 5c 55 8f db  |id.SOFT.WARE\U..|
00006510  46 75 6c f8 cc 29 26 32  3d 99 a0 8a 6f 67 08 b1  |Ful..)&2=...og..|
00006520  28 0d 0a cb 24 6b 43 bc  c3 2d 4c 28 0a 67 91 da  |(...$kC..-L(.g..|
00006530  94 38 14 14 1a 54 79 70  d7 63 12 b0 6c 69 63 ed  |.8...Typ.c..lic.|
00006540  48 94 2f 90 ec 6e 77 02  8a 66 a7 bc ba 75 35 6c  |H./..nw..f...u5l|
00006550  48 14 f2 a3 68 93 34 bd  9b 6b 69 5d a6 29 80 a1  |H...h.4..ki].)..|
00006560  3d 31 a1 15 52 21 bf e9  72 a2 04 55 80 10 48 6f  |=1..R!..r..U..Ho|
00006570  90 c2 83 0d 9f 97 54 10  50 2f 31 2e 6f 30 2b 09  |......T.P/1.o0+.|
00006580  4f 08 f0 20 14 26 99 6c  c8 d0 70 a4 9d eb 95 c0  |O.. .&.l..p.....|
00006590  74 08 93 7e 14 24 77 9c  92 5f 1e 61 fd 7c 98 73  |t..~.$w.._.a.|.s|
000065a0  d0 da eb 4d 78 9e ca 76  63 4e a6 86 50 54 45 21  |...Mx..vcN..PTE!|
000065b0  4d 50 01 5c 64 72 69 76  43 90 73 c1 49 6e df cf  |MP.\drivC.s.In..|
000065c0  6f 6c 62 a0 44 fb e4 4e  54 7b 2e 7d 79 e1 4a 13  |olb.D..NT{.}y.J.|
000065d0  d0 30 a6 79 26 25 27 48  c4 c5 7c c1 41 46 12 80  |.0.y&%'H..|.AF..|
000065e0  67 82 69 62 75 88 a9 9f  2a f4 fb 44 8d 24 b9 0b  |g.ibu...*..D.$..|
000065f0  a0 76 a2 4f 33 32 e5 4d  3f 9a 6e 73 21 11 0e 77  |.v.O32.M?.ns!..w|
00006600  ee 85 a2 6b 33 1b 6d e6  60 d4 ec b8 f2 4d 40 70  |...k3.m.`....M@p|
00006610  72 6f c7 42 66 74 af f2  0f 50 64 5b 58 c2 43 43  |ro.Bft...Pd[X.CC|
00006620  6f 8c 05 74 56 55 8e 88  7f 7f 52 dc cf 07 4e 74  |o..tVU....R...Nt|
00006630  51 8c 22 79 51 53 ac e7  ba 6d 8a c1 97 4a a7 68  |Q."yQS...m...J.h|
00006640  6c 34 58 23 75 5c 8a 2e  83 ef 4e 56 9b 53 a8 42  |l4X#u\....NV.S.B|
00006650  4c 45 3c 44 52 c1 c2 be  ec 88 b0 59 a0 01 9b a8  |LE<DR......Y....|
00006660  f6 cf 11 a4 42 c3 c8 c9  0a 8f 50 39 d1 cb 18 85  |....B.....P9....|
00006670  95 4d 20 96 0c e0 80 1f  c7 f4 ee 00 e0 06 41 fe  |.M ...........A.|
00006680  9a 39 64 d0 40 8c 67 50  15 a7 34 87 62 65 20 92  |.9d.@.gP..4.be .|
[....]
0000b320  28 01 aa bd 3e 06 e3 80  0a 09 44 09 06 8a 1f 28  |(...>.....D....(|
0000b330  11 03 22 34 44 13 10 89  04 91 09 0b 22 73 44 02  |.."4D......."sD.|
0000b340  0d 89 01 12 0c 25 12 32  54 97 25 17 34 5c 7a 84  |.....%.2T.%.4\z.|
0000b350  04 57 53 32 5f ab a2 14  80 55 52 4c 44 6f 25 77  |.WS2_....URLDo%w|
0000b360  6e 5d 07 d5 54 83 46 69  c1 65 41 74 3f 72 fe 6d  |n]..T.Fi.eAt?r.m|
0000b370  f8 6e ac 22 60 43 38 73  65 48 61 7f 6e 83 3d 1d  |.n."`C8seHa.n.=.|
0000b380  52 ed 52 4e 16 0b 34 67  72 1a 74 aa 35 68 0e 63  |R.RN..4gr.t.5h.c|
[....]
0000bb70  80 00 00 00 00 7d 00 00  5c 09 42 00 e8 01 40 00  |.....}..\.B...@.|
0000bb80  dc 01 40 00 de 01 40 00  20 5b 40 00 96 09 02 00  |..@...@. [@.....|
0000bb90  a4 09 02 00 00 00 00 00  4c 6f 61 64 4c 69 62 72  |........LoadLibr|
0000bba0  61 72 79 41 00 00 47 65  74 50 72 6f 63 41 64 64  |aryA..GetProcAdd|
0000bbb0  72 65 73 73 00 90 b8 54  01 40 00 90 90 90 90 90  |ress...T.@......|
0000bbc0  03 c3 2b c3 90 90 90 90  90 90 90 90 90 90 90 90  |..+.............|
0000bbd0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
0000bbe0  90 90 90 90 90 ff e0 e9  00 00 00 00 60 e8 00 00  |............`...|
0000bbf0  00 00 58 83 c0 08 f3 eb  ff e0 83 c0 28 50 e8 00  |..X.........(P..|
0000bc00  00 00 00 5e b3 33 8d 46  0e 8d 76 31 28 18 f8 73  |...^.3.F..v1(..s|
0000bc10  00 c3 8b fe b9 3c 02                              |.....<.|
0000bc17
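The dump above is enough to walk the PE headers by hand, and that is worth doing once. The script below is an added example, not part of the original article: it parses hexdump -C text back into bytes (including the "*" line, which means "previous line repeats"), then reads e_lfanew, the COFF and optional headers and the section table using the standard PE32 field offsets, and maps the entry point RVA to a file offset. The DUMP constant is copied from the dump above, trimmed to the lines the parser reads.

```python
import re
# Constructed input: the article's hexdump lines that the parser below reads
# (DOS/PE header at 0x00-0x3f, the two section headers at 0x100-0x14f).
DUMP = """\
00000000  4d 5a 00 00 00 00 00 00  00 00 00 00 50 45 00 00  |MZ..........PE..|
00000010  4c 01 02 00 46 53 47 21  00 00 00 00 00 00 00 00  |L...FSG!........|
00000020  e0 00 0f 01 0b 01 00 00  00 98 00 00 00 74 00 00  |.............t..|
00000030  00 00 00 00 b5 09 02 00  00 10 00 00 0c 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000100  60 00 00 e0 00 00 00 00  00 00 00 00 00 40 01 00  |`............@..|
00000110  00 10 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 17 ba 00 00  00 50 01 00 17 ba 00 00  |.........P......|
00000140  00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
"""
LINE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})\s")

def parse_hexdump(text):
    """Offset -> byte map; '*' repeats the previous line up to the next offset."""
    data, last, star = {}, None, False
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:  # '*', '[....]' gaps and the final bare offset carry no bytes
            star = star or line.strip() == "*"
            continue
        off, raw = int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))
        if star:  # fill the elided run with copies of the previous line
            for o in range(last[0] + 16, off, 16):
                data.update(zip(range(o, o + 16), last[1]))
            star = False
        data.update(zip(range(off, off + len(raw)), raw))
        last = (off, raw)
    return data
def get(d, off, n): return bytes(d[off + i] for i in range(n))
def u(d, off, n): return int.from_bytes(get(d, off, n), "little")

def pe_summary(d):
    """Walk the headers the way the loader does (PE32 layout assumed)."""
    pe = u(d, 0x3c, 4)               # e_lfanew; it is 0x0c here, so MZ and PE headers overlap
    assert get(d, pe, 4) == b"PE\0\0", "no PE signature at e_lfanew"
    opt = pe + 24                    # optional header follows the 20-byte COFF header
    sec = opt + u(d, pe + 20, 2)     # section table follows SizeOfOptionalHeader
    sections = [(u(d, s + 12, 4), u(d, s + 8, 4), u(d, s + 20, 4), u(d, s + 16, 4))
                for s in range(sec, sec + 40 * u(d, pe + 6, 2), 40)]  # (va, vsize, rawptr, rawsize)
    return {"machine": u(d, pe + 4, 2), "timestamp_bytes": get(d, pe + 8, 4),
            "entry_rva": u(d, opt + 16, 4), "sections": sections}

def rva_to_offset(rva, sections):  # None for a section with no bytes in the file
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + rawsize:
            return rawptr + rva - va
    return None
```

Two things fall out for this sample: the TimeDateStamp field holds the ASCII bytes "FSG!" rather than a build time, and the entry point RVA 0x209b5 maps to file offset 0xbbb5, the "90 b8 54 01 40 00" that immediately follows the GetProcAddress string in the dump above, which is what you expect of a packed file: a tiny stub at the entry point, with the real program unpacked at run time.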