An email with a trojan Microsoft Word document made it past the spam filter today at work. At least one user reported opening the attachment.
The attachment was named DOCO943488.doc, but running the file through virustotal.com made it clear that it has been known by other names.
To help affected people find this page, here are some hashes of the file:
I *think* the script inside of the Word Document is the W97M.Downloader
I decided to take a closer look, and document my process in case it is helpful to anyone else.
Nothing too surprising here; I guess it’s a Word Doc.
I’ve added some line breaks and ellipses for formatting and brevity in the output below, but I haven’t changed any relevant details.
Let’s see if the binutils “strings” command can shed any light on this.
Hmm, looks like something is here; maybe if I remove some carets it will be clearer.
Yeah, that’s looking better. It looks like they’re running a bunch of commands in the cmd.exe Command Prompt. Let’s look at them one per line instead of chained together with “&&”s.
Huh, OK, it looks like they are setting a bunch of variables to tiny bits of text in order to obfuscate what’s happening. Let’s look at the lines that don’t begin with “set” to see what the script does with all these bits.
The first line that doesn’t begin with “set” we’ve already seen: it’s the command prompt statement. Ignoring that and moving on, we see that they set a new variable called UJ4 whose value is assembled from the values of all of the little obfuscated parts we saw earlier. Finally, they execute whatever commands are inside that obfuscated value.
We need to know the value inside of UJ4, which we can get by looking up the value of each “set” statement in the order the variables appear in the “set UJ4” line.
Let’s save this to a file (script.txt) so we can unravel the mystery.
Next, a quick bash script to reassemble the obfuscated parts in the correct order.
Run that to get our results…
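The reassembly step described above, as an added example written in Python rather than the author’s bash script (which is not reproduced on this page): it strips the carets, splits the chain on “&&”, collects every “set NAME=VALUE” fragment, and expands the variable that is finally executed. The command line below is a constructed, benign sample with the same shape as the real one; the fragment names are made up (only UJ4 comes from the post), and it also handles “!NAME!” delayed-expansion references, which the post does not mention.

```python
import re
from typing import Dict, List

# Constructed, harmless sample in the same shape the post describes: caret-escaped,
# "&&"-chained "set" statements, a "set UJ4=" line that stitches the pieces back
# together, and a final statement that executes the result.
SAMPLE = (
    'cmd /c set kL1=ech^&^&set p9Z=o ^&^&set Qw=Hel^&^&set Rz=lo wo^&^&'
    'set UJ4=%kL1%%p9Z%%Qw%%Rz%rld^&^&call %UJ4%'
)

# %NAME% (normal expansion) or !NAME! (delayed expansion, cmd /V:ON)
VAR_REF = re.compile(r'%(\w+)%|!(\w+)!')
SET_STMT = re.compile(r'\bset\s+(\w+)=(.*)', re.IGNORECASE)


def split_commands(blob: str) -> List[str]:
    """Drop cmd.exe caret escapes and split the chained command line on '&&'.
    Only leading whitespace is trimmed: cmd.exe keeps trailing spaces in a
    'set' value, so they may be part of the reassembled text."""
    return [p.lstrip() for p in blob.replace('^', '').split('&&') if p.strip()]


def collect_sets(commands: List[str]) -> Dict[str, str]:
    """Map NAME -> VALUE for every 'set NAME=VALUE' fragment."""
    env: Dict[str, str] = {}
    for cmd in commands:
        m = SET_STMT.search(cmd)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def expand(value: str, env: Dict[str, str], depth: int = 0) -> str:
    """Recursively replace variable references with their (expanded) values."""
    if depth > 50:
        raise ValueError('reference loop in set statements')

    def sub(m: re.Match) -> str:
        name = m.group(1) or m.group(2)
        return expand(env[name], env, depth + 1) if name in env else m.group(0)
    return VAR_REF.sub(sub, value)


def executed_command(blob: str) -> str:
    """Return the first non-'set' statement that references a variable, fully
    expanded: that is the command the obfuscation was hiding."""
    commands = split_commands(blob)
    env = collect_sets(commands)
    for cmd in commands:
        if not SET_STMT.search(cmd) and VAR_REF.search(cmd):
            return expand(cmd, env)
    return ''


if __name__ == '__main__':
    print(executed_command(SAMPLE))  # → call echo Hello world
```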
Hmm, another layer to the onion: it looks like the cmd.exe commands generate a PowerShell script. Let’s format it a little more cleanly.
OK good, looks like this is the bottom of the rabbit hole.
Taking a look, we’ve got an array ($tWX) of URLs:
They use the msxml2.xmlhttp COM object ($dIO) to open a connection to each server ($ZsC) in the list and, if successful, use adodb.stream ($lss) to write the downloaded contents into a file ($SiC) named “jqI.exe” in the temporary directory returned by GetTempPath.
I think this means that if a user opened this attachment and it executed properly, there would be a file named jqI.exe in the directory specified by the first defined environment variable in the following ordered list: %TMP%, %TEMP%, %USERPROFILE%, and finally, if all else fails, %WINDIR%.
Unfortunately, all of the URLs in the list returned “403 Forbidden” when I attempted to get a sample of the malicious executable. I say “unfortunately”, but I suppose this is all for the best, as it hopefully means many people who opened this attachment might have been spared some of the consequences. The first URL in the list isn’t even valid; I’m not sure if this was something I did or the malware author did (I bet the latter). “icx.turkeys.com” does resolve, so perhaps that’s what it was supposed to be, although there was no malicious payload to be found there either.
Still, it was possible that one of our users might have gotten the malicious executable before it was removed from all the servers. Luckily we force all local DNS traffic through our own server and keep pretty robust logging of queries there. After consulting those logs it was clear to me that even the one user who reported opening the attachment did not execute the malicious script.
While it feels like a bit of work for nothing, I think the effort was still worth it for the peace of mind (and also maybe a little bit of fun as well).
UPDATE: Since writing this a few more emails have come through with only slightly modified versions of the first script.
I’ve modified the bash script to work with the sample files I have; hopefully it also works on other Doc files infected with W97M (if that is what this is).
If you want a copy you can download it here: w97url.zip
The script takes one argument, the name of the Doc file, and outputs the list of URLs that the downloader fetches from.
Here are the sums of some other files I’ve used this with:
So far the following hosts have been found to be listed: