Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: ClamAV: win32

Marica/Kukuriba -- Win Malware?

 

 

ClamAV win32 RSS feed   Index | Next | Previous | View Threaded


alex0192 at gmail

Nov 17, 2011, 10:46 PM

Post #1 of 3 (1741 views)
Permalink
Marica/Kukuriba -- Win Malware?

Hello,

A complete newbie here, with a little problem.

I'm looking for info and advice about a piece of Win malware (perhaps), involving the names "kukuriba", "marica", and "Loesrmx".


Here are the details.

A few days ago, a colleague attended a conference in Asia. He used a FAT32-formatted USB thumb drive to copy a presentation from his Win XP laptop to one of the public PCs at the site. (He did not connect the thumb drive to his PC afterwards.)

Today, he gave me (Mac OS X) the thumb drive and asked me to copy some files to it. Immediately I noticed at the root level of the drive a folder named "kukuriba", which could not have had anything to do with the conference or his presentation; the folder contained only the file "marica.exe", approx 96k. My colleague confirmed he hadn't copied it and didn't know anything about it. The modification date was 2011/04/26 for "marica.exe"; for the "kukuriba" directory and the "autorun.inf" file (see below), they coincided with the time when he attached his thumb drive to the public PC.

First, I used ClamXav (Mac OS X GUI for ClamAV; v2.2.2 (252), engine v0.97.2) to scan the USB drive, but it gave it a clean bill of health.

Then I googled it, but found few solid hits. The most reliable appeared to be this one

<http://www.virustotal.com/file-scan/report.html?id=27ce421fa2c0069f44a7e63073a4494f90a358a58018e4ce468aeac8d23d1687-1310399637>

which indicated I was dealing with some kind of malware, identified by some, missed by many others, (including Clam), but without any indication of what it was supposed to do.

Next, I looked for an "autorun.inf" file, and, surely enough, one had been created and modified immediately after the "kukuriba" directory:

=====
[autorun]
USEAUTOPLAY=1
shellexcute=kukuriba/marica.exe
Shellwips
shell\\Explore\\command=kukuriba/marica.exe
shell\Open\\command=kukuriba/marica.exe
icon=kukuriba/marica.exe
open=kukuriba/marica.exe
action=Open folder to view files using Windows Explorer
=====

Finally, I used a hex editor to look at the "marica.exe" file, and extracted

Copyright (c) Loesrmx Software 1995-2011
Original Filename Loesrmx.exe
File Version 881

Knowing little about malware and little more about Win, I'm left in a quandary.

On one hand, this item behaves like malware -- it was copied to the thumb drive and an autorun.inf file created without user notice or permission.

OTOH, for malware, it doesn't seem to try very hard to hide itself. As for the autorun.inf file, does Win interpret correctly paths with a slash (/) instead of a backslash (\)? And wouldn't Win XP or later launch Autoplay instead of executing "marica.exe" or opening the "kukuriba" directory?

So what is this, and what should I do?

Should I submit it to the ClamAV database? (And if so, just "marica.exe", or both it and the autorun.inf file?) Warn other conference participants about it?

Or could it be an obnoxious, but not malevolent, piece of software installed by whatever was running legitimately on the public PC, perhaps same advertising engine?

Thanks for your patience.





_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


williambez at yahoo

Nov 19, 2011, 11:34 AM

Post #2 of 3 (1288 views)
Permalink
Re: Marica/Kukuriba -- Win Malware? [In reply to]

________________________________
Sorry for the delay, my friend.
EXE is MARICA Backdoor virus type.

Performance data: the script uses Anti-TricksDissasembly monitoring system to avoid antivirus.
Copy files to disk, is run from Temporary folders, injected or attached.
MARICA.EXE remove instruction

1. Temporarily Disable System Restore, Reboot computer in Safe Mode.

2. Locate the virus files and uninstall program filesMARICA.EXE MARICA.EXE. Follow the onscreen instructions step by step on screen to finish uninstalling the MARICA.EXE.

3. Restart the computer in Safe Mode. Clean /delete all files MARICA.EXEinfected (s):MARICA.EXE and related, or rename files for viruses MARICA.EXE, if the file refused to bedeleted, use the tool revouninstaller

4. Delete / Modify any values ​​added to the registryrelated MARICA.EXE, Exit registry editor and restart the computer

5. delete all your IE temp files with MARICA.EXEmanually, run a whole scan with antivirus program;

MARICA.EXE File type: PE135334

1069tcppcbvw.exe
1068tcppcbvw.exe
1067tcppcbvw.exe
1066tcppcbvw.exe
1055udppcbvw.exe
1052tcpurwqyi.exe
KAKAKO5.EXE
ZIRONET.EXE
YOR90ZU7.EXE
XXZQZN.EXE
WSORAC.EXE
WNP7QXT6.EXE
PROTO.EXE
WEB2NET.EXE
TYZQZJ.EXE
TIMELISS.EXE
THUR.EXE
SERVERLOLTEST1.EXE
QQHH06EYB.EXE
IOYAGIHGT.EXE
MD_98.DLL
LINEAD.EXE
ZUR.EXE
IHNO.EXE
GT1TRN0YD.EXE
G3XP7550.EXE
WEATHERPLUGIN.DLL
EY8XXLPJ.EXE
EX-TRACK.EXE
CRYPTESERVER.EXE
CHECKSOM.EXE
BCONCC.EXE
AUTHOT.EXE
WINDRLTR.EXE
TUM1.EXE
HEAP.EXE
POSTER10.EXE
PAYPAL MULTIHACK.EXE
CHOOSENAME.EXE
SFX7.DLL

By : william .bezerra
Cientista da computação
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32


mwatchinski at sourcefire

Nov 22, 2011, 9:54 AM

Post #3 of 3 (1626 views)
Permalink
Re: Marica/Kukuriba -- Win Malware? [In reply to]

If you submit it to ClamAV (http://cgi.clamav.net/sendvirus.cgi), once
its investigated you'll be notified if its malicious or not.

Cheers,
-matt

On Fri, Nov 18, 2011 at 1:46 AM, Alex <alex0192 [at] gmail> wrote:
> Hello,
>
> A complete newbie here, with a little problem.
>
> I'm looking for info and advice about a piece of Win malware (perhaps), involving the names "kukuriba", "marica", and "Loesrmx".
>
>
> Here are the details.
>
> A few days ago, a colleague attended a conference in Asia. He used a FAT32-formatted USB thumb drive to copy a presentation from his Win XP laptop to one of the public PCs at the site. (He did not connect the thumb drive to his PC afterwards.)
>
> Today, he gave me (Mac OS X) the thumb drive and asked me to copy some files to it. Immediately I noticed at the root level of the drive a folder named "kukuriba", which could not have had anything to do with the conference or his presentation; the folder contained only the file "marica.exe", approx 96k. My colleague confirmed he hadn't copied it and didn't know anything about it. The modification date was 2011/04/26 for "marica.exe"; for the "kukuriba" directory and the "autorun.inf" file (see below), they coincided with the time when he attached his thumb drive to the public PC.
>
> First, I used ClamXav (Mac OS X GUI for ClamAV; v2.2.2 (252), engine v0.97.2) to scan the USB drive, but it gave it a clean bill of health.
>
> Then I googled it, but found few solid hits. The most reliable appeared to be this one
>
> <http://www.virustotal.com/file-scan/report.html?id=27ce421fa2c0069f44a7e63073a4494f90a358a58018e4ce468aeac8d23d1687-1310399637>
>
> which indicated I was dealing with some kind of malware, identified by some, missed by many others, (including Clam), but without any indication of what it was supposed to do.
>
> Next, I looked for an "autorun.inf" file, and, surely enough, one had been created and modified immediately after the "kukuriba" directory:
>
> =====
> [autorun]
> USEAUTOPLAY=1
> shellexcute=kukuriba/marica.exe
> Shellwips
> shell\\Explore\\command=kukuriba/marica.exe
> shell\Open\\command=kukuriba/marica.exe
> icon=kukuriba/marica.exe
> open=kukuriba/marica.exe
> action=Open folder to view files using Windows Explorer
> =====
>
> Finally, I used a hex editor to look at the "marica.exe" file, and extracted
>
> Copyright (c) Loesrmx Software 1995-2011
> Original Filename Loesrmx.exe
> File Version 881
>
> Knowing little about malware and little more about Win, I'm left in a quandary.
>
> On one hand, this item behaves like malware -- it was copied to the thumb drive and an autorun.inf file created without user notice or permission.
>
> OTOH, for malware, it doesn't seem to try very hard to hide itself. As for the autorun.inf file, does Win interpret correctly paths with a slash (/) instead of a backslash (\)? And wouldn't Win XP or later launch Autoplay instead of executing "marica.exe" or opening the "kukuriba" directory?
>
> So what is this, and what should I do?
>
> Should I submit it to the ClamAV database? (And if so, just "marica.exe", or both it and the autorun.inf file?) Warn other conference participants about it?
>
> Or could it be an obnoxious, but not malevolent, piece of software installed by whatever was running legitimately on the public PC, perhaps same advertising engine?
>
> Thanks for your patience.
>
>
>
>
>
> _______________________________________________
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32
>



--
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-win32

ClamAV win32 RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.