JOANAP.B WORM, OCT 2009
This malware is significantly different from the A version. The main similarity between them is the use of the Rbot PLAIN_CRYPT algorithm for string decryption with the previously mentioned “9025jhdho39ehe2” default key. The custom key is now “iamsorry!@1234567”.
The executable contains two XOR-encrypted objects in its resource section. One, stored in resource 101, is a dictionary file containing passwords. The other, stored in resource 103, is an executable: a copy of the legitimate PsExec tool from Sysinternals.
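The report states only that the two resources are XOR-encrypted. The following is an added analyst's example, not Joanap's code or a routine from the report: it recovers a single-byte XOR key for resource 103 from the known PE header bytes (known plaintext), and for the header-less password list in resource 101 by scoring candidate keys on how text-like their output is. The one-byte key length, the header-only PE stub and the password list are assumptions constructed for the example.

```python
"""Recover the single-byte XOR key of an encrypted PE resource from its
known header bytes, and of a text resource by scoring the output.
Added example; not Joanap's code.  The one-byte key length and the
sample blobs are assumptions for illustration; the report only states
that resources 101 and 103 are XOR-encrypted."""
import struct


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key_known_plaintext(blob):
    """Resource 103 is a PE, so its first plaintext byte is 'M': the key
    is blob[0] ^ ord('M').  The guess is confirmed against 'Z' and the PE
    signature; a non-PE blob or a multi-byte key yields None."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z") or not looks_like_pe(xor_bytes(blob, key)):
        return None
    return key


def _textlike(b):
    # bytes expected in a password list: letters, digits, CR, LF
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122 or b in (10, 13)


def recover_key_by_scoring(blob):
    """Resource 101 (the password list) has no fixed header, so every key
    is tried and the one producing the most text-like output wins.
    Plain printability is not enough: XOR with 0x40 turns lowercase into
    punctuation that is still printable, so only letters/digits/CRLF count."""
    if not blob:
        return None
    best_key, best_score = None, -1.0
    for key in range(256):
        score = sum(_textlike(b) for b in xor_bytes(blob, key)) / len(blob)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def build_sample_pe_stub():
    """Constructed header-only PE image (DOS header + PE signature); enough
    for the checks above, not a loadable executable."""
    hdr = bytearray(b"MZ")
    hdr += b"\x90" * (0x3C - len(hdr))
    hdr += struct.pack("<I", 0x80)                    # e_lfanew
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + struct.pack("<H", 0x14C)   # IMAGE_FILE_MACHINE_I386
    hdr += b"\x00" * 18
    return bytes(hdr)


# Constructed password list standing in for resource 101.
SAMPLE_DICT = b"password\r\n123456\r\nadmin\r\nqwerty\r\nletmein\r\n"


if __name__ == "__main__":
    enc_pe = xor_bytes(build_sample_pe_stub(), 0x5A)   # assumed key 0x5A
    enc_dict = xor_bytes(SAMPLE_DICT, 0x33)             # assumed key 0x33
    print("resource 103 key:", hex(recover_key_known_plaintext(enc_pe)))
    print("resource 101 key:", hex(recover_key_by_scoring(enc_dict)))
```

If the real key were longer than one byte, the "MZ" check alone fixes only the first two key bytes; the PE signature at e_lfanew and the DOS stub text give further known-plaintext positions, and the scoring approach generalises by scoring each key position independently.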
Contrary to the A version, this variant is a true worm. It generates random IP addresses and attempts to connect to them over the SMB port, 445/tcp. It uses the WNetAddConnection2A API to connect to a share on the remote machine, trying the passwords from its embedded dictionary in turn. If a connection succeeds, it copies itself to the system folder of the remote host and extracts its embedded PsExec to execute the copied file remotely.
The malware does not connect directly to a C&C server. Instead it sends status mails to its controller through Gmail's public inbound mail server, gmail-smtp-in.l.google.com. The email appears to be sent FROM ninja@gmail.com TO xiake722@gmail.com. All content is in the subject field: initially only the version (1.1), the time and the local IP address. After a successful connection and copy to a remote machine, the malware sends mail again, this time also containing the remote IP, username and password in addition to the initial fields.
Above: Email transfer between Joanap and the mail server.<br />
A minor sub-variant of this Joanap generation exists. It sends email in the same way as described above but uses a different TO address (laohu1985@gmail.com) during network propagation.
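The two network behaviours described above, random-IP SMB propagation and status mail sent straight to Gmail's inbound mail server, are both visible from the network edge. The following is an added hunting example, not part of the report: it runs over constructed key=value connection-log lines (not real captures) and flags a host that opens 445/tcp to many distinct addresses in a short window, and any SMTP session to gmail-smtp-in.l.google.com from a non-relay host or using the reported sender/recipient addresses, including the sub-variant's laohu1985@gmail.com. The log field names, the thresholds and the relay address are assumptions made for the example.

```python
"""Hunting for Joanap.B-style activity in connection logs (added example).

Constructed key=value log lines stand in for a firewall/flow export.
Two behaviours from the report are matched:
  1. SMB fan-out: one host opening 445/tcp to many distinct, unrelated
     addresses in a short window (random-IP propagation).
  2. Status mail sent straight to Gmail's inbound MX from a workstation,
     or carrying the reported sender/recipient addresses.
Field names, thresholds and the relay list are assumptions.
"""
from collections import defaultdict, deque

# Indicators taken from the report.
GMAIL_MX = "gmail-smtp-in.l.google.com"
JOANAP_FROM = "ninja@gmail.com"
JOANAP_TO = {"xiake722@gmail.com", "laohu1985@gmail.com"}

# Tunables (assumed): >= MIN_TARGETS distinct hosts on 445 within WINDOW_S.
MIN_TARGETS = 10
WINDOW_S = 60
# Hosts allowed to speak SMTP to the Internet (assumed: the site's relay).
MAIL_RELAYS = {"10.0.0.25"}


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; ts and dport become ints."""
    rec = {}
    for tok in line.split():
        k, _, v = tok.partition("=")
        rec[k] = v
    rec["ts"] = int(rec["ts"])
    rec["dport"] = int(rec.get("dport", 0))
    return rec


def detect_smb_fanout(records):
    """Return {src: first_ts} for hosts whose 445/tcp connections reached
    MIN_TARGETS distinct destinations inside some WINDOW_S-second window.
    A client hammering one file server never trips this, since distinct
    destinations are counted, not connection attempts."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == 445:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()
        for ts, dst in events:
            window.append((ts, dst))
            while window and window[0][0] < ts - WINDOW_S:
                window.popleft()
            if len({d for _, d in window}) >= MIN_TARGETS:
                hits[src] = window[0][0]
                break
    return hits


def detect_status_mail(records):
    """Return (src, dst, rcpt_to) for SMTP sessions that either go direct
    to Gmail's MX from a non-relay host or use the reported addresses."""
    hits = []
    for r in records:
        if r["dport"] != 25:
            continue
        direct_to_mx = r["dst"] == GMAIL_MX and r["src"] not in MAIL_RELAYS
        known_addrs = (r.get("mail_from") == JOANAP_FROM
                       or r.get("rcpt_to") in JOANAP_TO)
        if direct_to_mx or known_addrs:
            hits.append((r["src"], r["dst"], r.get("rcpt_to", "")))
    return hits


def make_sample_log():
    """Constructed log: an infected host spraying 445 at 12 random
    addresses, a benign client using one file server, the worm's status
    mail, and a legitimate message through the site relay."""
    lines = []
    for i in range(12):
        lines.append(f"ts={1255000000 + i * 2} src=10.0.0.5 "
                     f"dst=203.0.113.{i + 1} dport=445 status=fail")
        lines.append(f"ts={1255000000 + i * 2} src=10.0.0.8 "
                     f"dst=10.0.0.50 dport=445 status=ok")
    lines.append("ts=1255000040 src=10.0.0.5 dst=gmail-smtp-in.l.google.com "
                 "dport=25 mail_from=ninja@gmail.com rcpt_to=xiake722@gmail.com")
    lines.append("ts=1255000041 src=10.0.0.25 dst=gmail-smtp-in.l.google.com "
                 "dport=25 mail_from=alice@example.com rcpt_to=bob@gmail.com")
    return lines


def run(lines):
    records = [parse_line(line) for line in lines]
    return detect_smb_fanout(records), detect_status_mail(records)


if __name__ == "__main__":
    fanout, mail = run(make_sample_log())
    for src, ts in fanout.items():
        print(f"SMB fan-out from {src} starting at ts={ts}")
    for src, dst, rcpt in mail:
        print(f"Joanap-style status mail {src} -> {dst} (rcpt {rcpt})")
```

Because the worm picks targets at random, most of its 445/tcp attempts fail against unallocated or non-Windows addresses; on the victim side the same activity appears as a burst of failed network logons from one source with the dictionary's passwords, followed by the PsExec service being installed, which is the complementary host-based signal.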