JOANAP.E WORM, AUG-SEP 2011<br />
Joanap.E was the first variant of this family we tied to this threat complex, because several samples are<br />
signed using the peculiar MicrosoftCodeSigningPCA certificate format.<br />
This variant is again a worm – as mentioned before, the installer drops three files – one SMB spreading DLL<br />
(wmmvsvc.dll), one backdoor DLL (scardprv.dll) and one configuration file (mssscardprv.ax). The backdoor DLL and<br />
the configuration file fill the same role as in Joanap.D.<br />
The network spreader module reuses some code from the B variant, but much of the functionality has been reworked.<br />
As in B, it generates semi-random IP addresses and attempts to log on to the admin account of these<br />
machines using a password dictionary. If a logon succeeds, it creates a remote share named “$adnim” (not a<br />
typo), copies the main installer (and the configuration file) over, and executes it. The authors have moved away<br />
from using PsExec for remote execution. Instead they add shares and execute the worm by creating a remote service<br />
via the Service Control Manager.<br />
If this succeeds, the worm sends a status mail in the same way as the B variant. This time the mail is FROM:<br />
redhat@gmail.com TO: Joana .<br />
This malware uses the same encryption keys as the B variant. This worm sets the mutex “PlatFormSDK2.1”.<br />
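The lateral-movement chain described above (dictionary logon, a share named “$adnim”, then remote execution through a Service Control Manager service instead of PsExec) leaves a recognisable trail in host telemetry. The following detection logic is an added example, not code from the report or from the malware; it runs over constructed event records whose field names and event IDs are assumptions modelled loosely on Windows Security/System events (4625 failed logon, 4624 network logon, 5142 share added, 7045 service installed), and the host names, IP address, service name and installer file name are placeholders.

```python
"""Detection logic for the Joanap.E spreading chain (added example, not the
report's code). Record shapes, field names and the 4625/4624/5142/7045 IDs are
assumptions; SAMPLE_EVENTS is constructed telemetry, not real logs."""
from collections import defaultdict

SHARE_NAME = "$adnim"      # share name quoted in the report
FAIL_THRESHOLD = 5         # assumed: failed logons before a success that count as a dictionary attack

# Constructed sample events: one compromised host (WS01) plus benign noise on FS02.
SAMPLE_EVENTS = (
    [{"id": 4625, "host": "WS01", "src": "10.0.5.17", "user": "administrator"}] * 5
    + [
        {"id": 4624, "host": "WS01", "src": "10.0.5.17", "user": "administrator", "logon_type": 3},
        {"id": 5142, "host": "WS01", "share": r"\\*\$adnim", "path": r"C:\Windows\Temp"},
        {"id": 7045, "host": "WS01", "service": "updsvc", "image": r"C:\Windows\Temp\install.exe"},
        {"id": 5142, "host": "FS02", "share": r"\\*\Public", "path": r"D:\Public"},
        {"id": 7045, "host": "FS02", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
    ]
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events, fail_threshold=FAIL_THRESHOLD):
    """Return (stage, host, detail) alerts for each stage of the chain observed."""
    failures = defaultdict(int)      # (src, host) -> 4625 count before the next success
    share_paths = defaultdict(list)  # host -> local directories exposed as $adnim
    alerts = []
    for ev in events:
        eid, host = ev["id"], ev["host"]
        if eid == 4625:
            failures[(ev["src"], host)] += 1
        elif eid == 4624 and ev.get("logon_type") == 3:
            key = (ev["src"], host)
            if failures[key] >= fail_threshold:
                alerts.append(("dictionary_logon", host,
                               f"{failures[key]} failed logons then success from {ev['src']}"))
            failures[key] = 0
        elif eid == 5142:
            if _basename(ev["share"]).lower() == SHARE_NAME:
                share_paths[host].append(ev["path"].lower().rstrip("\\"))
                alerts.append(("adnim_share", host, ev["share"]))
        elif eid == 7045:
            image = ev["image"].lower()
            # A new service whose binary sits in the directory just exposed as $adnim
            # is the SCM-based remote execution step the report describes.
            if any(image.startswith(p + "\\") for p in share_paths[host]):
                alerts.append(("service_from_adnim_share", host, ev["image"]))
    return alerts


def hosts_with_chain(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen."""
    stages = defaultdict(set)
    for stage, host, _ in detect(events):
        stages[host].add(stage)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("hosts with chain:", hosts_with_chain(SAMPLE_EVENTS))
```

The share name alone is a high-fidelity indicator, but correlating it with a service whose image path lies inside the shared directory keeps the rule useful if a later variant renames the share: the service-from-share stage fires only when a `$adnim` share was seen on the same host first, and the dictionary stage is optional, so a host with share plus service still reaches the two-stage threshold.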
JOANAP.F WORM, MAR 2012<br />
We have only two slightly different samples of this generation. Again, the malware’s structure has changed. It is no<br />
longer a service DLL, but a standalone Windows executable. Unlike previous versions, this worm<br />
requires at least one command line parameter (either -i or -s) at start-up; without one it simply exits.<br />
The -s parameter starts the spreading routine, provided the worm is installed correctly and can find its configuration files. The<br />
samples we have come without installer or data files and therefore do not run.<br />
There is no doubt that these samples belong to this malware family – they use the same encryption keys, mutex<br />
structures and data file names as the E variant. There is one notable exception: this is the first time we<br />
see the file encryption RC4 key “y0uar3@s!11yid!07,ou74n60u7f001”, which closely matches the key that the US-CERT<br />
advisory (2) issued after the Sony incident attributes to the “SMB Worm Tool”,<br />
“y0uar3@s!llyid!07,ou74n60u7f001”. The two differ only in the two characters after “s!” (the digits “11” versus the<br />
letters “ll”), which might be a transcription error. The malware does not appear to be identical, though, as some<br />
other strings from the advisory’s YARA rule are not present.<br />
This worm sets the mutex “PlatFormSDK2”.
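Because every key byte feeds the RC4 key schedule, the two spellings quoted above produce unrelated keystreams, so decrypting a sample’s data file with each candidate and keeping the one that yields readable output settles which spelling is genuine. The triage below is an added example, not code from the report or from the US-CERT advisory; the configuration plaintext it encrypts is constructed for the demonstration (using the mutex name from the report and a documentation IP address) and is not a real Joanap data file.

```python
"""RC4 key-candidate triage (added example, not the report's code).
SAMPLE_PLAINTEXT is a constructed config-like blob, not a real data file."""

KEY_REPORT = b"y0uar3@s!11yid!07,ou74n60u7f001"   # spelling seen in the F samples
KEY_USCERT = b"y0uar3@s!llyid!07,ou74n60u7f001"   # spelling quoted in the advisory


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def diff_positions(a: bytes, b: bytes):
    """Zero-based offsets at which two equal-length keys differ, with both characters."""
    return [(i, chr(x), chr(y)) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def is_plausible_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a decrypted configuration file should be mostly printable ASCII."""
    printable = sum(1 for c in data if 0x20 <= c <= 0x7E or c in b"\r\n\t")
    return len(data) > 0 and printable / len(data) >= threshold


def find_key(ciphertext: bytes, candidates):
    """Return the first candidate whose decryption looks like text, or None."""
    for key in candidates:
        if is_plausible_plaintext(rc4(key, ciphertext)):
            return key
    return None


# Constructed sample: a config-like blob encrypted with the key seen in the samples.
SAMPLE_PLAINTEXT = b"server=203.0.113.10;port=443;mutex=PlatFormSDK2\n"
SAMPLE_CIPHERTEXT = rc4(KEY_REPORT, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("key bytes that differ:", diff_positions(KEY_REPORT, KEY_USCERT))
    print("key that decrypts the sample:", find_key(SAMPLE_CIPHERTEXT, [KEY_USCERT, KEY_REPORT]))
```

Run against a real data file such as mssscardprv.ax, the same loop tells you in one pass whether the advisory’s “ll” or the samples’ “11” is the working key; the printable-ratio heuristic is deliberately loose so that binary fields in a genuine config do not cause a false rejection, while a wrong RC4 key yields effectively random bytes that fail it by a wide margin.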