It’s not so hard to discover malwares that are written for a specific OS or a particular software. This kind of malwares are indeed not dangerous on any other machine without the specific Os (or software). Some days ago I was taking a glance over a malware and I discovered it doesn’t infect my machine because I don’t have what it needs. I have never thought about this behaviour and it leads me on some considerations.
First of all let’s see what the malware does. The malware I was looking at is one of the Goldun family (MD5: 80ADFB79029DF4BC8E663C19EE055230).
The first action performed by the malware is to close Firefox browser using taskkill.exe file utility. The function used to run the exe is called ShellExecute:
HINSTANCE ShellExecute(HWND hwnd, LPCTSTR lpOperation, LPCTSTR lpFile, LPCTSTR lpParameters, LPCTSTR lpDirectory, INT nShowCmd);
00401953 push 0 ; nShowCmd: how to display the application: SW_HIDE
00401955 push 0 ; lpDirectory: the default directory, it can be NULL
00401957 push offset Parameters ; “/F /IM firefox.exe”: parameters
0040195C push offset File ; “taskkill.exe”: the file to execute
00401961 push 0 ; lpOperation: action to perform: open
00401963 push 0 ; hwnd: handle of the owner window
00401965 call ds:ShellExecuteA ; Performs an operation on a file
In this case the performed operation is “open” and the file (taskkill.exe) is runned. There are some parameters passed to the exe:
– /F : the process will be forcefully terminated
– /IM : the process to end is specified using the image name
The first part of the malware ends here. In the next part it will delete/change some Firefox’s specific files.
In the second part the malware looks for some files:
C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\compreg.*
C:\Documents and Settings\<user name>\Application Data\Mozilla\Firefox\xpti.*
The search is done using FindFirstFile/FindNextFile functions, then DeleteFile is used to delete the files. These files are needed by XPCOM.
The malware changes one of the file located into one of the Firefox’s folders. The file in question is ExtensionManager.dll which is inside “Mozilla Firefox\components\” folder. The file is replaced by a new one, extracted directly from the malware itself. To clean the file switch operation the malware changes some attributes of the new file: creation time, last accessed and last modified. The new values are taken from clock.avi file which is inside Windows directory.
I don’t know what the new file is and I don’t care about it, at the moment I’m not interested in such contents.
The last operation performed by the malware is:
“cmd /c del C:\DOCUME~1\<user name>\Desktop\Malware\Current\3\m.exe >> NUL”
Ok, I’m at the end of the analysis of this simple malware and some doubts arise.
If you look through the malware’s string reference you’ll surely find this one: “\Application Data\Mozilla\Firefox\”. This is a part of a folder path used by a specific Windows language version. I’m running italian XP and I don’t have this kind of path. I have something called “\Dati Applicazioni\Mozilla\Firefox\”, the meaning is the same but the strings are not equal. It’s obvious that the malware is written for specific users. Moreover it’s based on Firefox. But, what will it happen running the malware on a machine with these features:
– Firefox is not installed
– a non english/american Windows XP/2k version is running
Is it really a dangerous file? At the moment I don’t know how the malware spreads itself because I haven’t checked the replaced dll but, if I don’t have Fiforex I’m sure it won’t spread in any way. Well, the answer to the question is “no”, not dangerous for this kind of machine for sure. On this kind of machine it’s only one of the saved files on the hard disk.
Taking in mind:
1. Firefox is not the most used browser
2. There are a lot of machine without english/american Windows version installed
could it be a nice idea to divide malwares in subcategories scanning some categories only? I mean, something like “malware ‘x’ is designed to work on machine with firefox installed and if you don’t have firefox it’s useless to scan it”. In this way an antivirus company could speed up and optimize the scan engine. I talked with a friend (he’s currently working for an AV company) asking about this idea, he told me it’s not a good idea and it’s not possible to implement it. I’m sure it’s not easy to implement such idea and above all I really don’t know if it’s really useful but the problem is that he wasn’t able to tell me why.
Well, the idea was floating on my mind and I only wanted to share with someone… now you decide.