A user discovered potential malware on his computer the other day – the files “autorun.exe” and “autorun.inf” on the C: drive which, the user claims, reappear after being deleted.

After an initial analysis it was found that a number of files are downloaded, including .NET FrameWork, which is quietly installed in the background. That was quite a surprise – it’s been a while since I’ve seen malware cheeky enough to install .NET. So I decided to investigate this sample in full. It turned out to be very interesting both in terms of the malicious functionality and the method used to install its components.

The autorun.exe source file is an SFX archive created using WinRK, an archive utility that is not currently very widespread. After it is run a whole chain of various files are executed:

Autorun.exe -> .exe -> !.bat -> start.vbs -> .bat -> Hidden Start inst.bat -> evntstart.exe;

The interesting thing about this sequence is that it uses only standard, legitimate software:

“Autorun.exe” – WinRK SFX;
“.exe” – BatToExe;
“inst.bat” – launched using Hidden Start;
“evntstart.exe” – WinRK SFX;
The malicious functionality at this stage is limited to the installation of the service in the registry that launches evnstart.exe when the system starts up, the copying of unpacked files to the system folder and the termination of SafeSurf processes. SafeSurf and its role in all this will be described below. The inst.bat file calls system utilities such as taskkill, net, regedit, etc.

Then the following takes place:

Evntstart.exe -> msexec.bat -> jnwmon.bat -> zrgutsp.bat -> ai.bat -> build.bat -> spidermod.bat -> .NET Setup -> SafeSurf start;

Let me say a little about each .bat file:

“zrgutsp.bat” – adds users with administrator’s rights, opens the TCP port 3389 for RDP using netsh and other similar activity;
“ai.bat” – installs RAdmin in hidden mode, uses two libraries and an executable file which were stored in the SFX archive;
“build.bat” – assembles autorun.exe “on the fly” using the main file of the WinRK archiver;
“spidermod.bat” – continuously removes autorun.inf from all disk roots and copies it there again;
“.NET Setup” – secretly installs .NET on the user’s machine from the jnwmon.bat file and is implemented as follows:

if exist %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll goto end
dotnetfxupdt.exe -download http://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe dotnetfx.exe
dotnetfx.exe /q:a /c:"install /q"

No malicious programs were used at the second stage either: RAdmin, netsh, net, dotnetfx, WinRK are all legal programs, including system programs. Now let us look at the JetSwap system in more detail.

The following information is given at http://www.jetswap.com/full.htm:

The JetSwap system was created to ease the process of promoting new Internet projects. After the project has been created all that is need is the allocation of one or more system codes (maximum effect is achieved if all codes are installed) and a small initial group of visitors. Several people browsing the pages of the site every day are enough to attract other visitors. System codes designed to be installed on the website enable the automated receipt of credits to promote the site. You will receive credits from your visitors. You don’t need to take any action other than simply monitoring the process.

During the final stage the malware installs SafeSurf on the user’s computer, which works with the JetSwap system and launches its “automatic surfing” in hidden mode. As the unwitting user clicks on sites, the owner of the account is earning credits. It seems that the cybercriminal didn’t even bother to cover his tracks – his data is openly available in the *.reg file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\JetSwap]

"autocr"="1"
"v2"="1"
"splash"="1"
"v3"="1"
"v4"="0"
"v5"="1"
"vhd"="1"
"msurf"="0"
"surfhide"="0"
"asurf"="1"
"minw"="0"
"login"="jackmen"
"passh"="7458bab36c82e74839639c48b9e64a05"

I launched the program with the data in the registry but without the other malicious components and saw the main SafeSurf window. And even pressed the button to check the balance, which the screenshot clearly shows.

             SafeSurf screenshot with parameters indicated by the viruswriter in the .reg file

At the beginning of my post I said that this malware was interesting because of its functionality and its installation method, so now let me explain. All the components are legal and the installation process is carried out using only legitimate programs, .bat files, scripts and registry files. Only some of the batch files can actually be considered malicious. Even the autorun.exe source file detected on the user’s computer is a WinRK SFX archive. The method for making money is also interesting – installing software to promote sites.

Currently the malware is detected by Kaspersky Lab as Trojan-Clicker.Win32.FrusEfas. Special thanks to Oleg Zaytsev for providing material.