A new wave of Zhelatin emails is currently going out. A typical example is this email:
Greetings, Are you ready to have fun at Web Joker. Account Number: 775152935455 Temp Login ID: user1160 Your Password ID: px259 Please keep your account secure by logging in and changing your login info. Use this link to change your Login info: http://74.64.28.xx/ Enjoy, Confirmation Dept. Web Joker
The page linked to in the email advises the user to install a "Secure Login Applet" to view the page; the "applet" is in fact a trojan executable, typically named applet.exe. Below is a brief analysis.
When run, applet.exe performs the standard Zhelatin actions: it copies itself to C:\Windows\spooldr.exe and drops a driver file at C:\Windows\system32\spooldr.sys. It also adds a PendingFileRenameOperations entry for a .tmp file:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = C:\Windows\system32\drivers\OLD3.tmp
Because the entry has no destination path, the session manager simply deletes the file on the next reboot. Interestingly, the variants we've examined so far have not patched tcpip.sys to make themselves autostart. This makes removal easier, since tcpip.sys does not need to be restored from a backup. (Do check that the digital signature on tcpip.sys is still valid, though, in case you are infected with a different variant.)
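The PendingFileRenameOperations value is a REG_MULTI_SZ whose strings the session manager reads in (source, destination) pairs at boot; an empty destination means "delete", and a destination prefixed with "!" means "replace if it exists". The following is an added example, not code from the original post, that decodes such a value and picks out the operations touching the drivers directory. The sample value is constructed here from the entry quoted above plus a hypothetical installer rename; the registry read is only attempted on Windows.

```python
import sys

NT_PREFIX = "\\??\\"


def parse_pending_renames(values):
    """Interpret the strings of a PendingFileRenameOperations REG_MULTI_SZ value.

    Strings come in pairs (source, destination). An empty destination tells the
    session manager to delete the source at boot; a destination beginning with
    '!' asks it to replace an existing destination. The NT '\\??\\' prefix on
    both paths is stripped for readability.
    """
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):   # a dangling odd string is ignored
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
        if dst == "":
            ops.append({"op": "delete", "src": src, "dst": None, "replace_existing": False})
        else:
            ops.append({"op": "rename", "src": src, "dst": dst, "replace_existing": replace})
    return ops


def driver_dir_operations(ops):
    """Keep only operations that touch system32\\drivers, where a tampered
    driver or its leftovers would show up."""
    return [o for o in ops
            if "\\system32\\drivers\\" in o["src"].lower()
            or (o["dst"] and "\\system32\\drivers\\" in o["dst"].lower())]


# Constructed sample value: the deletion quoted in the post plus a hypothetical
# installer rename, so that both the delete and the replace cases are exercised.
SAMPLE = [
    "\\??\\C:\\Windows\\system32\\drivers\\OLD3.tmp", "",
    "\\??\\C:\\Windows\\Temp\\update.tmp", "!\\??\\C:\\Windows\\system32\\drivers\\kbdclass.sys",
]


def read_live_value():
    """Read the real value from the registry; Windows only, returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"System\CurrentControlSet\Control\Session Manager")
    try:
        value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:      # no pending operations at all
        return []
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    values = read_live_value() or SAMPLE
    for op in driver_dir_operations(parse_pending_renames(values)):
        print(op)
```

Run it on a suspect machine before rebooting: a delete of a .tmp under system32\drivers, or a rename that replaces a Microsoft driver such as kbdclass.sys, is worth saving a copy of the file before the session manager acts on it.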
The OLD3.tmp file is actually a patched copy of the legitimate Microsoft kbdclass.sys driver. The trojan version has an extra 15 KB of data appended to it, and the entry point of the patched driver has been redirected to the start of this appended block. Once loaded, OLD3.tmp loads the spooldr.sys trojan driver through the native Windows API function ZwSetSystemInformation.
The spooldr.sys driver, as in earlier variants, disables most common firewalls, including the built-in Windows Firewall.
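The patch described above leaves a simple fingerprint in the PE headers: the file grows by the appended block, and AddressOfEntryPoint no longer points where it did in the clean driver. As an added example (not code from the original post), the following parses the PE32 headers, reports which section the entry point lands in, and, given a known-clean copy of the same driver, checks whether the suspect's entry point now executes from the appended bytes. The two images are constructed fixtures, not real drivers, and the assumption that the attacker maps the appended block by growing the last section is mine.

```python
import struct
from collections import namedtuple

# Section characteristic bits from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

Section = namedtuple("Section", "name va vsize ptr size chars")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # after the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, size, ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, ptr, size, chars))
    return entry, sections


def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, section), or None if no section covers it."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.size):
            return s.ptr + (rva - s.va), s
    return None


def entry_point_report(data):
    """Say where the entry point lands and flag the cases that are wrong on their own."""
    entry, sections = parse_pe(data)
    hit = rva_to_offset(entry, sections)
    report = {"entry_rva": entry, "section": None, "file_offset": None,
              "executable": False, "suspicious": []}
    if hit is None:
        report["suspicious"].append("entry point outside every section")
        return report
    off, sec = hit
    report["section"], report["file_offset"] = sec.name, off
    report["executable"] = bool(sec.chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
    if not report["executable"]:
        report["suspicious"].append("entry point in a non-executable section")
    return report


def compare_to_clean(clean, suspect):
    """Differential check against a known-good copy of the same driver."""
    c_entry, _ = parse_pe(clean)
    s_entry, s_secs = parse_pe(suspect)
    hit = rva_to_offset(s_entry, s_secs)
    return {
        "appended_bytes": len(suspect) - len(clean),
        "entry_moved": s_entry != c_entry,
        # An entry point at or past the clean file's end runs from the appended block.
        "entry_in_appended_region": hit is not None and hit[0] >= len(clean),
    }


def build_driver(sections, entry_rva):
    """Constructed minimal PE32 image (test fixture, not a real driver).
    sections: (name, va, vsize, rawptr, rawsize, characteristics) tuples."""
    img = bytearray(max(ptr + size for _, _, _, ptr, size, _ in sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)
    for i, (name, va, vsize, ptr, size, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + i * 40,
                         name, vsize, va, size, ptr, 0, 0, 0, 0, chars)
        img[ptr:ptr + size] = b"\x90" * size               # filler standing in for code
    return bytes(img)


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
APPENDED = 15 * 1024

# Constructed stand-in for a clean kbdclass.sys: DriverEntry at the start of INIT.
CLEAN = build_driver([
    (b".text", 0x1000, 0x200, 0x200, 0x200, CODE),
    (b"INIT",  0x2000, 0x200, 0x400, 0x200, CODE),
], entry_rva=0x2000)

# Constructed stand-in for the patched copy: 15 KB appended by growing INIT (an
# assumption about how the block is mapped), entry point moved to its first byte.
PATCHED = build_driver([
    (b".text", 0x1000, 0x200, 0x200, 0x200, CODE),
    (b"INIT",  0x2000, 0x200 + APPENDED, 0x400, 0x200 + APPENDED, CODE),
], entry_rva=0x2200)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, entry_point_report(img))
    print("diff", compare_to_clean(CLEAN, PATCHED))
```

On a real machine the clean reference would be the copy of the driver from the install media or the dllcache directory; a valid Authenticode signature on the suspect file makes this comparison unnecessary, which is why the signature check above comes first.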
Manual removal steps
- Reboot the computer in Safe Mode without networking
- Delete the following files: C:\Windows\spooldr.exe, C:\Windows\system32\spooldr.sys
- Restart the computer normally

August 21, 2007 at 11:24 pm
I think I have seen the same variant.. I submitted the file to PC Tools' "ThreatExpert" and their report said that the malware modified "kbdclass.sys".. if that is the case, then I guess you would need to restore that file rather than the "tcpip.sys" file.. I have seen other variants that, according to PC Tools' "ThreatExpert", modified the "cdrom.sys" driver..
August 22, 2007 at 5:33 am
Thanks for the quick addressing of the issue.
August 24, 2007 at 6:58 am
tcpip.sys is getting patched using an undocumented API in sfc_os.dll
September 5, 2007 at 5:25 pm
[...] picked up on it right away once I was able to get the box up enough to run, however both Mischel internet Security and PC HELL have ways posted online to correct the issue. Please be careful when dealing with this [...]