Reverse engineering a Parasitic file infector – Win32/Emerleox.JK

Today we shall look at typical parasitic virus behaviour. The Emerleox family of viruses (alias names: Fujacks, Fujack) is not new, but variants of this family have been roaming in the wild for quite a few years now.

The interesting aspect is that the authors of this family keep adding new features to it.

OK. Let's see what a typical Emerleox does, i.e., the execution flow of an Emerleox variant (Emerleox.JK).

Step 1: Once started, the executable checks its own path. If it is already running from the system32 folder, go to Step 4.

Step 2: Copy itself to %system32%\spocl32.exe.

Step 3: ShellExecute the newly dropped binary (the original process then hands over to the copy in system32).

Step 4: Enumerate all removable disks and write a copy of itself to each one, together with an autorun.inf file so that the copy starts automatically when the removable disk is connected to another machine.

Step 5: Enumerate the logical drives in the system and start infecting PE and HTML files.

Step 6: The infection process starts by extracting the icon data of the victim file (using ExtractIconA) and storing it in a temporary file in the %temp% folder.

Step 7: Prepend its own code on top of the victim file (the original host executable is kept intact after the viral image, which is why the host still runs once the virus body has finished).

Step 8: Retrieve the icon data saved in Step 6 and set it as the icon of the file resulting from Step 7, so the infected file still looks like the original.
</gml_replace>
<gr_replace lines="25" cat="clarify" orig="Step 9:">
Step 9: If the victim is an HTML file, the malware appends a malicious <iframe> pointing to a malware distribution site, so that every time a user opens the HTML document the browser silently loads the malware distribution site in the background.

Step 9: If the victim is a HTML file,  the malware appends a malicious <iframe> pointing to a malware distribution site so that every time an user opens the html document will silently get redirected to the malware distribution site in the background

Step 10: Additionally, create an autorun entry in the system registry to ensure the process survives every reboot.
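Steps 4, 7 and 9 each leave a structural trace on disk that can be checked without running anything: an infected executable carries two valid PE headers (the prepended viral image followed by the original host), an infected HTML file carries an `<iframe>` after its closing tag, and a removable disk carries an autorun.inf whose `open=` / `shellexecute=` keys name the dropped copy. The following Python script is an added example written for this post, not code from the post or from the malware; the sample PE, HTML and autorun.inf bytes are constructed inline purely to exercise the checks, and the dropped file name `dropped.exe` in the autorun sample is a placeholder rather than a real artifact.

```python
"""Heuristic checks for the three on-disk artifacts of a prepending infector.

Added example for the Emerleox write-up above (not the post's own code).
All sample data below is constructed; nothing here is a real malware sample.
"""
import re
import struct

PE_SIG = b"PE\0\0"


def pe_header_offsets(data: bytes) -> list:
    """Return every offset at which a plausible PE image begins inside `data`.

    A plausible image is an 'MZ' stub whose e_lfanew field (dword at +0x3c)
    points at a 'PE\\0\\0' signature within the buffer.  A clean executable
    yields one offset; a host with another executable prepended to it
    yields two: the prepended image at 0 and the original host after it.
    """
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                       # room for the DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and sig + 4 <= len(data) and data[sig:sig + 4] == PE_SIG:
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def looks_prepended(data: bytes) -> bool:
    """True when more than one valid PE header is present in a single file."""
    return len(pe_header_offsets(data)) > 1


def trailing_iframes(html: bytes) -> list:
    """Return <iframe ...> tags found after the document's closing tag.

    An injector that simply appends to the file leaves its frame after
    </html> (or </body>), where a hand-written page has nothing.  If the
    page has no closing tag at all, the whole document is inspected.
    """
    text = html.decode("latin-1")
    low = text.lower()
    close = max(low.rfind("</html>"), low.rfind("</body>"))
    tail = text if close == -1 else text[close:]
    return [m.group(0).encode("latin-1")
            for m in re.finditer(r"<iframe\b[^>]*>", tail, re.IGNORECASE)]


def autorun_launch_targets(inf: bytes) -> list:
    """Return the values of launch keys (open=, shellexecute=) in an autorun.inf.

    Only the [autorun] section is parsed; section and key names are
    case-insensitive as in any INI file.  Anything returned here is what
    Windows would have run on insertion while AutoRun was still honoured.
    """
    targets = []
    in_section = False
    for raw in inf.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


def make_pe(body: bytes) -> bytes:
    """Build a minimal PE-shaped byte string for testing (constructed, not runnable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after DOS header
    return bytes(dos) + PE_SIG + body


# Constructed samples mirroring the layouts described in Steps 4, 7 and 9.
CLEAN_HOST = make_pe(b"\0" * 200)
INFECTED_HOST = make_pe(b"\x90" * 300) + CLEAN_HOST      # viral image first, host after it
CLEAN_HTML = b"<html><body><p>hello</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + b'<iframe src="http://example.invalid/x" width=0 height=0></iframe>'
SAMPLE_AUTORUN = b"[autorun]\r\nopen=dropped.exe\r\nshellexecute=dropped.exe\r\nicon=dropped.exe\r\n"

if __name__ == "__main__":
    print("clean host prepended?   ", looks_prepended(CLEAN_HOST))
    print("infected host prepended?", looks_prepended(INFECTED_HOST))
    print("iframes after </html>:  ", trailing_iframes(INFECTED_HTML))
    print("autorun launch targets: ", autorun_launch_targets(SAMPLE_AUTORUN))
```

The two-PE-header check is a triage heuristic, not a verdict: self-extracting archives and installers legitimately embed other executables, so a hit should be followed by comparing the file against a known-good copy or checking whether the first image's entry point lives in the viral region. The iframe check only looks past the closing tag, which is exactly where a blind "append" infector writes; an injector that edits the body would need a different rule.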

I will post the static analysis to back up these claims in my next post!

Have a good day! Cheers. 🙂
