There's a WinRAR file floating around on the Internet named "2012桌面雪花.rar"* (SHA1: 889cf7076d4c08637e8aeedf7a90dc4a3808f991), which can be downloaded or may arrive as an attachment in an email message. It contains a program that claims to display beautiful snowflakes on your desktop. If you run the executable contained in the archive (file name "桌面雪花.exe" - SHA1: 7255f61cada0815bc0fa2fb12f5b3c89db7e786d), it does what it claims:

It is beautiful, right?

But wait, non-beautiful things are happening behind the scenes. As you can guess, it is malicious, and so it is interesting to me.

  1. The WinRAR file comes with two files: the snowflake program and a file called time.ini. The malicious code is encrypted and stored in the latter file. When the snowflake program is opened, you see the beautiful snowflake display. But then it also runs the code in time.ini. After it performs its malicious routine, time.ini is overwritten with the current time. It does this to mislead the user into thinking it is not doing anything malicious.

    The info of the original file:

    The overwritten file:

  2. The code from time.ini is then injected into Windows Explorer, and it hooks the CloseHandle API instead of creating a remote thread. It implements this by calling WriteProcessMemory two times. The first call writes the malicious code from time.ini into the Windows Explorer process, and the second overwrites the beginning of CloseHandle so that it jumps to that code.

    In this way, the malicious code is triggered when Windows Explorer calls CloseHandle. This is unusual.

    The new CloseHandle is as follows:

    It then restores the original CloseHandle.

    To verify, let's take a look at the code of CloseHandle.

  3. In Windows DLLs, you may find some NOPs before an API. The malware looks for such a NOP instruction and calls that address instead of calling the API directly; execution then falls through into the API. It does this for anti-debugging and anti-emulation purposes, because the call target no longer matches the exported function address.

  4. The API addresses in all of the API calls are computed dynamically, so you cannot simply step over the CALL instructions, much less set non-hardware (software) breakpoints on their targets. Again, this is done to make debugging more difficult.
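The two tricks in items 2 and 3 leave a footprint that a defender can check for: the first bytes of CloseHandle in the Explorer process no longer match the clean export, and the call target sits in the padding bytes immediately before an export rather than on the export itself. The following is an added example of those two checks, written for this write-up and not part of the original post or of the malware; the prologue and padding bytes are constructed sample data, the function addresses are arbitrary, and reading the live process memory (ReadProcessMemory, module enumeration) is left to the caller.

```python
"""Detect an inline-hooked API prologue and 'call the NOP before the API' aliases.

Added example for the SnowFlake write-up (not the original post's code).
All byte strings below are constructed for illustration.
"""
import struct

# Constructed: a hot-patchable Win32 export as mapped by the loader, i.e.
# five 0x90 NOPs of padding followed by "mov edi,edi / push ebp / mov ebp,esp".
PADDING = b"\x90" * 5
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
# Constructed: the same prologue after a 5-byte "jmp rel32" was written over it
# with WriteProcessMemory. The displacement 0x0ffb is arbitrary.
HOOKED_PROLOGUE = bytes.fromhex("e9fb0f0000")

JMP_REL32, CALL_REL32 = 0xE9, 0xE8
# NOP and INT3 are what compilers emit as inter-function padding.
PADDING_OPCODES = {0x90, 0xCC}


def rel32_target(insn: bytes, insn_addr: int) -> int:
    """Absolute destination of a 5-byte jmp/call rel32 located at insn_addr (32-bit)."""
    disp = struct.unpack_from("<i", insn, 1)[0]
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


def classify_prologue(in_memory: bytes, on_disk: bytes, func_addr: int) -> dict:
    """Compare the first bytes of an export in a live process with the clean copy.

    Returns {'hooked': bool, 'kind': 'clean' | 'jmp_rel32' | 'call_rel32' |
    'byte_patch', 'target': int | None}. For a relative branch, 'target' is the
    absolute address a hijacked CloseHandle call would land on, which the caller
    can then test against the loaded module list (anything outside a known
    module image is the injected payload from item 2).
    """
    n = min(len(in_memory), len(on_disk), 5)
    if in_memory[:n] == on_disk[:n]:
        return {"hooked": False, "kind": "clean", "target": None}
    op = in_memory[0]
    if op in (JMP_REL32, CALL_REL32) and len(in_memory) >= 5:
        kind = "jmp_rel32" if op == JMP_REL32 else "call_rel32"
        return {"hooked": True, "kind": kind,
                "target": rel32_target(in_memory[:5], func_addr)}
    # Anything else (e.g. a single overwritten byte) is still a modification.
    return {"hooked": True, "kind": "byte_patch", "target": None}


def is_padding_alias(image: bytes, target_rva: int, export_rva: int) -> bool:
    """True when target_rva points into the NOP/INT3 padding directly before
    export_rva, so executing from target_rva falls through into the export.
    This is the 'call the NOP instead of the API' trick from item 3."""
    if not (0 <= target_rva < export_rva <= len(image)):
        return False
    return all(b in PADDING_OPCODES for b in image[target_rva:export_rva])


if __name__ == "__main__":
    # Constructed demo values: an arbitrary function address and a tiny "image".
    func_addr = 0x10001000
    print("clean :", classify_prologue(CLEAN_PROLOGUE, CLEAN_PROLOGUE, func_addr))
    print("hooked:", classify_prologue(HOOKED_PROLOGUE, CLEAN_PROLOGUE, func_addr))
    image = PADDING + CLEAN_PROLOGUE          # export lives at RVA 5
    for rva in (0, 2, 5):
        print(f"call to RVA {rva}: padding alias = {is_padding_alias(image, rva, 5)}")
```

In practice the clean bytes come from the DLL on disk (relocations applied) and the in-memory bytes from the target process; a mismatch on a hot-patch prologue is the signal, and the resolved jump target tells you where the injected code lives. The padding check is the complement for the call side: a CALL whose destination is a run of NOPs ending exactly at an export is being used as an alias for that export.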


Using these techniques, the malware takes control of your mailbox to send out a copy of itself to all of the user's contacts via email, and downloads various advertising applications.

The snowflake application is detected as Worm:Win32/SnowFlake.A because of its spreading mechanism.

- Jim Wang

*Note: "桌面雪花" translates to "Desktop Snowflake".