There is a WinRAR archive circulating on the Internet named "2012桌面雪花.rar"* (SHA1: 889cf7076d4c08637e8aeedf7a90dc4a3808f991). It may be downloaded directly or arrive as an attachment in an email message, and it contains a program that claims to display beautiful snowflakes on your desktop. If you run the executable contained in the archive (file name "桌面雪花.exe", SHA1: 7255f61cada0815bc0fa2fb12f5b3c89db7e786d), it does what it claims:
It is beautiful, right?
But wait, non-beautiful things are happening behind the scenes. As you might guess, it is malicious, and that is what makes it interesting to me.
The info of the original file:
The overwritten file:
In this way, the malicious code is triggered when Windows Explorer calls CloseHandle. This is unusual.
The new CloseHandle is as follows:
It then restores the original CloseHandle.
To verify, let's take a look at the code of CloseHandle.
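The restore-after-use trick described above leaves the hook in place only briefly, so a check has to look at the function entry while it is patched. The following is an added example, not code from the original post or from the malware analysis, and it assumes the replacement is an in-process patch of the exported function's first bytes; the sample byte sequences are constructed for illustration, and the Windows-only section reads the live CloseHandle export of the running process.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hot-patchable prologue used by 32-bit kernel32 exports such as CloseHandle:
   mov edi,edi / push ebp / mov ebp,esp. Constructed sample, not read from a DLL. */
static const unsigned char clean_prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* The same entry point after being patched to divert into foreign code:
   jmp rel32 (E9) plus a 4-byte displacement. Constructed sample. */
static const unsigned char patched_prologue[] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };

/* Heuristic: returns 1 if the first bytes of a function look like a redirection
   stub rather than a normal prologue (jmp rel32, jmp rel8 as used by Microsoft-style
   hot patches, push imm32;ret, or mov eax,imm32;jmp eax), 0 otherwise. */
int looks_hooked(const unsigned char *code, size_t n)
{
    if (n >= 5 && code[0] == 0xE9) return 1;                                   /* jmp rel32 */
    if (n >= 2 && code[0] == 0xEB) return 1;                                   /* jmp rel8 */
    if (n >= 6 && code[0] == 0x68 && code[5] == 0xC3) return 1;                /* push imm32; ret */
    if (n >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) return 1; /* mov eax,imm32; jmp eax */
    return 0;
}

/* Stronger check: compare the live bytes with a trusted copy, e.g. the same export
   read from the DLL image on disk. Returns 1 if they differ. */
int differs_from_reference(const unsigned char *live, const unsigned char *ref, size_t n)
{
    return memcmp(live, ref, n) != 0;
}

int main(void)
{
    printf("constructed clean prologue hooked?   %d\n", looks_hooked(clean_prologue, sizeof clean_prologue));
    printf("constructed patched prologue hooked? %d\n", looks_hooked(patched_prologue, sizeof patched_prologue));
#ifdef _WIN32
    /* On Windows, inspect the real CloseHandle export mapped into this process. */
    const unsigned char *live =
        (const unsigned char *)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CloseHandle");
    if (live) printf("live CloseHandle hooked?             %d\n", looks_hooked(live, 8));
#endif
    return 0;
}
```

The prologue heuristic can miss hooks placed deeper in the function and can misfire on the rare function that legitimately starts with a jump, so the reference comparison is the one to rely on where a clean copy of the module is available.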
Using these techniques, the malware takes control of your mailbox to send a copy of itself to all of the user's contacts via email, and downloads various advertising applications.
The snowflake application is detected as Worm:Win32/SnowFlake.A because of its spreading mechanism.
- Jim Wang
*Note: "桌面雪花" translates to "Desktop Snowflake".