We started to receive spam that looked like:

"JENNIFER LOPEZ EXTREMLY NAKED!!! http://****/bst/rel.php", and that link in turn downloads a video.avi.exe. So far nothing special!

When run manually (by double-clicking it on my Windows system), it installed "spyware". Oh no!

[screenshot: malware]

Luckily, it soon installed an "antivirus" (a well-known rogue one, of course, which many people have blogged or complained about).

[screenshot: antimalware]

During the process it fetched a few more files, and one of them puzzled me:

> GET /soft3/common/14.gif HTTP/1.1
> Host: stat.av(xxxxxxx).com
> Range: bytes=0-
> User-Agent: Internet Explorer
> Connection: Keep-Alive

< HTTP/1.1 206 Partial Content
< Server: nginx/0.6.26
< Date: Fri, 01 Aug 2008 05:31:54 GMT
< Content-Type: image/gif
< Content-Length: 1401498
< Last-Modified: Thu, 31 Jul 2008 17:16:03 GMT
< Content-Range: bytes 0-1401497/1401498
< Connection: Keep-Alive
< GIF89ad.d....5-":4&855++.-%.$#.#"..&$$.....<;,D:4H@.ID=JLFTNMVL9D(truncated)

Offline, I downloaded it:

[screenshot: downloading]

This might be a lemur of some sort :)

[screenshot: checking]

It looks like a normal GIF file. Nothing suspicious so far, except for the question: why on earth would an antivirus (even a rogue one) need a picture of a lemur?

On my Microsoft Windows XP SP2 system, I ran XORSearch.exe with the following options:

[screenshot: key_finding]

The most "readable" result is the one for the 0x95 key. I had guessed that an 'http' string would be inside, but it would also have been a good idea to search for 'program', since every PE file carries the DOS stub message containing that word. See the PE/COFF file format specification, or, for collectors, the original Microsoft.com text.

So let's double-check:

        C:\path_kivabien\XORSearch.exe -i 14.gif program
        Found XOR 95 position 1C38: program cannot be run in DOS mode....$
        Found XOR B5 position 1C38: PROGRAM

Bingo! We can spot the ASCII phrase "!This program cannot be run in DOS mode." (the 0xB5 hit is the same text with its case flipped, because 0xB5 = 0x95 ^ 0x20 and the search was case-insensitive).

Note to self: recreate a similar tool in Python so I don't have to start my VM; big thanks to Didier anyway. Didier also wrote another cool tool called 'Translate', available here.

Back to my Terminal:

[screenshot: de-xoring]

Let's have a look at the decoded file:

[screenshot: checking2]

Damn, the file doesn't start with 'MZ' (soon followed by 'PE'), one of the characteristics of a Windows executable... so let's search for it:

[screenshot: looking]

Gotcha! We have found the DOS header, "MZ" = "4d 5a", followed by the DOS stub (the code and text sitting between "MZ" (Mark Zbikowski) and "...DOS mode....$"), and then our "PE.." = "50 45 00 00". Note that the PE signature is not at a fixed 0x3c from the DOS header: offset 0x3c holds e_lfanew, a 32-bit field that points to the PE signature. Here "MZ" is at 0x1be5 and "PE" at 0x1cb5, so e_lfanew must contain 0x1cb5 - 0x1be5 = 0xd0.

No doubt, it is a Windows executable!

We now need to carve the executable out, because a file that does not begin with the DOS header will not run.

Since the DOS header starts at 0x1be5, and some people are not comfortable with hex, we convert that offset to decimal (7141) and then use dd (from the man page: "dd -- convert and copy a file"), which is the appropriate tool here:

We now have our executable ready.

[screenshot: extracting]

It's a boy, "named" e36e9fd88dbb712decc213b98a9d98b4, weighing 1.3 MB. :-)
It's a pretty big baby!
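The whole chain above (an XORSearch-style single-byte key brute force, finding a DOS header whose e_lfanew really points at "PE\0\0", and carving from that offset as dd did), as an added example in Python that is not part of the original post and is not Didier's tool. The case-insensitive search mirrors XORSearch -i, which is why a hit shows up under both 0x95 and 0xB5. It runs against a constructed sample that mimics the real file's layout (a plaintext GIF-looking prefix of 0x1be5 bytes followed by a tiny fake PE XORed with 0x95, plus a decoy "MZ" to show why the e_lfanew check matters); the offsets 0x1be5, 0x1c38 and 0x1cb5 therefore match the post, but the sample bytes themselves are invented.

```python
"""Single-byte XOR search plus MZ/PE carving: a Python stand-in for XORSearch + dd."""
import hashlib
import struct

XOR_KEY = 0x95      # the key the post found
MZ_OFFSET = 0x1be5  # offset of the DOS header in the decoded file, as in the post
E_LFANEW = 0xd0     # PE signature offset relative to "MZ": 0x1cb5 - 0x1be5


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (bytes.translate keeps it fast)."""
    return data.translate(bytes(b ^ key for b in range(256)))


def xor_search(data: bytes, needle: bytes) -> list:
    """Try all 256 keys and report (key, offset) of the first case-insensitive hit
    for each, like XORSearch -i. A real hit for key K therefore also appears under
    K ^ 0x20 with the case flipped (0x95 'program' / 0xB5 'PROGRAM' in the post)."""
    needle = needle.lower()
    hits = []
    for key in range(256):
        pos = xor_decode(data, key).lower().find(needle)
        if pos != -1:
            hits.append((key, pos))
    return hits


def find_pe(decoded: bytes):
    """Return (mz_offset, pe_offset) of the first DOS header whose e_lfanew (the
    DWORD at +0x3c) really points at "PE\\0\\0", or None. The PE signature is not
    at a fixed distance from "MZ", and a bare "MZ" can occur by chance, so the
    pointer is followed and checked rather than trusted."""
    pos = decoded.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(decoded):
            e_lfanew = struct.unpack_from("<I", decoded, pos + 0x3c)[0]
            pe = pos + e_lfanew
            if decoded[pe:pe + 4] == b"PE\0\0":
                return pos, pe
        pos = decoded.find(b"MZ", pos + 1)
    return None


def carve(decoded: bytes, mz_offset: int) -> bytes:
    """Drop everything before the DOS header; this is what
    'dd if=decoded.bin of=out.exe bs=1 skip=7141' does for 0x1be5 = 7141."""
    return decoded[mz_offset:]


def fingerprint(blob: bytes) -> tuple:
    """(md5 hex digest, size in bytes): the two things the post reports about the baby."""
    return hashlib.md5(blob).hexdigest(), len(blob)


def build_sample() -> bytes:
    """Constructed input (not the real 14.gif): a plaintext GIF-looking prefix of
    MZ_OFFSET bytes, then a minimal fake PE XORed with XOR_KEY."""
    # Deterministic filler so the sample is reproducible.
    prefix = bytearray(b"GIF89a" + bytes((i * 37 + 11) & 0xff for i in range(MZ_OFFSET - 6)))
    # Decoy: decodes to "MZ" under 0x95, but its e_lfanew (0x10) points at filler.
    prefix[0x100:0x102] = xor_decode(b"MZ", XOR_KEY)
    prefix[0x13c:0x140] = xor_decode(struct.pack("<I", 0x10), XOR_KEY)
    exe = bytearray(0x200)
    exe[0:2] = b"MZ"
    exe[0x3c:0x40] = struct.pack("<I", E_LFANEW)
    # The classic DOS stub: 14 bytes of code (ending in 'int 21h', whose 0x21 is the '!'),
    # then the message string. 'program' lands at 0x53 from "MZ", i.e. 0x1c38 here.
    stub = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode.\r\n\r\n$"
    exe[0x40:0x40 + len(stub)] = stub
    exe[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, no timestamp/symbols, 0xe0-byte optional header, EXE flags.
    exe[E_LFANEW + 4:E_LFANEW + 24] = struct.pack("<HHIIIHH", 0x14c, 1, 0, 0, 0, 0xe0, 0x102)
    return bytes(prefix) + xor_decode(bytes(exe), XOR_KEY)


if __name__ == "__main__":
    sample = build_sample()
    for key, off in xor_search(sample, b"program"):
        print(f"Found XOR {key:02X} position {off:X}")
    decoded = xor_decode(sample, XOR_KEY)
    mz, pe = find_pe(decoded)
    print(f"MZ at {mz:#x}, e_lfanew -> PE at {pe:#x}")
    print("md5 %s, %d bytes" % fingerprint(carve(decoded, mz)))
```

Against a real capture you would read the file, call xor_search(data, b"program"), decode with the most plausible key, and carve from the offset find_pe returns; walking every "MZ" and following e_lfanew is what keeps a stray "MZ" in image data from being carved as an executable. Multi-byte keys and the ROL/ROT encodings that XORSearch also tries are out of scope for this example.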

Yesterday, the "baby" was not well known to AVs, with a relatively low VirusTotal detection rate (6 out of 34). Our own home-made multi-AV scanning engine gave the same poor results: