Description is not available. Other Resources. Free.drweb.com — free utilities, plugins and informers; av-desk.com — the Internet service for Dr.Web AV-Desk service providers. Help Removing W97M.Downloader from Mac OS X 10.7.5. I am using Norton Anti-Virus for Mac on OS X 10.7.5. I received notice yesterday of numerous W97M.Downloader infections. A full system scan revealed these can be neither quarantined nor deleted nor fixed. So, I read somewhere to try ClamXav. Dangerous Macro Malware Ahead. Macro malware has been around for a long time, and just like most malware, Mac users have largely been.
What is 'Payments Due email virus'?
Typically, malspam campaigns are disguised as legitimate and official in attempts to make them seem less suspicious.
Cyber criminals send bogus emails to trick recipients into clicking the included link (thereby downloading and opening a malicious file) or simply opening/executing the attached file. In any case, when the malicious file is executed, it installs malware onto the recipient's computer. This particular malspam campaign is used to distribute a Trojan named Gozi.
Cyber criminals behind this malspam campaign attempt to trick recipients into believing that a received email relates to a payment, and then urging them to open the attached malicious Microsoft Excel document. When opened, the document asks to enable editing and content - this is so that it can run macro commands designed to install Gozi.
This malware can log keystrokes, gather login credentials, browsing data, system information and other sensitive data. The information could be misused by cyber criminals to steal identities, make fraudulent purchases and transactions, steal accounts or for other malicious purposes.
Therefore, users who allow the attached malicious Excel document to enable editing and content might become victims of identity theft, lose access to personal accounts, suffer monetary loss, experience problems relating to online privacy, browsing safety, and other serious issues.
Therefore, the Excel document (in this case, 'tbl_236.xls', although its name might vary) attached to this email must remain unopened.
Name | Gozi trojan |
Threat Type | Trojan, password-stealing virus, banking malware, spyware. |
Hoax | This malspam campaign is disguised as an email regarding supposed payments. |
Attachment(s) | tbl_236.xls (its name might vary). |
Detection Names | ALYac (Trojan.Downloader.XLS.gen), Fortinet (MSExcel/Agent.CZQ!tr), McAfee (W97M/Downloader.czq), Symantec (Scr.MalMacro!gen2), Full List Of Detections (VirusTotal). |
Symptoms | Trojans are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine. |
Payload | Gozi |
Distribution methods | Infected email attachments, malicious online advertisements, social engineering, software 'cracks'. |
Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet. |
Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Other examples of similar malspam campaigns are 'Your Purchase Of BTC Has Started Email Virus', 'National Bank Of Greece Email Virus' and 'Black Lives Matter Email Virus'.
The main purpose of these campaigns is to trick recipients into executing a malicious file designed to infect the computer with high-risk malware, thereby helping cyber criminals to generate revenue. Some examples of malicious software that could be distributed via such emails are TrickBot, Agent Tesla, NanoCore and Dridex.
How did 'Payments Due email virus' infect my computer?
In this case, Gozi is installed on computers only when recipients open the malicious attachment ('tbl_236.xls' or a differently named Microsoft Excel document) and allow it to enable editing and content (run macro commands). Note that these malicious attachments cannot cause installation of malware as long as they remain unopened.
More examples of files that cyber criminals often attach to their emails to spread malware are other malicious Microsoft Office documents, PDF documents, executable files (.exe), JavaScript files, archives (ZIP, RAR).
How to avoid installation of malware
Ignore irrelevant emails that contain attachments or website links, especially the emails are received from unknown, suspicious addresses. In most cases, cyber criminals try to make their emails seem believable by disguising them as important, official, and so on.
Do not download or install software through third party downloaders/installers or from unofficial pages, via Peer-to-Peer networks such as torrent clients, eMule, etc. All software and files should be downloaded only from official websites and via direct links.
Update and activate installed software only with tools or implemented functions that are provided by official software developers. Other (unofficial, third party) tools often infect computers with malware. Note that it is illegal to activate licensed software with unofficial, 'cracking' tools.
Perform regular scans using reputable anti-spyware or anti-virus software and ensure that this software is kept up to date. If you have already opened 'Payments Due email virus' attachment, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Text presented in the 'Payments Due email virus' email message:
Subject: Payments 20639
Please see attached all payments due June 20 , 2020
Malicious attachment distributed via 'Payments Due email virus' spam campaign:
Instant automatic malware removal:Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo CleanerBy downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- STEP 1. Manual removal of Gozi malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically.
To remove this malware we recommend using Combo Cleaner Antivirus for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:
If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:
Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in 'Safe Mode with Networking':
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened 'General PC Settings' window, select Advanced startup.
Click the 'Restart now' button. Your computer will now restart into the 'Advanced Startup options menu'. Click the 'Troubleshoot' button, and then click the 'Advanced options' button. In the advanced option screen, click 'Startup settings'. Click the 'Restart' button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in 'Safe Mode with Networking':
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click 'Restart' while holding 'Shift' button on your keyboard.
In the 'choose an option' window click on the 'Troubleshoot', next select 'Advanced options'. In the advanced options menu select 'Startup Settings' and click on the 'Restart' button. In the following window you should click the 'F5' button on your keyboard. This will restart your operating system in safe mode with networking.
W97m.downloader Mac
Video showing how to start Windows 10 in 'Safe Mode with Networking':
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options. After this procedure, click the 'Refresh' icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose 'Delete'.
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software.
To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
W97m.downloader Mac Removal
McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro.
W97M is a malware family comprising all malicious Office files (rich text, Word, Excel, etc.) that rely on macros containing VB scripts to download and run a specific malware from its control servers. Recently McAfee Labs has seen multiple waves of W97M malware serving malware, especially:
- Ransomware such as TeslaCrypt and Locky.
- Banking Trojans such as Dridex.
Vawtrak is a multifunctional malware family with the following capabilities:
- Stealing FTP passwords from a victim’s system.
- Stealing certificates from a victim’s system.
- Stealing credentials and other information via process infection.
- Malicious code injection in web pages displayed in a browser on a victim’s system.
- Running arbitrary commands on a victim’s system.
Infection vector and analysis
W97M malware is usually served via malicious email spam campaigns. This instance of W97M, however, is served from compromised websites. These compromised websites might be used with exploit kits or phishing campaigns that trick victims into downloading and running the W97M documents.
Some URLs serving the W97M malware:
- hxxp://www.excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
- hxxp://www.ippan.x0.to/wp-content/themes/[masked]/account.doc
- hxxp://www.newbeginningsari.org.au/wp-content/[masked]/account.doc
- hxxp://www.sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
- hxxp://elveland.no/wp-content/themes/[masked]/account.doc
- hxxp://www.nightaccess.com/themes/[masked]/account.doc
- hxxp://excel-dougakaisetu.com/wordpress/wp-content/plugins/[masked]/account.doc
- hxxp://nightaccess.com/themes/[masked]/account.doc
- hxxp://www.paintballandbbthailand.com/modules/[masked]/account.doc
- hxxp://ippan.x0.to/wp-content/themes/[masked]/account.doc
- hxxp://www.elveland.no/wp-content/themes/[masked]/account.doc
- hxxp://paintballandbbthailand.com/modules/[masked]/account.doc
- hxxp://sternschule-uelzen.de/wp-content/plugins/[masked]/account.doc
- hxxp://www.yacht-energy.fr/wp-content/themes/[masked]/account.doc
The W97M sample appears to have an RSA-encrypted message embedded in its contents. The document asks the victim to “enable content” to view the decrypted contents of the document. This is a standard trick to get the victim to enable the malicious macro, which drops an embedded executable and executes it.
Contents of a malicious W97M document.
The document contains the malicious .exe embedded inside one of its forms. We have seen other examples of W97M embedding commands in forms but not as in the preceding example, in which the entire .exe is embedded in the document.
Embedded .exe in a Visual Basic form.
The malicious macro reads the contents of the form and writes it into an executable in the %temp% directory.
Malicious macro code in the W97M malware.
Second-stage executable
The executable dropped in the %temp% directory is a VB 6 binary. The code is decrypted at runtime and the malware creates a suspended copy of itself that is injected with the malicious code. This malware is a variant of Pony malware.
The primary functions of the second-stage binary:
- Steal FTP and other login credentials from known FTP software.
- Download and run the third-stage binary (Vawtrak).
Strings in the second-stage malware indicate the theft of FTP credentials.
Once the second-stage binary has all the credentials it can find, it sends the stolen data to the following control servers:
- hxxp://tittertte.ru/sliva/gate.php
- hxxp://tythetru.ru/sliva/gate.php
- hxxp://rulahat.ru/sliva/gate.php
These domains appear to be under the attacker(s) control:
- They are registered with the same registrar with registrant information hidden.
- They were registered on the same dates.
- They expire on the same dates.
This malware targets the following software for credentials:
- Far Manager
- Total Commander
- Ipswitch WS_FTP
- CuteFTP
- FlashFXP
- FileZilla
- FTP Navigator
- Bulletproof FTP
- Smart FTP
- Turbo FTP
- FFFTP
- FTP++
- GoFTP
- Cofeecup FTP
- CoreFTP
- FTP explorer
- LeapFTP
- WinSCP
- 32BitFTP
- ClassicFTP
- SoftX FTP client
- UltraFXP
- FTPRush
- FTPControl
- FTPVoyager
- LeechFTP
- Estsoft ALFTP
- DeluxeFTP
- Staff FTP
- FTP Visicom Media
- AceBit WiseFTP
- FreshFTP
- BlazeFTP
- 3D-FTP
- EasyFTP
- Winzip FTP
- WinFTP
- FTPSurfer
- FTPGetter
- FTPNow
- Robo-FTP 3.7
- Linas FTP Site Manager
- Notepad++ FTP
- Coffeecup ftp profile
- FTPShell
- MyFTP
- NovaFTP
- Yandex
- Adobe Common SiteServers
- Frigate3
- SecureFX
- Cryer WebsitePublisher
- BitKinex
- ExpanDrive
- NCH Software Fling
- Directory Opus
- NetDrive
- Webdrive
- Opera
- Firefox
- Firefox FireFTP
- Mozilla Seamonkey
- Mozilla Flock
- Mozilla Profiles
- SiteInfo.qfp SpeedFTP
- Chrome login and web data
- Chromium login and web data
- Chrome plus login and web data
- Bromium login and web data
- Nichrome login and web data
- Comodo login and web data
- RockMelt login and web data
- K-Meleon profile data
- Epic profile data
- GlobalDownloader
- NetSarang
- RDP
- CyberDuck
- Putty
- MAS Soft FTPInfo
- NexusFile
- FastStone Browser FTPlist
- MapleStudio Chromeplus
- Windows Live Mail
- Windows Mail
- RimArts Mail
- Pocomail
- Incredimail
- BatMail
- MS Internet Account Manager
- Thunderbird
Once the second-stage malware has uploaded the stolen credentials to the control server, it downloads the third-stage malware from a different set of control servers and runs it:
- hxxp://awc.asia/wp-content/themes/[masked]/hsg.exe
- hxxp://teatromanzonicassino.it/wp-content/themes/[masked]/hsg.exe
- hxxp://www.bisaim.com/wp-content/themes/[masked]/hsg.exe
Third-stage executable
The third-stage executable is the Vawtrak payload (also a VB 6 binary).
The primary purpose of the binary is to infect other running processes in the system and:
- Steal security certificates.
- Infect Chrome and Firefox processes to inject malicious code into browsed web pages.
- Steal financial login credentials for banks.
Process infection and API hooking
The malware spreads across the system by injecting its code into any process that doesn’t appear on the following whitelist:
- csrss.exe
- smss.exe
- wininit.exe
- services.exe
- svchost.exe
- lsas.exe
- lsm.exe
- winlogon.exe
- dbgview.exe
- taskhost.exe
The malware also looks for the following processes to establish API hooks:
- Internet Explorer
- HttpEndRequest, HttpOpenRequest, HttpQueryInfo, HttpSendRequest,
- InternetConnect, InternetQueryDataAvailable, InternetQueryOption, InternetReadFile.
- Firefox
- PR_Close, PR_Read, PR_Write, PR_Close, etc.
- Chrome
- LoadLibrary, PFXImportCertStore, etc.
- Other processes
- CreateProcessInternal: To infect any new process spawned by this process.
- PFXImportCertStore: To steal certificate information from the victim.
API hooks established by the third-stage malware.
The malware uploads the stolen data to one of the following control servers:
- castuning.ru/rss/feed/stream
- mgsmedia.ru/rss/feed/stream
- puropea.com/rss/feed/stream
- futooke.com/rss/feed/stream
- citroxi.com/rss/feed/stream
Infection chain
The stages of infection are illustrated in the following figure:
Anti-VM measures
Both the second- and third-stage binaries of Vawtrak check the monitor resolution using User32.GetMonitorInfoA to make sure the malware isn’t running in a virtual machine. The malware binaries check to make sure the monitor resolution is greater than 800×600. This technique is employed to thwart some behavior-based detection systems.
Vawtrak’s monitor-resolution check.
Conclusion
This W97M malware differs from typical W97M malware due to the embedded binary inside the document. This tactic could be a result of the increased focus in the security community on W97M and the subsequent blacklisting of its control servers. Embedding an .exe in the doc file removes the need to contact a control server to download and execute the second-stage malware.
The encryption mechanisms and the use of VB 6 in both the second and third stages indicate that both instances of the malware share a common codebase, suggesting they could have been written by the same party.
MD5s
W97M samples. These samples are detected by McAfee as “W97M/Dropper.ao.”
- e56a57acf528b8cd340ae039519d5150
- 040c51e8c9118cc113c380d530984ba8
- ef10ea1a8b342dd9f6d1cec46fcd3c0f
Second-stage malware: These samples are detected as “Generic.xy.”
- 4b7623945d31ecd6ff1ed13f0ba1d6e0
Third-stage malware: These samples are detected as “RDN/Generic.cf” and “Vawtrak-FBB.”
- 3e631d530267a38e65afc5b012d4ff0c
Yara rule for W97M Vawtrak dropper
rule W97M_Vawtrak_dropper
{
meta:
author=”McAfee”
description=”W97M_Vawtrak_Dropper”
strings:
$asterismal=”asterismal”
$bootlicking=”bootlicking”
$shell=”WScript.Shell”
$temp=”%temp%”
$oxygon=”oxygon.exe”
$saxhorn = “saxhorn”
$fire = “Fire”
$bin= “546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e”
condition:
all of them
}