When checking some URLs at MX Lab, this one caught our attention because it uses a nice trick to distribute malware: it lures people who want high speed internet for free. Don’t we all want this? I believe so, but this one isn’t going to offer you high speed internet at all.
The URL points to hxxp://comcast.corporate.history.userguide-csebfhah6.interstitialcontrol.43534online.com/highspeedinternet.html?/permissions/specialoffer=jt4uffle9qdyzzp.

The website starts with a very nice offer:
Attention All Customers: March 19, 2009
Comcast High Speed Self Installation Kit v.4 is a special utility designed to boost the speed of your connection. This tool has advanced features of the 3rd generation high speed internet with multiple connections, download scheduling, and many more. It is free proposition for all Comcast clients (any connection) for 300 days.
The instructions are very simple: download the 36 kB file ComcastHSkit.exe. In most browsers the download starts automatically after a few seconds.
When we submitted the file to Virus Total, 6 of the 39 engines detected this malware, as TR/Crypt.FKM.Gen (AntiVir), Trojan.Crypt.FKM.Gen (McAfee GW Edition) or Mal/EncPk-HJ (Sophos).
The malware contains Rootkit.Agent.EX, which hides its presence on the infected machine in order to perform malicious actions without the user’s knowledge. The following files are created on an infected machine: %Windir%\9129837.ex, %System%\abcdefg.bat and %Windir%\new_drv.sys (a hidden file).
A new hidden process, 9129837.exe, is started and the following system services are stopped on the computer: ALG (Application Layer Gateway Service), SharedAccess (Windows Firewall/Internet Connection Sharing) and wscsvc (Security Center). The malware then connects to the IP 58.65.232.17 on server port 80 and issues one of the following GET requests:
cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
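The two beacon URLs above give a defender a usable network indicator: the C2 address, the two CGI endpoints and a fixed set of query parameters. The following script is an added example (not from the original post, and not MX Lab's code) that scans proxy log lines for that pattern. The log layout (timestamp, client IP, method, URL) and the sample lines are constructed for the example; the IP, paths and parameter names come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 indicators taken from the post: server IP and the two CGI endpoints.
C2_IP = "58.65.232.17"
C2_PATHS = ("/cgi-bin/cmd.cgi", "/cgi-bin/options.cgi")
# Query parameters every observed beacon carries.
BEACON_KEYS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed sample proxy log (assumed layout: timestamp, client IP, method, URL).
# Two beacons, one benign request and one non-beacon request to the C2 host.
SAMPLE_LOG = """\
1237449601.123 10.0.0.12 GET http://58.65.232.17/cgi-bin/cmd.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
1237449605.456 10.0.0.12 GET http://www.example.com/index.html
1237449610.789 10.0.0.33 GET http://58.65.232.17/cgi-bin/options.cgi?user_id=412227526&version_id=12&passphrase=fkjvhsdvlksdhvlsd&socks=14477&version=125&crc=00000000
1237449620.000 10.0.0.44 GET http://58.65.232.17/images/logo.png
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_url(url):
    """Classify one URL against the indicators.

    Returns None for unrelated traffic, {"match": "c2_host"} for any request
    to the C2 address, and a "beacon" record with the extracted fields when the
    path and the full parameter set match the observed check-in format.
    """
    parts = urlsplit(url)
    if (parts.hostname or "") != C2_IP:
        return None
    query = parse_qs(parts.query)
    if parts.path in C2_PATHS and BEACON_KEYS <= set(query):
        return {
            "match": "beacon",
            "endpoint": parts.path.rsplit("/", 1)[-1],
            "user_id": query["user_id"][0],
            "version_id": query["version_id"][0],
            "socks_port": int(query["socks"][0]),
        }
    return {"match": "c2_host"}


def scan_log(text):
    """Parse log lines and return (client IP, classification) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        result = classify_url(m.group("url"))
        if result:
            hits.append((m.group("client"), result))
    return hits


if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_LOG):
        if info["match"] == "beacon":
            print(f"{client}: beacon to {info['endpoint']} user_id={info['user_id']} socks={info['socks_port']}")
        else:
            print(f"{client}: other traffic to C2 host")
```

Any request to the C2 host is reported, not only full beacons, because the check-in format can change between versions while the address stays the same; the extracted socks port and user_id are the fields worth correlating across infected clients.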
According to other blog posts, the IP 58.65.232.17 is involved in more malicious activities. The server has been reported as relocated from Ukraine to Hong Kong. Here are some articles:
http://www.f-secure.com/weblog/archives/00001625.html
http://garwarner.blogspot.com
Virus Total permalink and MD5: 8bf819ad4704aab758f86684a108c2a1.