[clamav-win32] Marica/Kukuriba -- Win Malware?

Alex alex0192 at gmail.com
Fri Nov 18 07:46:19 CET 2011


Hello,

A complete newbie here, with a little problem.

I'm looking for info and advice about a piece of Win malware (perhaps), involving the names "kukuriba", "marica", and "Loesrmx".


Here are the details.

A few days ago, a colleague attended a conference in Asia. He used a FAT32-formatted USB thumb drive to copy a presentation from his Win XP laptop to one of the public PCs at the site. (He did not connect the thumb drive to his PC afterwards.)

Today, he gave me (Mac OS X) the thumb drive and asked me to copy some files to it. Immediately I noticed at the root level of the drive a folder named "kukuriba", which could not have had anything to do with the conference or his presentation; the folder contained only the file "marica.exe", approx 96k. My colleague confirmed he hadn't copied it and didn't know anything about it. The modification date was 2011/04/26 for "marica.exe"; for the "kukuriba" directory and the "autorun.inf" file (see below), they coincided with the time when he attached his thumb drive to the public PC.

First, I used ClamXav (Mac OS X GUI for ClamAV; v2.2.2 (252), engine v0.97.2) to scan the USB drive, but it gave it a clean bill of health.

Then I googled it, but found few solid hits. The most reliable appeared to be this one

<http://www.virustotal.com/file-scan/report.html?id=27ce421fa2c0069f44a7e63073a4494f90a358a58018e4ce468aeac8d23d1687-1310399637>

which indicated I was dealing with some kind of malware, identified by some, missed by many others, (including Clam), but without any indication of what it was supposed to do.

Next, I looked for an "autorun.inf" file, and, surely enough, one had been created and modified immediately after the "kukuriba" directory:

	=====
	[autorun]
	USEAUTOPLAY=1
	shellexcute=kukuriba/marica.exe
	Shellwips
	shell\\Explore\\command=kukuriba/marica.exe
	shell\Open\\command=kukuriba/marica.exe
	icon=kukuriba/marica.exe
	open=kukuriba/marica.exe
	action=Open folder to view files using Windows Explorer
	=====

Finally, I used a hex editor to look at the "marica.exe" file, and extracted

	Copyright (c) Loesrmx Software 1995-2011
	Original Filename Loesrmx.exe
	File Version 881

Knowing little about malware and little more about Win, I'm left in a quandary.

On one hand, this item behaves like malware -- it was copied to the thumb drive and an autorun.inf file created without user notice or permission.

OTOH, for malware, it doesn't seem to try very hard to hide itself. As for the autorun.inf file, does Win interpret correctly paths with a slash (/) instead of a backslash (\)? And wouldn't Win XP or later launch Autoplay instead of executing "marica.exe" or opening the "kukuriba" directory? 

So what is this, and what should I do?

Should I submit it to the ClamAV database? (And if so, just "marica.exe", or both it and the autorun.inf file?) Warn other conference participants about it?

Or could it be an obnoxious, but not malevolent, piece of software installed by whatever was running legitimately on the public PC, perhaps same advertising engine?

Thanks for your patience.







More information about the clamav-win32 mailing list