[clamav-win32] Marica/Kukuriba -- Win Malware?

Matt Watchinski mwatchinski at sourcefire.com
Tue Nov 22 18:54:11 CET 2011


If you submit it to ClamAV (http://cgi.clamav.net/sendvirus.cgi), once
it's investigated you'll be notified if it's malicious or not.

Cheers,
-matt

On Fri, Nov 18, 2011 at 1:46 AM, Alex <alex0192 at gmail.com> wrote:
> Hello,
>
> A complete newbie here, with a little problem.
>
> I'm looking for info and advice about a piece of Win malware (perhaps), involving the names "kukuriba", "marica", and "Loesrmx".
>
>
> Here are the details.
>
> A few days ago, a colleague attended a conference in Asia. He used a FAT32-formatted USB thumb drive to copy a presentation from his Win XP laptop to one of the public PCs at the site. (He did not connect the thumb drive to his PC afterwards.)
>
> Today, he gave me (Mac OS X) the thumb drive and asked me to copy some files to it. Immediately I noticed at the root level of the drive a folder named "kukuriba", which could not have had anything to do with the conference or his presentation; the folder contained only the file "marica.exe", approx 96k. My colleague confirmed he hadn't copied it and didn't know anything about it. The modification date was 2011/04/26 for "marica.exe"; for the "kukuriba" directory and the "autorun.inf" file (see below), they coincided with the time when he attached his thumb drive to the public PC.
>
> First, I used ClamXav (Mac OS X GUI for ClamAV; v2.2.2 (252), engine v0.97.2) to scan the USB drive, but it gave it a clean bill of health.
>
> Then I googled it, but found few solid hits. The most reliable appeared to be this one
>
> <http://www.virustotal.com/file-scan/report.html?id=27ce421fa2c0069f44a7e63073a4494f90a358a58018e4ce468aeac8d23d1687-1310399637>
>
> which indicated I was dealing with some kind of malware, identified by some, missed by many others (including Clam), but without any indication of what it was supposed to do.
>
> Next, I looked for an "autorun.inf" file, and, surely enough, one had been created and modified immediately after the "kukuriba" directory:
>
>        =====
>        [autorun]
>        USEAUTOPLAY=1
>        shellexcute=kukuriba/marica.exe
>        Shellwips
>        shell\\Explore\\command=kukuriba/marica.exe
>        shell\Open\\command=kukuriba/marica.exe
>        icon=kukuriba/marica.exe
>        open=kukuriba/marica.exe
>        action=Open folder to view files using Windows Explorer
>        =====
>
> Finally, I used a hex editor to look at the "marica.exe" file, and extracted
>
>        Copyright (c) Loesrmx Software 1995-2011
>        Original Filename Loesrmx.exe
>        File Version 881
>
> Knowing little about malware and little more about Win, I'm left in a quandary.
>
> On one hand, this item behaves like malware -- it was copied to the thumb drive and an autorun.inf file created without user notice or permission.
>
> OTOH, for malware, it doesn't seem to try very hard to hide itself. As for the autorun.inf file, does Win interpret correctly paths with a slash (/) instead of a backslash (\)? And wouldn't Win XP or later launch Autoplay instead of executing "marica.exe" or opening the "kukuriba" directory?
>
> So what is this, and what should I do?
>
> Should I submit it to the ClamAV database? (And if so, just "marica.exe", or both it and the autorun.inf file?) Warn other conference participants about it?
>
> Or could it be an obnoxious, but not malevolent, piece of software installed by whatever was running legitimately on the public PC, perhaps some advertising engine?
>
> Thanks for your patience.
>



-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
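An added triage script for the kind of autorun.inf quoted in the post above (example code written for this page, not from the thread, from ClamAV or from Sourcefire). It parses the [autorun] section without executing anything, normalises both path separators so the report does not depend on how Windows treats "/" versus "\", reports every key that would launch a program from the drive (open, shellexecute, and shell\<verb>\command entries), and lists keys Windows does not recognise, since misspellings like "shellexcute" are themselves worth recording. The sample content is the autorun.inf from the post; the rule that any launch key is enough to quarantine the stick is this example's own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keys whose value is a program that would be run, or offered as the default
# action, when the drive is inserted or opened in Explorer.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> defines what the named context-menu verb runs.
# One or more backslashes are accepted because quoted copies of such files
# often show doubled separators, as in the post above.
SHELL_COMMAND_RE = re.compile(r"^shell\\+([^\\]+)\\+command$", re.IGNORECASE)
# Documented keys that do not by themselves run code.
BENIGN_KEYS = {"icon", "label", "action", "useautoplay"}

# Content reproduced from the post above; a raw string keeps the backslashes
# exactly as quoted there.
SAMPLE_AUTORUN = r"""[autorun]
USEAUTOPLAY=1
shellexcute=kukuriba/marica.exe
Shellwips
shell\\Explore\\command=kukuriba/marica.exe
shell\Open\\command=kukuriba/marica.exe
icon=kukuriba/marica.exe
open=kukuriba/marica.exe
action=Open folder to view files using Windows Explorer
"""


@dataclass
class Finding:
    key: str      # key exactly as written in the file
    target: str   # launch target with separators normalised to a single backslash
    reason: str


@dataclass
class TriageReport:
    findings: List[Finding] = field(default_factory=list)
    unknown_keys: List[str] = field(default_factory=list)
    action_lure: Optional[str] = None   # text Explorer would show as the default action

    def is_suspicious(self) -> bool:
        # Assumption of this example: one launch key is enough to pull the
        # stick for analysis rather than use it.
        return bool(self.findings)


def normalize_target(value: str) -> str:
    """Strip surrounding quotes and collapse / and repeated \\ into one backslash."""
    return re.sub(r"[\\/]+", r"\\", value.strip().strip('"'))


def parse_autorun(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (key, value) pairs from the [autorun] section in file order.
    Lines without '=' are kept with value None so they can be reported."""
    entries: List[Tuple[str, Optional[str]]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section:
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def triage(text: str) -> TriageReport:
    """Classify every key of an autorun.inf; never runs or opens the target."""
    report = TriageReport()
    for key, value in parse_autorun(text):
        lower = key.lower()
        verb = SHELL_COMMAND_RE.match(key)
        if value is not None and lower in EXEC_KEYS:
            report.findings.append(Finding(key, normalize_target(value), "launch key"))
        elif value is not None and verb:
            report.findings.append(
                Finding(key, normalize_target(value), f"defines the '{verb.group(1)}' verb"))
        elif lower == "action" and value:
            report.action_lure = value
        elif lower in BENIGN_KEYS:
            continue
        else:
            # Misspelled or undocumented keys are ignored by Windows, but a
            # file full of them is an indicator in its own right.
            report.unknown_keys.append(key)
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_AUTORUN)
    print("suspicious:", rep.is_suspicious())
    for f in rep.findings:
        print(f"  {f.key!r} -> {f.target} ({f.reason})")
    print("unknown keys:", rep.unknown_keys)
    print("action text shown to the user:", rep.action_lure)
```

Run it against a copy of the autorun.inf taken from the stick on a non-Windows machine, as the poster did; the report lists the three launch entries all pointing at kukuriba\marica.exe, the two unrecognised keys, and the "Open folder to view files" text that would be displayed as the default action.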

