
May 22nd, 2009

Inside Win32:Allaple

Win32:Allaple was a successful worm a few years ago. Some instances of the worm are still in the wild today, but the first outbreak was notably larger. The payload is a nice piece of polymorphic code; let's look at what it looks like and how it works.

[Image: alla_stg00]

The picture shows the character of Allaple. The code in the new block is built from immediate arguments, which are written into the buffer in several different ways (mov, add, or, xor and stosd all have the same effect here, because the buffer was initially filled with zeros). This obfuscated code keeps constructing the block at 40FA84 and then jumps to it immediately. The next picture shows the mentioned code block.
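The observation above is what makes the first layer easy to handle during analysis: instead of reading every obfuscated write, an analyst can replay the writes into a zero-filled buffer and dump the finished block. The script below is an added example written for this post (it is not Allaple's code and not part of the original analysis); it takes a small, constructed write trace in a simplified mnemonic syntax, uses the block address 40FA84 quoted above as the buffer base, and shows that the rebuilt bytes are identical whether the writer used mov, add, or, xor or stosd. The immediates in the trace are arbitrary placeholder values, not bytes from the sample.

```python
import re

BLOCK_BASE = 0x40FA84  # address of the constructed block, taken from the post

# Simplified trace syntax (constructed for this example, not a real debugger log):
#   "<mov|add|or|xor> dword [0x<addr>], 0x<imm>", "mov eax, 0x<imm>",
#   "mov edi, 0x<addr>" and "stosd" (stores eax at [edi] and advances edi by 4).
_MEM_WRITE = re.compile(
    r"^(mov|add|or|xor)\s+dword\s*\[0x([0-9A-Fa-f]+)\],\s*0x([0-9A-Fa-f]+)$"
)

SAMPLE_TRACE = [
    "mov dword [0x40FA84], 0x11223344",
    "xor dword [0x40FA88], 0x55667788",   # xor into zeros == plain store
    "mov eax, 0x99AABBCC",
    "mov edi, 0x40FA8C",
    "stosd",                              # rep-style store via edi/eax
    "or dword [0x40FA90], 0x000000DD",    # or into zeros == plain store
]


def rebuild_block(trace, base=BLOCK_BASE, size=16):
    """Replay a trace of 32-bit writes into a zero-filled buffer of `size` bytes.

    Because every location starts as zero, mov/add/or/xor all leave the same
    value behind, so the final bytes do not depend on which mnemonic was used.
    """
    buf = bytearray(size)
    eax, edi = 0, base
    for raw in trace:
        line = raw.strip()
        m = _MEM_WRITE.match(line)
        if m:
            op, addr, imm = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
            off = addr - base
            if not 0 <= off <= size - 4:
                raise ValueError(f"write outside block: {line}")
            old = int.from_bytes(buf[off:off + 4], "little")
            new = {
                "mov": imm,
                "add": (old + imm) & 0xFFFFFFFF,
                "or": old | imm,
                "xor": old ^ imm,
            }[op]
            buf[off:off + 4] = new.to_bytes(4, "little")
        elif line.startswith("mov eax,"):
            eax = int(line.split(",", 1)[1], 16)
        elif line.startswith("mov edi,"):
            edi = int(line.split(",", 1)[1], 16)
        elif line == "stosd":
            off = edi - base
            if not 0 <= off <= size - 4:
                raise ValueError(f"stosd outside block at {edi:#x}")
            buf[off:off + 4] = eax.to_bytes(4, "little")
            edi += 4
        else:
            raise ValueError(f"unsupported trace line: {line}")
    return bytes(buf)


def normalise_trace(trace):
    """Rewrite every add/or/xor memory write as a mov.

    On a zero-initialised buffer this is a behaviour-preserving simplification,
    which is exactly why the mnemonic variation adds no real obfuscation value.
    """
    return [re.sub(r"^(add|or|xor)\s+dword", "mov dword", t.strip()) for t in trace]


if __name__ == "__main__":
    block = rebuild_block(SAMPLE_TRACE)
    print(block.hex())
    print(rebuild_block(normalise_trace(SAMPLE_TRACE)) == block)
```

Running the script prints the rebuilt 16-byte block and confirms that the mov-only version of the trace produces the same bytes. In a real session the trace would come from a debugger or an emulator, and the rebuilt buffer would be dumped at the jump into 40FA84 for disassembly.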

[Image: alla_stg01]

We’ve seen this scheme before (in the first obfuscation layer). No surprise, nothing more to explain, let’s move on. After finishing this block of code we can see something new, something interesting.

[Image: alla_stg02]

As described in the picture above, this code decrypts another code block (the one responsible for unpacking a binary, as we will see later) and decrypts the data section (which contains the binary). The data at the beginning of the first section (401000) are used to compute the decryption key. So we now have some decrypted data and another code snippet, which is shown and described below.

[Image: alla_stg03]

After loading a few API functions, the code looks for its data section, which contains a PE image compressed with aPLib. It then decompresses the image and drops it to disk. The screenshots of the packed stream (with some patterns typical of LZ compression visible) and of the old, well-known aPLib decompressor (with its characteristic constants) are here:

[Image: alla_stg04]

[Image: alla_stg05]
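Recognising the aPLib decompressor in the screenshot above means the embedded PE image can be recovered statically, without letting the dropper run. The following Python is an added example for this post, not code from the sample or from the aPLib distribution: `ap_depack` is a straight reimplementation of the public aPLib depack algorithm (literal, 4-bit-offset, 7-bit-offset and gamma-coded long-match commands, plus the reuse-last-offset case and the end marker), and `build_sample_stream` constructs a tiny compressed stream by hand so the decoder can be exercised offline. The constructed stream and the expected plaintext are this example's own test data; Allaple's real packed section is simply fed to `ap_depack` in place of it.

```python
def ap_depack(src):
    """Decode an aPLib stream (the format Allaple's dropper unpacks)."""
    src = bytes(src)
    pos, tag, bitcount = 0, 0, 0
    out = bytearray()

    def getbit():
        nonlocal pos, tag, bitcount
        if bitcount == 0:              # tag bytes are interleaved with data bytes
            tag, pos, bitcount = src[pos], pos + 1, 8
        bitcount -= 1
        return (tag >> bitcount) & 1

    def getgamma():                    # Elias-gamma style code, value >= 2
        result = 1
        while True:
            result = (result << 1) | getbit()
            if not getbit():
                return result

    def copy_match(offs, length):      # LZ back-reference, may overlap itself
        for _ in range(length):
            out.append(out[-offs])

    out.append(src[pos]); pos += 1     # first byte is always a raw literal
    r0, lwm = 0, 0                     # last offset, "last was match" flag
    while True:
        if not getbit():               # 0      : literal byte
            out.append(src[pos]); pos += 1
            lwm = 0
        elif not getbit():             # 10     : long match, or reuse of last offset
            g = getgamma()
            if lwm == 0 and g == 2:
                copy_match(r0, getgamma())
            else:
                offs = ((g - (3 if lwm == 0 else 2)) << 8) | src[pos]; pos += 1
                length = getgamma()
                if offs >= 32000: length += 1
                if offs >= 1280: length += 1
                if offs < 128: length += 2
                copy_match(offs, length)
                r0 = offs
            lwm = 1
        elif not getbit():             # 110    : 7-bit offset, length 2 or 3
            b = src[pos]; pos += 1
            length, offs = 2 + (b & 1), b >> 1
            if offs == 0:
                break                  # offset 0 is the end-of-stream marker
            copy_match(offs, length)
            r0, lwm = offs, 1
        else:                          # 111    : one byte from a 4-bit offset (0 = zero byte)
            offs = 0
            for _ in range(4):
                offs = (offs << 1) | getbit()
            out.append(out[-offs] if offs else 0)
            lwm = 0
    return bytes(out)


class _ApWriter:
    """Tiny bit/byte writer that places tag bytes exactly where ap_depack reads them."""
    def __init__(self):
        self.out, self.tag_pos, self.nbits = bytearray(), None, 0
    def bit(self, b):
        if self.nbits == 0:
            self.tag_pos, self.nbits = len(self.out), 8
            self.out.append(0)
        self.nbits -= 1
        if b:
            self.out[self.tag_pos] |= 1 << self.nbits
    def bits(self, value, width):
        for i in range(width - 1, -1, -1):
            self.bit((value >> i) & 1)
    def byte(self, v):
        self.out.append(v & 0xFF)
    def gamma(self, n):                # inverse of getgamma, n >= 2
        payload = bin(n)[3:]           # drop the implicit leading 1
        for i, ch in enumerate(payload):
            self.bit(int(ch))
            self.bit(1 if i < len(payload) - 1 else 0)


def build_sample_stream():
    """Hand-assemble a constructed aPLib stream covering every command type."""
    w = _ApWriter()
    w.byte(ord("A"))                                    # raw first literal
    for ch in b"BCD":
        w.bit(0); w.byte(ch)                            # literals -> "ABCD"
    w.bit(1); w.bit(0); w.gamma(3); w.byte(4); w.gamma(2)   # long match, offs 4, len 4 -> "ABCD"
    w.bit(0); w.byte(ord("E"))                          # literal "E"
    w.bit(1); w.bit(0); w.gamma(2); w.gamma(3)          # reuse offs 4, len 3 -> "BCD"
    w.bit(1); w.bit(1); w.bit(1); w.bits(0, 4)          # 4-bit offs 0 -> zero byte
    w.bit(1); w.bit(1); w.bit(1); w.bits(3, 4)          # 4-bit offs 3 -> "C"
    w.bit(1); w.bit(1); w.bit(0); w.byte((2 << 1) | 0)  # short match, offs 2, len 2 -> "\x00C"
    w.bit(1); w.bit(1); w.bit(0); w.byte(0)             # end marker
    return bytes(w.out)


if __name__ == "__main__":
    print(ap_depack(build_sample_stream()))
```

To unpack the real sample, carve the data section the post describes and pass it to `ap_depack`; a plausible result starts with the MZ/PE headers and can be written out as the dropped dmhelpserver.exe for further analysis. The decoder deliberately raises IndexError rather than guessing when a truncated or corrupt stream references bytes it does not have.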

Great, now we have the unpacked binary. Internally it is called dmhelpserver.exe. It is able to register itself as an OLE object in the registry, and it also contains the executive part that propagates the worm over networks. The next picture shows the list of dictionary items and the preformatted strings used to construct the CLSID (used as the object identifier when infecting HTML pages by object injection).

[Image: alla_stg06]

The last picture shows part of the replicating engine. This particular snippet contains the data used to exploit a DCOM vulnerability, which is one of the ways Allaple spreads.

[Image: alla_stg07]

Last but not least, the VirusTotal results for the original binary: http://www.virustotal.com/en/analisis/d34ac8c0bb9ca6b22413d33ce607dc78 and for the dropped binary: http://www.virustotal.com/en/analisis/828d18a361867fa5d8f9a063bcb75d7a
