Jump to content

New variants of Weatherman trojan discovered


tacosteam
 Share

Recommended Posts

Given ESET has helped me out in the past with virus removal tools I thought I'd post here first :) . 10 days ago I installed software from vttp://stereomixplus.com (replace v with h) to allow streaming my own internal PC audio online. After a few minutes I started noticing multiple background chrome processes making 200+ connections to different IPs. Initially hoping it was just an infection confined to Chrome I uninstalled, but then noticed exactly the same thing with background internet explorer processes in Kaspersky network monitor, so I blocked all connections, did numerous scans with various anti adware and malware scanners, and with Adwcleaner discovered numerous leftovers from Lavasoft Web Companion so I initially put it down to this. However, after a few days I unblocked internet explorer in Kaspersky, but required permission, I was then alerted when an encrypted connection was attempted to be made to vast.ssp.optimatic.com, so I blocked that and then checked Kaspersky Network Monitor.

 

Again, there were 200+ connections to different ips in a background Internet Explorer process, so I blocked all net access, and blocked internet explorer again in Kaspersky settings. However, I then looked at process explorer, and I could see the 2nd highest cpu usage was by interstatnogui.exe located at C:\Users\YOURUSERNAME\AppData\Roaming\Interstatnogui , and it turns out this file was installed as I installed the Stereo_Mix_Plus_Setup.exe

 

Looking at the strings of the exe in process explorer (attached as txt), I found quite a bit of data that links it to other malware, including the Weatherman trojan by the fact the programmer has put his user account name Ozrenko ,  the use of the Interstat theme, weather data in the strings, links to vttp://interstat.eu (replace v with h) classified as a malicious site by numerous providers:

 

https://www.virustotal.com/en/url/826307362cf601012c703e9510275310a2876fd55505b6618656d8732f0c7d02/analysis/

 

I summed most of this up, with virustotal and reasoncore links on tenforums in this post

 

hxxp://www.tenforums.com/antivirus-firewalls-system-security/63767-hundreds-hidden-chrome-now-ie-processes-after-installing-software-3.html#post820218

 

All the exes I think are variants

 

inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe

 

inter_weather_v320.exe interstat.exe gpupd55f74af50.exe inter_weather2.exe

 

softwebbar.exe sftwbbr_v333.exe

 

NetworkMonitor.exe

 

BandwidthMon.exe  bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe

interstatnogui.exe - Copy.txt

Link to comment
Share on other sites

Just a quick note to say I posted about this on freefixer, and someone observed the exact same behaviour - hundreds of background connections in Chrome, which they uninstalled, only to be followed by the same thing in a background internet explorer process

 

hxxp://www.freefixer.com/library/file/interstatnogui.exe-206720/#comment11230

 

Roger Karlsson, the owner of freefixer, tested Stereo_Mix_Plus_Setup.exe in a virtual machine, but in his case a different adware was offered, so it looks like it might vary what is installed depending on location or your system. The stereo mix plus software seems to originate in China with a company named Shining Morning Inc. which has past form on installing adware at the very least with its magic camera software

https://www.virustotal.com/en/file/c346ca58021c94b9411e132d9d19b65cc60dc870bacdf117cd65a78fd9ea1aad/analysis/

https://www.virustotal.com/en/file/4b5263f6121fff63c1d19b336714b8c9b0fdc012d8e908b08b8f8b9807d95c74/analysis/

Edited by tacosteam
Link to comment
Share on other sites

A new version of Weatherman I just found, compiled in April, version 1.0.3.40, compared to older version number 1.0.3.18 had by previous Weatherman and variants

interstatnogui ( inetstat.exe interstat.exe speedtray.exe isup.exe UserMon.exe )

BandwidthMon ( BandwidthMon.exe aka bandwidthstat.exe speedmon.exe inter_bandwidth_v339.exe )

User Monitor ( UserMon.exe aka softwebbar.exe sftwbbr_v333.exe )


https://www.virustotal.com/en/file/1d44605d58be5df7fe72a3412b486186d56d485365babf26f06efcfdd84efcf5/analysis/

Link to comment
Share on other sites

A variant of its Network Monitor incarnation with varying version numbers, now detected by 15 providers (not yet ESET) as a Trojan

1.3.4.2
1.3.4.3
1.4.3.2

confirmed links to interstat from variant filenames in strings interstat.exe inetstat.exe bandwidthstat.exe

https://www.virustotal.com/en/file/6d357e1f8f2a27accedf350f63718326299c8f14d567cc1f75f4054aab859379/analysis/

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...