
Malware using the _OLD_ New Executable file format

Published: June 23 2009, 01:20 AM
by Zarestel Ferrer

It is surprising to see 16-bit Windows-based malware now that we have 64-bit technology.
Recently we encountered a malware sample that uses the 16-bit New Executable file format; we detect it as Win16/Tanglinko.A.

[Figure 1 – IDA Pro analysis of the file format]

As you can see in Figure 1, IDA Pro identified the file format as “New Executable (NE) Windows”, the application type as “Console GUI Executable DLL 16 bit” and the file’s expected Windows version as “3.0”. For comparison, the version number of current Windows operating systems is 6.0 for Windows Vista and 6.1 for Windows 7, so you can see how old the file format is!
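As an added illustration (not code from the original post), here is a small Python parser that performs the same identification IDA Pro shows in Figure 1 by hand: it follows the MZ stub to the NE header and reads the target OS byte, the expected Windows version word and the library flag, which is what a triage script would check to flag 16-bit NE files. The image it parses is constructed inline for the example; it is not the Win16/Tanglinko.A file.

```python
import struct
from typing import Optional

# ne_exetyp values and flag bits as defined in the Windows 3.x NE header layout
NE_EXETYPE = {1: "OS/2", 2: "Windows", 3: "DOS 4.x", 4: "Windows 386", 5: "BOSS"}
NE_APPTYPE = {0x0100: "full-screen", 0x0200: "windows-compatible", 0x0300: "windows-api"}
NE_FLAG_LIBRARY = 0x8000


def parse_ne_header(data: bytes) -> Optional[dict]:
    """Return the NE header facts that identify a 16-bit Windows executable,
    or None if `data` is not an MZ image whose e_lfanew points at an 'NE' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the "new" header
    if e_lfanew + 0x40 > len(data) or data[e_lfanew:e_lfanew + 2] != b"NE":
        return None                                      # PE, LE/LX or plain DOS: not NE
    ne = data[e_lfanew:e_lfanew + 0x40]                  # the fixed 64-byte NE header
    flags = struct.unpack_from("<H", ne, 0x0C)[0]        # ne_flags
    exetyp = ne[0x36]                                    # ne_exetyp: target operating system
    exp_minor, exp_major = ne[0x3E], ne[0x3F]            # ne_expver: low byte minor, high byte major
    return {
        "ne_offset": e_lfanew,
        "target_os": NE_EXETYPE.get(exetyp, f"unknown({exetyp})"),
        "expected_windows_version": f"{exp_major}.{exp_minor}",
        "app_type": NE_APPTYPE.get(flags & 0x0700, "unknown"),
        "is_library": bool(flags & NE_FLAG_LIBRARY),
    }


def build_sample_ne(expver: int = 0x0300, flags: int = 0x0300, exetyp: int = 2) -> bytes:
    """Construct a minimal MZ stub followed by an NE header (constructed test data,
    assumed values; defaults mimic a 'Windows 3.0' GUI executable like the one in Figure 1)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)     # e_lfanew: NE header directly after the stub
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<H", ne, 0x0C, flags)
    ne[0x36] = exetyp
    struct.pack_into("<H", ne, 0x3E, expver)   # 0x0300 -> expected Windows version 3.0
    return bytes(mz + ne)


if __name__ == "__main__":
    print(parse_ne_header(build_sample_ne()))
```

Run against a real file with `parse_ne_header(open(path, "rb").read())`; a PE file returns None because its e_lfanew points at a "PE\0\0" signature rather than "NE".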

Does this mean the malware is old just because it uses an old file format? Not at all; this is new malware. However, malware authors just can’t leave the past behind, and they reuse old tricks when developing new malware. Here is the VirusTotal scan result from 21 June 2009.

[Figure 2 – Malware dropping files with directory names]

Now, what does this malware do? Apart from its file format, nothing fancy really. However, it is just as annoying as any other average malware that we encounter at present. It disables the clipboard, which means a user cannot perform a Copy/Paste operation, and it terminates Windows applications if any of the following strings appear in their window title:

• Run
• Search Results
• Select Files and Folders
• System Configuration Utility
• Folder Options
• Display Properties
• Registry Editor
• Command Prompt
• C:\Windows\System32

In case your system has been infected and you want to remove the infection manually, a simple search in Process Explorer for the malware file (usually SYSTIM32.EXE) can help you locate it. Please make sure you terminate the NTVDM.EXE instance that is hosting SYSTIM32.EXE; terminating the wrong process may give you unwanted results.

[Figure 3 – Malware search]

As you can see, it runs under NTVDM.EXE (NT Virtual DOS Machine), the process that hosts the Win16 subsystem on NT-based Windows operating systems.

To be on the safe side always keep your CA security software updated.

By: Zarestel Ferrer
Zarestel Ferrer is a Senior Research Engineer with CA's Internet Security Business Unit (CA ISBU) based in Melbourne, Australia. Previous to CA, he worked as a software developer and then moved into security as a Senior Anti-virus Engineer at Trend Micro. He also worked for PC Tools Research as a...