Win32/Newacc is the detection name for an attacker tool that automatically registers new e-mail accounts on Hotmail, AOL, Gmail, Lycos and other account service providers. To do so, the tool sends each registration CAPTCHA image to a remote Web service for decoding, bypassing the CAPTCHA protection. CAPTCHA is an acronym for 'Completely Automated Public Turing test to tell Computers and Humans Apart'.
Installation
When executed, Win32/Newacc loops until it finds an active Internet connection.
Some variants then install themselves on the affected system by copying themselves to %windir%\mmhren1.exe and making the following modifications so that this copy is executed at each Windows start:
- Modifies the configuration file 'win.ini', adding the following line to its [Windows] section:
[Windows]
run=%windir%\mmhren1.exe
- Adds the following registry entry:
Adds value: "Microsoft hren1"
With data: "%windir%\mmhren1.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The tool then makes additional registry modifications, depending on the e-mail account service provider targeted, as in the following examples:
Adds value: <account variable> Data
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft
Adds value: vars
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\<account variable> Data\
Adds value: Date
With data: "<system time>"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\<account variable> Data\vars\
Where <account variable> is one of the following, referencing an account service provider:
Hchk - Hotmail and Windows Live
HREN2 - Hotmail and Windows Live
AAcc - America Online (AOL)
GAcc - Google E-mail (Gmail)
LAcc - Lycos
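The win.ini entry, the Run value and the per-provider registry keys listed above are the host-side indicators an analyst would look for. The following script is an added example, not code from the original description: it parses the text of win.ini and of a registry export (.reg file) rather than a live registry, so it runs offline on any platform. The sample win.ini and .reg contents are constructed to resemble an infected host (the Windows directory, the second Run value and the Date timestamp are arbitrary and not captured data).

```python
"""Offline triage for the Win32/Newacc host artifacts described above.

Added example, not the advisory's own code. Parses win.ini text and a
.reg export instead of a live registry; sample inputs are constructed.
"""
import re

# Indicators taken from the description above.
DROPPED_BINARY = "mmhren1.exe"
RUN_VALUE_NAME = "Microsoft hren1"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ACCOUNT_VARIABLES = {
    "Hchk": "Hotmail and Windows Live",
    "HREN2": "Hotmail and Windows Live",
    "AAcc": "America Online (AOL)",
    "GAcc": "Google E-mail (Gmail)",
    "LAcc": "Lycos",
}
# HKLM\Software\Microsoft\<account variable> Data, optionally followed by \vars
ARTIFACT_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\(\w+) Data(\\vars)?$", re.IGNORECASE)


def check_win_ini(text):
    """Flag run= / load= lines in the [Windows] section that launch the dropped copy."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load") and DROPPED_BINARY in value.lower():
                findings.append(f"win.ini [Windows] {key.strip()}={value.strip()}")
    return findings


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "" if name.strip() == "@" else name.strip().strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes inside string data
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def check_registry(reg):
    """Flag the Run value and the per-provider state keys from a parsed export."""
    findings = []
    for key, values in reg.items():
        if key.lower() == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == RUN_VALUE_NAME.lower() or DROPPED_BINARY in data.lower():
                    findings.append(f"Run value {name!r} -> {data}")
            continue
        m = ARTIFACT_KEY.match(key.rstrip("\\"))
        if m:
            var = m.group(1)
            provider = next((p for v, p in ACCOUNT_VARIABLES.items()
                             if v.lower() == var.lower()), None)
            if provider:
                date = values.get("Date")
                findings.append(f"key {key} ({provider})" + (f", Date={date}" if date else ""))
    return findings


def triage(win_ini_text, reg_text):
    """All host findings for one machine, win.ini first then registry."""
    return check_win_ini(win_ini_text) + check_registry(parse_reg_export(reg_text))


# Constructed sample inputs (not captured data): a Gmail-targeting variant.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\mmhren1.exe
[Desktop]
Wallpaper=
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft hren1"="C:\\WINDOWS\\mmhren1.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GAcc Data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GAcc Data\vars]
"Date"="2009-03-11 14:02:55"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_WIN_INI, SAMPLE_REG):
        print(finding)
```

On a live Windows host the same checks would read %windir%\win.ini directly and the registry through winreg, but keeping the parser text-based lets the triage run against exports collected from many machines.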
Payload
E-mail Account Creation
Win32/Newacc connects to the login page of the targeted e-mail service provider, then downloads the registration form and the associated JPEG-format CAPTCHA image. The image file is temporarily stored in the Windows folder and then submitted to an online OCR (Optical Character Recognition) service for decoding at the Web domain 'c1.ocrservice.biz'.
If the CAPTCHA image is decoded successfully, Win32/Newacc submits the registration form using a username taken from a list downloaded from a remote site. At the time of analysis, the following two domains had been observed serving the username list:
- sys191.3fn.net
- lamodano.info
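The OCR service domain and the two username-list domains above are the network-side indicators of this tool, and a host that contacts both the OCR service and a username-list domain is exhibiting the full registration workflow. The following script is an added example, not part of the original description: it matches those domains (including subdomains) against proxy log lines and groups the hits per client. The log lines are constructed in the Squid native access.log layout; the client addresses, timestamps and URL paths are invented for the sample.

```python
"""Match the Win32/Newacc network indicators against proxy log lines.

Added example, not the advisory's own code. Sample log lines are
constructed; only the three domains come from the description.
"""
import re
from collections import defaultdict

# Domain -> stage of the tool's workflow it belongs to (from the description).
INDICATORS = {
    "c1.ocrservice.biz": "CAPTCHA image sent to OCR service",
    "sys191.3fn.net": "username list download",
    "lamodano.info": "username list download",
}

# Squid native access.log: time elapsed client action/code size method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def host_of(url):
    """Extract the host from a URL, or from a host:port target of a CONNECT request."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.IGNORECASE)
    host = m.group(1) if m else url.split("/", 1)[0].split(":", 1)[0]
    return host.lower()


def indicator_for(host):
    """Return (domain, stage) for an exact or subdomain match, else None."""
    for domain, stage in INDICATORS.items():
        if host == domain or host.endswith("." + domain):
            return domain, stage
    return None


def scan(lines):
    """Map each client address to a list of (timestamp, host, stage) hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        ind = indicator_for(host)
        if ind:
            hits[m.group("client")].append((m.group("ts"), host, ind[1]))
    return dict(hits)


def full_workflow_clients(hits):
    """Clients that contacted both the OCR service and a username-list domain."""
    result = []
    for client, entries in hits.items():
        stages = {stage for _, _, stage in entries}
        if len(stages) == 2:
            result.append(client)
    return sorted(result)


# Constructed sample log (not captured data).
SAMPLE_LOG = """\
1236782400.101    120 10.0.0.5 TCP_MISS/200 8231 GET http://login.live.com/ - DIRECT/192.0.2.20 text/html
1236782401.455    245 10.0.0.5 TCP_MISS/200 1544 POST http://c1.ocrservice.biz/ - DIRECT/192.0.2.10 text/html
1236782403.002    310 10.0.0.5 TCP_MISS/200 4096 GET http://sys191.3fn.net/ - DIRECT/192.0.2.11 text/plain
1236782410.778     90 10.0.0.7 TCP_HIT/200 1256 GET http://www.example.com/ - NONE/- text/html
1236782412.330    200 10.0.0.7 TCP_MISS/200 2048 GET http://cdn.lamodano.info/ - DIRECT/192.0.2.12 text/plain
1236782415.000     50 10.0.0.9 TCP_TUNNEL/200 600 CONNECT c1.ocrservice.biz:443 - DIRECT/192.0.2.10 -
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, entries in found.items():
        for ts, host, stage in entries:
            print(f"{client} {ts} {host}: {stage}")
    print("full workflow:", full_workflow_clients(found))
```

Subdomain matching matters because the description names the OCR host explicitly but the username-list sites only as domains; matching on the registered domain catches other hostnames under them without also matching unrelated domains that merely end in the same characters.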