The purpose of this malware is to steal certain MMORPG login credentials. When first executed it copies itself into %temp% under the name herss.exe and drops a DLL file, cvasds0.dll, in the same location.
The DLL is injected into explorer.exe. Once executed from that memory space it makes another copy of herss.exe in the root folder of the system drive. The new executable is named wcgswa.exe and has an autorun.inf file pointing at it so that it is executed every time the drive is accessed. It also adds herss.exe to a certain registry key in order to get executed at startup, and disables the “Show hidden files and folders” option under Folder Options → View.
The injected DLL file is responsible for the password stealing and targets the following online games: Metin2, FlyFF, Maple Story, Age of Conan, Knight Online.
The name of the malware already gives a hint about what it’s about: another repackaged rogue “anti-virus”. The name this time is “Total Security” and it behaves very
When executed it copies itself to %systemdrive%\Documents and Settings\All Users\Application Data\[random number].exe and creates another pc[random number]ins file in the same folder. Afterwards it deletes the original file and performs several registry changes, one of which ensures the e-threat’s execution at every system startup.
The application “scans” the victim’s computer, displaying a multitude of infections, all of them obviously fake. In addition to the usual fake-AV arsenal, this version also closes every started application except Internet Explorer to force the user into buying the “product”. It displays a warning message each time it closes an application: “Application cannot be executed. The file [application file] is infected. Please activate your antivirus software.” It also changes the user’s background image to be easily noticeable.
The purpose of the worm is to steal sensitive information and monitor browser activity. In order to accomplish this undetected it has the ability to disable certain antivirus products (e.g. Norton, Kaspersky, McAfee).
When executed it creates another copy of itself inside the folder it is present in. The name is kept the same, with another “.exe” appended at the end. It then executes the new copy with the parameter “/res > %temp%\fio.bat” and creates a DLL file inside %windir%\system32 called fio.dll. A driver is dropped in %windir%\system32\drivers under the name fio.sys. This driver is responsible for disabling the security suites, if present.
fio.bat ends the application’s initial execution and makes several changes to the system:
- adds a new firewall exception named “fio32” for the process “svchost.exe”
- adds a firewall exception for TCP port 8085
- creates and starts a new service named “fioo32” for the “fio32.dll” file
- deletes the copy of the malware
- fio.bat deletes itself as well.
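As an added example (not code from the article or from BitDefender), a small Python triage routine that checks a host-state snapshot against the persistence and firewall indicators described above: it parses an autorun.inf like the one the first sample drops in the drive root, checks the Explorer hidden-files setting (assumed here to be the standard Advanced\Hidden value, which the article does not name) and looks for the fio.bat firewall exceptions and service. The autorun.inf text and the snapshot are constructed sample data.

```python
import configparser

# Constructed sample input (not a real capture): the autorun.inf the first sample
# drops in the drive root, plus a host-state snapshot shaped like the article's indicators.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=wcgswa.exe\nshell\\open\\Command=wcgswa.exe\n"
SAMPLE_SNAPSHOT = {
    "root_files": ["autorun.inf", "wcgswa.exe", "pagefile.sys"],
    # assumed: HKCU\...\Explorer\Advanced\Hidden, 1 = show hidden files, 2 = hide
    "explorer_hidden": 2,
    # (exception name, process, TCP port) as read from the host firewall config
    "firewall_exceptions": [("fio32", "svchost.exe", None), ("Core", None, 8085)],
    "services": {"fioo32": "fio32.dll"},
}

def autorun_target(ini_text):
    """Return the executable an autorun.inf would launch, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(ini_text)
    if not cp.has_section("autorun"):
        return None
    for key in ("open", "shellexecute", "shell\\open\\command"):
        value = cp["autorun"].get(key, "").strip().strip('"')
        first = value.split()[0] if value else ""
        if first.lower().endswith(".exe"):
            return first
    return None

def triage(snapshot, autorun_inf):
    """Return the findings that match the behaviour described in the article."""
    findings = []
    target = autorun_target(autorun_inf)
    if target and target.lower() in [f.lower() for f in snapshot["root_files"]]:
        findings.append(f"autorun.inf launches {target} from the drive root")
    if snapshot.get("explorer_hidden") == 2:
        findings.append("'Show hidden files and folders' has been disabled")
    for name, proc, port in snapshot["firewall_exceptions"]:
        if name.lower() == "fio32" and (proc or "").lower() == "svchost.exe":
            findings.append("firewall exception fio32 for svchost.exe")
        if port == 8085:
            findings.append("firewall exception for TCP port 8085")
    for svc, binary in snapshot["services"].items():
        if svc.lower() == "fioo32" or binary.lower().startswith("fio"):
            findings.append(f"service {svc} backed by {binary}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT, SAMPLE_AUTORUN_INF):
        print("[!]", finding)
```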
The information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad, Stefan Catalin Hanu and George Cabau.