A Worm That Does Nothing

This week's e-threat activity was pretty odd. We have proxy servers, trojans, patchers and, the one that beats them all, a worm that does nothing but spread.
Upon execution this trojan installs itself in the Windows directory and executes at startup as a system process. Its function is that of a proxy server. It listens for connections on TCP ports 80 and 82. It spreads through compromised websites that make use of the ADODB JavaScript exploit, which downloads the Trojan onto your computer without any interaction. The websites themselves are cracked using SQL injection exploits. The ugly thing about this is that you get infected simply by browsing such a website, if you are using Internet Explorer, that is. The JavaScript exploit is harmless on other browsers; it will just increase the loading time of the page.
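A quick way to check a machine for the listening ports this proxy opens is to save `netstat -ano` output and look for TCP listeners on 80 and 82. The script below is an added example, not code from the original post; the netstat lines are constructed to look like Windows output, and the PID values in them are made up.

```python
"""Find processes listening on the ports the proxy trojan above opens (TCP 80
and 82) from saved `netstat -ano` output. Added example; the netstat lines
below are constructed, not from the original post or from a real host."""

# Ports the post says the proxy listens on. A workstation that is not meant to
# serve web traffic should have nothing listening here.
SUSPECT_PORTS = {80, 82}

# Constructed sample in the layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.0.2.15:49152       198.51.100.7:443       ESTABLISHED     2260
  TCP    [::]:80                [::]:0                 LISTENING       1844
  UDP    0.0.0.0:500            *:*                                    876
"""


def parse_listeners(netstat_text: str) -> list:
    """(port, pid) for every TCP socket in LISTENING state.
    Handles both IPv4 'a.b.c.d:port' and IPv6 '[addr]:port' local addresses."""
    listeners = []
    for raw in netstat_text.splitlines():
        parts = raw.split()
        # A TCP listener line has exactly: Proto, Local, Foreign, State, PID
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local, pid = parts[1], parts[4]
        _, _, port = local.rpartition(":")  # the port follows the last colon
        if port.isdigit() and pid.isdigit():
            listeners.append((int(port), int(pid)))
    return listeners


def suspect_listeners(netstat_text: str, ports=SUSPECT_PORTS) -> dict:
    """Map each suspect port that is open to the set of PIDs holding it."""
    found = {}
    for port, pid in parse_listeners(netstat_text):
        if port in ports:
            found.setdefault(port, set()).add(pid)
    return found


if __name__ == "__main__":
    for port, pids in sorted(suspect_listeners(SAMPLE_NETSTAT).items()):
        print(f"TCP {port} listening, PID(s): {sorted(pids)}")
```

On a real host, run `netstat -ano > netstat.txt`, pass the file contents to `suspect_listeners`, then look up each reported PID (for example with `tasklist`) and check whether its image lives in the Windows directory, which is where the post says this trojan installs itself.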

It seems that a lot of effort is being put into spreading this proxy, so the intentions behind it are probably serious cracking and spamming attempts.

It's the strangest thing nowadays. This worm seems to have no destructive intention; it only spreads. We say it's strange because hardly any malware is out there these days without having a negative effect on the victim's PC, be it downloading other applications, infecting or deleting files, running backdoors and rootkits, you name it. It uses the most basic hiding methods, merely setting the hidden and read-only attributes on its own file(s). It also copies itself into your Windows and Windows\System32 directories and adds some registry entries to run at system startup. It spreads through removable drives and uses autorun.inf files to execute itself.
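Because the worm relies on autorun.inf and on hidden/read-only attributes, a defender triaging a removable drive wants two things: which file the autorun.inf would launch, and whether that file carries those attributes. The script below is an added example, not the post's or BitDefender's code; the autorun.inf text in it is constructed, and the file name `RECYCLER\svchost.exe` is a made-up placeholder.

```python
"""Triage an autorun.inf from a removable drive: list what it would launch and
whether each target carries the hidden / read-only attributes the worm sets.
Added example, not code from the original post."""
import os
import stat
from pathlib import Path

# Directives whose value is a program launched on insert / double-click.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample; the paths are placeholders, not indicators from the post.
SAMPLE_AUTORUN = """[autorun]
; constructed sample modelled on what removable-drive worms drop
open="RECYCLER\\svchost.exe" /quiet
shell\\open\\command=RECYCLER\\svchost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""


def parse_autorun(text: str) -> dict:
    """Return key/value pairs from the [autorun] section, keys lower-cased."""
    entries, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1].strip().lower() == "autorun"
            continue
        if active and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """(directive, program) for every directive that runs a program.
    Covers open=, shellexecute= and shell\\<verb>\\command= forms."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"') and value.count('"') >= 2:
                program = value[1:value.index('"', 1)]  # quoted path, args follow
            else:
                program = value.split()[0] if value.split() else ""
            if program:
                targets.append((key, program))
    return targets


def attribute_flags(path: Path) -> set:
    """Flags the worm sets on its dropped file. Uses the Windows attribute bits
    when the platform exposes them; on POSIX only read-only can be reported,
    since 'hidden' has no mode-bit equivalent there."""
    st = path.stat()
    flags = set()
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:  # Windows
        if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
            flags.add("hidden")
        if attrs & stat.FILE_ATTRIBUTE_READONLY:
            flags.add("readonly")
    elif not st.st_mode & stat.S_IWUSR:
        flags.add("readonly")
    return flags


def triage(drive_root: str) -> list:
    """Findings for the autorun.inf at the drive root; [] when there is none."""
    root = Path(drive_root)
    inf = root / "autorun.inf"
    if not inf.exists():
        return []
    findings = []
    for directive, program in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
        target = root / program.replace("\\", os.sep).lstrip(os.sep)
        flags = attribute_flags(target) if target.exists() else {"missing"}
        findings.append({"directive": directive, "program": program, "flags": sorted(flags)})
    return findings


if __name__ == "__main__":
    for directive, program in launch_targets(parse_autorun(SAMPLE_AUTORUN)):
        print(f"{directive} would launch {program}")
```

Point `triage` at the drive letter of the removable disk (for example `triage("E:\\")`) to get one finding per launch directive, with the attribute flags of the referenced file; a launch target that is both hidden and read-only is exactly the pattern this worm leaves behind.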

This threat patches the BitDefender products (Internet Security 2008, Total Security 2008 and Antivirus Plus 2008). It has a nicely built user interface and detailed instructions on how to use it. At some point you are asked to push a button that adds an entry to your System32\drivers\etc\hosts file. It sets the BitDefender update server (update.bitdefender.com) to localhost (127.0.0.1). It seems this Trojan's purpose is to render the BitDefender products' update service unusable so they will no longer detect new threats.
Also new this week are some more Vudo variants, password-stealing trojans, droppers (like Mezzia, for example) and, of course, let's not forget our veteran, the Peed trojan (or Stormworm).
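Since the patcher works by pinning a vendor's update host to loopback in the hosts file, that is a cheap thing to check for. The script below is an added example, not code from the original post or from BitDefender: it parses a hosts file and reports any entry for a watched vendor domain, classifying it as blackholed (loopback or 0.0.0.0), redirected elsewhere, or malformed. `update.bitdefender.com` comes from the post; `example-vendor.invalid` and the sample hosts lines are constructed placeholders.

```python
"""Report hosts-file entries that hijack security-vendor update hosts.
Added example, not code from the original post."""
import ipaddress

# Vendor domains whose update hosts should never appear in a hosts file.
# bitdefender.com covers update.bitdefender.com from the post; the second
# entry is a constructed placeholder standing in for any other vendor.
WATCHED_DOMAINS = {"bitdefender.com", "example-vendor.invalid"}

# Default location of the hosts file on Windows.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample of a tampered hosts file (not taken from a real host).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.bitdefender.com   # added by the patcher
0.0.0.0     liveupdate.example-vendor.invalid
192.0.2.10  intranet.example.internal
127.0.01    upgrade.bitdefender.com
"""


def parse_hosts(text: str):
    """Yield (address, hostname) for every name mapped in a hosts file.
    Strips comments and tolerates tabs and several names on one line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            yield parts[0], name.lower()


def is_watched(name: str, watched=WATCHED_DOMAINS) -> bool:
    """True if name is a watched domain or a host beneath one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def hijacked_entries(text: str, watched=WATCHED_DOMAINS) -> list:
    """(hostname, address, verdict) for each hosts entry on a watched domain.
    Any such entry is suspicious; the verdict says how the address behaves."""
    findings = []
    for addr, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # e.g. '127.0.01': not a well-formed address, still worth a look
            findings.append((name, addr, "malformed-address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((name, addr, "blackholed"))
        else:
            findings.append((name, addr, "redirected"))
    return findings


def check_hosts_file(path: str = WINDOWS_HOSTS) -> list:
    """Run the check against a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_entries(fh.read())


if __name__ == "__main__":
    for name, addr, verdict in hijacked_entries(SAMPLE_HOSTS):
        print(f"{verdict:18} {name} -> {addr}")
```

Run `check_hosts_file()` on a Windows machine (with the default path) or pass another path; an update host resolved to loopback means the product can no longer fetch signatures, which matches the effect the post describes.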