WEEKLY REVIEW

Avoiding firewalls – BitDefender weekly review

This week's malware pack shows one piece that successfully circumvents firewall applications on the infected computer and one that doesn't. Firewall avoidance has become quite an art; as you will see, it requires at least four steps.
When run, this malware starts svchost.exe and passes its own file as a parameter so that it will be started by services.exe, then it exits. When it detects that it has been loaded by services.exe, it opens the svchost process it started earlier and overwrites that process's code in memory with its own. It then starts a remote thread inside the injected svchost.exe, which checks for and downloads further malware from: http://lom[removed]ate.php?n=388789C57338E22B. Because the code runs inside svchost.exe, the malware will most likely bypass any firewall settings.
The downloaded files are saved in the same folder the e-threat was run from, with random names ending in .tmp.
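The behaviour above (a non-service process launching svchost.exe and handing it a file path instead of a service group) is something process-creation telemetry can surface. The following is an added example of such a heuristic, not BitDefender's code; the record layout, the System32 path and the sample events are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

SYSTEM32 = "c:\\windows\\system32\\"   # assumed home of the genuine svchost.exe


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on typical EDR/Sysmon telemetry)."""
    pid: int
    image: str         # full path of the new process
    cmdline: str       # its full command line
    parent_image: str  # full path of the process that spawned it


def svchost_findings(ev: ProcEvent) -> list[str]:
    """Return the reasons an svchost.exe launch looks abnormal; [] means nothing odd."""
    image = ev.image.lower()
    if not image.endswith("\\svchost.exe"):
        return []                      # only service-host launches are in scope
    reasons = []
    if not image.startswith(SYSTEM32):
        reasons.append("svchost.exe image outside System32")
    # Genuine service hosts are children of services.exe.
    if not ev.parent_image.lower().endswith("\\services.exe"):
        reasons.append(f"unexpected parent {ev.parent_image}")
    # A normal command line is 'svchost.exe -k <group>'; a path to another file is not.
    for arg in ev.cmdline.lower().split()[1:]:
        if "\\" in arg or arg.endswith((".exe", ".tmp")):
            reasons.append(f"file path passed as argument: {arg}")
    return reasons


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> findings for every svchost launch that raised at least one flag."""
    return {ev.pid: f for ev in events if (f := svchost_findings(ev))}


# Constructed sample telemetry: one normal service host and one matching the
# pattern described in the article (a dropper launching svchost.exe with its own
# file as the argument). Paths and names are illustrative, not from the sample.
SAMPLE_EVENTS = [
    ProcEvent(1040, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs",
              "C:\\Windows\\System32\\services.exe"),
    ProcEvent(3312, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe C:\\Temp\\dropper.exe",
              "C:\\Temp\\dropper.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The argument check splits on whitespace, so quoted paths containing spaces would need a proper Windows command-line tokenizer before the same test is applied.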
 
Trojan.Downloader.FakeAV.AR
After execution this Trojan creates certain registry keys in order to be executed at every system startup. Afterwards it tries to download and execute rogue security software from the following websites:
imagesrepository.com
protection-manager.com
zone-searching.com
protect-management.com  

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Ovidiu Visoiu