This week's malware pack shows one piece that successfully circumvents the firewall applications on the infected computer and one that doesn't. Firewall evasion has become quite an art; as you will see, it takes at least four steps.
When run, this malware launches svchost.exe with the path of its own file as the command-line parameter, so that it ends up being started by services.exe, and then exits. Once it detects that it is running under services.exe, it opens the svchost.exe process it created earlier and overwrites that process's code in memory with its own. It then starts a remote thread inside the injected svchost.exe, which checks for and downloads further malware from: http://lom[removed]ate.php?n=388789C57338E22B. Because the network activity now originates from svchost.exe, a trusted system process, the malware will most likely pass any per-application firewall rules.
The downloaded files are saved in the same folder the e-threat was run from, with random names ending in .tmp.
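The chain above leaves two telemetry footprints that a hunt can key on: an svchost.exe launched by something other than services.exe with a file path instead of "-k &lt;group&gt;" on its command line, and a remote thread created in svchost.exe by a process living outside %SystemRoot%. The following is an added example (not BitDefender's code) that applies those two checks to Sysmon-style Event ID 1 and Event ID 8 records; the event contents are constructed, and the parent and directory allowlists are assumptions to tune per environment.

```python
"""Hunt for the svchost.exe injection chain in Sysmon-style process-creation
(Event ID 1) and CreateRemoteThread (Event ID 8) records.

Added example; not BitDefender's code. The events below are constructed
(field names follow Sysmon, the paths are invented), and the allowlists are
assumptions to be tuned for a real environment.
"""
import ntpath

SYSTEM_DIR = "c:\\windows\\"                                   # assumption
SVCHOST_PARENTS = {"c:\\windows\\system32\\services.exe"}      # assumption


def _norm(path):
    return path.strip('"').lower()


def check_process_creation(ev):
    """Flag an svchost.exe launched by something other than services.exe, or
    whose command line points at a file outside %SystemRoot% (the sample passes
    its own file as the argument instead of '-k <group>')."""
    findings = []
    if ntpath.basename(_norm(ev["Image"])) != "svchost.exe":
        return findings
    parent = _norm(ev.get("ParentImage", ""))
    if parent not in SVCHOST_PARENTS:
        findings.append(f"svchost.exe spawned by unexpected parent {parent}")
    # Naive whitespace split; sufficient for the patterns shown here.
    for arg in ev["CommandLine"].split()[1:]:
        a = _norm(arg)
        looks_like_path = "\\" in a or ":" in a
        if looks_like_path and not a.startswith(SYSTEM_DIR):
            findings.append(f"svchost.exe argument references non-system file {arg}")
    return findings


def check_remote_thread(ev):
    """Flag a thread created in svchost.exe by a process outside %SystemRoot%.
    If the injecting code runs inside services.exe itself the source will be a
    system binary, so the process-creation checks must catch that case."""
    target = _norm(ev["TargetImage"])
    source = _norm(ev["SourceImage"])
    if ntpath.basename(target) == "svchost.exe" and not source.startswith(SYSTEM_DIR):
        return [f"remote thread in {target} created by {source}"]
    return []


def hunt(events):
    """Return (EventID, finding) pairs for every suspicious record."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            findings = check_process_creation(ev)
        elif ev["EventID"] == 8:
            findings = check_remote_thread(ev)
        else:
            findings = []
        hits.extend((ev["EventID"], f) for f in findings)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Windows\System32\svchost.exe" C:\Users\bob\AppData\Local\Temp\update.exe'},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"EID {event_id}: {finding}")
```

Run against the constructed events, the first svchost.exe launch and the remote thread from the Temp folder are flagged, while the legitimate "-k netsvcs" instance and the csrss.exe thread are not. Real svchost.exe command lines vary by Windows version, so the argument check should be validated against a baseline before it is used as an alert.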
After execution this Trojan creates certain registry keys in order to be run at every system startup. It then tries to download and execute rogue security software from the following websites:
Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.