
Avoiding firewalls - BitDefender weekly review

Bogdan BOTEZATU

March 20, 2009

When run, this malware starts svchost.exe, passing its own file as a parameter so that it is started by services.exe, and then exits. When it detects that it has been loaded by services.exe, it opens the svchost.exe process it started earlier and overwrites that process's code in memory with its own. It then starts a remote thread inside the injected svchost.exe, which checks for and downloads other malware from: http://lom[removed]ate.php?n=388789C57338E22B. Because the code runs inside svchost.exe, the malware will most likely bypass any firewall rules.
The downloaded files are saved in the same folder the e-threat was run from, with random names ending in .tmp.
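Hunting for this kind of svchost.exe abuse comes down to checking whether each svchost.exe instance looks the way a legitimate one does. The example below is added here and is not BitDefender's code; it runs a few such checks over a constructed process snapshot (parent must be services.exe, image must live in System32, command line should carry a "-k" service group rather than a stray executable path).

```python
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str      # image file name
    path: str      # full image path
    cmdline: str   # command line as launched

# A legitimate svchost.exe is started by services.exe from System32 with "-k <group>".
SVCHOST_PATH = r"c:\windows\system32\svchost.exe"
SYSTEM32 = r"c:\windows\system32"

def _args(cmdline: str):
    # Simplified tokeniser: drops the program token and surrounding quotes.
    return [t.strip('"') for t in cmdline.split()[1:]]

def suspicious_svchost(procs):
    """Return [(pid, [reasons])] for svchost.exe instances that break the expected pattern."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append("parent is not services.exe")
        if p.path.lower() != SVCHOST_PATH:
            reasons.append("image is not the System32 svchost.exe")
        args = _args(p.cmdline)
        if "-k" not in [a.lower() for a in args]:
            reasons.append("no -k service group argument")
        for a in args:
            # A file argument outside System32 matches the dropper passing its own path.
            if a.lower().endswith((".exe", ".tmp")) and not a.lower().startswith(SYSTEM32):
                reasons.append(f"unexpected file argument: {a}")
        if reasons:
            findings.append((p.pid, reasons))
    return findings

# Constructed snapshot: one clean svchost, one with a foreign .exe argument, one spawned by explorer.
SAMPLE = [
    Proc(600, 500, "services.exe", r"c:\windows\system32\services.exe", "services.exe"),
    Proc(1100, 1000, "explorer.exe", r"c:\windows\explorer.exe", "explorer.exe"),
    Proc(800, 600, "svchost.exe", SVCHOST_PATH, "svchost.exe -k netsvcs"),
    Proc(1200, 600, "svchost.exe", SVCHOST_PATH, r'svchost.exe "C:\Users\bob\Downloads\invoice.exe"'),
    Proc(1300, 1100, "svchost.exe", SVCHOST_PATH, "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_svchost(SAMPLE):
        print(pid, "; ".join(reasons))
```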
 
Trojan.Downloader.FakeAV.AR
After execution, this Trojan creates certain registry keys so that it is executed at every system startup. It then tries to download and execute rogue security software from the following websites:
imagesrepository.com
protection-manager.com
zone-searching.com
protect-management.com

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Ovidiu Visoiu
