/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;
of this e-threat is to download and execute “Antivirus Pro 2010″ a rogue application which poses to be security
software. The installation is composed of two steps. First it will try to
download a randomly named file, from several locations, which will be saved as “%user_documents%Application
Datalizkavd.exe”. The new executable attempts to connect to new locations,
using a name and a password and download a password protected archive. This
archive actually contains the fakealert malware (Tojan.FakeAV.VH) which will be installed in %Programs%AntivirusPro_2010.
starting the download process, it will copy itself to
and %user_documents%application dataseres.exe.
These will be started together and will protect each other from being
terminated by the user using two named mutexes.
The above two copies are also registered at the system startup by changing
certain registry keys.
It will lower security settings by allowing execution of invalid signatures
and adding certain extensions to the low risk list.
After setting the above, the malware will start the download process by
accessing several addresses like the ones below:
is distributed in a zip archive attached to an e-mail which claims to be from
“DHL express services”.
Called Glecia, this e-threat cannot propagate by itself, so it makes use of a
third party to send the spam.
The email examples look like this:
DHL Express Services. Please get your parcel NR.56449
From: “****” <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personally!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Thank you for attention.
archive contains the malware executable which drops a BHO to
%SYSTEM%bhdvgtueyitf.dll and registers it as “Microsoft Online
Helper!” or “Google Accelerator!” with CLSID
When done, the dropper creates and runs a batch file called sys.bat in order to
The BHO is
a backdoor that can be used by the attacker to take control over the infected
computer. When executed it will try to connect to a Russian domain to receive
further instructions. These can be any of the following:
files from the root, Windows, and Program Files folders
in this article is available courtesy of BitDefender virus researcher: Ovidiu
Visoiu and Horea Coroiu