
BitDefender weekly review

Bogdan BOTEZATU

October 23, 2009



Trojan.FakeAV.VE

The purpose of this e-threat is to download and execute "Antivirus Pro 2010", a rogue application that poses as security software. The installation is composed of two steps. First it tries to download a randomly named file from several locations, which is saved as %user_documents%\Application Data\lizkavd.exe. This new executable then connects to further locations, authenticating with a user name and password, and downloads a password-protected archive. The archive actually contains the fake-alert malware (Trojan.FakeAV.VH), which is installed in %Programs%\AntivirusPro_2010.

Before starting the download process, it copies itself to %user_documents%\application data\svcst.exe and %user_documents%\application data\seres.exe. These two copies are started together and protect each other from being terminated by the user, coordinating through two named mutexes.

The two copies are also registered to run at system startup by modifying certain registry keys. The malware also lowers security settings by allowing the execution of files with invalid signatures and by adding certain extensions to the low-risk file types list.

After making these changes, the malware starts the download process by accessing several addresses such as the ones below:
 hxxp://erta[removed]ert.com/s1fb0Uv5MS8X[removed]
 hxxp://abu[removed]hkamid.com/nQ1Zx0E5X8[removed]

Trojan.Generic.2581209

The malware is distributed in a zip archive attached to an e-mail that claims to come from "DHL express services". Called Glecia, this e-threat cannot propagate by itself, so it relies on a third party to send the spam.

The e-mail looks like this:

Subject:
DHL Express Services. Please get your parcel NR.56449

Headers:
From: “****” <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449

Body:
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personally!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Services.

Attachments:
DHL_print_label_582b9.zip (16.23KB)
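Mail gateways catch this lure on structure rather than on text: a parcel-delivery subject plus a zip attachment that hides an executable. The triage routine below is an added example, not code from the original post or from BitDefender; it constructs a message in memory that mimics the quoted lure (the member name DHL_print_label.exe, the sender address, the keyword list and the extension list are all assumptions, not data from the write-up) and reports every reason the message looks like an executable-in-zip lure.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions that should never arrive as a "shipping label" (assumed triage list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Words typical of the parcel-delivery lure quoted above (assumed keyword list).
LURE_SUBJECT_WORDS = ("parcel", "shipping label", "delivery")


def build_sample_message(member_name="DHL_print_label.exe", member_bytes=b"MZ" + b"\x00" * 62):
    """Construct a message that mimics the quoted lure (constructed sample, not the real spam).

    The attachment is a zip built in memory with a single member, so the same
    function can produce the malicious case (an .exe inside) and a benign one.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = '"DHL Express Services" <noreply@dhl-usa.com>'  # assumed sender
    msg["To"] = "customer@example.com"
    msg["Subject"] = "DHL Express Services. Please get your parcel NR.56449"
    msg.set_content("Dear customer!\n\nThe shipping label is attached to this e-mail.\n"
                    "Print this label to get this package at our post office.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_print_label_582b9.zip")
    return msg.as_bytes()


def triage(raw_message):
    """Return a list of reasons the message looks like an executable-in-zip lure.

    An empty list means these checks found nothing suspicious.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "")
    if any(word in subject.lower() for word in LURE_SUBJECT_WORDS):
        reasons.append(f"subject uses a parcel-delivery lure: {subject!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()

        # A bare executable attached directly (by extension or by PE magic).
        if ext in EXECUTABLE_EXTS or data[:2] == b"MZ":
            reasons.append(f"attachment {name} is an executable")
            continue

        # Look inside zip archives: the DHL lure hides the .exe one level down.
        if ext == ".zip" or data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        member_ext = os.path.splitext(info.filename)[1].lower()
                        member = zf.read(info)
                        if member_ext in EXECUTABLE_EXTS or member[:2] == b"MZ":
                            reasons.append(f"archive {name} contains executable {info.filename}")
            except zipfile.BadZipFile:
                reasons.append(f"attachment {name} claims to be a zip but is not parseable")
    return reasons


if __name__ == "__main__":
    for reason in triage(build_sample_message()):
        print("SUSPICIOUS:", reason)
```

Checking the PE magic as well as the extension matters because a member renamed to something harmless still runs once the victim renames it back; the benign case (a PDF inside the same zip) is only flagged for its subject line.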

The archive contains the malware executable, which drops a BHO (Browser Helper Object) to %SYSTEM%\bhdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.

When done, the dropper creates and runs a batch file called sys.bat in order to delete itself.

The BHO is a backdoor that the attacker can use to take control of the infected computer. When executed it tries to connect to a Russian domain to receive further instructions, which can be any of the following:

Send system information
Open a given URL
Execute files
Delete all files from the root, Windows, and Program Files folders
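Both write-ups leave behind host artifacts an analyst can sweep for: the FakeAV.VE dropper and its two self-protecting copies, the AntivirusPro_2010 folder, and the Glecia BHO with its fixed CLSID and display names. The sweep below is an added example, not code from the original post or from BitDefender. It parses a constructed registry export and walks a constructed directory tree; the XP-style profile path and the Run, Browser Helper Objects and CLSID key locations are standard Windows paths assumed here, since the post itself only says "certain registry keys".

```python
import tempfile
from pathlib import Path

# Indicators named in the two write-ups above.
FILE_IOCS = {"lizkavd.exe", "svcst.exe", "seres.exe", "bhdvgtueyitf.dll"}
DIR_IOCS = {"antiviruspro_2010"}
BHO_CLSID = "{CEE2864E-1144-4B8F-9A43-4CEAC4553560}"
BHO_NAMES = {"Microsoft Online Helper!", "Google Accelerator!"}

# Constructed registry export for the demo. The Run key and the BHO/CLSID key
# paths are the standard Windows locations, assumed here; only the file names,
# CLSID and display names come from the write-ups.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcst"="C:\\Documents and Settings\\user\\Application Data\\svcst.exe"
"seres"="C:\\Documents and Settings\\user\\Application Data\\seres.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}]
@="Microsoft Online Helper!"

[HKEY_CLASSES_ROOT\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}\InprocServer32]
@="C:\\WINDOWS\\system32\\bhdvgtueyitf.dll"
"ThreadingModel"="Apartment"
'''


def parse_reg_export(text):
    """Parse the subset of .reg syntax used by string values into {key: {name: data}}."""
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # reg export doubles backslashes and escapes quotes inside strings
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def scan_registry(keys):
    """Report autorun values, CLSID keys and display names that match the IOCs."""
    findings = []
    for key, values in keys.items():
        if BHO_CLSID.lower() in key.lower():
            findings.append(f"registry: key references the BHO CLSID: {key}")
        for name, data in values.items():
            basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in FILE_IOCS:
                findings.append(f"registry: {key}\\{name} points at {data}")
            elif data in BHO_NAMES:
                findings.append(f"registry: BHO display name {data!r} under {key}")
    return findings


def scan_tree(root):
    """Walk a directory tree and report dropped components and the rogue AV folder."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_dir() and path.name.lower() in DIR_IOCS:
            findings.append(f"file: rogue AV folder {path}")
        elif path.is_file() and path.name.lower() in FILE_IOCS:
            findings.append(f"file: dropped component {path}")
    return findings


def build_sample_tree():
    """Create a constructed, infected-looking tree in a temp directory (demo data)."""
    root = Path(tempfile.mkdtemp(prefix="fakeav-demo-"))
    appdata = root / "Documents and Settings" / "user" / "Application Data"
    appdata.mkdir(parents=True)
    for name in ("svcst.exe", "seres.exe", "lizkavd.exe"):
        (appdata / name).write_bytes(b"MZ demo")
    rogue = root / "Program Files" / "AntivirusPro_2010"
    rogue.mkdir(parents=True)
    (rogue / "readme.txt").write_text("benign decoy")
    system32 = root / "WINDOWS" / "system32"
    system32.mkdir(parents=True)
    (system32 / "bhdvgtueyitf.dll").write_bytes(b"MZ demo")
    return root


def scan(root, reg_text):
    """Combined sweep: file-system artifacts plus registry artifacts."""
    return scan_tree(root) + scan_registry(parse_reg_export(reg_text))


if __name__ == "__main__":
    for finding in scan(build_sample_tree(), SAMPLE_REG):
        print(finding)
```

On a real host the registry half would read a fresh `reg export` of the Run, Browser Helper Objects and CLSID hives and the file half would walk the actual profile, Program Files and system32 directories; the matching logic is the same.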

Information in this article is available courtesy of BitDefender virus researchers Ovidiu Visoiu and Horea Coroiu.
