WEEKLY REVIEW

BitDefender weekly review

This week we ended up analyzing a whole infection chain, from its source to the end result. The process starts with a maliciously crafted website and ends with a backdoor installation, all without the user's knowledge or consent, obviously.


Trojan.JS.PYZ

This is yet another malicious JavaScript that tries to exploit vulnerabilities in Adobe Acrobat Reader and Adobe Flash Player.

When accessing the specially crafted website, the script launches two ActiveX objects: AcroPDF.PDF or PDF.PdfCtrl to open a *.pdf file (readme.pdf), and ShockwaveFlash.ShockwaveFlash to open a *.swf file (flash.swf). These files contain the actual exploits and, when opened, download an executable file without any user interaction.

The download URL was of the form http://sitesupports.cn/[removed]?id=0 and the executable is detected by BitDefender as Backdoor.Zdoogu.F.


Backdoor.Zdoogu.F

When executed, the backdoor creates a copy of itself in %windir%\system32\digiwet.dll, with the extension and executable type changed to DLL. In order to have the copy execute at every Windows startup, it adds specific registry keys.

After this it launches a new instance of svchost.exe and overwrites its image in memory with the payload.

The infected svchost.exe creates a file called wiaservim.log in %windir%, in which it records its activity. It then connects twice to 78.109.29.112: first to download several files, second to report back with other data.

The downloaded executables belong to the Backdoor.IRCBot family, which allows an attacker to control the infected computers via IRC (Internet Relay Chat).


Win32.Delicium.A

This is a file infector that has two main components:

  1. The code that gets injected into the *.exe files
  2. The DLL which performs the actual infections

When an infected file gets executed, the virus will do the following:

– drop a DLL into %windir%\system32\dotnetfx.dll

– run the DLL by passing it as an argument to rundll32.dll

– pass execution to the host

The DLL file is responsible for making the actual infections. When first run, it makes changes to the registry so that it gets executed at system startup. It then adds another registry value, initially set to the letter A, which it increments every time it is run. When the letter becomes Z, the virus starts its actual infection routine.

The virus will loop through all accessible drives searching for files to infect or delete. It only injects code into *.exe files, and it deletes every file with one of the following extensions: xls, mdb, doc, jpg, frm, wmv, mp3, sis, as, fla, APP, ppt, avi, mpg, 3gp, vb, jar, css, asp, aspx, jsp, java, pdf, psd, gif, cad, zip, rar or 3ds.

In order to infect a file, it will first read its header information and check whether the file is already infected. As an infection marker, it writes the string “PROZIUM32” at the physical offset 0x4E (78 in decimal) in the file. If the file is not already infected, it appends the malicious code to the end of the executable and updates its characteristics by recalculating the size and properties of the file.

It might also create a random-length overlay, probably to prevent infection by other viruses. The overlay has its last 4 bytes set to the ASCII characters “.MTS”.
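The two static indicators described above (the “PROZIUM32” marker at offset 0x4E and the “.MTS” overlay trailer) are enough for a simple triage check. The following is an added example, not BitDefender's code; the function names and the constructed sample buffers are my own, and the check is a heuristic, not a full disinfection routine.

```python
# Added example (not from the original write-up): triage check for the
# Win32.Delicium.A infection marker and overlay trailer described above.

MARKER = b"PROZIUM32"
MARKER_OFFSET = 0x4E        # physical offset 78, per the write-up
OVERLAY_TRAILER = b".MTS"   # last 4 bytes of the optional overlay

def is_mz(data: bytes) -> bool:
    """True if the buffer starts with a DOS 'MZ' executable header."""
    return len(data) >= 2 and data[:2] == b"MZ"

def has_infection_marker(data: bytes) -> bool:
    """Check for 'PROZIUM32' at offset 0x4E. That offset lies just past the
    64-byte IMAGE_DOS_HEADER, in the DOS stub, so overwriting it does not
    break the PE layout, which is why the virus can use it as a marker."""
    end = MARKER_OFFSET + len(MARKER)
    return len(data) >= end and data[MARKER_OFFSET:end] == MARKER

def has_mts_overlay(data: bytes) -> bool:
    """Check whether the file ends with the '.MTS' overlay trailer."""
    return len(data) >= len(OVERLAY_TRAILER) and data[-4:] == OVERLAY_TRAILER

def scan(data: bytes) -> dict:
    """Return each indicator plus a verdict. The marker is the decisive
    signal; the overlay is optional per the write-up, so it only corroborates."""
    mz = is_mz(data)
    marker = mz and has_infection_marker(data)
    overlay = has_mts_overlay(data)
    return {"mz": mz, "marker": marker, "mts_overlay": overlay,
            "suspicious": marker}

def scan_file(path: str) -> dict:
    """Convenience wrapper to run the check against a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())

def make_sample(infected: bool, overlay: bool) -> bytes:
    """Constructed toy 'MZ' buffer for offline testing (not a real PE)."""
    buf = bytearray(b"MZ" + b"\x00" * 0x100)
    if infected:
        buf[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    if overlay:
        buf += b"\x00" * 16 + OVERLAY_TRAILER
    return bytes(buf)

if __name__ == "__main__":
    for inf, ov in ((False, False), (True, False), (True, True)):
        print(f"infected={inf} overlay={ov} -> {scan(make_sample(inf, ov))}")
```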

Information in this article is available courtesy of BitDefender virus researchers Balazs Biro and Lutas Andrei Vlad.