/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;
font-family:”Times New Roman”,”serif”;}
This is yet
Acrobat Reader and Adobe Flash Player.
accessing the specially crafted website, the script will launch two ActiveX
objects: AcroPDF.PDF or PDF.PdfCtrl to open a *.pdf file (readme.pdf) and
ShockWaveFlash.ShpckwaveFlash to open a *.swf file (flash.swf). These files
contain the actual exploits, and when opened, will download an executable file
without any user interaction.
download URL was of the form: http://sitesupports.cn/[removed]?id=0 and the executable is detected by
BitDefender as Backdoor.Zdoogu.F.
executed the Backdoor will create a copy of itself in
%windir%system32digiwet.dll with the extension and executable type changed to
DLL. In order to have the copy execute at every windows startup it will add
specific registry keys.
it launches a new instance of svchost.exe and overwrites its image from memory
with the payload.
infected svchost.exe creates a file called wiaservim.log in %windir% in which
it will record its activity. It then connects twice to 126.96.36.199, first to
download several files, second to report back with other data.
downloaded executables belong to the Backdoor.IRCBot family, which allows an
attacker to control the infected computers via IRC (Internet Relay Chat).
This is a
file infector that has two main components:
- The code that gets injected
into the *.exe files
- The DLL which performs the
infected file gets executed, the virus will do the following:
a DLL into %windir%system32dotnetfx.dll
the DLL by passing it as an argument to rundll32.dll
execution to the host
file is responsible for making the actual infections. When first ran it will
make changes to the registry to it gets executed at system startup. It then
adds another registry value, A, which it will increment every time it is run.
When the letter becomes Z, the virus starts its actual infection routine.
will loop through all accessible drives searching for files to infect or
delete. It only injects code into *.exe files and deletes every file with the
extension: xls, mdb, doc, jpg, frm, wmv, mp3, sis, as, fla, APP, ppt, avi, mpg,
3gp, vb, jar, css, asp, aspx, jsp, java, pdf, psd, gif, cad, zip, rar or 3ds.
In order to
infect a file, it will first read its header information and check if the file
is not already infected. As an infection marker, it will write the string
“PROZIUM32” at the physical offset 0x4E (78 in decimal) in the file. If the
file is not already infected, it will append the malicious code to the end of
the executable and update its characteristics by recalculating the size and
properties of the file.
also create a random-length overlay, probably to prevent infection by other
viruses. The overlay has the last 4 bytes set to the ASCII characters “.MTS”.
in this article is available courtesy of BitDefender virus researchers: Balazs
Biro and Lutas Andrei Vlad