WEEKLY REVIEW

BitDefender weekly review

This week a pretty simple but recyclable IRCBot caught out attention. Besides the fact that it allows remote control of the infected machine by the attacker, the only noteworthy fact about it is that it comes packed, which means that by the click of a button or two, a new morphed version of it can spread unhindered through anti-virus protected PCs.

Backdoor.IRCBot.ACTN

This
worm is packed and encrypted in order to avoid av detection and hide
its malicious purpose. When first run, it creates a hidden copy of
itself in %windir%, under the name usb_magr.exe and makes specific
changes to the registry to ensure that the copy will be executed at
every system start up.

Next
it drops a file named x.bat which will disable the Security Center
service. As a consequence of disabling this service, the user will
not be notified if virus protection, firewall and automatic updates
are enabled or not. The bat file deletes itself afterwards.

It
spreads on removable drives using the autorun.inf technique. The
executable is hidden in a RECYCLER folder to hide its presence and
will be executed each time the drive is accessed if the autorun
feature is enabled.

Then
it will try to connect to an IRC server using the following
authentication details:

User:
MEAT* 0
Nick:
{iNF-00-USA-<operating_system>-<computer_name>-<random_number>}
Pass:
prison

By
opening this backdoor the attacker will be able to control the
system, download other files or upgraded versions of the backdoor by
executing IRC commands,

Win32.Tufik.M

This
file infector is made out of two components:
– A small code that
will receive execution before the infected file and will drop the
main executable
– The main executable file, which is responsible
for the rest of the malicious actions

The main executable will
perform the following, upon execution:
– create a new mutex:
BLACKSEEDER1.1, in order to avoid multiple instances of the same
executable
– copy itself inside “%windir%Downloaded Program
Files” as xxxxxxxx.exe (where each x is a number from 0 to 9 or a
character from A to F, ex: 00094648.exe) and continue execution from
there
– drop a small dll file, xxxxxxxx.dat (the .exe file and the
.dat file will have the same 8-characters sequence), which will be
injected in every running process; it has only one purpose:
downloading files from the following URL:
http://www.wangzhe[removed].com/girl/


it will infect .htm, .html, .php, .asp, .aspx files by adding an
invisible iframe pointing to:
http://www.wangzhe[removed].com/girl/picture.htm
– create a
desktop.ini file inside this folder, to make sure the malware-files
are not visible under Explorer
– register itself at startup by
making changes to the registry
– make a copy of itself inside the
root directory of every accessible drive
– create an autorun.inf
file on every accessible drive, which will point to the file
described above

It is also its responsibility to search and
infect other files, with the extentions: .exe, .com, .bat, .scr,
.cmd, if they are valid PE files. The infection process is the
following:
– checks if the file is not already infected (last
section-name is not BSDR1.1)
– checks if the file has an overlay
(it will not infect files with overlay)
– If the file is not
infected, it will create a new section at the end of the executable,
where it will add the main-code that will get executed inside the
host, and the main executable file.
– modify the entry-point in
order for the virus to be executed first
– modify the SizeOfImage
and SizeOfCode fields inside headers, in order the reflect the new
changes after infection

The
“viral code” (1436 B) will receive the execution inside the
infected file, before the host (it is done by modifying the
Original
entry-point of the infected application) and perform the following:

create a new mutex: BLACKSEEDER1.1, in order to avoid multiple
instances
– retrieve addresses of some API functions it will use

retrieve temp-folder path
– drop and execute the main exe file
(which is located immediately after the viral code) inside temp
folder, as BLACKSEEDER1.1
– Jump back to the host code


The worm will also kill any process with one of the following
names:
vstskmgr.exe, naprdmgr.exe, updaterui.exe, tbmon.exe,
scan32.exe, ravmond.exe, ccenter.exe, ravtask.exe, rav.exe,
ravmon.exe, ravmond.exe, ravstub.exe, kvxp.kxp, kvmonxp.kxp,
kvcenter.kxp, kvsrvxp.exe, kregex.exe, uihost.exe, trojdie.kxp,
frogagent.exe, 360Safe.exe, AST.exe …

… and terminate the
following services, if present on the system:
kavsvc, AVP,
AVPkavsvc, McAfeeFramework, McShield, McTaskManager, McAfeeFramework
McShield, McTaskManager, navapsvc, KVWSC, KVSrvXP, Schedule,
sharedaccess, RsCCenter, RsRavMon, RsCCenter, RsRavMon, wscsvc,
KPfwSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec,
Core LC, NPFMntor, MskService, FireSvc, Alerter

Information
in this article is available courtesy of BitDefender virus
researchers: Dana Stanut and Lutas Andrei Vlad