BitDefender weekly review

They don't like antivirus products. I don't know why, they're so friendly, they take care of our computers, protect our data and identity, but they still don't like antivirus products.
Cyber criminals wage a war against them and these are some of the ways they do it:

Trojan.KillAV.PT

This Trojan is a really nice piece of work. It was not easy to analyze and, although it’s not that complex, it is interesting to see how intricate an attacker’s mind can get in order to reach his goal.

The Trojan starts by dropping three components, which we look at more closely below.
1. The antivirus killer (killdll.dll):

– is saved in %windir%\system32, gets loaded first and contains two encrypted drivers. It is deleted after 15 seconds.

1.1. The first is used to disable the following services belonging to security product vendors:

avp.exe
DrUpdate.exe
QQDoctorRtp.exe
KWatch.exe
Uplive.exe
udaterui.exe
McTray.exe
SHSTAT.exe
ccSvcHst.exe
xcommsvr.exe
vsserv.exe
livesrv.exe
bdagent.exe
mcinsupd.exe
mcshell.exe
FrameworkService.exe
vstskmgr.exe
mcagent.exe
mcnasvc.exe
mcmscsvc.exe
mcsysmon.exe
mfevtps.exe
mcupdmgr.exe
vptray.exe
ccapp.exe
rtvscan.exe
defwatch.exe
ccEvtMgr.exe
ccSetMgr.exe
KVSrvXP.exe
KPFW32.exe
engineserver.exe
KavStart.exe
kmailmon.exe
KPfwSvc.exe
KISSvc.exe
MPSVC3.exe
MPSVC.exe
MpfSrv.exe
naPrdMgr.exe
rsnetsvr.exe
mcshield.exe
McProxy.exe
QQDoctor.exe
Rav.exe
ScanFrm.exe
RsTray.exe
RavStub.exe
CCenter.exe
RavTask.exe
RavMonD.exe
RavMon.exe
egui.exe
mfeann.exe
RsAgent.exe
ekrn.exe
antiarp.exe
360tray.exe
360Safebox.exe
safeboxTray.exe

To achieve this, the driver is saved under %windir%\system32\drivers\AsyncMac.sys, replacing the original driver of the same name, which was a Microsoft Remote Access Network Serial driver.

Then it will disable the system start feature of these services so they will not be loaded again after restart. When it’s done the driver file will be unloaded and deleted.

1.2. The second driver is saved under %windir%\system32\drivers\aec.sys, also replacing the original driver, which used to be a Microsoft Acoustic Echo Canceler. This component deactivates commonly used proactive detection techniques by undoing the changes made by antivirus software to the kernel memory. After it has finished, it is unloaded and deleted.
2. The downloader ([random_value]_xeex.exe):

– is saved in %windir% after killdll.dll has finished its job. Upon execution this component first checks where it has been started from. If it has been injected into userinit.exe, it first executes explorer.exe (the default userinit.exe behavior) so the user doesn’t notice the infection, and then continues with its own routine. If it is not running inside userinit.exe, it continues with its own routine without starting explorer.exe.

It will send the MAC address, operating system version and the file version (probably provided by the creation date) to the following script: http://[removed]518js.com/30330/count.asp

It will download and execute about 30 files specified by an online text file located at: http://[removed]518js.com/30330/newfz.txt. If the downloader version reported above is outdated, the list will also contain a new version of the Trojan in order to update itself; the rest of the files belong to the OnlineGames password stealer family.

It will register the parent executable image to start at system startup using the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, under the following name: RsTray.
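The downloader’s check-in (count.asp) and download-list fetch (newfz.txt) described above leave a recognisable pair of requests in a web proxy log. The following detection is an added example, not code from BitDefender; it runs over a constructed log in Common Log Format, the host name "redacted518js.com" stands in for the name the write-up prints as [removed]518js.com, and the query string is made up because the write-up does not give the parameter names.

```python
import re
from collections import defaultdict

# Constructed proxy log in Common Log Format; "redacted518js.com" stands in for the
# host the write-up prints as [removed]518js.com, and the query string is made up.
SAMPLE_LOG = """\
10.0.0.12 - - [12/Mar/2009:10:01:22 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5123
10.0.0.17 - - [12/Mar/2009:10:02:05 +0000] "GET http://redacted518js.com/30330/count.asp?v=20090301 HTTP/1.1" 200 47
10.0.0.17 - - [12/Mar/2009:10:02:07 +0000] "GET http://redacted518js.com/30330/newfz.txt HTTP/1.1" 200 2210
10.0.0.21 - - [12/Mar/2009:10:03:40 +0000] "GET http://redacted518js.com/30330/count.asp HTTP/1.1" 200 47
10.0.0.12 - - [12/Mar/2009:10:04:01 +0000] "GET http://www.example.com/newfz.txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators from the write-up: a host ending in 518js.com and the two scripts under
# /30330/ that the downloader uses for its check-in and for the download list.
URL_RE = re.compile(r'^https?://[^/]*518js\.com/30330/(count\.asp|newfz\.txt)(\?|$)', re.I)

def parse_line(line):
    """Split one CLF line into its fields, or return None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_killav_beacons(log_text):
    """Map client IP -> [(timestamp, script)] for every request to the downloader's URLs."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = URL_RE.match(rec["url"])
        if u:
            hits[rec["client"]].append((rec["ts"], u.group(1).lower()))
    return dict(hits)

def clients_that_updated(hits):
    """Clients that fetched newfz.txt after their count.asp check-in: the download stage ran.

    Relies on the log being in time order, which proxy access logs normally are."""
    out = []
    for client, events in hits.items():
        scripts = [s for _, s in events]
        if "count.asp" in scripts and "newfz.txt" in scripts[scripts.index("count.asp"):]:
            out.append(client)
    return sorted(out)
```

A client that only hit count.asp (10.0.0.21 in the sample) still warrants a look, since the check-in alone means the downloader executed.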
3. The overwriter (pcidump.sys):

– is saved in %windir%\system32\drivers, loaded into memory and, after it has finished its job, deleted.

The driver’s function is to overwrite userinit.exe, a core Windows component, with the downloader so that it is executed at every system startup. Under normal circumstances userinit.exe quits after initializing all the necessary processes. If infected with the downloader, however, it stays resident in memory, which gives the victim a hint of the malware’s presence.

The main executable also copies itself to %windir%\system32\scvhost.exe and afterwards deletes the original file it was executed from.

Win32.Worm.VB.NXY

Upon execution the worm copies itself to %windir%\userinit.exe and makes changes to the registry in order to ensure the copy’s execution at system startup.

A second copy will be created as %windir%\system32\system.exe.

Both executables, while running, will protect each other from being terminated.

After this, the worm will try to update itself from the following locations: t35.com, titanichost.com, 110mb.com. The downloaded file is saved under %windir%\system32\task.exe and, after it’s launched, it will replace the two copies of the worm.

In order to protect itself, it will deny access to the following security websites by making changes to the %windir%\system32\drivers\etc\hosts file:

download.f-secure.com
mirror02.gdata.de
download.avg.com
spftrl.digitalriver.com
www.grisoft.cz
download1us.softpedia.com
download.softpedia.com
www.bitdefender.co.uk
www.bitdefender.com
virusscan.jotti.org
bkav.com.vn
www.bkav.com.vn
download.com.vn
www.download.com.vn
9down.com
www.9down.com
download.eset.com
www.download.com

A third file is created as %windir%\kdcoms.dll. This file is actually nothing but a text file containing the following message: “Don’t worry! I will protect your computer”. After an update, the file contains the current date.

The worm spreads on all removable drives by making a copy of itself in the root folder of the drive using forever.exe as a filename. An autorun.inf file will be created to point to this file.
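The hosts-file tampering described above is easy to audit: a clean hosts file has no reason to map vendor download sites to any address at all. The following checker is an added example (not BitDefender’s code); it parses a constructed, tampered hosts file and reports every entry that names one of the domains listed in the write-up, tolerating tabs, trailing comments, mixed case and several host names on one line.

```python
import ipaddress

# Domains the worm blocks, taken from the write-up above.
BLOCKED_BY_WORM = {
    "download.f-secure.com", "mirror02.gdata.de", "download.avg.com",
    "spftrl.digitalriver.com", "www.grisoft.cz", "download1us.softpedia.com",
    "download.softpedia.com", "www.bitdefender.co.uk", "www.bitdefender.com",
    "virusscan.jotti.org", "bkav.com.vn", "www.bkav.com.vn", "download.com.vn",
    "www.download.com.vn", "9down.com", "www.9down.com", "download.eset.com",
    "www.download.com",
}

# Constructed sample of a tampered %windir%\system32\drivers\etc\hosts file.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1 www.bitdefender.com download.eset.com   # appended by the worm
127.0.0.1\tDownload.F-Secure.com
0.0.0.0 virusscan.jotti.org
192.0.2.10 intranet.example.internal
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; blank lines, comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield str(ip), host.lower()

def find_hijacked_entries(text, watchlist=BLOCKED_BY_WORM):
    """Return {hostname: ip} for every watchlist name present in the hosts file.

    Any mapping counts, not just loopback: pinning a vendor site to any address is
    something a legitimate hosts file does not do."""
    return {host: ip for ip, host in parse_hosts(text) if host in watchlist}

def is_sinkholed(ip):
    """True for the loopback/unspecified addresses typically used to deny access."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_unspecified
```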

Information in this article is available courtesy of BitDefender virus researchers Balazs Biro and Ovidiu Visoiu.

About the author

Bitdefender