Cybercriminals wage war against them, and these are some of the ways they do it:
This Trojan is a really nice piece of work. It was not easy to analyze and, although it is not that complex, it is interesting to see how intricate an attacker’s mind can get in order to reach his goal.
The Trojan starts by dropping three components, which we will look at more closely below.
- The antivirus killer (killdll.dll): is saved in %windir%\system32, is loaded first and contains two encrypted drivers. It is deleted after 15 seconds.
1.1. The first is used to disable the following services belonging to security product vendors:
To achieve this, the driver is saved as %windir%\system32\drivers\AsyncMac.sys, replacing the original driver of the same name, which was the Microsoft Remote Access Network Serial driver.
It then disables the system-start setting of these services so that they are not loaded again after a restart. When it is done, the driver file is unloaded and deleted.
1.2. The second driver is saved as %windir%\system32\drivers\aec.sys, again replacing the original driver, which used to be the Microsoft Acoustic Echo Canceler. This component deactivates commonly used proactive detection techniques by undoing the changes that antivirus software makes to kernel memory. After it has finished, it is unloaded and deleted.
- The downloader ([random_value]_xeex.exe): is saved in %windir% after killdll.dll has finished its job. Upon execution this component first checks where it has been started from. If it has been injected into userinit.exe, it first executes explorer.exe (the default userinit.exe behaviour) so that the user does not notice the infection, and then continues with its own routine. If it is not running inside userinit.exe, it continues with its own routine without starting explorer.exe.
It sends the MAC address, the operating system version and the file version (probably derived from the creation date) to the following script: http://[removed]518js.com/30330/count.asp
It downloads and executes about 30 files listed in an online text file located at: http://[removed]518js.com/30330/newfz.txt If the downloader version reported above is outdated, the list also contains a new version of the Trojan so that it can update itself; the remaining files belong to the OnlineGames password-stealer family.
It registers the parent executable image to start at system startup using the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the following entry name: RsTray.
- The overwriter (pcidump.sys): is saved in %windir%\system32\drivers, loaded into memory and, after it has finished its job, deleted.
The driver’s function is to overwrite userinit.exe, a core Windows component, with the downloader part so that it is executed at every system startup. Under normal circumstances userinit.exe quits after initializing all the necessary processes. If infected with the downloader, however, it stays resident in memory, giving the victim a hint of the malware’s presence.
The main executable also copies itself to %windir%\system32\scvhost.exe and then deletes the original file it was executed from.
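Both persistence indicators from the analysis above, the RsTray entry under the Run key and the scvhost.exe copy whose name is one letter-swap away from svchost.exe, can be checked from an exported registry key. The script below is an added example, not BitDefender’s tooling or any code from the analysis: it parses reg export output, flags the known entry name, and uses edit distance to catch executables named one or two characters off from a Windows system binary. The sample export, the Helper entry and the list of protected binary names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Run key the Trojan uses and the entry name it registers (both from the analysis above).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_BAD_ENTRY_NAMES = {"rstray"}
# Legitimate Windows binaries that droppers imitate; scvhost.exe above is one letter-swap
# away from svchost.exe. This list is an assumption for the example, not from the analysis.
PROTECTED_IMAGE_NAMES = ["svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe"]

# Constructed sample of a `reg export` of the Run key (not taken from a real host); the
# "Helper" entry is a made-up second lookalike that exercises the distance check.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"RsTray"="C:\\Windows\\system32\\scvhost.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"Helper"="C:\\Windows\\svch0st.exe"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"="string" entries. Returns {key: {entry_name: value}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and embedded quotes with a backslash.
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            result[current][m.group(1)] = value
    return result


def image_basename(command: str) -> str:
    """Extract the executable file name from a Run value (bare path, quoted path, or path plus arguments)."""
    m = re.search(r'([^\\/"]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else command.strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a distance of 1 or 2 from a system binary name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (entry_name, command, reason) for Run entries worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for name, command in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() in KNOWN_BAD_ENTRY_NAMES:
            findings.append((name, command, "entry name matches the Trojan's RsTray persistence"))
            continue
        exe = image_basename(command)
        for legit in PROTECTED_IMAGE_NAMES:
            distance = levenshtein(exe, legit)
            if 0 < distance <= 2:
                findings.append((name, command, f"{exe} is a lookalike of {legit} (edit distance {distance})"))
                break
    return findings


if __name__ == "__main__":
    for entry, command, reason in audit_run_entries(SAMPLE_REG_EXPORT):
        print(f"{entry}: {command} -> {reason}")
```

The distance threshold of 2 is what catches a transposition such as scvhost/svchost; raising it quickly produces false positives against short legitimate names, so treat matches as leads to be checked against file signatures and paths, not as verdicts.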
Upon execution the worm copies itself to %windir%\userinit.exe and makes changes to the registry in order to ensure the copies’ execution at system startup.
A second copy is created as %windir%\system32\system.exe.
Both executables, while running, will protect each other from being terminated.
After this, the worm tries to update itself from the following locations: t35.com, titanichost.com, 110mb.com. The downloaded file is saved as %windir%\system32\task.exe and, once launched, replaces the two copies of the worm.
In order to protect itself, it denies access to the following security websites by making changes to the %windir%\system32\drivers\etc\hosts file:
A third file is created as %windir%\kdcoms.dll. This file is actually nothing but a text file containing the following message: “Don’t worry! I will protect your computer”. After an update, the file contains the current date.
The worm spreads to all removable drives by making a copy of itself in the root folder of the drive under the filename forever.exe. An autorun.inf file is created that points to this file.
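Two of the worm’s on-disk traces above, the hosts-file entries that block security websites and the autorun.inf that launches forever.exe from a removable drive, are both plain text and easy to audit. The script below is an added example, not code from the analysis or its authors: it parses the hosts file format and reports every entry that pins a watched vendor zone, separating names sinkholed to loopback or 0.0.0.0 from names redirected to some other address, and it parses the [autorun] section of an autorun.inf and reports every launch directive, noting when the target is the forever.exe copy named above or when the action label imitates Explorer’s own AutoPlay entry. The watched zones, both sample files and the extra masquerading lines in the autorun sample are constructed placeholders, since the analysis does not reproduce the list of blocked sites.

```python
import ipaddress
from typing import Dict, List, Tuple

# DNS zones that should never be pinned in a hosts file on a managed host. Constructed
# placeholders standing in for the vendor domains the analysis refers to.
WATCHED_ZONES = {"example-av.test", "example-security.test"}

# Constructed sample hosts file: two normal default lines, then additions of the kind described.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test      # sinkholed to loopback
0.0.0.0         www.example-security.test
203.0.113.7     liveupdate.example-av.test  # pointed at an outside address instead
"""

# Keys in [autorun] that make Explorer run something when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
# Copy name the worm uses on removable drives (from the analysis above).
KNOWN_WORM_FILENAMES = {"forever.exe"}

# Constructed sample autorun.inf; the shell\open, action and icon lines are typical
# masquerading additions assumed for the example, not taken from the analysis.
SAMPLE_AUTORUN = """[AutoRun]
open=forever.exe
shell\\open=Open
shell\\open\\command=forever.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every active mapping; '#' comments are dropped."""
    entries: List[Tuple[int, str, List[str]]] = []
    for number, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        entries.append((number, parts[0], [name.lower() for name in parts[1:]]))
    return entries


def is_sinkhole(address: str) -> bool:
    """True when the target can never reach the real site: loopback, 0.0.0.0, link-local
    or reserved space, or a token that is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_reserved


def in_watched_zone(hostname: str, zones=WATCHED_ZONES) -> bool:
    return any(hostname == zone or hostname.endswith("." + zone) for zone in zones)


def find_hosts_tampering(text: str, zones=WATCHED_ZONES) -> List[Dict[str, object]]:
    """Flag hosts entries that pin a watched name: 'blocked' for sinkhole targets, 'redirected' otherwise."""
    findings: List[Dict[str, object]] = []
    for number, address, names in parse_hosts(text):
        for name in names:
            if in_watched_zone(name, zones):
                findings.append({"line": number, "host": name, "address": address,
                                 "kind": "blocked" if is_sinkhole(address) else "redirected"})
    return findings


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased. Hand-rolled instead of
    configparser because malicious files mix case in the section name and pad the file
    with lines that are not key=value."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def audit_autorun(text: str) -> List[Dict[str, object]]:
    """List every launch directive with the reasons it is suspicious on a removable drive,
    plus an 'action' finding when the label spoofs Explorer's own 'Open folder' entry."""
    values = parse_autorun(text)
    findings: List[Dict[str, object]] = []
    for key in LAUNCH_KEYS:
        if key not in values:
            continue
        target = values[key]
        exe = target.strip('"').split()[0].lower() if target.strip() else ""
        reasons = ["launch directive present on a removable drive"]
        if exe.endswith(".exe") and "\\" not in exe:
            reasons.append("runs an executable stored in the drive root")
        if exe.rsplit("\\", 1)[-1] in KNOWN_WORM_FILENAMES:
            reasons.append("file name matches the worm's known copy")
        if key.startswith("shell\\"):
            reasons.append("replaces an Explorer shell verb, so double-clicking the drive runs it too")
        findings.append({"key": key, "target": target, "reasons": reasons})
    if "open folder" in values.get("action", "").lower():
        findings.append({"key": "action", "target": values["action"],
                         "reasons": ["label imitates Explorer's default AutoPlay entry"]})
    return findings


if __name__ == "__main__":
    for f in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['host']} -> {f['address']} ({f['kind']})")
    for f in audit_autorun(SAMPLE_AUTORUN):
        print(f"autorun {f['key']} = {f['target']}: " + "; ".join(f["reasons"]))
```

The hosts check deliberately reports a redirect to a routable address as well as a sinkhole, since pointing an update server at a host the attacker controls is the more dangerous of the two variants; on a real system the watch list would be the vendor zones the organisation actually depends on.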
in this article is available courtesy of BitDefender virus researchers: Balazs Biro and Ovidiu Visoiu