The purpose of this Trojan is to steal login information from massively multiplayer online role-playing games (MMORPGs). When executed, the e-threat creates two files inside %temp%: herss.exe (a copy of itself) and cvasds0.dll, which is injected into every running process.
It also creates “3c.exe” and an autorun.inf file pointing at that executable in the root folder of every accessible drive. As a result, the Trojan is executed (through AutoRun) every time any of those drives is opened.
It also makes certain registry changes to ensure that herss.exe is executed on every reboot, and disables the “Show hidden files and folders” option, again through the registry.
The injected DLL is responsible for the actual account stealing.
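The following host-triage script is an added example, not BitDefender's code or part of the original write-up. It checks the indicators named above for the MMORPG stealer: the two files in %temp%, 3c.exe plus an autorun.inf launching it on every drive root, Run-key persistence for herss.exe, the Explorer hidden-files setting, and cvasds0.dll loaded in running processes. The registry values it reads for the hidden-files setting (Explorer\Advanced\Hidden and SHOWALL\CheckedValue) are the standard ones; the description does not say which values the Trojan changes, so that part is an assumption.

```powershell
# Added host-triage script for the MMORPG stealer described above; this is not
# BitDefender's code. Run from an elevated PowerShell prompt on the suspect host.
# Assumption: the "show hidden files" tampering targets the standard Explorer
# values (Advanced\Hidden, SHOWALL\CheckedValue); the write-up does not name them.

$findings = @()

# 1. Dropped files in %temp%
foreach ($name in 'herss.exe', 'cvasds0.dll') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# 2. 3c.exe plus an autorun.inf that launches it, in the root of every drive.
#    autorun.inf is an INI file; in its [autorun] section the open= and
#    shellexecute= keys (and shell\<verb>\command=) name the program to run.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    $exe  = Join-Path $root '3c.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue) {
        $findings += "Dropper copy present: $exe"
    }
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        # -Force reads the file even if it was marked hidden/system
        foreach ($line in (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
                $target = $matches[2]
                $note = if ($target -match '3c\.exe') { ' <- matches the dropper' } else { '' }
                $findings += "autorun.inf on $root launches $target$note"
            }
        }
    }
}

# 3. Run/RunOnce persistence pointing at herss.exe
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ...
        if ("$($prop.Value)" -match 'herss\.exe') {
            $findings += "Run-key persistence: $key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. Explorer "show hidden files" state (assumed target). Hidden = 1 shows hidden
#    files, 2 hides them; CheckedValue = 0 additionally breaks the Folder Options
#    radio button, a common trick to keep dropped files out of sight.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).Hidden
$showAll = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
$findings += "Explorer Advanced\Hidden = $hidden, SHOWALL\CheckedValue = $checked (tampered if CheckedValue is not 1)"

# 5. The injected DLL loaded in running processes (module enumeration fails for
#    some protected processes; those are skipped)
foreach ($proc in Get-Process) {
    try {
        if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'cvasds0.dll' }) {
            $findings += "cvasds0.dll loaded in $($proc.ProcessName) (PID $($proc.Id))"
        }
    } catch { }
}

$findings | ForEach-Object { "[!] $_" }
```

The hidden-files line is always printed because the value is informational: on a default installation Hidden is 2, so only a CheckedValue other than 1, or a setting that has reverted after you enabled it, indicates tampering. The autorun.inf parser reports every launch target it finds, not only 3c.exe, since the same infection vector is used with other file names.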
When the malware is run, the program makes two copies of itself, %windir%\system32\[random-name].exe and %userprofile%\[random-name2].exe, and adds both to the registry so that they are executed at every reboot. %windir%\system32\[random-name].exe is then executed and the initial file is deleted using a batch file. This executable modifies the security settings of Internet Explorer and adds itself to the Windows Firewall trusted application list.
It then tries to connect to the following servers to get new instructions: 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52.
The infected computer is thus turned into a spam relay: an SMTP server and an e-mail generator are implemented in the malware body.
Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.