WEEKLY REVIEW

BitDefender weekly review

This week another wave of password stealers has hit the landscape. However not all are targeting MMORPGs. Another obfuscated variation of the fierce Zeus Spybot is on the loose, looking for online banking details at the most unsuspecting users.

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

MicrosoftInternetExplorer4

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:”Times New Roman”;
mso-bidi-theme-font:minor-bidi;}

Trojan.Spy.Zeus.W

This
version of the Zeuz bot tries to trick users into executing it by displaying
the icon of a *.chm (Microsoft Compiled Help File) as its own icon. The file is
generally sent out by spam messages containing various messages (pornography,
cataclysmic events, etc).

After
decryption BitDefender engines detect the resulting file to be
Trojan.Spy.Zeus.C. Its first action is to inject code into “winlogon.exe”
allowing it to run and manipulate the filesystem undetected.

It copies
itself to “%windir%system32sdra64.exe” with a different size and creates a
folder “lowsec” in which it drops 3 files which contain encrypted data. All the
files are hidden from Windows Explorer.

Trojan.Spy.Zeus.W
also creates registry keys in order to be executed at every system startup and
a mutex in order to mark its presence.

The Zeus
family has the capability to be used as for stealing information (mostly online
banking authentication details), remote control and spamming.

 

Trojan.PWS.OnlineGames.KBXS

This
password stealer comes bundled inside another application that is used to
remove certain security features. The dropper is detected as
PWS.OnlineGames.KBZA and after execution it will copy
“%windir%system32sfc_os.dll” (used by windows to protect files) into
“%windir%system32mmsfc1.dll”. Then it calls a certain function from
“mmsfc1.dll” in order to overwrite “%windir%system32comres.dll” with its own,
encryted, dll (the password stealer). The original “comres.dll” will be saved
in “%windir%system32sysGHT.dll”.

The new
“comres.dll” will be injected into every running process and will monitor the
keystrokes and mouse gestures of the user. The final goal of the application is
to steal authentication data from QQ Login, Dungeon and Fighter and Tenio.

A copy of
the password stealer (the replaced comres.dll) will be also created in
“%windir%fOntS” which is injected into all the processes the first time the PC
gets infected. After reboot the replaced “comres.dll” is launched by the system
automatically.

The
component responsible with sending the gathered information is also dropped
inside “%windir%fOntS” as the file GHT60366.ttf detected by BitDefender as
Trojan.PWS.OnlineGames.KBXJ.

Usernames,
passwords, server, ingame currency, equipment, level a.s.o will be sent to web
pages located on:

http://www.wg210.com/mail.asp
http://www.wg210.com/mibao.asp
http://1.qq594358080.cn/kanxin/004/mail.asp

 After a
successful infection, the dropper deletes itself.

Information
in this article is available courtesy of BitDefender virus researchers: Stefan
Catalin Hanu and Dana Stanut