WEEKLY REVIEW

BitDefender weekly review

This week we found, inside a chain of e-threats, obvious traces that malware is being actively written in Romania. The first hint was the website spreading a Visual Basic script which attempted to exploit vulnerable Adobe plugins of Internet Explorer in order to infect the user with Backdoor.Ardu.A.

The website contains information about the Romanian celebrity “Elena Udrea”, hence the name of the backdoor: Udrea – Ardu (Udrea in reverse, without the e). A comment string inside the backdoor’s code also shows the Romanian origin of the malware writer. It reads: “link important de tinut sus”, which translates to “important link to be held online”.


Trojan.Downloader.VBS.DA

This small downloader is written in VBS and is embedded in websites to infect users. When it receives control, it will attempt to download 4 files from the following location: http://love[removed].org/css. The files being downloaded are:

– AutoCfg.exe – infected, detected by BitDefender as Backdoor.Ardu.A
– Instexnt.exe, Autoexnt.exe, Servmess.dll – clean files, used for running scripts before a user logs on

After downloading these files, it will attempt to install the AutoExNT service and it will create the file AutoExNT.bat, in which the infected application (AutoCfg.exe) will be listed. This way, the malware will be executed after every reboot, even if there is no user logged on to that computer.


Backdoor.Ardu.A

This backdoor will most likely end up on a system after being downloaded by other malware (i.e. Trojan.Downloader.VBS.DA) under the name %windir%\system32\AutoCfg.exe. This is nothing but a big executable that carries inside its overlay a Ruby interpreter together with several runtime libraries it will need for running the infected script. After getting executed, it will drop all these files inside %temp% and execute them. The malware script will perform the following actions:
– retrieve the local computer name
– retrieve the local user name
– retrieve the victim’s IP address
– retrieve a file (ip.txt) from the following URL: http://www.run[removed].com/examples/ip.txt, which contains (as its name says) an IP address
– connect to that IP address on port 2009
– send the data gathered about the victim (IP address, computer name, user name)
– listen for commands that an attacker may send; if the command contains “Goodbye”, the session will be closed; any other command will be appended to the file %windir%\system32\AutoCfg.bat (created by the malware)


The bat file and the backdoor’s executable are registered to run at every system startup.
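The following triage script is an added example, not code from BitDefender or from the malware itself. It turns the indicators described above into checks a responder can run over collected artifacts: an AutoExNT service and an AutoExNT.bat that launches AutoCfg.exe (the persistence mechanism of the downloader), an established TCP session to remote port 2009 (the backdoor’s command channel), and a captured command stream from which the commands that would have been appended to AutoCfg.bat (everything before the first “Goodbye”) can be reconstructed. All inputs are constructed samples; the C2 address in the report is redacted, so only the port is matched, and the IP 203.0.113.10 is a documentation address used as a stand-in.

```python
from __future__ import annotations

from dataclasses import dataclass

# Indicators taken from the write-up. The real C2 IP is redacted in the report,
# so the network check keys on the port alone.
C2_PORT = 2009
PERSISTENCE_SERVICE = "autoexnt"
BACKDOOR_IMAGE = "autocfg.exe"


@dataclass
class Finding:
    category: str   # "persistence" or "c2"
    detail: str


def scan_autoexnt_bat(bat_text: str) -> list[Finding]:
    """Report lines of an AutoExNT.bat that launch AutoCfg.exe.

    AutoExNT itself is a legitimate resource-kit component; the indicator is
    the backdoor image being scheduled through it to run before logon.
    """
    findings = []
    for lineno, line in enumerate(bat_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem", "::")):
            continue  # skip blank lines and batch comments
        if BACKDOOR_IMAGE in stripped.lower():
            findings.append(Finding(
                "persistence",
                f"AutoExNT.bat line {lineno} runs {BACKDOOR_IMAGE}: {stripped}"))
    return findings


def scan_services(services: dict[str, str]) -> list[Finding]:
    """Flag an installed AutoExNT service; `services` maps name -> image path."""
    return [Finding("persistence", f"service {name} installed, image {path}")
            for name, path in services.items()
            if name.lower() == PERSISTENCE_SERVICE]


def scan_netstat(netstat_text: str) -> list[Finding]:
    """Parse `netstat -ano`-style lines and flag established TCP sessions
    whose remote port is the backdoor's C2 port."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # Expected TCP layout: proto, local, remote, state, pid (UDP has no state)
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) == C2_PORT and state.upper() == "ESTABLISHED":
            findings.append(Finding("c2", f"pid {pid} connected to {host}:{port} from {local}"))
    return findings


def persisted_commands(session_lines: list[str]) -> list[str]:
    """Given the attacker-to-victim side of a captured session, return the
    commands the backdoor would have appended to AutoCfg.bat: every command
    before the first one containing "Goodbye", which closes the session."""
    kept = []
    for cmd in session_lines:
        if "Goodbye" in cmd:
            break
        kept.append(cmd)
    return kept


# --- constructed sample artifacts (not real system output) ---
SAMPLE_BAT = r"""REM constructed sample of %windir%\system32\AutoExNT.bat
@echo off
C:\WINDOWS\system32\AutoCfg.exe
"""

SAMPLE_SERVICES = {
    "AutoExNT": r"C:\WINDOWS\system32\autoexnt.exe",   # constructed
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",     # benign control entry
}

SAMPLE_NETSTAT = """
  TCP    10.0.0.5:49321         203.0.113.10:2009      ESTABLISHED     1844
  TCP    10.0.0.5:49322         203.0.113.10:80        ESTABLISHED     1844
  UDP    10.0.0.5:137           *:*                                    4
"""

SAMPLE_SESSION = ["echo hello", "dir", "Goodbye", "never reached"]


def run_demo() -> dict[str, list]:
    """Run every check over the constructed samples and group the results."""
    return {
        "persistence": scan_autoexnt_bat(SAMPLE_BAT) + scan_services(SAMPLE_SERVICES),
        "c2": scan_netstat(SAMPLE_NETSTAT),
        "persisted_commands": persisted_commands(SAMPLE_SESSION),
    }


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(category)
        for item in items:
            print("  ", item)
```

On a live host the inputs would come from the service control manager, the contents of AutoExNT.bat and AutoCfg.bat in system32, and a netstat or connection-tracking export; the port-only network check is deliberately broad and should be combined with the host indicators before treating a hit as confirmed.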

Information in this article is available courtesy of BitDefender virus researcher Lutas Andrei Vlad.