BitDefender weekly review

This week we have another online games password stealing Trojan that is encrypting the game names in its body really well in order to make it hard for security suites to determine its real purpose. Also MSN is targeted again as a spreading medium. A worm is sending messages with links to the whole contact list when someone is logging in to MSN from an infected computer.


This Trojan
is used to steal sensible information from games.

time the malware is executed, it drops a clean application named rxcf-green.exe
and a malware file named xq.exe in %userprofile%local settingstemp and runs
both of them.

malware (xq.exe) creates a malicious dll named [random].dll in
%windir%system32 and makes certain registry entries to ensure it will be
loaded on every system boot.

created dll file has a random 8 char name, different size and a different overlay
every time. It’s injected into the memory space of explorer.exe and every other
application wich has explorer.exe as parent.

that xq.exe will use a batch script to delete itself from the disk.



This worm
tries to spread through MSN and USB removable devices.

When first
executed, it checks its own filename and if it’s not “sysdate.exe” it creates a
folder in RECYCLER, with the name starting with “S-1-5-21” and makes a copy of
itself in it. Then it creates a Desktop.ini file to hide the executable from
explorer.exe. If the filename is “sysdate.exe”, it checks for the Desktop.ini
file to ensure it’s hidden and continues execution.

will make certain changes to the registry so that it get executed every time
the system boots then performs a code injection in the memory space of
explorer.exe which assures that both “sysdate.exe” and “Desktop.ini” are seen
as read-only.

If a USB
stick is inserted into an infected computer the worm will create a new folder
called “temp” in the root folder of the drive and copy itself in it under the
name “winsetup.exe”. It will hide the temp folder by creating another
“Desktop.ini” file with special instructions inside it. It also creates an
autorun.inf file which will execute the copy from the flash drive if it’s
inserted in any system that has the autorun feature enabled.

in this article is available courtesy of BitDefender virus researcher: Geroge