
BitDefender weekly review

Bogdan BOTEZATU

July 31, 2009


Win32.Worm.VBS.J

This is a Visual Basic Script that comes encrypted with a simple algorithm in order to hide its purpose. The first action it takes is decrypting the actual body of the script, which is encapsulated in a string variable.

After decryption the worm performs the following actions:

– change the values for DisplayLogo and Timeout of the Windows Script Host in order to hide its execution

– modify the registry so it displays 2 new options on the contextual menu when right-clicking an executable file: “Scan for virus,s” and “Open application”. The first executes a copy of the worm located in %windir%\system32\regedit.sys, the second %windir%\win.exe (discussed later)

– modify the registry to hijack execution of several security software applications, screensavers and other commercial applications, as well as debug and system tools such as drwtsn32.exe, taskmgr.exe, regedit.exe and rstrui.exe. Instead of these, its copy from %windir%\system32\regedit.sys will be launched

The worm will also remove several backdoors and other malware from the computer it infected to ensure it is the only malware present on the PC.

It will create an autorun.inf file on every removable drive so that it gets executed when the drive is accessed.

The %windir%\win.exe file is a backdoor dropped by the worm to allow remote access to the attacker.

Further, it checks the registry and makes sure that Windows Scripting Host is not disabled, that hidden and system files aren’t visible in Explorer, that file extensions are hidden and that the autorun feature is enabled.
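As an added example (not BitDefender's code or part of the original review), the following Python triage helper parses a Windows registry export and flags the kinds of changes described above: debugger hijacks of the named system tools, extra context-menu verbs on executables that run the dropped copy, and the Windows Script Host and Explorer settings the worm tampers with. The registry key paths are the standard Windows locations and are assumed here, and REG_SAMPLE is constructed test data rather than a capture from the worm.

```python
# Added triage helper, not BitDefender's code; key paths are the standard
# Windows locations (assumed) and REG_SAMPLE is constructed test data.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
"DisplayLogo"="0"
"Timeout"="0"
[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus\command]
@="wscript.exe \"C:\\WINDOWS\\system32\\regedit.sys\" \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="wscript.exe C:\\WINDOWS\\system32\\regedit.sys"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
"""
HIJACKED_TOOLS = {"drwtsn32.exe", "taskmgr.exe", "regedit.exe", "rstrui.exe"}
DROPPED_NAMES = ("regedit.sys", "win.exe")
CONCEAL = {"hidden": "dword:00000002", "showsuperhidden": "dword:00000000", "hidefileext": "dword:00000001"}

def parse_reg(text):
    # Returns {key_path_lower: {value_name_lower: raw_data}} from .reg text
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"').lower()
            keys[current][name] = data.strip().strip('"')
    return keys

def find_indicators(keys):
    hits = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        # A Debugger value under IFEO\<tool> redirects every launch of that tool
        if "\\image file execution options\\" in key and leaf in HIJACKED_TOOLS and "debugger" in values:
            hits.append(f"IFEO hijack of {leaf}: {values['debugger']}")
        # Extra verbs on exefile run the dropped copy when a user picks them
        if "\\exefile\\shell\\" in key and leaf == "command":
            cmd = values.get("@", "").lower()
            if any(n in cmd for n in DROPPED_NAMES):
                hits.append(f"exefile context menu runs dropped file: {cmd}")
        if key.endswith("\\windows script host\\settings"):
            hits += [f"WSH {n} set to {values[n]}" for n in ("displaylogo", "timeout") if n in values]
        if key.endswith("\\explorer\\advanced"):
            hits += [f"Explorer concealment: {n}={v}" for n, v in CONCEAL.items() if values.get(n) == v]
    return hits
```

Run it against a `reg export` of the relevant hives from a suspect machine; on the constructed sample it reports seven indicators.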


Trojan.Buzus.DL


This Trojan is made of 2 components:

1. the main executable, written in Delphi

2. the secondary executable, written in Visual C, which resides packed inside the resource section of the main executable

When executed, the main program will launch a second instance of the same executable, which will unpack the encrypted executable located in the .rsrc section, inject it into its own virtual memory space and then terminate.

The decrypted code will inject itself into a separate thread of explorer.exe and then quit. This thread will create a copy of itself inside directories like %SystemDrive%\Recycler\[dirname]\bfrss.exe, where [dirname] has a structure similar to S-1-5-21-1582865268-5844291516-424947749-0960, for example. Besides the executable it also creates a Desktop.ini file inside those directories, which serves to hide the presence of the malware file.

The injected code will also make sure it spreads to all removable drives (USB sticks) by creating a copy of itself in the root folder of the drive under the name usbcheck.exe. An autorun.inf file will ensure the execution of the file.


Trojan.Delf.Inject.BK


When executed, this Trojan creates a copy of itself in %windir%\system32\tray.exe and registers it to execute at system startup.

When that copy is launched, it will try to connect to an IRC server called warraca.elcrazyfrog.com. It has the potential of downloading and executing other files (probably malware) if the command is issued by the attacker through the IRC network.

The Trojan will also search for sensitive data inside browser-related files such as profiles.ini and signons.txt.

Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.
