BitDefender weekly review

This weeks highlight is a worm that spreads adware from which one is the famous and hard to remove Trojan.Vundo. Besides adware, there is also a nice password stealer lurking around gamers that play TwelveSky, MapleStory or World of Warcraft.


execution the Trojan will make a copy of itself in %temp% as uret463.exe. Then it
will drop lhgiyi[x]dll in the same folder (where [x] is any number) and inject
it in every running process starting with explorer.exe

performs the following actions:

another copy of the Trojan in every root folder of the drive as: gx.bat

an autorun.inf file targeting the bat file created earlier and ensure that the
autorun feature is enabled

a driver (root-kit) inside %windir%system32 as cdaudio.sys currently detected
by BitDefender as Rootkit.OnlineGames.CQ, which is responsible of hiding
certain files

The Trojan
will steal login data from games like: TwelveSky, MapleStory, World of Warcraft
and some processes related to coc.exe, fj.exe, ybclient.exe, gameclient.exe and

It will
also attempt to steal information from the following files if present on the
system: wool.dat, Online.dat, aaa.dat, config.wtf and currentserver.ini

gathered information is sent to a large number of IP addresses hardcoded into
the e-threat.




To spread,
this worm creates copies of itself in the subfolders of %programfiles% and name
them differently. Examples of names generated are: “windows 2008 keygen and
activator.exe”, “microsoft office 2007 keygen.exe”, “bitdefender antivirus 2008
keygen.exe” a.s.o. It also makes copies of itself in the mapped network drives
and removables devices. The work creates and autorun.inf file in each infected
drives’ root folder to ensure it will be executed by the system the next time
the drive is accessed.

more complex method to spread is by parsing email addresses from within email
clients’ specific files. It will send messages to all the harvested email
addresses with the subject: “You have got an e-card from your friend!” and a
zipped version of itself attached.

To protect
itself it stops several known security related services, for example: avg8wd,
vsserv, mcshield, WinDefend.

It will
also open a backdoor on a specific port on the infected machine. To find its IP
address it checks www.whatismyip.com/automation/n09230945

It will
drop two files in the %windir%system32 folder

or javasec3 detected as Trojan.Downloader.Loadadv.ACB

detected as Trojan.Vundo.GNN

In order to
mark its presence it will create a mutex on the infected system: 7kk7Buzx

in this article is available courtesy of BitDefender virus researchers: Dana
Stanut and Ovidiu Visoiu