A Trojan that lowers the security and privacy settings of the Internet Explorer browser in order to ease other malware into stealing potentially sensitive information from the vulnerable machines.
This e-threat lowers the security and privacy settings of Internet Explorer 6 or above so that other malware can access cookies and other files on the victim's system more easily. It is a high security risk, because it raises the likelihood of identity theft or browser
get access to the user's system by taking advantage of vulnerabilities in two third-party software applications:
- CVE-2008-1309, which exploits a flaw in RealPlayer: handling its "Console" property may lead to memory corruption and thus gives the attacker the possibility of running arbitrary code on the affected computer. After successful exploitation, other malware is downloaded from http://[removed]ng17173.cn
- CVE-2007-6144, which exploits a buffer overflow in the PPlayer.XPPlayer.1 ActiveX control shipped with a version of Xunlei Thunder. After control is gained over the machine, malware is downloaded from http://[removed]us.net
This Trojan is used to download other malicious applications from the Internet. In order to do so, it drops a DLL file in the %temp% directory under a random name, such as 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp. The malware uses a function from this DLL to run the files it downloads (probably to avoid heuristic detection based on the classic API calls).
Afterwards it fetches a list of the Internet locations of the files to download from http://www.oi[removed]/ko.txt. The list is saved as %system32%\kn.txt and looks like this:
This list is parsed and the files are downloaded and executed, with a random delay between these operations.
The malware also replaces the hosts file (%system32%\drivers\etc\hosts) with another one downloaded from http://www.oi[removed]/ad.jpg. This is a fragment of the downloaded hosts file:
The hosts file does not prevent any antivirus updates, but it blocks access to a couple of websites.
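A replaced hosts file is easy to inspect by hand, but the question a responder actually asks is which names it blackholes and which it redirects, and whether any of those are names they depend on (their own update servers, for instance). The script below is an added example, not BitDefender's code: it parses hosts-file text, skips the default localhost entries, and classifies the rest. The sample hosts content is constructed for illustration, and its hostnames are placeholders, not the names from the file this malware downloads.

```python
"""Check a Windows hosts file for blocking or redirection entries.

Added example, not BitDefender's code. It parses hosts-file text, skips the
default localhost lines, and reports every other name that is either
blackholed (mapped to a loopback or unspecified address) or redirected to
some other host. A caller can pass the names it cares about (for instance
its own update servers) and learn whether any of them is affected.
"""
import ipaddress

# Constructed sample in the shape of a tampered hosts file. The hostnames are
# placeholders, not the names from the file the malware actually downloads.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-forum.test   # blackholed
0.0.0.0         update.example-rival.test
10.0.0.5        www.example-bank.test       # redirected
"""

DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (address, hostname) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into blackholed names and (name, address) redirections."""
    blocked, redirected = [], []
    for addr, name in entries:
        if name in DEFAULT_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field; the resolver ignores it too
        if ip.is_loopback or ip.is_unspecified:
            blocked.append(name)
        else:
            redirected.append((name, addr))
    return blocked, redirected


def check_hosts(text, watch=()):
    """Summarise a hosts file and report which watched names it touches."""
    blocked, redirected = classify(parse_hosts(text))
    touched = set(blocked) | {name for name, _ in redirected}
    return {
        "blocked": blocked,
        "redirected": redirected,
        "watched_hit": sorted(n.lower() for n in watch if n.lower() in touched),
    }


if __name__ == "__main__":
    report = check_hosts(SAMPLE_HOSTS,
                         watch=["update.example-rival.test", "liveupdate.example.test"])
    for name in report["blocked"]:
        print("blackholed:", name)
    for name, addr in report["redirected"]:
        print("redirected:", name, "->", addr)
    print("watched names affected:", report["watched_hit"])
```

Redirections to a routable address deserve more attention than blackholes: a blackholed name only denies access, whereas a redirected banking or vendor name sends the user to a host the attacker controls.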
a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access (snapview.ocx). If successful, the malware downloads a file from the following link, http://www.oi[removed].css. The file is saved to [c or d or e]:\Program Files\Outlook Express\WAB.EXE and is detected by BitDefender as Rootkit.Agent.AIWN.
This Trojan is used to steal the login credentials of a popular MMORPG called Legend of Mir. The first time it is executed, the malware copies itself to %windir%\system32\saw110.exe and creates specific registry keys so that it is executed at system startup.
saw110.exe drops the file saw110.dll, which is injected into explorer.exe. Loaded as a module in explorer.exe, saw110.dll looks for processes that have a certain kind of graphical interface (by looking for window class names such as TFrmMain or TDXDraw). If such a process is found, saw110.dll injects itself into it and checks for the following file names: mir.exe, mir1.dat, mir2.dat. If one of these names is found, the malware tries to steal account information and sends it to a remote
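The descriptions above name a handful of on-disk artifacts: the randomly named loader DLL in %temp%, kn.txt in %system32%, the WAB.EXE drop under Program Files\Outlook Express, and saw110.exe plus saw110.dll with their startup entry. The script below is an added example, not BitDefender's code, that matches a file listing and a set of autostart registry values against those indicators. Both inputs are constructed for illustration. Two details are assumptions rather than statements from the page: that the %temp% loader name is always a run of digits followed by "_ex.tmp" (generalised from the three sample names), and that the startup entry lands in a Run key (the page only says "specific registry keys"). One caveat a responder needs: on Windows XP the legitimate Windows Address Book binary also lives at Program Files\Outlook Express\WAB.EXE, so the script flags that path for a hash comparison rather than treating its presence as proof of infection.

```python
"""Match a file listing and autostart values against the indicators on this page.

Added example, not BitDefender's code. The two inputs below are constructed
for illustration. Two details are assumptions rather than statements from the
page: that the %temp% loader name is always digits followed by "_ex.tmp"
(generalised from the three sample names), and that the startup entry lands
in a Run key (the page only says "specific registry keys").
"""
import re
from pathlib import PureWindowsPath

# Page samples: 4049437_ex.tmp, 4099250_ex.tmp, 4161421_ex.tmp (assumed pattern).
TEMP_LOADER = re.compile(r"^\d+_ex\.tmp$")

# Files the page places under %system32%.
SYSTEM32_NAMES = {
    "saw110.exe": "Legend of Mir stealer copied here on first run",
    "saw110.dll": "stealer module injected into explorer.exe",
    "kn.txt": "saved copy of the download list fetched from ko.txt",
}

# Constructed file listing, as a collector might dump it from a disk image.
SAMPLE_FILES = [
    r"C:\Documents and Settings\user\Local Settings\Temp\4049437_ex.tmp",
    r"C:\Documents and Settings\user\Local Settings\Temp\readme_ex.tmp",
    r"C:\WINDOWS\system32\saw110.exe",
    r"C:\WINDOWS\system32\saw110.dll",
    r"C:\WINDOWS\system32\kn.txt",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"D:\Program Files\Outlook Express\WAB.EXE",
]

# Constructed autostart values: key -> {value name: command}. Run key assumed.
SAMPLE_RUN_VALUES = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "saw110": r"C:\WINDOWS\system32\saw110.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}


def match_file(path):
    """Return why a path is interesting, or None if it matches nothing."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), p.parent.name.lower()
    if parent == "temp" and TEMP_LOADER.match(name):
        return "loader DLL dropped in %temp% under a random numeric name"
    if parent == "system32" and name in SYSTEM32_NAMES:
        return SYSTEM32_NAMES[name]
    if parent == "outlook express" and name == "wab.exe":
        # The same path holds the legitimate Windows Address Book on XP, so
        # existence alone proves nothing: hash the file against a clean copy.
        return "WAB.EXE drop location (verify hash; legitimate file lives here too)"
    return None


def match_autostart(run_values):
    """Return (key, value name, command) for autostart entries that launch saw110.exe."""
    hits = []
    for key, values in run_values.items():
        for value_name, command in values.items():
            if "saw110.exe" in command.lower():
                hits.append((key, value_name, command))
    return hits


def triage(files, run_values):
    """Run both matchers and return the hits."""
    file_hits = []
    for path in files:
        reason = match_file(path)
        if reason:
            file_hits.append((path, reason))
    return {"files": file_hits, "autostart": match_autostart(run_values)}


if __name__ == "__main__":
    result = triage(SAMPLE_FILES, SAMPLE_RUN_VALUES)
    for path, reason in result["files"]:
        print(f"{path}\n    {reason}")
    for key, value_name, command in result["autostart"]:
        print(f"{key}\\{value_name} = {command}")
```

The matchers work on path strings, so the same functions can be fed a listing taken from a mounted image, a live system, or a sandbox report without any change; only the collector differs.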
in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Deac Razvan-Ioan, Dana Stanut.