WEEKLY REVIEW

Clearing the way

Besides the usual JavaScript exploits and rootkits that try to exploit vulnerabilities in applications or hide malicious program activity, this week we've encountered something rather strange:

a Trojan that lowers the security and privacy settings of the Internet Explorer browser in order to make it easier for other malware to steal potentially sensitive information from the infected machines.

Trojan.LowZones.SL

This e-threat lowers the security and privacy settings of Internet Explorer 6 or above so that other malware can access cookies and other files on the victim's system more easily. It is a high security risk, because it raises the likelihood of identity theft or browser tracking.

Trojan.Exploit.JS.G

Another JavaScript-based exploit that tries to gain access to the user's system by taking advantage of vulnerabilities in two third-party software applications:

  1. CVE-2008-1309, a flaw in RealPlayer. Handling its "Console" property may lead to
     memory corruption and thus gives the attacker the possibility of running
     arbitrary code on the affected computer. After successful exploitation,
     other malware is downloaded from http://[removed]ng17173.cn
  2. CVE-2007-6144, a buffer overflow in the PPlayer.XPPlayer.1 ActiveX
     control shipped with a version of Xunlei Thunder. After control is gained over the
     machine, malware is downloaded from http://[removed]us.net

Trojan.Downloader.JLEA

This Trojan is used to download other malicious applications from the Internet. In order to do so, it drops a DLL file with a random name in the %temp% directory, for example 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp. The malware uses a function exported by this DLL to run the files it downloads (probably to avoid heuristic detections based on the classic API calls).

Afterwards it fetches a list of Internet locations of the files to download from http://www.oi[removed]/ko.txt. The list is saved as %system32%\kn.txt and looks like this:

open=y
url1=http://61.160[removed]/new1.exe
url2=http://61.160[removed]/new2.exe
url3=http://61.160[removed]/new3.exe
url4=http://61.160.[removed]/new4.exe
url5=http://61.160.[removed]/new5.exe
url6=http://61.160.[removed]/new6.exe
url7=http://61.160.[removed]/new7.exe

This list is parsed and the files are downloaded and executed (with a certain random delay between these operations).

The malware also replaces the hosts file (%system32%\drivers\etc\hosts) with another one downloaded from http://www.oi[removed]/ad.jpg. This is a fragment of the downloaded hosts file:
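The download list above is a plain key=value file. A parser for that format is a useful first step when triaging such a sample, because the URLs are the indicators you want to block at the proxy and search for in logs. The following is an added example, not code from the write-up or from BitDefender; the sample config is constructed in the same layout as the kn.txt fragment, with the redacted download hosts replaced by the placeholder host downloader.invalid.

```python
"""Parser for the 'open=y / urlN=...' download list format described above.

Added example, not code from the write-up or from BitDefender; the sample
config is constructed, with the redacted download hosts replaced by the
placeholder host 'downloader.invalid'.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the same key=value layout as the kn.txt fragment above.
SAMPLE_KN_TXT = """open=y
url1=http://downloader.invalid/new1.exe
url2=http://downloader.invalid/new2.exe
url3=http://downloader.invalid/new3.exe
url4=http://downloader.invalid/new4.exe
url5=http://downloader.invalid/new5.exe
url6=http://downloader.invalid/new6.exe
url7=http://downloader.invalid/new7.exe
"""

URL_KEY = re.compile(r"url(\d+)")


def parse_download_list(text):
    """Return (open_flag, urls) from a kn.txt-style config.

    Keys are matched case-insensitively, blank and malformed lines are
    skipped, and urlN entries are returned in numeric order of N regardless
    of their order in the file.
    """
    open_flag = False
    numbered = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "open":
            open_flag = value.lower() in ("y", "yes", "1")
            continue
        match = URL_KEY.fullmatch(key)
        if match and value.lower().startswith(("http://", "https://")):
            numbered[int(match.group(1))] = value
    return open_flag, [numbered[n] for n in sorted(numbered)]


def extract_indicators(urls):
    """Reduce the URL list to the hostnames and file names worth blocking or
    hunting for in proxy logs; both lists are sorted and de-duplicated."""
    hosts, files = set(), set()
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
        name = parts.path.rsplit("/", 1)[-1]
        if name:
            files.add(name)
    return sorted(hosts), sorted(files)


if __name__ == "__main__":
    enabled, urls = parse_download_list(SAMPLE_KN_TXT)
    hosts, files = extract_indicators(urls)
    print("download enabled:", enabled)
    print("hosts:", hosts)
    print("files:", files)
```

The parser deliberately tolerates the sloppiness seen in such configs (odd key casing, out-of-order urlN keys, stray lines) rather than failing on the first malformed line, since a sample that fails to parse is one you cannot extract indicators from.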

127.0.0.0        www.hackerbf.cn
127.0.0.0        geekbyfeng.cn
127.0.0.0        ppp.etimes888.com
127.0.0.0        www.bypk.com
127.0.0.1        va9sdhun23.cn
127.0.0.2        bnasnd83nd.cn
127.0.0.0        www.gamehacker.com.cn

The hosts file does not prevent any antivirus updates; it does, however, block access to a couple of websites.
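Whether a replaced hosts file blocks security updates or merely blackholes a few sites is exactly the question a responder has to answer when cleaning such a machine. The following is an added example, not code from the write-up or from BitDefender: it parses a hosts file, separates blackholed names (pointed at loopback or 0.0.0.0) from redirected ones (pointed at a real address, which is the phishing case), and checks a list of protected names. The sample hosts content is constructed from the fragment quoted above plus the standard localhost line, and update.vendor.invalid is a placeholder for whatever update servers you want to confirm are not affected.

```python
"""Audit a Windows hosts file for the kind of tampering described above.

Added example, not code from the write-up or from BitDefender. The sample
hosts content is constructed from the fragment quoted above plus the
standard localhost line; 'update.vendor.invalid' is a placeholder for
whatever update servers you want to make sure are not being blackholed.
"""
import ipaddress

# Constructed sample: the quoted fragment above plus the default localhost entry.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1        localhost
127.0.0.0        www.hackerbf.cn
127.0.0.0        geekbyfeng.cn
127.0.0.1        va9sdhun23.cn
127.0.0.2        bnasnd83nd.cn
"""

# Entries that a clean Windows hosts file may legitimately contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blank lines and
    lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield addr, name.lower()


def audit_hosts(text, protected_names=()):
    """Classify every non-default entry.

    blackholed:    name points at a loopback/unspecified address (site blocked)
    redirected:    name points somewhere else (possible phishing/MITM)
    odd_loopback:  loopback address other than 127.0.0.1, a tell-tale of a
                   machine-generated list like the one quoted above
    protected_hit: a name from protected_names appears at all
    """
    protected = {n.lower() for n in protected_names}
    findings = {"blackholed": [], "redirected": [], "odd_loopback": [],
                "protected_hit": []}
    for addr, name in parse_hosts(text):
        if (str(addr), name) in DEFAULT_ENTRIES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings["blackholed"].append(name)
            if addr.is_loopback and str(addr) != "127.0.0.1":
                findings["odd_loopback"].append((name, str(addr)))
        else:
            findings["redirected"].append((name, str(addr)))
        if name in protected:
            findings["protected_hit"].append(name)
    return findings


if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS, ["update.vendor.invalid"]).items():
        print(f"{kind}: {items}")
```

On a real machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to audit_hosts together with the hostnames of your update and management infrastructure; an empty protected_hit list is what the write-up observed for this sample, while any redirected entry deserves immediate attention because it sends users to an attacker-chosen address rather than simply blocking a site.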

Trojan.Exploit.ANOW

Yet another piece of JavaScript code that tries to exploit a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access (snapview.ocx). If successful, the malware downloads a file from the following link: http://www.oi[removed].css. The file is saved to the path [c or d or e]:/Program Files/Outlook Express/WAB.EXE and is detected by BitDefender as Rootkit.Agent.AIWN.

Trojan.Dropper.SPO

This Trojan is used to steal the login credentials of a popular MMORPG called Legend of Mir. The first time it is executed, the malware copies itself to %windir%\system32\saw110.exe and creates specific registry keys so that it is executed at system startup.

Saw110.exe drops the file saw110.dll, which is injected into explorer.exe.

Loaded as a module in explorer.exe, saw110.dll looks for processes that have a certain kind of graphical interface (by searching for window names such as TFrmMain or TDXDraw). If such a process is found, saw110.dll injects itself into it and checks for the following file names: mir.exe, mir1.dat, mir2.dat. If one of these names is found, the malware tries to steal the account information and sends it to a remote server.

Information in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Deac Razvan-Ioan, Dana Stanut.