WEEKLY REVIEW

Malware Review – Have a promotion, have a

With the upcoming Christmas holidays, spam waves increase again announcing marvelous promotions from various respectable companies like Coca-Cola, McDonalds or Hallmark. Fall into the trap and get infected with the latests worm spreading about.

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

MicrosoftInternetExplorer4

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:”Times New Roman”,”serif”;}

Trojan.Dmservinf.A

 

When this e-threat is executed, it drops a randomly named
DLL file (ex: 97a2ljq.tmp) in the temporary folder of the current user.
It infects several DLL files located in the system32 folder in order to ensure
it’s execution after system reboot and uses an exported function from the
dropped DLL to delete itself.

Once loaded, the DLL file will try to kill processes
belonging to several Antivirus products and will try to download other malware
from locations such as:

http://www.[removed]updates.net/flash/rVGc…K26474/JVBMO6KVF9oF.asf
http://www.[removed]updates.net/flash/rVG…CK26474/JVBMO6KVF9oF.gif
http://www.[removed]updates.net/Script/Xp…Gp11449/CjGBFgSSVJrxJ.bmp
http://www.[removed]updates.net/Script/Xp…Gp11449/CjGBFgSSVJrxJ.mp3
http://www.[removed]updates.net/flash/rVG…GCK26474/JVBMO6KVF9oF.asf
http://www.[removed]updates.net/flash/rVG…K26474/JVBMO6KVF9oF.gif

Win32.Worm.McMaggot.A

 

Discovered on the 2nd December by BitDefender,
this worm spreads using well known Peer-2-Peer applications and email spam.

After decrypting its content, the worm uses www.whatismyip.com to get the host of the newly infected
system. Next it will harvest email addresses from Thunderbird, MS Outlook and
other files on the system.

It creates registry values to ensure its startup after reboot.
It will also lower the victims security setting by editing the following
registry entries:

 “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations”
 value
 “LowRiskFileTypes”=’.zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav’

This worm should also set registry key:
 “HKCUSoftwareMicrosoftInternet
ExplorerDownload”

value

CheckExeSignatures=”no”

RunInvalidSignatures=0x1
but because of a bug in its code, it won’t do this correctly.

These settings in registry will allow the malware to automatically
download and execute files from the Internet without any user notification. It
adds itself to the firewalls authorized applications list.

 

Meanwhile, another component detected as Backdoor.Bot.67413 is
loaded. This one has backdoor capabilities, and will log everything the user
types, and save the data in a file (drm.ocx). It will send this file to a
server on a regular basis.

 

The worm
spreads in three ways:

1. by
copying itself to shared folders of Peer-2-Peer spplications like: Kazza, DC++,
eMule, Morpheus, Tesla, etc. using “hot” file names like:

“Windows
XP PRO Corp SP3 valid-key generator.exe”
“Kaspersky Internet Security 2009 keygen.exe”
“Tuneup Ultilities 2008.exe”
“Joannas Horde Leveling Guide TBC Woltk.exe”
“Wow WoLTk keygen generator-sfx.exe”
“FOOTBALL MANAGER 2009.exe”
“Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe”
“Half life 3 preview 10 minutes gameplay video.exe”  

“Ultimate
ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent – P.I.M.P, Jennifer
Lopez Feat. Ll Cool J – All I Have, 50 Cent – 21 Question).exe”
“Ultimate ring tones package2 (Lil Wayne – Way Of Life,Khia – My Neck My
Back Like My Pussy And My Crack,Mario – Let Me Love You,R. Kelly – The Worlds
Greatest).exe”
“Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin,
Greensleves).exe”
“Norton Anti-Virus 2009 Enterprise Crack.exe”

 

  1. by copying
    itself into any removable media connected to the system, creating an
    “autorun.inf” file to execute the worm when the device is
    connected to another system.
  2. by email
    spam, using its own SMTP engine and the email addresses it previously
    gathered. Emails can arrive in three formats:

Subject:
“Mcdonalds wishes you Merry Christmas!”
Sender:
“giveaway@mcdonalds.com”
Attachment: coupon.zip

McDonalds Spam Virus

Subject: “Coca Cola is proud to
accounce our new Christmas Promotion.” 
Sender:
“noreply@coca-cola.com”
Attachment: promotion.zip

CocaCola Spam Virus

Subject: “You’ve received A
Hallmark E-Card!'”
Sender:
“postcards@hallmark.com”
Attachment: postcard.zip

Hallmark Spam Virus

The attachments are compressed zip files containing the worm
itself.

Information
in this article is available courtesy of BitDefender virus researchers: Marius
Tivadar, Deac Razvan-Ioan