Newly Found Dropper Skirts Startup List by Hijacking Critical DLL File

Complex Trojan takes advantage of a vulnerability in Windows code to stay hidden and active

Viruses, worms and Trojans all need to be running with the operating systems to cause any damage. Most add themselves to the Startup list by adding their path to the Startup Registry key, but this makes them easy to detect by antivirus solutions or computer-savvy users. Unlike this “regular malware”, Trojan.Dropper.UAJ comes with its own approach – it patches a vital code library (comres.dll) forcing all applications that rely on comres.dll to execute this particular e-threat, as well.

The Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory folder, where the operating system looks for a DLL to load when it is required by an application in the same folder – i.e. explorer.exe.

The dropper patches the code library by adding a single new malicious function to the imported list to be launched with the rest of its functions.Next, the Trojan drops the file “prfn0305.dat” (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system. And everything is now in place. The moment the system calls the code library, the malware is turned on.

Cyber-crooks chose to go for comres.dll because it is widely used by most internet browsers, in some communication applications or networking tools – which makes it popular and basically indispensable for the operating system.

Since the dropper attacks the DLL file found on the system, rather than trying to overwrite its own version, Trojan.Dropper.UAJ is able to run on Windows7, Windows Vista, Windows 2003, Windows 2000 or Windows NT in both 32- and 64-bit environments.

This attack unites two types of exploitation. One is commonly known as “DLL load hijacking” which means a coding vulnerability in which some applications have specified only the name of the dll needed, instead of  a full path to that dll. And if a compromised dll is placed “closer” to the app (ie in the application’s folder), the app will use that maliciously altered file (with the same name) instead of the genuine one. And the other one which is new refers to the function import technique, detailed in paragraphs two and three.

The affected DLL file references code that can add or delete users, change passwords, add or remove user privileges, and run executable files with elevated rights.


This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.