Privacy of China is endangered

Bogdan BOTEZATU

October 31, 2008


Trojan.PWS.OnlineGames.AABK

When executed, the malware deletes the copies of %windir%\system32\rpcss.dll from %windir%\system32\dllcache and %windir%\servicepackfiles\i386 to prevent the operating system from restoring this file. A copy of it is stored in %windir%\system32\srpcss.dll because the operating system will need to use the functions from the original file.

After this, the malware overwrites the original rpcss.dll with its own code, which also takes care of all the operating system calls to the original file (they will be redirected to srpcss.dll). Another file is dropped to %windir%\system32\gdipro.dll.

At this point the malicious rpcss.dll will be loaded at every system startup by svchost.exe which creates a remote thread in csrss.exe (or explorer.exe) that will execute code from %windir%\system32\sys05020.dll, another file dropped by the malware.

This sys05020.dll will try to collect sensitive data (username and password combinations) sent while connecting to some online-gaming sites, or to block access to other such sites.

After infection, the original trojan file will be deleted.
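A host-triage check for the rpcss.dll replacement described above, working on a file inventory collected from the machine. This is an added example, not Bitdefender's code; the function names, verdict labels and sample inventories are assumptions made for illustration.

```python
import ntpath

# Artifact names come from the write-up above; function names and verdict
# labels are assumptions of this added example.
DROPPED = ("system32\\srpcss.dll", "system32\\gdipro.dll", "system32\\sys05020.dll")
BACKUPS = ("system32\\dllcache\\rpcss.dll", "servicepackfiles\\i386\\rpcss.dll")

# Constructed sample inventories (not real host data).
SYS = "C:\\WINDOWS\\system32\\"
INFECTED = [SYS + "rpcss.dll", SYS + "srpcss.dll", SYS + "sys05020.dll"]
CLEAN = [SYS + "rpcss.dll", SYS + "dllcache\\rpcss.dll"]


def _norm(path):
    """Case-insensitive, separator-insensitive form of a Windows path."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def triage_rpcss_hijack(inventory, windir="C:\\Windows"):
    """Classify a host from an iterable of full file paths found on it."""
    present = {_norm(p) for p in inventory}
    root = _norm(windir)

    def has(rel):
        return ntpath.join(root, rel) in present

    dropped = [rel for rel in DROPPED if has(rel)]
    missing_backups = [rel for rel in BACKUPS if not has(rel)]
    if "system32\\srpcss.dll" in dropped and has("system32\\rpcss.dll"):
        # The original was moved aside and a file still answers to rpcss.dll:
        # treat the live rpcss.dll as the malicious proxy.
        verdict = "likely-infected"
    elif dropped:
        verdict = "suspicious"
    elif len(missing_backups) == len(BACKUPS):
        # Weak signal on its own: the backup folders are not guaranteed
        # to be populated on a clean host.
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "dropped": dropped, "missing_backups": missing_backups}


if __name__ == "__main__":
    for name, inv in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, triage_rpcss_hijack(inv, "C:\\WINDOWS"))
```

On a host flagged "likely-infected", the file at srpcss.dll is the original system DLL according to the description above, so it should be preserved for recovery rather than deleted with the other artifacts.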

Trojan.PWS.Agent.SGD

Another password-stealing e-threat, which however targets instant messaging rather than online game accounts: more specifically, Tencent QQ Instant Messenger, maintained by Tencent Holdings Limited, which is a Chinese Internet Research Institute. The original name of the messenger was OICQ, which stood for Oriental ICQ, and it spread to millions of users rapidly after its creation.

The file that attempts to steal this information is %windir%\system32\hbqqxx.dll, which is injected in every running process to ensure it eventually captures the sensitive data.

Another dropped file, %windir%\system32\system.exe, will perform “maintenance” operations. It sets registry keys that will ensure its execution at every system startup and will load a huge list of DLLs to be executed by every running process. One of these DLL files is hbqqxx.dll, which attempts to steal your Tencent QQ login credentials; the others are older versions of this password stealer. System.exe will also remove two entries from the registry which belong to a Chinese antivirus.

A third file is dropped into %windir%\system32\drivers\hbkernel32.sys, which is a rootkit that is installed as a system service (named HBKernel32). This file will hook functions in the System Service Descriptor Table to execute some of its code every time they are called.

And a fourth and last file, called c:\documents and settings\%user_name%\local settings\temp\selfdel.bat, is used to delete the original trojan after infection.

Win32.Worm.Gimmiv.A

Upon execution this worm drops a couple of files: %SystemDirectory%\wbem\sysmgr.dll, which is installed as a system service and creates several registry keys in order to execute at every system startup, and a bat file that is used to delete the original worm after infection is complete.

The service will also try to identify whether one of the following antivirus products is installed: BitDefender, Kaspersky, Kingsoft, Symantec Norton Antivirus, Microsoft OneCare, TrendMicro.

It will attempt to update itself from the following IP address, 59.106.145.**, and will check for the availability of 212.227.93.**, 64.233.189.**, 202.108.22.** using the IcmpSendEcho API.

Win32.Worm.Gimmiv.B

After the initial setup described at Win32.Worm.Gimmiv.A, the same worm drops basesvc.dll, winbase.dll, syicon.dll into %system32%\wbem, which are detected as Win32.Worm.Gimmiv.B.

The file winbase.dll is registered as a system service. After execution it loads the other two DLL files into memory. Then it starts collecting information from the infected system, such as the user name and password, the locally installed antivirus products and usernames and passwords from Outlook Express and MSN Messenger.

Basesvc.dll is responsible for the spreading routine. It uses the MS08-067 exploit, targeting a vulnerability of a server service in Windows, to replicate the worm onto other network machines. It uses the srvsvc pipe as an RPC interface, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, for remote code execution in order to be able to propagate and execute code on vulnerable systems.

Affected systems are those that run Windows 2000, Windows XP, and Windows Server 2003, with the firewall disabled or with exceptions added to it for File and Printer Sharing.

Information in this article is available courtesy of BitDefender virus researchers: Boeriu Laura, Marius Barat, Octavian-Mihai Minea
