The Storm Worm continues its spread

After last weeks appearances in the Storm
Worm world (see Trojan.JS.Encrypted.A ),
we have found new threats emerging on the same storyline.

It’s called Trojan.Downloader.Gadja.C
and its family is a new appearance on the scene. Trojan.Downloader.Gadja.A
has been signed on 06.06.2008 and has been updated in these 38 days to Gadja.C.
This e-threat does not have its own spreading routine but it is being sent out
as attachments in spam messages. After
infection, it copies the original %sysdir%/userinit.exe into %sysdir%/userini.exe, then disables
system protection and overwrites the original userinit.exe file with itself in
order to execute at system startup. In order for Windows to start normally
Trojan.Downloader.Gadja.C also starts userini.exe, the original copy of
userinit.exe.

After it deletes the file it has been
originally executed from, the malware drops another file detected as Trojan.Downloader.Gadja.D. It also
starts a new instance of svchost.exe and injects its code to bypass firewalls.
The it downloads additional malware like Trojan.Peed.JOP from certain
sources.

 

Img SEQ "Img" *Arabic 1: Fake flash player spreading the Storm Worm

 

Img 1: Fake flash player spreading the Storm Worm

The next e-threat helping Trojan.Peed’s spread is
Trojan.Downloader.HTML.FM. This is a web page that shows the user a fake
flash player (see the image below). The fake player window is actually a link
to an executable called “fireworks.exe”. This file is probably the Peed Trojan
itself or another downloader that stealthily installs the storm worm on the
victims’ computer. Beneath the image a text tries to trick users into click it:
“Colorful Independence Day events have already started throughout the country.
The largest firework happens on the Fourth of July. Unprecedented sum of money
was spent on this fabulous show. If you want to see the best Independence Day
firework just click on the video and run it.”

When opened, the
Web page automatically tries to run and install a remote access Java Script
with several layers of encrypted data – the Trojan.JS.Encrypted.A. This
Trojan uses an exploit to execute the encrypted shell code.

 

In addition, when
the fake player window is clicked, the Web browser automatically downloads and
installs a file called fireworks.exe (rather than play a movie). This
executable does not hold any compressed or self running multimedia content, but
just another threat – Trojan.PEED.JLV. It has its own malicious
multiplication and distribution mechanisms: once it penetrates a system, the
Trojan copies itself in the OS folder and modifies the Windows Firewall
settings. In addition, it registers the compromised computer as a peer in its
malware network and uses a randomly chosen port to communicate with the other
peers and update its peers’ list.

Besides Trojan.Peed, Exploit.SWF.Gen
has proven active as well, climbing another place on the BitDefender top 10,
getting on the 6^th spot with 7.10% of all infections.

The activity of Trojan.HTML.Zlob.W
remains constant, still on place 8 with 6.82% of all infections, compared to
its last months 6.96%.

Its little brother, Trojan.HTML.Zlob.AA,
makes a glorious comeback on place 10 with 6.32% of all infections after having
disappeared totally from the top.

They are both adware trojans, and spread
through websites that try to trick users into downloading a certain codec or
ActiveX component that supposedly helps viewing the content of a video file.

A new entry in this weeks top10 on the 9th
spot is Trojan.Autorun.TE, which is a generic name given to a collection of
autorun.inf files created by e-threats. These files are usually located in the root folder of all
infected drives. They are an alternative/complementary solution to autorun
registry keys for the malware to ensure its execution.