Weekly Review

Win32.Otwycal.A

A file
infector we haven’t seen for a while now. When executed it drops it’s code into
%Temp%WinDir.EXT and runs it. Then it copies itself into %WinDir%Tasksx01xx8p.exe
and it tries to infect %System%spoolsv.exe.

After this
infection, it tries to download a configuration file into one of these files:

% WinDir %kkk.txt

% WinDir %config.txt

%WinDir%windows.txt

 The instructions in these files tell it to do the
following steps:

1. Download files from: http://888.[REMOVED].com/00/ and run them

2. infects all the web related files with the
extension: *.do, *.htm, *.html, *.shtm, *.shtml, *.aspx, *.php, *.jsp,
*.cgi, *.xml, *.GHO. The content it inserts in the pages is extracted from
the configuration file.

3. Infects all the PE files from all fixed drives
with the following extensions: *.exe, *.bat, *.cmd, *.com, *.scr

With the
exception of: qq.exe, QQDoctor.exe, QQDoctorMain.exe

4. Spread on to all removable drives by creating
an autorun.inf file which executes a copy of the malware that has been created
on the specific drive.

If the host computer doesn’t have Internet
connectivity it only infects the file %system%spoolsv.exe and runs the
removable drives spreading routine. No web files are infected.

This file infector also seems to have some
primitive builtin protection against antivirus products. It kills all processes
which try to execute the following files: avp.exe, smss.exe, kvsrvxp.exe,
kvsrvxp.exe which basically try to disable Kaspersky Antivirus.

Trojan.Exploit.ANOH

 
Yet another variation of Trojan.Exploit.ANOI (or
Trojan.Exploit.SSX) which has been pretty mcuh overused these days dues to the
big amount of exploits it has bundled within. This time however, browser
detection has been included in the encrypted Javascript which servers the
victim with different pages if he uses Mozilla Firefox or Internet Explorer.
Those web pages contain the initial Trojan.Exploit.SSX which in turn tries to
download additional malware (Trojan.Downloader.JLCQ). The downloaded threats
can be anything ranging from rogue antivirus software to complex trojans with
rootkit capabilities.

Trojan.Exploit.ANOG

This is an obfuscated Javascript that hides a VBScript (Visual Basic
Script) beneath it which will download and execute a file detected by
BitDefender as Trojan.Agent.AJJX . Thie threat is saved on the users computer
under the name: %TEMP%Gameeeeee.pif.
Uppon execution, this new Trojan will check if it is already installed, and if
not, it will drop a file in the MSN Messenger folder and ensure that it is
executed at every system startup. Additionally, it also downloads and executes
other e-threats.

Information
in this article is available courtesy of BitDefender virus researchers: Adrian
Stefan Popescu, Ovidiu Visoiu, Dana Stanut