Weekly Review

This week we again have several downloaders, some of which this time belong to online-game password-stealer families; to be more specific, the target is the MMORPG


Trojan.Downloader.JLQZ

This is a straightforward downloader. Once executed it tries to download a file from a website. If the download succeeds, it saves the file as a hidden, system file named "install.exe" in the same directory it was launched from (both attributes keep the file out of a default Explorer listing).

After the downloaded file is executed, a batch file with a random name is also created. Its role is to delete the downloader once the payload has been launched, so only the renamed payload remains on disk.

Trojan.Downloader.Small.ABFV

This downloader belongs to an online-game password-stealer family.

It comes packed with UPX in order to avoid detection by security products. Since UPX is a standard, freely available packer, the sample can usually be unpacked statically (upx -d) before analysis. Upon execution it drops a DLL in %system%, which is injected into every running process in order to find the application to steal authentication information from; in this case that is xy2.exe or xy2_ex.exe, belonging to the Chinese MMORPG "Westward Journey Online II".

It gathers the account username and password, the client used, the server, character levels and names, as well as other data, and sends it to the malware author via two different scripts located at:

http://dh2.ac[removed].cn/ZONGXXXOUT/post.asp
http://dh2.ac[removed].cn/GGGZ/xiaochang/post.asp

It creates several registry keys that load the dropped DLL at every system startup.

At the end of its execution, the malware creates a batch file that deletes the initial executable, leaving only the DLL on the system.
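Both samples above share one behavioural chain: the process drops a payload (an executable beside itself, or a DLL in the system directory), writes a randomly named batch file, and has that batch file delete the original executable; the second sample additionally writes autostart registry values. The following is an added detection example written for this review, not code from BitDefender or from the samples. It runs a correlation rule over a constructed, simplified event stream (the field names, process IDs, paths, the DLL name msxyz32.dll and the registry key fragments are assumptions; the page itself names no registry keys) and flags only processes whose chain is complete, so a benign installer that writes an .exe and a .bat but never deletes itself is not reported.

```python
"""Correlate endpoint events into the dropper-then-self-delete chain described above.

Chain: a process writes a payload (.exe/.dll), writes a .bat, spawns cmd.exe on that
.bat, and its own image file is then deleted. Registry autostart writes by the same
process are attached to the finding as context.
"""
from collections import defaultdict

# Assumed autostart locations (the page only says "several registry keys").
AUTOSTART_KEY_FRAGMENTS = ("\\currentversion\\run", "appinit_dlls")

# Constructed sample events (not real telemetry); the schema is invented for this example.
EVENTS = [
    # Sample 1: downloader drops hidden+system install.exe beside itself, then self-deletes
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 50, "image": r"C:\Users\bob\Downloads\setup.exe"},
    {"ts": 2, "type": "file_create", "pid": 100, "path": r"C:\Users\bob\Downloads\install.exe", "attrs": ["hidden", "system"]},
    {"ts": 3, "type": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Users\bob\Downloads\install.exe"},
    {"ts": 4, "type": "file_create", "pid": 100, "path": r"C:\Users\bob\Downloads\xk3j9a.bat", "attrs": []},
    {"ts": 5, "type": "process_create", "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\bob\Downloads\xk3j9a.bat"},
    {"ts": 6, "type": "file_delete", "pid": 102, "path": r"C:\Users\bob\Downloads\setup.exe"},
    # Benign installer: writes an .exe and a .bat but never deletes its own image
    {"ts": 7, "type": "process_create", "pid": 200, "ppid": 50, "image": r"C:\Temp\vendor_setup.exe"},
    {"ts": 8, "type": "file_create", "pid": 200, "path": r"C:\Program Files\Vendor\app.exe", "attrs": []},
    {"ts": 9, "type": "file_create", "pid": 200, "path": r"C:\Program Files\Vendor\post.bat", "attrs": []},
    # Sample 2: stealer drops a DLL into %system%, sets autostart, then self-deletes via .bat
    {"ts": 10, "type": "process_create", "pid": 300, "ppid": 50, "image": r"C:\Users\bob\Desktop\game_patch.exe"},
    {"ts": 11, "type": "file_create", "pid": 300, "path": r"C:\Windows\System32\msxyz32.dll", "attrs": []},
    {"ts": 12, "type": "reg_set", "pid": 300, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"rundll32 C:\Windows\System32\msxyz32.dll,Start"},
    {"ts": 13, "type": "file_create", "pid": 300, "path": r"C:\Users\bob\Desktop\q1w2e3.bat", "attrs": []},
    {"ts": 14, "type": "process_create", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\bob\Desktop\q1w2e3.bat"},
    {"ts": 15, "type": "file_delete", "pid": 301, "path": r"C:\Users\bob\Desktop\game_patch.exe"},
]


def _ext(path):
    """Lower-cased extension of a Windows path, or '' if it has none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_self_deleting_droppers(events):
    """Return one finding dict per process whose drop -> .bat -> self-delete chain is complete."""
    procs = {}                     # pid -> process_create event
    drops = defaultdict(list)      # pid -> file_create events for .exe/.dll payloads
    bats = defaultdict(list)       # pid -> lower-cased paths of .bat files it wrote
    autostart = defaultdict(list)  # pid -> reg_set events under assumed autostart keys
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["type"]
        if kind == "process_create":
            procs[e["pid"]] = e
        elif kind == "file_create":
            ext = _ext(e["path"])
            if ext in ("exe", "dll"):
                drops[e["pid"]].append(e)
            elif ext == "bat":
                bats[e["pid"]].append(e["path"].lower())
        elif kind == "reg_set":
            if any(frag in e["key"].lower() for frag in AUTOSTART_KEY_FRAGMENTS):
                autostart[e["pid"]].append(e)
        elif kind == "file_delete":
            deleter = procs.get(e["pid"])
            if deleter is None:
                continue
            for pid, proc in procs.items():
                if proc["image"].lower() != e["path"].lower():
                    continue  # not the deletion of a known process image
                # The deleter must be a child of the dropper running one of the dropper's own .bat files
                launched_by_dropper = deleter.get("ppid") == pid
                runs_its_bat = any(b in deleter.get("cmdline", "").lower() for b in bats[pid])
                if drops[pid] and launched_by_dropper and runs_its_bat:
                    findings.append({
                        "dropper": proc["image"],
                        "payloads": [d["path"] for d in drops[pid]],
                        "hidden_system_payload": any({"hidden", "system"} <= set(d.get("attrs", []))
                                                     for d in drops[pid]),
                        "system_dir_dll": any(d["path"].lower().startswith("c:\\windows\\system32\\")
                                              and _ext(d["path"]) == "dll" for d in drops[pid]),
                        "batch": deleter["cmdline"],
                        "autostart": [a["value"] for a in autostart[pid]],
                    })
    return findings


if __name__ == "__main__":
    for finding in find_self_deleting_droppers(EVENTS):
        print(finding)
```

The rule keys on the deletion of a process's own image by a cmd.exe child running a batch file that process wrote, which is the discriminating step; dropping an executable or a batch file alone is common in legitimate installers. The hidden+system attribute and system-directory DLL flags are attached as context for triage rather than used as triggers.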

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad, Dana Stanut