
Weekly Review

Bogdan BOTEZATU

March 06, 2009


Trojan.Downloader.JLQZ

This is a straightforward downloader. Once executed, it tries to download a file from a website. If the download succeeds, it saves the file as a hidden system file under the name "install.exe" in the same directory it was launched from.

After the downloaded file is executed, a batch file with a random name is also created. Its role is to delete the downloader after the payload has been launched.
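The three behaviours above (a hidden, system-attributed install.exe written next to the launching binary, that file being executed, then a freshly dropped .bat run through cmd.exe to delete the dropper) are easy to correlate once you have process and file telemetry. The script below is an added example, not code from the original post or from BitDefender; it runs over constructed Sysmon-style events whose field names (pid, ppid, image, cwd, path, attrs, cmdline) are assumptions made for this example.

```python
import ntpath

# Constructed sample telemetry in a Sysmon-like shape (ProcessCreate / FileCreate).
# The field names and the "attrs" set are assumptions made for this example.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1001, "ppid": 400,
     "image": r"C:\Users\bob\Downloads\invoice.exe",
     "cwd": r"C:\Users\bob\Downloads", "cmdline": "invoice.exe"},
    {"type": "FileCreate", "pid": 1001,
     "path": r"C:\Users\bob\Downloads\install.exe", "attrs": {"hidden", "system"}},
    {"type": "ProcessCreate", "pid": 1002, "ppid": 1001,
     "image": r"C:\Users\bob\Downloads\install.exe",
     "cwd": r"C:\Users\bob\Downloads", "cmdline": "install.exe"},
    {"type": "FileCreate", "pid": 1001,
     "path": r"C:\Users\bob\Downloads\qk3x9.bat", "attrs": set()},
    {"type": "ProcessCreate", "pid": 1003, "ppid": 1001,
     "image": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\bob\Downloads",
     "cmdline": r"cmd.exe /c C:\Users\bob\Downloads\qk3x9.bat"},
    # Benign contrast: a legitimate setup writes a visible install.exe elsewhere
    # and never spawns a batch file.
    {"type": "ProcessCreate", "pid": 2001, "ppid": 400,
     "image": r"C:\Users\bob\Downloads\setup.exe",
     "cwd": r"C:\Users\bob\Downloads", "cmdline": "setup.exe"},
    {"type": "FileCreate", "pid": 2001,
     "path": r"C:\Program Files\App\install.exe", "attrs": set()},
]


def indicators_for(pid, proc, events):
    """Collect the three downloader behaviours for one process, in log order."""
    cwd = ntpath.normcase(proc["cwd"])
    found = []
    bat_names = set()
    for e in events:
        if e["type"] == "FileCreate" and e["pid"] == pid:
            directory, name = ntpath.split(e["path"])
            if ntpath.normcase(directory) != cwd:
                continue  # only files dropped next to the launching binary count
            if name.lower() == "install.exe" and {"hidden", "system"} <= e["attrs"]:
                found.append("hidden_system_install_exe_in_cwd")
            elif name.lower().endswith(".bat"):
                bat_names.add(name.lower())
        elif e["type"] == "ProcessCreate" and e["ppid"] == pid:
            child = ntpath.basename(e["image"]).lower()
            if child == "install.exe" and "hidden_system_install_exe_in_cwd" in found:
                found.append("launched_dropped_install_exe")
            elif child == "cmd.exe" and any(b in e["cmdline"].lower() for b in bat_names):
                found.append("ran_freshly_dropped_bat")
    return found


def find_downloader_chains(events):
    """Return {pid: indicators} for processes that show the full three-step chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    hits = {}
    for pid, proc in procs.items():
        found = indicators_for(pid, proc, events)
        if len(found) == 3:
            hits[pid] = found
    return hits


if __name__ == "__main__":
    for pid, found in find_downloader_chains(EVENTS).items():
        print(f"pid {pid}: {', '.join(found)}")
```

Requiring all three steps keeps ordinary installers (which often write a visible install.exe, but not into their own directory with hidden+system attributes, and do not delete themselves via a random .bat) out of the alert; if you only want a hunt query rather than an alert, the individual indicators returned by indicators_for are the pieces to search for separately.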

Trojan.Downloader.Small.ABFV

This downloader belongs to an online-game password-stealer family.

It comes packed with UPX in order to avoid detection by security products. Upon execution it drops a DLL file in %system% and injects it into every running process in order to find the application it steals authentication information from; in this case, xy2.exe or xy2_ex.exe, the client of the Chinese MMORPG "Westward Journey Online II".

It gathers the account username and password, the client used, the server, character levels and names, as well as other data, and sends it to the malware author via two different scripts located at:

http://dh2.ac[removed].cn/ZONGXXXOUT/post.asp
http://dh2.ac[removed].cn/GGGZ/xiaochang/post.asp

It creates several registry keys that load the dropped DLL at every system startup.

At the end of its execution, the malware creates a batch file that deletes the initial executable, leaving only the DLL on the system.
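The stealer is described above as arriving UPX-packed. Stock UPX leaves a recognisable fingerprint in the PE section table (sections named UPX0 and UPX1, sometimes UPX2), which is a useful first triage check before unpacking. The following is an added example, not code from the original post or from BitDefender: a minimal PE header walk that lists section names and flags the UPX naming, exercised on constructed header-only skeletons rather than a real sample.

```python
import struct


def pe_section_names(data: bytes) -> list:
    """Walk the DOS and PE headers and return the section names in table order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Triage heuristic only: stock UPX names its sections UPX0/UPX1 (UPX2 for resources)."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def build_pe_skeleton(section_names) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header, empty optional
    header and a section table. Headers only; this is not a loadable image."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                             # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0)
    out = bytes(hdr) + b"PE\0\0" + coff + bytes(opt_size)
    for name in section_names:
        out += name.encode("ascii")[:8].ljust(8, b"\0") + bytes(32)
    return out


if __name__ == "__main__":
    packed = build_pe_skeleton(["UPX0", "UPX1", ".rsrc"])
    plain = build_pe_skeleton([".text", ".data", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))
    print(pe_section_names(plain), looks_upx_packed(plain))
```

To run it against a real file, pass open(path, "rb").read() to looks_upx_packed. Treat the result as a hint, not a verdict: section names are trivial to rename, so a sample that hides its packer will not match, while a genuine stock-UPX sample can simply be unpacked with upx -d for static analysis.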

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad, Dana Stanut

Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.