WEEKLY REVIEW

Have you ever been held for ransom? Hope not, I for one haven't been. How about all the data on your computer? This week there's a high chance it might get encrypted by cyber-criminals in order to make you pay a buck for decryption.


Trojan.Exploit.ANOP

This is another campaign that uses several exploits in an attempt to drive-by-download other malware onto vulnerable systems, similar to Trojan.Exploit.SSX. This time, Trojan.Delf.POH is the payload. Trojan.Delf.POH monitors your browsing habits and sends the information back to its servers to produce targeted pop-up advertisements.

The exploits used in this JavaScript are:

  1. iframes which lead to different versions of the Flash Player exploit
  2. an exploit for SSReader consisting of a buffer overflow vulnerability in the "LoadPage" function of an ActiveX control

Both exploits give the attacker the possibility to download and execute arbitrary code on the affected machine (Trojan.Delf.POH).

Trojan.Rensom.B

This e-threat is probably received via spam email as an attachment under the name skype.exe. After execution, the file drops and runs three files and displays an error message to make the user believe the file was invalid.

The dropped files are:

  - %windows%lsass.exe (detected: Trojan.Rensom.B)
  - %windows%services.exe (detected: Trojan.VB.NXI)
  - %windows%uninstlv16.exe (detected: Trojan.Rensom.B)

services.exe and uninstlv16.exe spread the original malware infection to all available removable disks. They copy the malware under the name "Skype.exe" and create an "autorun.inf" so that the file is executed when the removable disk is plugged into another computer.

lsass.exe will encrypt almost all the files on your hard drive (except the critical system files). Meanwhile it will display a ransom note, asking the user to pay a small fee in order to recover his files.

Information in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Adrian Stefan Popescu