WEEKLY REVIEW

Weekly Review

Getting infected with a rootkit is fairly easy today, if you keep Windows unpatched. This week BitDefender Labs has detected a fairly new e-threat that's trying to exploit a vulnerability patched in mid April 2006. Believe it or not, it is still infecting machines in the wild today!

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

MicrosoftInternetExplorer4

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:”Calibri”,”sans-serif”;
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:”Times New Roman”;
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:”Times New Roman”;
mso-bidi-theme-font:minor-bidi;}

 

Backdoor.Agent.AADK

 

Upon
execution overwrites a non-critical Windows driver “beep.sys” with a rootkit
detected by BitDefender as Trojan.Rootkit.GGR and enables access to SSDT (System Service Descriptor Table).

A
second component is dropped in %windir%system32 and is loaded as a service at
every system startup. The service is called “MS Media Control Center
and has the description “Provides support for T*m*t*D.dll“, where * are
random ASCII characters. This *.DLL is detected as Backdoor.PCClient.TEO.

 

The
backdoor tries to connect to awen667788.3322.org on TPCP port 1122 sending
synchronization packets and waiting for remote commands and a new malware file
which is saved as C:1.exe.

 

 

Trojan.Downloader.JS.Psyme.SR

This Trojan
uses obfuscated VBScript and JavaScript code to download and execute other
malware on the users’ computer. It is not executed from a web page, it runs on
the infected computer.

It is part
of a drive-by exploit chain (like Trojan.Exploit.SSX
http://www.bitdefender.com/VIRUS-1000396-en–Trojan.Exploit.SSX.html) which
uses known vulnerabilities to infiltrate unpatched systems. This one tries to
exploit a vulnerability in Microsoft Data Access Component (MDAC) ActiveX
Object through it’s CLSID BD96C556-65A3-11D0-983A-00C04FC29E36
in order to download a file from hxxp://?.weixk.com/[removed].css
which is detected by BitDefender as Rootkit.Agent.AIWN.
The file is save under %temp% with the name “GameeeEeee.pif“.

Afterwards
it creates another VBScript file with the content:

‘I LOVE gameee TEAM’I LOVE gameee
TEAM
Set Love_gameee = CreateObject(“Wscript.Shell”)’I LOVE gameee TEAM
‘I LOVE gomeee TEAM’i LOVE gomeee TEAM
Love_gameee.run (“%Temp%GameeeEeee.pif”)
‘I LOVE gameee TEAM’I LOVE gameee TEAM

 

 

This file
will run the downloaded rootkit as a shell object.

Information in this article is
available courtesy of BitDefender virus researchers: Ovidiu Visoiu, Daniel Chipiristeanu.