When run, this malware launches svchost.exe with its own file as a parameter so that it is subsequently started by services.exe, and then exits. Once it detects that it has been loaded by services.exe, it opens the svchost.exe process it launched earlier and overwrites that process's code in memory with its own. It then starts a remote thread inside the injected svchost.exe, which checks for and downloads further malware from: http://lom[removed]ate.php?n=388789C57338E22B. Because the downloader runs inside svchost.exe, a legitimate system process that per-application firewall rules typically trust, it will most likely get past any firewall settings on the host.
The downloaded files are saved in the same folder the e-threat was run from, under random names ending in .tmp.
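The launch and injection pattern described above leaves two observable traces: a service host started by something other than services.exe, with a file path rather than "-k <group>" on its command line, and a remote thread created in svchost.exe from a non-system executable. The following detection code is added here as an illustration and is not part of the original BitDefender analysis; the event records are constructed, simplified stand-ins for Sysmon ProcessCreate and CreateRemoteThread events, and the malware path C:\Users\user\Downloads\update.exe is hypothetical.

```python
"""Flag svchost.exe abuse of the kind described above in process-creation and
remote-thread events.  Added example code, not from the original analysis; the
event dicts are a constructed, simplified stand-in for Sysmon EventID 1
(ProcessCreate) and EventID 8 (CreateRemoteThread) records."""
import re

SVCHOST = r"c:\windows\system32\svchost.exe"
SERVICES = r"c:\windows\system32\services.exe"

# A legitimate service host launch is "svchost.exe -k <group>", optionally with
# "-p" and "-s <service>".  Anything else on the command line (for example a
# file path, as this downloader passes) is suspicious.
LEGIT_SVCHOST_CMDLINE = re.compile(
    r'^"?[a-z]:\\windows\\system32\\svchost\.exe"?'
    r'\s+-k\s+\S+(?:\s+-p)?(?:\s+-s\s+\S+)?\s*$',
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Lower-case a path and drop surrounding quotes so comparisons are stable."""
    return path.strip().strip('"').lower()


def check_process_create(ev: dict) -> list[str]:
    """Return findings for a ProcessCreate event; empty list when it looks benign."""
    if _norm(ev["Image"]) != SVCHOST:
        return []
    findings = []
    if _norm(ev["ParentImage"]) != SERVICES:
        findings.append(f"svchost.exe launched by {ev['ParentImage']} rather than services.exe")
    if not LEGIT_SVCHOST_CMDLINE.match(ev["CommandLine"].strip()):
        findings.append(f"svchost.exe with unexpected arguments: {ev['CommandLine']}")
    return findings


def check_remote_thread(ev: dict) -> list[str]:
    """Return findings for a CreateRemoteThread event targeting svchost.exe."""
    if _norm(ev["TargetImage"]) != SVCHOST:
        return []
    src = _norm(ev["SourceImage"])
    # A remote thread placed in a service host by anything outside C:\Windows
    # is the injection step the analysis above describes.
    if not src.startswith("c:\\windows\\"):
        return [f"remote thread created in svchost.exe by {ev['SourceImage']}"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run each event through the matching check; return (event index, finding) pairs."""
    out = []
    for i, ev in enumerate(events):
        if ev["EventType"] == "ProcessCreate":
            hits = check_process_create(ev)
        elif ev["EventType"] == "CreateRemoteThread":
            hits = check_remote_thread(ev)
        else:
            hits = []
        out.extend((i, h) for h in hits)
    return out


# Constructed sample events: two benign service-host launches (index 0 and 2),
# then the pattern from the analysis: the dropper's own path used as the
# svchost argument (index 1) and a remote thread injected from it (index 3).
# The path C:\Users\user\Downloads\update.exe is a hypothetical malware location.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\user\Downloads\update.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe C:\Users\user\Downloads\update.exe"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Windows\System32\svchost.exe" -k LocalService'},
    {"EventType": "CreateRemoteThread",
     "SourceImage": r"C:\Users\user\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Two caveats when adapting this to real telemetry: the parent-process rule assumes every svchost.exe instance should descend from services.exe, which is the normal case but not universal on all Windows versions, so treat it as a hunting signal rather than a blocking rule; and the remote-thread rule only fires when the injecting process is the dropped executable itself. If the sample is instead executing inside another service host at the moment it injects, the source image will be svchost.exe under C:\Windows, and the command-line anomaly on the earlier launch is the trace to correlate on.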
Trojan.Downloader.FakeAV.AR
After execution, this Trojan creates registry keys so that it is executed at every system startup. It then tries to download and execute rogue security software from the following websites:
imagesrepository.com
protection-manager.com
zone-searching.com
protect-management.com
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Ovidiu Visoiu