A Trojan that lowers the security and privacy settings of the Internet Explorer browser in order to ease other malware into stealing potentially sensitive information from the vulnerable machines.
This e-threat lowers the security and privacy settings of Internet Explorer 6 or above so that other malware can access cookies and other files more easily on the victim's system. It is a high security risk, because it raises the possibility of identity theft or browser tracking.
Another JavaScript-based exploit that tries to gain access to the user's system by taking advantage of vulnerabilities in two third-party software applications:
This Trojan is used to download other malicious applications from the Internet. In order to do so, it drops a DLL file in the %temp% directory with a random name, such as 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp. The malware uses a function from this DLL to run the files it downloads (probably to avoid heuristic detections based on classic API calls).
Afterwards it gets a list with the Internet locations of the files to download from http://www.oi[removed]/ko.txt. The list is saved as %system32%\kn.txt and looks like this:
open=y
url1=http://61.160[removed]/new1.exe
url2=http://61.160[removed]/new2.exe
url3=http://61.160[removed]/new3.exe
url4=http://61.160.[removed]/new4.exe
url5=http://61.160.[removed]/new5.exe
url6=http://61.160.[removed]/new6.exe
url7=http://61.160.[removed]/new7.exe
…
This list is parsed and the files are downloaded and executed (with a random delay between these operations). The malware also replaces the hosts file (%system32%\drivers\etc\hosts) with one downloaded from http://www.oi[removed]/ad.jpg. This is a fragment of the downloaded hosts file:
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.1 va9sdhun23.cn
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
The hosts file doesn't prevent any antivirus updates; however, it blocks access to a couple of websites.
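As an added example (not code from the original article or from BitDefender), the following Python audit parses a hosts file of the kind described above and lists the names it sinkholes to a loopback or unspecified address, then checks them against a watchlist of domains a defender cares about (for instance antivirus update hosts). The sample hosts text is constructed from the fragment quoted above, and the watchlist domains are placeholders.

```python
import ipaddress

# Constructed sample modelled on the fragment quoted above (not a full capture).
# The last line adds a placeholder update host to show the watchlist check.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.1 va9sdhun23.cn
127.0.0.2 bnasnd83nd.cn
0.0.0.0 ppp.etimes888.com example-update.invalid
"""

# Names that legitimately map to loopback and must not be reported.
EXPECTED_LOOPBACK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines.

    A line may carry several hostnames after the address; each is yielded."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, ignore the line
        for host in parts[1:]:
            yield ip, host.lower()


def find_sinkholed(text):
    """Return {hostname: address} for names the file effectively blocks.

    Any address in 127.0.0.0/8 (including the unusual 127.0.0.0 seen in the
    dropped file) counts as loopback; 0.0.0.0 counts as unspecified."""
    hits = {}
    for ip, host in parse_hosts(text):
        if host in EXPECTED_LOOPBACK:
            continue
        if ip.is_loopback or ip.is_unspecified:
            hits[host] = str(ip)
    return hits


def blocked_watchlist(text, watchlist):
    """Return the watched domains (e.g. update servers) that the file blocks."""
    sinkholed = find_sinkholed(text)
    return sorted(h for h in watchlist if h.lower() in sinkholed)
```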
Yet another piece of JavaScript code that tries to exploit a vulnerability in the Snapshot Viewer ActiveX control for Microsoft Access (snapview.ocx). If successful, the malware will download a file from the following link, http://www.oi[removed].css. The file is saved to the path [c or d or e]:/Program Files/Outlook Express/WAB.EXE and is detected by BitDefender as Rootkit.Agent.AIWN.
This Trojan is used to steal the login credentials of a popular MMORPG called Legend of Mir. The first time it is executed, the malware copies itself to %windir%\system32\saw110.exe and creates specific registry keys so that it is executed at system startup. Saw110.exe drops the file saw110.dll, which is injected into explorer.exe. Loaded as a module in explorer.exe, saw110.dll looks for processes with a certain kind of graphical interface (by searching for window names such as TFrmMain or TDXDraw). If such a process is found, saw110.dll injects itself into it and checks for the following file names: mir.exe, mir1.dat, mir2.dat. If one of these names is found, the malware tries to steal account information and sends it to a remote server.
Information in this article is available courtesy of BitDefender virus researchers Daniel Chipiristeanu, Deac Razvan-Ioan and Dana Stanut.