This e-threat is a well-known and widespread type of malware. Fake AV and rogue security software are the same concept and have been discussed at length in the past. Please refer to our other pages on this subject for more information.
Besides the classic routine of detecting nonexistent infections on infected PCs and demanding purchase of the product in order to rid the victim of those infections, this rogue also downloads other malware to the computer.
There is a confirmation message before installation which reads: “This program will download and install Total Security on your PC.”
The malware makes changes to the registry in order to be executed at every system startup. In order to protect itself it disables many tools used by malware researchers. It does this by regularly iterating the list of running processes and checking for specific window names. If any of the targeted processes is found, it is killed, an error message is returned to the user and its file is deleted.
The rogue “Total Security” is part of the “XP Antivirus” family.
When executed, the malware copies itself under the name “herss.exe” and drops “cvasds[number].exe” in the victim’s %temp% folder, where [number] is usually 0, e.g. “cvasds0.dll”. After this it injects the dropped dll into the memory space of explorer.exe and of all processes which have explorer.exe as parent. Then it creates a new entry in the registry at “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” named “cdoosoft” and sets its value to “%temp%\herss.exe”, making sure the malware runs each time the computer starts.
The injected dll monitors user activity and steals sensitive data from MMORPG games. The stolen information is sent to different servers. It also copies “%temp%\herss.exe” under the name “lhh3v.exe” and creates an “autorun.inf” file in the root folder of every drive, including removable devices. The “autorun.inf” file is responsible for running “lhh3v.exe” when the drive is opened by Explorer. After the malware has run its malicious code, it opens the folder requested by the user to avoid any suspicion.
The injected dll also contains another embedded dll which could disable the
update service of several antivirus products, making the victim vulnerable to
other viruses.
Trojan.PWS.OnlineGames.KCVU
This e-threat is directly related to Trojan.PWS.OnlineGames.KCVU described last week.
Information in this article is available courtesy of BitDefender virus researchers Daniel Chipiristeanu and George Cabau.