The malware is disguised as a Microsoft Office Word document: the executable's icon has been replaced with the Word document icon, so that users are tricked into launching it.
When executed, it drops a .DLL file in %windir%\system32 with a random name composed of 9 letters (e.g. frjacnwrm.dll). The file is registered as a BHO (Browser Helper Object) by writing the registry values through which Internet Explorer discovers the add-ons it loads at startup.
The downloader next drops a batch file, sys.bat, which it uses to delete its own executable.
The BHO is used to monitor the user's browsing behavior, and the gathered data is sent to a domain similar to: http://[removed]idbredov.ru
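A BHO registration has a fixed shape: a subkey named by CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, plus the matching HKCR\CLSID\{...}\InprocServer32 default value that names the DLL Internet Explorer will load. The Python triage script below is an added example and is not BitDefender's code or part of the original article: it walks those two locations and flags any BHO whose DLL matches the indicator described above (a nine-letter lowercase name under system32). The CLSIDs, the vendor DLL path and the registry snapshot are constructed for the example; the `read_live_bhos` helper reads the same two inputs from a real Windows host with the standard `winreg` module.

```python
import re
from typing import Dict, List, Optional

# Registry location Internet Explorer consults for BHOs. On 64-bit Windows the
# 32-bit browser also reads the Wow6432Node mirror of this key (not walked here).
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Indicator from the description: a DLL in system32 whose base name is exactly
# nine letters, e.g. frjacnwrm.dll. Accepts expanded and unexpanded forms.
RANDOM_SYS32_DLL = re.compile(
    r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\system32\\[a-z]{9}\.dll$", re.IGNORECASE
)

# Constructed snapshot (not from a real host): two BHO subkeys and their
# InprocServer32 default values. Both CLSIDs are made up for this example.
SAMPLE_BHO_KEYS = [
    "HKLM\\" + BHO_KEY + "\\{11111111-2222-4333-8444-555555555555}",
    "HKLM\\" + BHO_KEY + "\\{A1B2C3D4-0000-4000-8000-000000000001}",
]
SAMPLE_INPROC_SERVERS = {
    "{11111111-2222-4333-8444-555555555555}": r"C:\Program Files\Vendor\vendor_toolbar.dll",
    "{a1b2c3d4-0000-4000-8000-000000000001}": r"C:\Windows\system32\frjacnwrm.dll",
}


def enumerate_bhos(bho_keys: List[str], inproc_servers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each registered BHO CLSID to the DLL Internet Explorer will load.

    A CLSID with no InprocServer32 value maps to None (a broken or half-removed
    registration); it is still listed, because the BHO subkey alone is a trace.
    """
    servers = {clsid.upper(): path for clsid, path in inproc_servers.items()}
    found: Dict[str, Optional[str]] = {}
    for key in bho_keys:
        match = CLSID_RE.search(key)
        if match:
            clsid = match.group(0).upper()
            found[clsid] = servers.get(clsid)
    return found


def suspicious_bhos(bho_map: Dict[str, Optional[str]]) -> List[str]:
    """CLSIDs whose DLL matches the random nine-letter system32 indicator."""
    return sorted(
        clsid for clsid, path in bho_map.items()
        if path is not None and RANDOM_SYS32_DLL.match(path.strip('"'))
    )


def read_live_bhos():
    """Windows only: collect the same two inputs from the local registry via winreg."""
    import winreg
    bho_keys, inproc = [], {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as hkey:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(hkey, index)
            except OSError:
                break  # no more subkeys
            index += 1
            bho_keys.append("HKLM\\" + BHO_KEY + "\\" + clsid)
            try:
                # Default value of InprocServer32 is the DLL path.
                inproc[clsid] = winreg.QueryValue(
                    winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32"
                )
            except OSError:
                pass  # BHO key without a COM server: still reported by enumerate_bhos
    return bho_keys, inproc


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        keys, servers = read_live_bhos()
    else:
        keys, servers = SAMPLE_BHO_KEYS, SAMPLE_INPROC_SERVERS
    bhos = enumerate_bhos(keys, servers)
    flagged = set(suspicious_bhos(bhos))
    for clsid, path in bhos.items():
        print(("SUSPICIOUS" if clsid in flagged else "ok").ljust(10), clsid, "->", path)
```

The name pattern is only a cheap first pass: a BHO that loads from system32 under a non-dictionary name, or whose CLSID has no InprocServer32 value, deserves a look at the file's signature and creation time regardless of its length.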
Upon execution, this password stealer performs the following operations:
– copy itself under the name herss.exe inside %temp%
– drop a file called cvasds0.dll inside %temp%
– make changes to the registry so that the copy is executed at every system startup
After the "installation", the Trojan injects the dropped DLL into every running process and makes further copies of itself in the root folder of every removable drive. These copies are named bychft.exe and are pointed to by an autorun.inf file, which ensures their execution each time the drive is accessed if Windows' AutoRun feature is enabled.
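The two persistence traces just described, a Run-key entry pointing into %temp% and an autorun.inf in a drive root whose launch hooks name an executable in that root, are easy to triage from the artifacts alone. The following Python script is an added example, not the original article's or BitDefender's code: `autorun_targets` parses the [autorun] section the way Windows reads it (case-insensitive, with open=, shellexecute= and shell\<verb>\command= as launch hooks) and `suspicious_run_entries` flags autostart commands whose executable lives under a temp directory. The autorun.inf text, the Run-key values and the user name are constructed; `scan_removable_drives` applies the parser to real removable drives on a Windows host.

```python
import os
import re
from typing import Dict, List

# Constructed autorun.inf of the shape described above: the copy in the drive
# root is named bychft.exe and every launch hook points at it. Not a real sample.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=bychft.exe
shell\open\Command=bychft.exe
shell\open\Default=1
shellexecute=bychft.exe
"""

# Constructed Run-key values (value name -> command line), as a triage script
# would read them from HKCU\...\CurrentVersion\Run and the HKLM counterpart.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "herss": r"C:\Users\alice\AppData\Local\Temp\herss.exe",
}

# Executable under a temp directory; the stealer copies itself to %temp%\herss.exe.
TEMP_PATH_RE = re.compile(r"(?:^%temp%\\|\\temp\\)", re.IGNORECASE)


def autorun_targets(text: str) -> List[str]:
    """Distinct programs an autorun.inf asks Windows to run, in file order.

    Relative names (bychft.exe) are resolved by Windows from the drive root,
    which is exactly where the Trojan places its copy.
    """
    targets: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_hook = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if is_hook and value and value not in targets:
            targets.append(value)
    return targets


def first_token(cmdline: str) -> str:
    """Executable path of a Windows command line (quoted or unquoted first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Run-key value names whose executable lives in a temp directory."""
    return sorted(
        name for name, cmd in run_values.items() if TEMP_PATH_RE.search(first_token(cmd))
    )


def scan_removable_drives() -> Dict[str, List[str]]:
    """Windows only: {drive root: autorun targets} for removable drives with an autorun.inf."""
    import ctypes
    import string
    DRIVE_REMOVABLE = 2  # return value of GetDriveTypeW for removable media
    found: Dict[str, List[str]] = {}
    for letter in string.ascii_uppercase:
        root = letter + ":\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) != DRIVE_REMOVABLE:
            continue
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(inf):
            with open(inf, "r", errors="replace") as fh:
                found[root] = autorun_targets(fh.read())
    return found


if __name__ == "__main__":
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN_INF))
    print("Run entries in temp:", suspicious_run_entries(SAMPLE_RUN_VALUES))
```

Legitimate Run entries almost never execute from %temp%, so that check alone produces few false positives; the autorun.inf check is mainly useful on drives collected from a suspected host, since a clean USB stick rarely carries one at all.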
The injected DLL is responsible for the password stealing. It checks for the processes of MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2 and FlyFF. If valid login data is submitted inside any of these games, the Trojan sends it to a large number of compromised computers, which it keeps as a hardcoded list of IP addresses.
Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Lutas Andrei Vlad.
November 14, 2024
September 06, 2024