The backdoor tries to trick users into executing it by displaying an icon identical to that of Flash Player. If the user is tricked, the application creates another copy of itself as %windir%\fxinstaller.exe and executes that copy right afterwards.
The copy first drops a small batch file called removeMeXXXX.bat (where each X is a random digit) which deletes the original executable.
The copy is 166,912 bytes in size, is written in Delphi and is neither packed nor encrypted. The real threat, however, is an area of roughly 13 KB in the resource section, which is packed. The sole purpose of the executable is to unpack that code, inject it into its own virtual address space and pass control to it. That code performs the following actions:
– connects to an IRC channel
– listens for specific commands from the attacker
The instructions can tell it to:
– spread using MSN
– update itself via the web by downloading new versions from specified locations
– download and execute files from the attacker's computer
– retrieve various information about the infected computer: IP address, host name, OS version, IM client used, active processes, running threads
Under certain circumstances the bot sends messages back to the attacker, for example:
“!!!Security!!!. Lamer detected. coming back next reboot, cya”
“!!!Security!!!. Lamer detected. Comming back in 24hrs, download and update disabled.”
The backdoor keeps the attacker informed of every action it takes. For example, when attempting to spread via MSN, it reports back the total number of messages and files successfully sent.
This Visual Basic Script uses the same trick to fool users into executing it, except that this time the icon is a folder icon. To behave like a genuine folder it opens “%windir%\Web\Wallpaper”.
Next it drops a “wav.wav” file into “%windir%\Fonts”, which is a copy of the default Windows XP error sound.
It creates many copies of itself in various system folders, among them:
“%windir%\Fonts\Fonts.exe”
“%windir%\pchealth\helpctr\binaries\HelpHost.com”
“%windir%\pchealt\Global.exe”
“%windir%\system32\drivers\drivers\drivers.cab.exe”
… and so on.
It also creates another VBS script that adds registry entries which launch the worm again when the computer is rebooted.
Three copies of it are always running, forming a protective chain: each one watches the other two and restarts them if they are killed, so terminating a single process is not enough to stop the worm.
The worm spreads through network and removable drives by creating a copy of itself and an autorun.inf file on them. If AutoRun is enabled for that drive type, the copy is executed as soon as the device is plugged in or opened in Explorer.
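The autorun.inf mechanism the worm relies on is easy to inspect by hand. The following Python script is an added example, not code from the BitDefender write-up or from the worm: it parses an autorun.inf and reports every entry that would launch a program, and flags the double-extension disguise (drivers.cab.exe) described above. The sample file is constructed here; only the file name drivers.cab.exe is taken from the list of dropped copies, and the double-extension heuristic is the editor's own, not something the article attributes to the researchers.

```python
"""Inspect an autorun.inf for entries that execute code when a drive is opened.

Added example, not code from the BitDefender article. The sample below is
constructed; only the file name drivers.cab.exe is taken from the drop list.
"""
import re

# Keys whose value is run directly by AutoRun/AutoPlay.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... runs when that verb is chosen in Explorer; combined
# with shell=<verb> it hijacks the default action of double-clicking the drive.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif")

# Constructed sample modelled on the behaviour described in the article.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed sample, not a real capture
open=drivers.cab.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=drivers.cab.exe
shell=open
"""


def parse_autorun(text):
    """Return the [autorun] section as {key: value} with keys lower-cased.

    INF files are case-insensitive, may begin with a BOM and use ';' for
    comments, so the parser is deliberately lenient about all three.
    """
    entries = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(entries):
    """List (key, command) pairs that would run a program."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def has_double_extension(command):
    """True for names like drivers.cab.exe: an executable extension hiding
    behind a harmless-looking one (heuristic chosen for this example)."""
    parts = command.strip().split()
    if not parts:
        return False
    name = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if not name.endswith(EXEC_EXT):
        return False
    return "." in name.rsplit(".", 1)[0]


def report(text):
    """Return human-readable findings for one autorun.inf."""
    entries = parse_autorun(text)
    findings = []
    for key, cmd in launched_programs(entries):
        flag = " (double extension, likely disguised)" if has_double_extension(cmd) else ""
        findings.append("%s -> %s%s" % (key, cmd, flag))
    # shell=<verb> plus shell\<verb>\command= redirects the default Explorer action
    default_verb = entries.get("shell", "").lower()
    cmd_key = "shell\\%s\\command" % default_verb
    if default_verb and cmd_key in entries:
        findings.append("default verb '%s' redirected to %s" % (default_verb, entries[cmd_key]))
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_AUTORUN):
        print(line)
```

Run against the constructed sample the script lists both the open= and shell\open\command= launches and notes that the default verb has been redirected. The same file on a real drive would do nothing on a machine where AutoRun is disabled for removable and network drives, which is done by setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; that single setting removes the infection vector this worm depends on.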
Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.
November 14, 2024
September 06, 2024