This small Trojan is probably used by malware writers to spread rogue security software and similar e-threats. It is possibly downloaded by other malware or sent out through spam emails.
It resides in %system% with a random filename.
It tries to redirect its victims to another website by adding the following lines to the hosts file:
82.98.xxx.xx browser-security.microsoft.com
82.98.xxx.xx [xxx]-click-scanner.info
82.98.xxx.xx [xxx]virus-xp-pro-2009.com
82.98.xxx.xx microsoft.infosecuritycenter.com
82.98.xxx.xx microsoft.softwaresecurityhelp.com
82.98.xxx.xx [xxx]nenotifyq.net
82.98.xxx.xx [xxx]virusxp-pro-2009.com
82.98.xxx.xx microsoft.browser-security-center.com
We suspect this is another website for spreading the fake antivirus. It also tries to connect to a hardcoded URL in order to download its payload:
http://85.12.xx.xx/go/?cmp=hstwtch&ver=XXX&d=XXX
Another online-game password stealer; this time, however, it fights security products in order to stay undetected.
After execution, it creates a hidden copy of itself in %system% under the name olhrwef.exe and creates a registry key so that it is executed at boot time. It then drops the password-stealing component, also found in %system%, under the name nmdfgds0.dll or nmdfgds1.dll. This DLL monitors mouse gestures and keystrokes. It targets well-known titles such as MapleStory, Age of Conan, Rohan, The Lord of the Rings, Knight Online, Lands of Aden and others.
To spread further, the malware creates a hidden autorun.inf file on each removable drive (including USB sticks) which points to another copy of itself residing at %drive_letter%1ogf.exe.
To fight malware and protect itself, this Trojan installs a driver file, which is registered as a system service and started automatically at each boot. The file is called klif.sys and resides in %system% along with another DLL, ANTIVM.dll, which is used to disable the update capability of various antivirus products or to stop processes that monitor the behavior of running programs (a technology often used by antivirus products to proactively detect malware).
It also adds registry keys so that the user cannot see hidden files and folders in Explorer.
It will also download a file called help1.rar from http://[removed]uw2..com/xmfx/, but sadly it was unavailable at the time this paper was made, so we don't really know what it is.
Information in this article is available courtesy of BitDefender virus researchers Stefan Catalin Hanu and Dana Stanut.