When executed, this malware creates a copy of itself under the name herss.exe and registers that copy to run at startup by modifying the registry.
It then drops a .dll file in %TEMP%, under the name cvasds[random_digit].dll, and injects it into every running process.
This DLL is the actual password-stealing component. Some of the targeted games are the usual MapleStory, The Lord Of The Rings Online, Knight Online and Dekaron. The gathered data is sent to many IPs found hardcoded inside the .dll file.
Both components of the malware are packed with the NSAnti packer in order to evade AV detection.
This e-threat has a single purpose: downloading fake-AV applications onto the victim's computer.
When executed, it performs the following actions:
– unpacks its main body, which resides inside the .data section
– checks whether Antivirus PRO 2010 is already “installed” on the machine, by looking for its traces in the registry
– makes copies of itself inside Documents and Settings\[user-name]\Application Data, as seres.exe and svcst.exe
– adds the two executables to the registry’s startup keys
– executes svcst.exe
The new process then creates a new instance of the malware by running seres.exe.
These two processes make sure that the malware is running constantly on the attacked computer: if one of them is terminated, the other process re-launches it. The infamous little red cross icon appears in the system tray, and fake-alert notification messages are displayed from a separate thread running inside the malware: “Your computer is infected!”, “Windows has detected spyware infection!”, “It is recommended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.”, “Click here to protect your computer from spyware!”.
The downloaded “antispyware” software is obviously nothing but the fake security application Antivirus Pro 2010, which can be downloaded from various sources. The file will be located inside Documents and Settings\[user-name]\Application Data\lizkavd.exe or inside %windir%\Application Data\lizkavd.exe.
Here are a couple of URL examples from which the malware is downloaded:
Behind any of these links lies the same executable file (currently detected as Trojan.FakeAV.UO), which will be installed on the affected computer after being downloaded.
Note: [user-name] represents the actual user name of the logged-on user.
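As an added example (not code from the original article or from BitDefender), the following Python matches a constructed snapshot of a host's startup registry values and file listing against the artifacts described above for both threats, and correlates the seres.exe/svcst.exe pair that re-launch each other. It assumes the "startup keys" are the standard HKLM/HKCU Run keys; the registry value names and paths in the sample are invented.

```python
import re

# Artifact names are taken from the behaviour described above. The DLL name
# carries a random digit, so it is matched with a regex; the others are literal.
# Only the trailing path components are matched (case-insensitively), since
# drive letter and user name vary from host to host.
ARTIFACTS = {
    "herss.exe (password stealer copy)": re.compile(r"(^|[\\/])herss\.exe$", re.I),
    "cvasds[n].dll (password stealer DLL)": re.compile(r"(^|[\\/])cvasds\d+\.dll$", re.I),
    "seres.exe (fake-AV downloader)": re.compile(r"application data[\\/]seres\.exe$", re.I),
    "svcst.exe (fake-AV downloader)": re.compile(r"application data[\\/]svcst\.exe$", re.I),
    "lizkavd.exe (Antivirus Pro 2010)": re.compile(r"application data[\\/]lizkavd\.exe$", re.I),
}
# Assumption: the "startup keys" the article refers to are the standard Run keys.
RUN_KEY = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def match_artifacts(path):
    """Return the label of the first artifact pattern matching path, else None."""
    path = path.strip().strip('"')  # Run values are often quoted
    for label, pattern in ARTIFACTS.items():
        if pattern.search(path):
            return label
    return None

def scan(run_values, files):
    """run_values: {registry value path: command}; files: list of file paths.
    Returns (source, label, path) findings; the seres.exe/svcst.exe watchdog
    pair is flagged separately when both sit in startup keys."""
    findings, startup_hits = [], set()
    for value_path, command in run_values.items():
        label = match_artifacts(command)
        if label and RUN_KEY.match(value_path):
            findings.append(("startup-key", label, command))
            startup_hits.add(label.split()[0])
    for path in files:
        label = match_artifacts(path)
        if label:
            findings.append(("file", label, path))
    if {"seres.exe", "svcst.exe"} <= startup_hits:
        findings.append(("correlation", "seres.exe/svcst.exe watchdog pair in startup keys", ""))
    return findings

# Constructed sample host snapshot (not real telemetry).
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\seres": r'"C:\Documents and Settings\alice\Application Data\seres.exe"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcst": r"C:\Documents and Settings\alice\Application Data\svcst.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\cvasds7.dll",
    r"C:\WINDOWS\Application Data\lizkavd.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]
```

Feeding scan() a real export of the Run keys and a file listing of the profile and %TEMP% directories gives a quick triage for either infection.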
Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Lutas Andrei Vlad.