Analyzing malware is a comprehensive task which takes up a lot of manpower and involves many hours of reverse engineering intricate encryption algorithms. BitDefender is glad to have the resources to provide this service to its readers.
This week's activity has been dangerously aggressive. Several e-threats that pose a high security risk have been analyzed by the BitDefender Research team. Let us go through the agenda step by step and see what they do and how they do it.
Let's start with a less critical Trojan called Trojan.Crypt.Delf.F. This malware copies itself under the name msnmsgr.exe into the Windows system directory. Launched under that name it looks less suspicious to the user, who is left with the false impression that it is actually MSN Messenger. It creates two files, temper.txt and ctzz.txt, and downloads another, hotst.txt. In order to execute at every system startup it adds itself to the registry.
Another similar Trojan is Trojan.Spy.Webmoner.CE, which however installs itself as a system service in order to execute at startup. The service description contains only the service name or dubious random characters. It creates copies of itself in the Windows folder under the names iexplore.exe or svchost.exe (sometimes svchust.exe); note that the legitimate svchost.exe lives in the System32 folder, not directly in the Windows folder. It creates a .bat file to delete the original file it was launched from. It also downloads executable files from URLs like lzw[removed].vicp.net or hack[removed]2.org.
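Both Trojans above rely on a borrowed file name (msnmsgr.exe, iexplore.exe, svchost.exe) dropped in a directory where the real program never lives, plus the occasional misspelling (svchust.exe). The script below is an added example, not BitDefender's code and not taken from the analysis: it triages a list of process image paths and flags a well-known name running from the wrong directory, or a name one edit away from a well-known one. The process list is constructed for the example, and the "normal" install locations are the Windows defaults I assume for a 32-bit XP-era machine with %WINDIR% = C:\WINDOWS.

```python
# Added example: spot process-name impersonation of the kind used by
# Trojan.Crypt.Delf.F (msnmsgr.exe) and Trojan.Spy.Webmoner.CE (iexplore.exe,
# svchost.exe, svchust.exe). Not part of the original analysis.

# Legitimate locations of the impersonated binaries (assumed Windows defaults,
# lower-cased because Windows paths are case-insensitive).
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    "msnmsgr.exe":  {r"c:\program files\msn messenger",
                     r"c:\program files\windows live\messenger"},
}

# Constructed sample process list: a mix of genuine processes and the copies
# the two Trojans are described as dropping.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",            # genuine
    r"C:\WINDOWS\svchost.exe",                     # Webmoner.CE copy
    r"C:\WINDOWS\svchust.exe",                     # Webmoner.CE misspelt copy
    r"C:\WINDOWS\iexplore.exe",                    # Webmoner.CE copy
    r"C:\Program Files\Internet Explorer\iexplore.exe",  # genuine
    r"C:\WINDOWS\system32\msnmsgr.exe",            # Crypt.Delf.F copy
    r"C:\Program Files\MSN Messenger\msnmsgr.exe", # genuine
]


def edit_distance(a, b):
    """Levenshtein distance; one edit is enough to catch svchust.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_image_path(path):
    """Return a reason string if `path` looks like an impersonation, else None."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    if name in EXPECTED_DIRS:
        if directory not in EXPECTED_DIRS[name]:
            return f"{name} running from {directory or '.'} instead of its normal location"
        return None
    # Not an exact match: look for a near miss against each well-known name.
    for real in EXPECTED_DIRS:
        if edit_distance(name, real) == 1:
            return f"{name} is one edit away from {real} (typosquat)"
    return None


def triage(image_paths):
    """Return (path, reason) pairs for every suspicious entry in `image_paths`."""
    findings = []
    for p in image_paths:
        reason = check_image_path(p)
        if reason:
            findings.append((p, reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PROCESSES):
        print(f"{path}: {reason}")
```

On a live system the input would come from the process list (image path per PID) or from the service binary paths in the registry, since Webmoner.CE installs itself as a service. The check is deliberately path-based: a Trojan can pick any name it likes, but it cannot put its copy into System32 without also overwriting the genuine file.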
Next, let's look at more serious threats.
Trojan.PWS.Kurz.A is the name of a Trojan that acts basically like a password stealer; however, instead of sending passwords to the attacker, it sends system information such as the Windows CD Key or Windows Product ID. It generally comes bundled with hack tools like keygens or Yahoo! Hack. The program hides under the names cmd32.exe or cmd_32.exe in the system32 folder and sets itself to run at system startup.
After infection, the program forces the deletion of all files with the extensions *.jpg, *.jpeg, *.bmp, *.xml, *.xsl, *.pst, *.doc, *.xls, *.ppt, *.txt, *.mp3, *.wav, *.mp4, *.avi, *.mpg, *.mpeg, *.wmv, *.iso, *.nrg, *.ccd, *.bin, and *.dll from the C: and D: drives and all their subdirectories, through a *.bat file detected by BitDefender as Trojan.BAT.AAAH. It then sends a shutdown command to the system. After the restart, Trojan.PWS.Kurz.A starts in the background, gathering information and sending it by e-mail to [removed].
Trojan.PWS.OnlineGames.ZNH, however, is indeed a password stealer. It steals account data from online games such as Silkroad Online, KnightOnline, Lineage, Cabal Online and others. In order to do so, it creates two DLL files called adsntzt.dll and crtdll.dll (the latter name collides with a legitimate Windows C runtime library, which helps it blend in), which are injected into every running process. It creates the CLSID {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} and adds it to the registry afterwards. The Trojan also downloads and reads two files from different websites.
Trojan.FakeAlert.YF is a trojan that tricks the user into installing rogue security products. It also modifies the wallpaper and screen saver on the compromised machine.
When executed, Trojan.FakeAlert.YF drops three files with random names in the %System% directory; in the analyzed sample they were lphc1soj0enfp.bmp, lphc1soj0enfp.scr and lphc1soj0enfp.exe.
It adds the following registry entry to automatically execute itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lphc1soj0enfp = "lphc1soj0enfp.exe"
The trojan also creates and executes a VBS file in the %Temp% folder, with the filename ".tt[random number].tmp.vbs". The VBS file creates a System Restore point with the infected setup in place, so a later System Restore to that point reinstates the infection. Then Trojan.FakeAlert.YF executes the screen saver file, which is designed to mislead the user into believing their system has crashed.
Trojan.FakeAlert.YF changes the system desktop wallpaper as shown below by modifying various registry entries. The trojan makes these modifications:
Changes the desktop background color to blue:
HKCU\Control Panel\Colors\Background = 0 0 255
Changes the wallpaper position to centered:
HKCU\Control Panel\Desktop\WallpaperStyle = 0
HKCU\Control Panel\Desktop\TileWallpaper = 0
Sets the dropped file as the desktop wallpaper:
HKCU\Control Panel\Desktop\Wallpaper = "%System%\lphc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\OriginalWallpaper = "%System%\lphc1soj0enfp.bmp"
HKCU\Control Panel\Desktop\ConvertedWallpaper = "%System%\lphc1soj0enfp.bmp"
Trojan.FakeAlert.YF also makes the following registry modifications to activate the dropped screen saver. Judging by the last entry, the .scr is the Sysinternals BlueScreen screen saver (the fake crash screen mentioned above); pre-setting EulaAccepted means the user never sees its EULA dialog, which would otherwise give the game away.
HKCU\Control Panel\Desktop\SCRNSAVE.EXE = "%System%\blphc1soj0enfp.scr"
HKCU\Control Panel\Desktop\ScreenSaveActive = 1
HKCU\Control Panel\Desktop\ScreenSaveTimeOut = 600
HKCU\Software\Sysinternals\Bluescreen Screen Saver\EulaAccepted = 1
It also prevents the user from selecting the Background or Screen Saver tabs of the Display applet in the Control Panel, effectively disabling the ability to configure or change the wallpaper and screen saver:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage = 1
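The registry changes listed above are exactly what a responder checks on a suspect machine. The script below is an added example, not BitDefender's code and not taken from the analysis: it parses a plain-text registry export (the output of reg export or regedit, after decoding from UTF-16LE) and flags the FakeAlert.YF indicators described above. The export text is constructed for the example, and the file-name pattern lphc<random>.{exe,bmp} / blphc<random>.scr is generalised from the single sample in the write-up, so treat it as an assumption.

```python
# Added example: audit a .reg export for the Trojan.FakeAlert.YF indicators.
# Not part of the original analysis.
import re

# Constructed sample input: a decoded export of the keys the analysis says the
# Trojan touches, plus one benign autorun entry as a control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"lphc1soj0enfp"="lphc1soj0enfp.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\system32\\lphc1soj0enfp.bmp"
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\blphc1soj0enfp.scr"
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="600"

[HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
'''

# "name"=value or @=value; the name may contain escaped quotes/backslashes.
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a decoded .reg export into {key_path: {value_name: value}}.

    REG_SZ values become str and dword values become int; other types
    (hex:, hex(7): ...) are kept as raw text so they can still be matched on.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        val = m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = _unescape(val[1:-1])
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        keys[current][name] = val
    return keys


# Key paths from the write-up, lower-cased (the registry is case-insensitive).
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
DESKTOP = r"hkey_current_user\control panel\desktop"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
BLUESCREEN = r"hkey_current_user\software\sysinternals\bluescreen screen saver"
# Assumed naming pattern of the dropped files, generalised from the one sample.
DROPPED = re.compile(r"(?:^|\\)b?lphc[0-9a-z]+\.(?:exe|scr|bmp)$", re.I)


def audit(keys):
    """Return (rule, detail) findings for the FakeAlert.YF indicators in a parsed export."""
    k = {path.lower(): {n.lower(): v for n, v in vals.items()} for path, vals in keys.items()}
    findings = []
    for run in RUN_KEYS:
        for name, val in k.get(run, {}).items():
            if isinstance(val, str) and DROPPED.search(val):
                findings.append(("autorun", f"{run}\\{name} = {val}"))
    desk = k.get(DESKTOP, {})
    for vname, rule in (("wallpaper", "wallpaper"), ("scrnsave.exe", "screensaver")):
        val = desk.get(vname)
        if isinstance(val, str) and DROPPED.search(val):
            findings.append((rule, f"{vname} = {val}"))
    if k.get(BLUESCREEN, {}).get("eulaaccepted") == 1:
        # Weak alone (a user who ran BlueScreen.scr legitimately has it too),
        # strong in combination with the entries above.
        findings.append(("bluescreen_eula", "Sysinternals BlueScreen EULA pre-accepted"))
    pol = k.get(POLICY, {})
    for vname in ("nodispbackgroundpage", "nodispscrsavpage"):
        if pol.get(vname) == 1:
            findings.append(("display_policy", f"{vname} = 1 (Display tab hidden)"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"[{rule}] {detail}")
```

The policy values and the EulaAccepted flag are legitimate in some environments (group policy, an admin who really installed the Sysinternals screen saver), so the script reports them as separate rules and leaves the correlation to the analyst; the autorun, wallpaper and screen-saver hits pointing at the same random-named files are the decisive part.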
Trojan.FakeAlert.YF contacts av-xp-08.com and www.winifixer.com, which host rogue antispyware products, and downloads the alleged security products in a very insidious way.
The setup applications are hidden in encrypted form inside GIF images, like the one shown below. After downloading the image, the trojan extracts the obfuscated code and executes it; the resulting program keeps nagging the victim about infections that do not exist on the system. The technique is effective because the download looks like an ordinary image to firewalls and gateway filters that block executables by file type or content type; the executable only comes into existence on the victim's disk, so only active monitoring of the local filesystem could detect the imminent infection.
This way of bypassing filters is said to have been used successfully for more than three years by the RBN (Russian Business Network) and the Storm Worm.
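The analysis does not say how the payload is encoded inside the GIF, only that it is encrypted and extracted after download. The script below is an added example, not BitDefender's code, that demonstrates the filesystem-side check the paragraph above calls for under one common assumption: the payload is appended after the GIF trailer byte, where image decoders never look, and is obfuscated with a single-byte XOR. It walks the real GIF block structure to find where the image ends, reports any trailing bytes, and brute-forces the XOR key by looking for a PE header in the decoded data. The carrier image and the "PE" are constructed inline (the latter is just an MZ header with a DOS-stub string, not a real executable).

```python
# Added example: find and decode a payload appended after a GIF's trailer.
# Not part of the original analysis; the encoding scheme is an assumption.
import struct

GIF_TRAILER = 0x3B


def _skip_sub_blocks(data, off):
    """Advance past a chain of GIF data sub-blocks (length byte + payload, 0x00 ends the chain)."""
    while True:
        if off >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[off]
        off += 1
        if n == 0:
            return off
        off += n


def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the 0x3B trailer.

    Everything after that offset is not part of the image and is ignored by
    image decoders, which is what makes it a convenient hiding place.
    """
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, packed = struct.unpack_from("<HHB", data, 6)
    off = 13                                # header (6) + logical screen descriptor (7)
    if packed & 0x80:                       # global colour table: 3 * 2^(N+1) bytes
        off += 3 * (2 << (packed & 0x07))
    while True:
        if off >= len(data):
            raise ValueError("no trailer before end of data")
        block = data[off]
        if block == GIF_TRAILER:
            return off + 1
        if block == 0x21:                   # extension: introducer, label, sub-blocks
            off = _skip_sub_blocks(data, off + 2)
        elif block == 0x2C:                 # image descriptor (10 bytes)
            if off + 10 > len(data):
                raise ValueError("truncated image descriptor")
            lpacked = data[off + 9]
            off += 10
            if lpacked & 0x80:              # local colour table
                off += 3 * (2 << (lpacked & 0x07))
            off = _skip_sub_blocks(data, off + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {off}")


def appended_payload(data):
    """Return the bytes trailing the GIF, or b"" for a clean image."""
    return data[gif_end_offset(data):]


def find_xor_pe(blob, probe=96):
    """Try every single-byte XOR key on the first `probe` bytes and look for a PE header.

    Returns (key, decoded_blob) or None. Requiring both the MZ magic and the
    DOS-stub string keeps random data from matching one of the 256 keys by chance.
    """
    head = blob[:probe]
    for key in range(256):
        dec = bytes(b ^ key for b in head)
        if dec[:2] == b"MZ" and b"This program" in dec:
            return key, bytes(b ^ key for b in blob)
    return None


# Constructed stand-in for a dropped executable: MZ header plus the DOS stub text.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 60
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16)


def build_carrier(payload, key):
    """Constructed sample: a valid 1x1 GIF89a, returned clean and with the XOR-ed payload appended."""
    gif = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 2-entry global colour table
           + b"\x00\x00\x00\xff\xff\xff"                          # the two palette entries
           + b"\x21\xf9\x04\x00\x00\x00\x00\x00"                  # graphic control extension
           + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)       # image descriptor
           + b"\x02" + b"\x02\x44\x01" + b"\x00"                  # LZW min code size, one sub-block, end
           + bytes([GIF_TRAILER]))
    return gif, gif + bytes(b ^ key for b in payload)


if __name__ == "__main__":
    _, carrier = build_carrier(FAKE_PE, 0x5A)
    tail = appended_payload(carrier)
    hit = find_xor_pe(tail)
    print(f"{len(tail)} trailing bytes; xor key {hit[0]:#x}" if hit else "no payload found")
```

A gateway that only checks the magic bytes and the declared content type passes this file as a GIF, which is the point the paragraph makes; a check that parses the image to its trailer and refuses or inspects anything beyond it is cheap, and the same structure walk catches payloads stashed in oversized extension blocks once you compare the block lengths against what the image actually needs.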
Trojan.FakeAlert.YF retrieves information stored in cookies associated with the domain youpornztube.com.
It also collects the following system information:
Processor speed
Operating system version
Installed software
Running processes