
BitDefender weekly review – Don't judge a book by its cover

Date: 06/19/2009
Author: Andrei Bereczki

A pretty famous saying that applies perfectly to the malware world as well. This week we have several e-threats that try to trick users into executing them by faking different icons, a common technique among malware.

Backdoor.SDBot.DGBR

The backdoor tries to trick users into executing it by displaying an icon identical to that of Flash Player. If the user is tricked, the application creates another copy of itself under %windir%\fxinstaller.exe and executes that copy right afterwards.

The copy will first drop a small batch file called removeMeXXXX.bat (where each X is a random number) which will delete the original executable.

The copy has a size of 166912 bytes, is written in Delphi and is neither packed nor encrypted. The real threat, however, is an approximately 13 KB packed area in the resource section. The purpose of the executable is to unpack that code, inject it into its own virtual-memory space and pass control to it. That code performs the following actions:

- connect to an IRC channel
- listen for specific commands from the attacker

The instructions can tell it to:

- spread using MSN
- update itself via the web by downloading new versions from specified locations
- download and execute files from the attacker's computer
- retrieve various information about the infected computer: IP address, host name, OS version, IM client used, active processes, running threads

Under certain circumstances the bot will send messages back to the attacker:

"!!!Security!!!. Lamer detected. coming back next reboot, cya"

"!!!Security!!!. Lamer detected. Comming back in 24hrs, download and update disabled."

The backdoor will keep the attacker informed regarding any action it takes. For example, when attempting to spread via MSN, it will send to the attacker the total number of messages and files successfully sent.


Win32.Worm.NUD

This Visual Basic Script uses the same trick to fool users into executing it, except that this time the icon is a folder icon. To behave like a genuine folder, it opens "%windir%\Web\Wallpaper".

Next it will drop a "wav.wav" file into "%windir%\Fonts" which is a copy of the default Windows XP "error sound".

It will create many copies of itself in various system folders:

"%windir%\Fonts\Fonts.exe"
"%windir%\pchealt\helpctr\binaries\HelpHost.com"
"%windir%\pchealt\Global.exe" 
"%windir%\system32\drivers\drivers\drivers.cab.exe"

... and so on.

It will also create another VBS script which adds certain registry entries that will launch the worm if the computer is rebooted.

Three copies of it will always be running, creating a protective chain. Each one will protect the other two from being killed.

The worm spreads through network and removable drives by creating a copy of itself and an autorun.inf file on them. If autorun is enabled for those drives, the copy is executed when the devices are accessed or plugged in.
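The autorun.inf spreading mechanism described above lends itself to a simple triage check for a removable drive. The following is an added example, not BitDefender's code or anything from the worm: it parses an autorun.inf body and flags the indicators this review mentions (an executable launched directly from the drive, a double-extension name such as drivers.cab.exe, an icon borrowed from that executable, and an "Open folder" prompt). The executable-extension list and the constructed sample are assumptions of the example.

```python
import re
from pathlib import Path

# File types Windows executes directly (an assumed allow-list for this example).
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".vbe", ".js"}
# autorun.inf keys that make a program run when the drive is opened or plugged in.
RUN_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def target_of(value):
    """First token of a command line: the program that would be launched."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return (value.split() or [""])[0]

def assess_autorun(text):
    """Return the worm-style indicators found in an autorun.inf body."""
    entries, findings = parse_autorun(text), []
    for key in RUN_KEYS:
        if key not in entries:
            continue
        target = target_of(entries[key])
        if Path(target).suffix.lower() in EXEC_EXT:
            findings.append(f"{key}: launches executable {target}")
        if len(Path(target).suffixes) > 1:  # e.g. drivers.cab.exe
            findings.append(f"{key}: double extension {target}")
    icon = target_of(entries.get("icon", ""))
    if Path(icon).suffix.lower() in EXEC_EXT:
        findings.append(f"icon: borrowed from executable {icon}")
    if re.search(r"open\s+folder", entries.get("action", ""), re.I):
        findings.append("action: mimics the 'Open folder to view files' prompt")
    return findings

# Constructed sample autorun.inf modelled on the spreading behaviour described above.
SAMPLE = ("[autorun]\nopen=drivers.cab.exe\nicon=drivers.cab.exe\n"
          "action=Open folder to view files\nshell\\open\\command=\"drivers.cab.exe\" /auto\n")
```

Running `assess_autorun(SAMPLE)` yields six findings for the constructed sample, while a plain label/icon-only autorun.inf yields none.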

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Ovidiu Visoiu

user comments
Good review! Please keep running all these!