Filed Under: WEEKLY REVIEW

BitDefender weekly review – Email spam posing as DHL Express Service spreads backdoors

Date: 10/23/2009
Author: Andrei Berczki

This week is more relaxed. We look at another rogue antivirus (what a surprise!) and at a backdoor that gives the attacker complete control over the infected machine through a remote web server.

Trojan.FakeAV.VE

The purpose of this e-threat is to download and execute "Antivirus Pro 2010", a rogue application that poses as security software. The installation has two steps. First, the trojan tries to download a randomly named file from one of several locations and saves it as "%user_documents%\Application Data\lizkavd.exe". This new executable then connects to a further set of locations, authenticates with a user name and password, and downloads a password-protected archive. The archive contains the fake-alert malware itself (Trojan.FakeAV.VH), which is installed in %Programs%\AntivirusPro_2010.

Before starting the download, the trojan copies itself to %user_documents%\application data\svcst.exe and %user_documents%\application data\seres.exe. The two copies are started together and protect each other from being terminated by the user, coordinating through two named mutexes.

The two copies are also registered to run at system startup by changing certain registry keys.
The trojan then lowers the machine's security settings: it allows executables with invalid signatures to run and adds certain file extensions to the low-risk file type list, so that opening such files no longer triggers a warning.

After these changes, the malware starts the download by contacting several addresses such as:
hxxp://erta[removed]ert.com/s1fb0Uv5MS8X[removed]
hxxp://abu[removed]hkamid.com/nQ1Zx0E5X8[removed]

Trojan.Generic.2581209

The malware is distributed in a zip archive attached to an e-mail that claims to come from "DHL Express Services".
Called Glecia, this e-threat cannot propagate by itself, so it relies on a third party to send the spam.

A sample message looks like this:

Headers:
From: "****" <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449

Body:
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personally!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Services.

Attachments:
DHL_print_label_582b9.zip (16.23KB)
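The lure above is the whole attack surface for the recipient: a courier-themed subject, a sender address on a plausible domain, and a zip archive that hides an executable behind a "shipping label" name. The following script, an added example that is not BitDefender's code, shows the triage a mail gateway or an analyst would run on such a message: parse the e-mail, unpack any zip attachment in memory, and flag members that are Windows executables by the PE "MZ" magic rather than by file name alone, also flagging password-protected members that cannot be inspected (the second stage of the FakeAV case above uses exactly such an archive). The sample message, its zip attachment and the lure phrase list are constructed here; the member is a harmless byte string, not the real malware.

```python
"""Triage a courier-themed lure: parse the e-mail, unpack any zip attachment
in memory and flag members that are Windows executables, whether or not the
file name admits it. Added example; the message and archive are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: lure phrases and extension list are this example's own choice,
# not a list taken from the article.
LURE_PHRASES = ("parcel", "shipping label", "delivery", "package")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll")
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def build_sample_zip() -> bytes:
    """Constructed stand-in for DHL_print_label_582b9.zip. The member is a
    harmless byte string that merely starts with the PE 'MZ' magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_print_label_582b9.exe", PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed message mirroring the lure quoted in the article."""
    msg = EmailMessage()
    msg["From"] = '"DHL" <noreply@dhl-usa.com>'
    msg["To"] = "customer@example.com"
    msg["Subject"] = "DHL Express Services. Please get your parcel NR.56449"
    msg.set_content("Dear customer!\n\nThe shipping label is attached to this e-mail.\n")
    msg.add_attachment(build_sample_zip(), maintype="application", subtype="zip",
                       filename="DHL_print_label_582b9.zip")
    return msg.as_bytes()


def inspect_zip(name: str, payload: bytes) -> list:
    """Return one finding per suspicious member of a zip attachment."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        return [{"attachment": name, "member": None, "is_pe": False,
                 "reason": "attachment named .zip but not a valid archive"}]
    findings = []
    with zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # bit 0: member is password-protected
            if encrypted:
                head = b""  # cannot read the content, so judge by the flag alone
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
            is_pe = head == PE_MAGIC
            named_exec = info.filename.lower().endswith(EXECUTABLE_EXTS)
            if encrypted or is_pe or named_exec:
                findings.append({"attachment": name, "member": info.filename, "is_pe": is_pe,
                                 "reason": "password-protected member" if encrypted
                                 else "executable inside archive"})
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and score its lure and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    sender_domain = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            findings.extend(inspect_zip(name, part.get_payload(decode=True)))
    return {
        "sender_domain": sender_domain,
        "lure_subject": any(p in subject for p in LURE_PHRASES),
        "findings": findings,
        "verdict": "suspicious" if findings else "no executable attachment",
    }


if __name__ == "__main__":
    print(triage(build_sample_email()))
```

Checking the member's first bytes matters more than its extension: a renamed or double-extension file still starts with "MZ". A member that cannot be read because it is password-protected is reported rather than silently skipped, since that is precisely the trick the FakeAV downloader uses to keep its payload out of inspection.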

The archive contains the malware executable, which drops a BHO (Browser Helper Object) to %SYSTEM%\bhdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" under CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.

Once that is done, the dropper writes and runs a batch file called sys.bat that deletes the dropper itself.
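Both threats in this review leave their footprints in the registry: the FakeAV downloader registers its two copies at startup and relaxes the invalid-signature and low-risk-file-type settings, and Glecia registers its DLL as a Browser Helper Object under the CLSID given above. The script below, an added example that is not BitDefender's code, scans a registry export for these indicators. It assumes the usual Windows locations for the settings the article describes (the Run key, the Internet Explorer Download\RunInvalidSignatures value, the Policies\Associations\LowRiskFileTypes value, and the Explorer\Browser Helper Objects and CLSID\...\InprocServer32 keys); the article names the behaviour, not the keys. The .reg text is a constructed sample, not a dump from an infected machine.

```python
"""Scan a .reg export for the persistence and policy changes described in
this review. Added example; the registry paths are the usual Windows
locations for these settings (an assumption, the article does not name them)
and the export below is constructed."""

# Constructed .reg export standing in for an infected machine (not a real dump).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcst"="C:\\Documents and Settings\\user\\Application Data\\svcst.exe"
"seres"="C:\\Documents and Settings\\user\\Application Data\\seres.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.zip"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}]
@="Google Accelerator!"

[HKEY_CLASSES_ROOT\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}\InprocServer32]
@="C:\\WINDOWS\\system32\\bhdvgtueyitf.dll"
"""

# Indicators taken from the article; the extension list is this example's choice.
KNOWN_BHO_CLSID = "{CEE2864E-1144-4B8F-9A43-4CEAC4553560}"
KNOWN_BHO_NAMES = {"microsoft online helper!", "google accelerator!"}
DROPPED_NAMES = {"svcst.exe", "seres.exe", "lizkavd.exe"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
RUN_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
IE_DOWNLOAD_SUFFIX = "\\internet explorer\\download"
BHO_MARKER = "\\explorer\\browser helper objects\\"


def parse_reg(text: str) -> dict:
    """Parse the subset of .reg syntax that exports use: [key] headers and
    name=value lines with quoted strings, the @ default value and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith("dword:"):
            keys[current][name] = int(value[len("dword:"):], 16)
        else:
            # .reg exports escape backslashes in string values
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def scan(keys: dict) -> list:
    """Return (category, detail) findings for the indicators described above."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # autostart entries pointing into Application Data or at the dropped names
        if k.endswith(RUN_SUFFIX):
            for name, target in values.items():
                path = str(target).lower()
                base = path.rsplit("\\", 1)[-1]
                if "\\application data\\" in path or base in DROPPED_NAMES:
                    findings.append(("autostart", f"{name} -> {target}"))
        # execution of binaries with invalid signatures allowed
        if k.endswith(IE_DOWNLOAD_SUFFIX) and values.get("RunInvalidSignatures") == 1:
            findings.append(("invalid-signatures-allowed", key))
        # executable extensions added to the low-risk list
        if "LowRiskFileTypes" in values:
            exts = {e.strip().lower() for e in str(values["LowRiskFileTypes"]).split(";")}
            risky = sorted(exts & EXEC_EXTS)
            if risky:
                findings.append(("low-risk-list-weakened", ";".join(risky)))
        # BHO registration by CLSID or by the display names the article lists
        if BHO_MARKER in k:
            clsid = key.rsplit("\\", 1)[-1]
            name = str(values.get("(Default)", ""))
            if clsid.upper() == KNOWN_BHO_CLSID or name.lower() in KNOWN_BHO_NAMES:
                server = lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
                dll = server.get("(Default)", "unknown dll")
                findings.append(("bho", f"{clsid} '{name}' -> {dll}"))
    return findings


if __name__ == "__main__":
    for category, detail in scan(parse_reg(SAMPLE_REG)):
        print(f"{category:28} {detail}")
```

Resolving the BHO's CLSID through InprocServer32 is what turns a registration entry into the DLL path to collect; the display name alone is easily changed between samples, which is why the scan matches on the CLSID as well.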

The BHO is a backdoor that the attacker can use to take control of the infected computer. When loaded, it tries to connect to a Russian domain to receive further instructions, which can be any of the following:
Send system information
Open a given URL
Execute files
Delete all files from the root, Windows, and Program Files folders

Information in this article is available courtesy of BitDefender virus researchers Ovidiu Visoiu and Horea Coroiu.


user comments
I have just received a letter claiming to be from DHL Express Services containing an attached virus. What can I do to limit the damage?