BitDefender weekly review – How an IRCBot infection can start
Trojan.JS.PYZ
This is yet another malicious JavaScript that tries to exploit vulnerabilities in Adobe Acrobat Reader and Adobe Flash Player.
When the victim visits the specially crafted website, the script instantiates two ActiveX objects: AcroPDF.PDF or PDF.PdfCtrl to open a *.pdf file (readme.pdf) and ShockwaveFlash.ShockwaveFlash to open a *.swf file (flash.swf). These files contain the actual exploits and, when opened, download an executable file without any user interaction.
The download URL was of the form: http://sitesupports.cn/[removed]?id=0 and the executable is detected by BitDefender as Backdoor.Zdoogu.F.
Backdoor.Zdoogu.F
When executed, the backdoor creates a copy of itself as %windir%\system32\digiwet.dll, with the extension and executable type changed to DLL. To have this copy run at every Windows startup, it adds specific registry keys.
After this it launches a new instance of svchost.exe and overwrites its image from memory with the payload.
The infected svchost.exe creates a file called wiaservim.log in %windir% in which it will record its activity. It then connects twice to 78.109.29.112, first to download several files, second to report back with other data.
The downloaded executables belong to the Backdoor.IRCBot family, which allows an attacker to control the infected computers via IRC (Internet Relay Chat).
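The write-up above gives a handful of host and network indicators for this chain (the download host, the dropped DLL and log file, and the callback address). The following is an added example, not BitDefender's code, showing how a defender could match those indicators against endpoint and proxy telemetry. The log format is hypothetical and the sample lines are constructed; the download URL path is left as the page elides it.

```python
import re
from collections import Counter

# Indicators as given in the write-up (URL path is elided on the page).
C2_IP = "78.109.29.112"
DOWNLOAD_HOST = "sitesupports.cn"
DROPPED_FILES = ("digiwet.dll", "wiaservim.log")

# Constructed sample telemetry in a hypothetical
# "<timestamp> <host> <kind> <action> <target>" format; these are not real logs.
SAMPLE_LOGS = """\
2010-03-01T10:00:01 ws-17 http GET http://sitesupports.cn/[removed]?id=0
2010-03-01T10:00:04 ws-17 file CREATE C:\\WINDOWS\\system32\\digiwet.dll
2010-03-01T10:00:05 ws-17 file CREATE C:\\WINDOWS\\wiaservim.log
2010-03-01T10:00:06 ws-17 tcp CONNECT 78.109.29.112
2010-03-01T10:00:09 ws-17 tcp CONNECT 78.109.29.112
2010-03-01T10:01:00 ws-22 http GET http://example.com/index.html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>\S+)\s+(?P<action>\S+)\s+(?P<target>.+)$"
)


def scan_logs(text):
    """Return (host, indicator, target) triples for every line matching an IoC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, kind, target = m["host"], m["kind"], m["target"]
        lowered = target.lower()
        if kind == "http" and DOWNLOAD_HOST in lowered:
            hits.append((host, "download_url", target))
        elif kind == "tcp" and target.rsplit(":", 1)[0] == C2_IP:
            hits.append((host, "c2_connect", target))
        elif kind == "file" and lowered.endswith(DROPPED_FILES):
            hits.append((host, "dropped_file", target))
    return hits


def summarize(hits):
    """Count indicator categories per host."""
    per_host = {}
    for host, indicator, _ in hits:
        per_host.setdefault(host, Counter())[indicator] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def hosts_with_full_chain(hits):
    """Hosts showing the download, the dropped files and the callback together:
    the strongest sign that the chain described above ran to completion."""
    required = {"download_url", "dropped_file", "c2_connect"}
    return sorted(h for h, c in summarize(hits).items() if required <= set(c))


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for host, indicator, target in found:
        print(f"{host}: {indicator} -> {target}")
    print("full chain on:", hosts_with_full_chain(found))
```

A single hit on the callback address is worth a ticket on its own; the per-host summary exists so that the two connections the write-up mentions (download, then report-back) and the dropped files can be correlated into one incident rather than several alerts.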
Win32.Delicium.A
This is a file infector that has two main components:
- The code that gets injected into the *.exe files
- The DLL which performs the actual infections
When an infected file gets executed, the virus will do the following:
- drop a DLL into %windir%\system32\dotnetfx.dll
- run the DLL by passing it as an argument to rundll32.dll
- pass execution to the host
The DLL file is responsible for making the actual infections. When first run, it modifies the registry so that it gets executed at system startup. It then adds another registry value, initially set to the letter A, which it increments every time it is run. When the letter reaches Z, the virus starts its actual infection routine.
The virus will loop through all accessible drives searching for files to infect or delete. It only injects code into *.exe files and deletes every file with the extension: xls, mdb, doc, jpg, frm, wmv, mp3, sis, as, fla, APP, ppt, avi, mpg, 3gp, vb, jar, css, asp, aspx, jsp, java, pdf, psd, gif, cad, zip, rar or 3ds.
Before infecting a file, it reads the file's header and checks whether the file is already infected. As an infection marker, it writes the string "PROZIUM32" at physical offset 0x4E (78 in decimal) in the file. If the file is not already infected, it appends the malicious code to the end of the executable and updates the file's characteristics by recalculating its size and properties.
It might also create a random-length overlay, probably to prevent infection by other viruses. The overlay has the last 4 bytes set to the ASCII characters ".MTS".
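The marker at offset 0x4E and the ".MTS" overlay trailer are both cheap to check without a full PE parser, which makes them useful for a triage sweep of a file share. The following is an added example, not BitDefender's code: it checks a file image for the marker and trailer, and tests a filename against the deletion list above. The sample "PE" bytes are constructed (an MZ signature plus the standard DOS-stub message), not a real executable.

```python
# Constants taken from the write-up above.
MARKER = b"PROZIUM32"
MARKER_OFFSET = 0x4E  # 78 decimal; lies inside the DOS stub of a normal PE file
OVERLAY_TAIL = b".MTS"
DELETED_EXTENSIONS = frozenset(
    "xls mdb doc jpg frm wmv mp3 sis as fla app ppt avi mpg 3gp vb jar css asp "
    "aspx jsp java pdf psd gif cad zip rar 3ds".split()
)


def has_infection_marker(data: bytes) -> bool:
    """True if 'PROZIUM32' sits at physical offset 0x4E.

    In an ordinary PE file that offset holds the start of the DOS stub's
    'This program cannot be run in DOS mode.' text, so the marker there
    is an unambiguous sign the file was modified."""
    return data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def has_mts_overlay(data: bytes) -> bool:
    """True if the file ends with the '.MTS' overlay trailer described above."""
    return len(data) >= len(OVERLAY_TAIL) and data.endswith(OVERLAY_TAIL)


def classify(data: bytes) -> str:
    """Coarse verdict for one file image."""
    if not data.startswith(b"MZ"):
        return "not-pe"
    if has_infection_marker(data):
        return "infected-marker" + ("+overlay" if has_mts_overlay(data) else "")
    if has_mts_overlay(data):
        return "suspicious-overlay"  # trailer without marker: worth a closer look
    return "clean"


def targeted_for_deletion(filename: str) -> bool:
    """Does the filename carry an extension the virus deletes?

    Compared case-insensitively, since the page lists 'APP' in upper case
    alongside lower-case extensions."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in DELETED_EXTENSIONS


def make_sample_pe(infected: bool) -> bytes:
    """Constructed stand-in for a PE file: MZ signature plus the standard
    DOS-stub message at 0x4E. Not a real, runnable executable."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    stub_text = b"This program cannot be run in DOS mode.\r\n$"
    buf[MARKER_OFFSET:MARKER_OFFSET + len(stub_text)] = stub_text
    if infected:
        buf[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
        buf += b"\x00" * 37 + OVERLAY_TAIL  # arbitrary-length overlay ending in ".MTS"
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("clean", make_sample_pe(False)), ("infected", make_sample_pe(True))):
        print(f"{label}: {classify(sample)}")
    for name in ("report.XLS", "setup.exe"):
        print(f"{name}: deleted by virus = {targeted_for_deletion(name)}")
```

The marker check alone is sufficient to flag an infected executable; the overlay check is kept separate because a trailer without the marker is not proof of this particular virus and only merits a closer look.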
Information in this article is available courtesy of BitDefender virus researchers: Balazs Biro and Lutas Andrei Vlad

Copyright 2010. Site powered by BitDefender