BitDefender weekly review – IRCBots and file infectors

14 August 2009
This week a pretty simple but recyclable IRCBot caught our attention. Besides the fact that it allows remote control of the infected machine by the attacker, the only noteworthy thing about it is that it comes packed, which means that with the click of a button or two a new, morphed version of it can spread unhindered through anti-virus protected PCs.

Backdoor.IRCBot.ACTN

This worm is packed and encrypted in order to avoid AV detection and hide its malicious purpose. When first run, it creates a hidden copy of itself in %windir%, under the name usb_magr.exe, and makes specific changes to the registry to ensure that the copy is executed at every system startup.

Next it drops a file named x.bat, which disables the Security Center service. As a consequence, the user is no longer notified whether virus protection, the firewall and automatic updates are enabled. The batch file deletes itself afterwards.

It spreads on removable drives using the autorun.inf technique. The executable is hidden in a RECYCLER folder to conceal its presence and is executed each time the drive is accessed, provided the autorun feature is enabled.

It then tries to connect to an IRC server using the following authentication details:

User: MEAT* 0
Nick: {iNF-00-USA---}
Pass: prison

By opening this backdoor the attacker is able to control the system and to download other files, or upgraded versions of the backdoor, by issuing IRC commands.


Win32.Tufik.M

This file infector is made up of two components:
- A small piece of code (the "viral code") that receives execution before the infected file's own code and drops the main executable
- The main executable file, which is responsible for the rest of the malicious actions

Upon execution, the main executable performs the following:
- create a new mutex, BLACKSEEDER1.1, in order to avoid multiple instances of the same executable
- copy itself inside "%windir%\Downloaded Program Files" as xxxxxxxx.exe (where each x is a digit from 0 to 9 or a character from A to F, e.g. 00094648.exe) and continue execution from there
- drop a small DLL file, xxxxxxxx.dat (the .exe file and the .dat file share the same 8-character sequence), which is injected into every running process; it has only one purpose: downloading files from the following URL: http://www.wangzhe[removed].com/girl/
- infect .htm, .html, .php, .asp, .aspx files by adding an invisible iframe pointing to: http://www.wangzhe[removed].com/girl/picture.htm
- create a desktop.ini file inside this folder, to make sure the malware files are not visible in Explorer
- register itself at startup by making changes to the registry
- make a copy of itself inside the root directory of every accessible drive
- create an autorun.inf file on every accessible drive, which points to the file described above

It is also responsible for searching for and infecting other files with the extensions .exe, .com, .bat, .scr and .cmd, provided they are valid PE files. The infection process is the following:
- check that the file is not already infected (the last section name is not BSDR1.1)
- check whether the file has an overlay (it will not infect files with an overlay)
- if the file is not infected, create a new section at the end of the executable, holding the viral code that gets executed inside the host, followed by the main executable file
- modify the entry point so that the virus is executed first
- modify the SizeOfImage and SizeOfCode fields in the headers, in order to reflect the changes made by the infection
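As an added illustration of the infection traits listed above (this is not code from the original post or from BitDefender), the following Python parses a PE32 section table by hand and flags the markers a defender can check for: a trailing section named BSDR1.1, an entry point redirected into that last section, and whether an overlay is present (the infector skips files that have one). The sample images are constructed in memory.

```python
import struct

# Last-section name the write-up says Tufik.M leaves on every file it has infected.
TUFIK_SECTION_MARKER = b"BSDR1.1"

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...]) for a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    secs = []
    for i in range(nsec):                      # IMAGE_SECTION_HEADER is 40 bytes each
        off = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0"), vaddr, vsize, rptr, rsize))
    return entry_rva, secs

def scan(data):
    """Flag the traits the write-up describes: marker section, entry point in last section, overlay."""
    entry_rva, secs = parse_pe(data)
    name, vaddr, vsize, rptr, rsize = secs[-1]
    end_of_sections = max(p + s for _, _, _, p, s in secs)
    return {
        "marker_present": name == TUFIK_SECTION_MARKER,
        "entry_in_last_section": vaddr <= entry_rva < vaddr + max(vsize, rsize),
        "has_overlay": len(data) > end_of_sections,
    }

def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (constructed test input, not real malware)."""
    opt_size = 224                             # size of a PE32 optional header
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF      # first raw section at file alignment 0x200
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, vaddr, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), vaddr, len(raw), raw_base + len(body)) + bytes(16)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + bytes(raw_base - hdr_len) + body

# Constructed samples: a clean two-section file and one carrying the infector's trailing section.
CLEAN = build_pe([(b".text", 0x1000, b"\x90" * 16), (b".data", 0x2000, b"\0" * 16)], 0x1000)
INFECTED = build_pe([(b".text", 0x1000, b"\x90" * 16), (b".data", 0x2000, b"\0" * 16),
                     (TUFIK_SECTION_MARKER, 0x3000, b"\xE8" * 16)], 0x3000)
```

The section-name check is the exact marker the infector itself uses to avoid re-infection; the entry-point heuristic also catches files appended to by infectors that use a different name.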


The "viral code" (1436 B) receives execution inside the infected file before the host does (achieved by modifying the original entry point of the infected application) and performs the following:
- create a new mutex, BLACKSEEDER1.1, in order to avoid multiple instances
- retrieve the addresses of some API functions it will use
- retrieve the temp folder path
- drop and execute the main exe file (which is located immediately after the viral code) inside the temp folder, as BLACKSEEDER1.1
- jump back to the host code

The worm also kills any process with one of the following names:
vstskmgr.exe, naprdmgr.exe, updaterui.exe, tbmon.exe, scan32.exe, ravmond.exe, ccenter.exe, ravtask.exe, rav.exe, ravmon.exe, ravmond.exe, ravstub.exe, kvxp.kxp, kvmonxp.kxp, kvcenter.kxp, kvsrvxp.exe, kregex.exe, uihost.exe, trojdie.kxp, frogagent.exe, 360Safe.exe, AST.exe ...

... and terminates the following services, if present on the system:
kavsvc, AVP, AVPkavsvc, McAfeeFramework, McShield, McTaskManager, McAfeeFramework McShield, McTaskManager, navapsvc, KVWSC, KVSrvXP, Schedule, sharedaccess, RsCCenter, RsRavMon, RsCCenter, RsRavMon, wscsvc, KPfwSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec, Core LC, NPFMntor, MskService, FireSvc, Alerter


Information in this article is available courtesy of BitDefender virus researchers: Dana Stanut and Lutas Andrei Vlad
