BitDefender weekly review – Malware authors keep being ingenious

28 August 2009
Rather unusual activity was analyzed this week: a worm that uses window titles to receive commands, and a family that has not been seen spreading for a very long time, Trojan.Dialer.

Win32.Worm.Autorun.TF

When the worm is executed, it makes changes to the registry so that it runs at every system startup of the infected machine. Next it creates the hidden file "C:\boot.ini.ini", in which it writes the current time and the logged-in user name. It then copies itself to the root directory of every accessible drive as "ntdetect.exe" and writes an autorun.inf file that points to that executable. Both names are chosen to blend in with the legitimate Windows XP boot files boot.ini and NTDETECT.COM, which also live in the root of the system drive.

To evade antivirus detection, it creates yet another copy of itself at %windir%\system32\system.exe and continues execution from that location.

The new instance performs the following actions every 125 ms:

- rewrite the startup registry key

- check whether any of its files have been removed and, if so, simply recreate them

- write fresh copies of autorun.inf, boot.ini.ini and ntdetect.exe to every drive

- change Explorer's registry settings so that hidden files and file extensions are not displayed and system directories cannot be searched from Windows Explorer
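The file-system and registry indicators listed above can be checked with a few lines of code. The following is an added example written for this review, not BitDefender's or the worm's code: it parses an autorun.inf, reports which executables the file can launch from a drive root, flags the worm's file names, and checks the Explorer "Advanced" settings the worm keeps forcing. The autorun.inf text, the root directory listing and the registry snapshots are constructed samples modelled on the description above, not captures from an infected host; the registry value names and their meanings (Hidden, HideFileExt) are the real ones.

```python
"""Triage helpers for the Win32.Worm.Autorun.TF indicators.

Added example, not BitDefender's code.  All inputs below are constructed.
"""
import re

# Key whose values control what Explorer displays (real key and value names).
# Hidden: 1 = show hidden files, 2 = do not show them.  HideFileExt: 1 = hide.
EXPLORER_ADVANCED_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed autorun.inf modelled on the text above (not a real capture).
SAMPLE_AUTORUN_INF = r"""; constructed sample
[autorun]
open=ntdetect.exe
shellexecute="ntdetect.exe" /silent
shell\open\command=ntdetect.exe
icon=ntdetect.exe,0
"""

# Constructed root-directory listing of a drive on an "infected" host.
SAMPLE_ROOT_LISTING = ["autorun.inf", "boot.ini", "boot.ini.ini", "NTDETECT.COM",
                       "ntdetect.exe", "ntldr", "Documents and Settings"]


def parse_autorun_inf(text):
    """Return the keys of the [autorun] section, lower-cased, as a dict."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        k, v = line.split("=", 1)
        keys[k.strip().lower()] = v.strip()
    return keys


def autorun_launch_targets(keys):
    """File names (no path) that open=, shellexecute= or shell\\*\\command= would run."""
    targets = set()
    for k, v in keys.items():
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            m = re.match(r'\s*(?:"([^"]+)"|(\S+))', v)  # first token, quoted or bare
            prog = (m.group(1) or m.group(2)) if m else ""
            if prog:
                targets.add(prog.split("\\")[-1].lower())
    return targets


def triage_drive_root(autorun_text, root_listing):
    """Human-readable findings for one drive root; empty list means nothing matched."""
    findings = []
    present = {n.lower() for n in root_listing}
    for target in autorun_launch_targets(parse_autorun_inf(autorun_text)):
        if target.endswith(".exe") and target in present:
            findings.append(f"autorun.inf launches {target} from the drive root")
    if "ntdetect.exe" in present:
        findings.append("ntdetect.exe in drive root (mimics NTDETECT.COM)")
    if "boot.ini.ini" in present:
        findings.append("boot.ini.ini in drive root (Autorun.TF log file)")
    return findings


def explorer_hiding_indicators(advanced_values):
    """Settings under EXPLORER_ADVANCED_KEY that keep the worm's files out of sight.

    advanced_values: value-name -> DWORD, e.g. read with winreg on a live host.
    HideFileExt=1 is also the stock default, so on its own it is a weak signal.
    """
    findings = []
    if advanced_values.get("Hidden") == 2:
        findings.append("Hidden=2: hidden files not displayed")
    if advanced_values.get("HideFileExt") == 1:
        findings.append("HideFileExt=1: file extensions not shown")
    return findings


def settings_reverted(desired, observed):
    """Value names that did not stay at the analyst-chosen setting.

    Set Hidden=1 / HideFileExt=0, re-read the key a second later and pass both
    dicts here: anything that flipped back is being re-written in a tight loop,
    which is exactly the 125 ms behaviour described above.
    """
    return sorted(k for k, v in desired.items() if observed.get(k) != v)


if __name__ == "__main__":
    for line in triage_drive_root(SAMPLE_AUTORUN_INF, SAMPLE_ROOT_LISTING):
        print(line)
    print(settings_reverted({"Hidden": 1, "HideFileExt": 0}, {"Hidden": 2, "HideFileExt": 0}))
```

The revert check is the one that separates this worm from a merely misconfigured machine: a user-set preference stays put, while a value that returns to the worm's choice within a second is being enforced by a running process.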

If the user starts the Registry Editor or Task Manager, the worm kills them immediately: it scans the titles of all open windows for the strings "registry editor" or "windows task manager". If a window whose title contains "folder options" is opened, it minimizes it and changes its title to "Registry error!".

The worm has an odd way of stopping or removing itself, probably a remnant of the author's debugging. It checks window titles for the strings "! Exit" or "! Restore". If one is found, it changes that window's title to "Type Exit Password" or "Type Restore Password" respectively, then waits for the window's title to change to the correct password: "M13Exit" stops the worm, and "M13Restore" makes it uninstall itself from the infected system.

Another command understood through this channel is "! ShowUsers", which makes the worm generate an *.html file listing the users it has infected so far.
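Because the worm both reads window titles (to find regedit, Task Manager and its own command strings) and writes them ("Registry error!", "Type Exit Password", ...), a snapshot of the open window titles is a cheap check for it. The code below is an added example for this review, not BitDefender's or the worm's code. It classifies titles into the three roles described above and, on Windows, collects live titles through user32.EnumWindows; elsewhere it falls back to a constructed title list. The matching on "registry editor", "windows task manager" and "folder options" is done case-insensitively, which is an assumption (the text gives the strings in lower case, but the real window titles are capitalized).

```python
"""Window-title indicators of Win32.Worm.Autorun.TF.

Added example, not BitDefender's code.  SAMPLE_TITLES is a constructed
stand-in for a live EnumWindows result.
"""
import sys

# Substrings the worm looks for before killing or retitling a window
# (case-insensitive match is an assumption, see lead-in).
TAMPER_TARGETS = ("registry editor", "windows task manager", "folder options")
# Titles the worm itself writes; seeing one is a strong sign it is running.
WORM_SET_TITLES = ("Registry error!", "Type Exit Password", "Type Restore Password")
# Strings the worm treats as commands addressed to it.
COMMAND_TITLES = ("! Exit", "! Restore", "! ShowUsers")


def classify_title(title):
    """Tag one window title, or return None when it is of no interest.

    'marker'  - string written by the worm itself
    'command' - would be interpreted by the worm as a command
    'target'  - the worm kills or retitles this window
    """
    if title in WORM_SET_TITLES:
        return "marker"
    if title in COMMAND_TITLES:
        return "command"
    low = title.lower()
    if any(s in low for s in TAMPER_TARGETS):
        return "target"
    return None


def scan_titles(titles):
    """Return [(title, tag)] for every title of interest, in input order."""
    return [(t, classify_title(t)) for t in titles if classify_title(t)]


def enumerate_window_titles():
    """Titles of all top-level windows via user32.EnumWindows (Windows only)."""
    if sys.platform != "win32":
        raise OSError("EnumWindows is only available on Windows")
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    proc_t = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    titles = []

    def cb(hwnd, _lparam):
        n = user32.GetWindowTextLengthW(hwnd)
        if n:
            buf = ctypes.create_unicode_buffer(n + 1)
            user32.GetWindowTextW(hwnd, buf, n + 1)
            titles.append(buf.value)
        return True  # keep enumerating

    user32.EnumWindows(proc_t(cb), 0)
    return titles


# Constructed snapshot: what EnumWindows might return on an infected desktop.
SAMPLE_TITLES = [
    "Untitled - Notepad",
    "Registry Editor",
    "Windows Task Manager",
    "Registry error!",
    "! Restore",
    "C:\\WINDOWS\\system32\\cmd.exe",
]

if __name__ == "__main__":
    try:
        titles = enumerate_window_titles()
    except OSError:
        titles = SAMPLE_TITLES
    for title, tag in scan_titles(titles):
        print(f"{tag:8s} {title}")
```

On a live host a "marker" hit is the most useful result: "Registry error!" is not a title any legitimate Windows dialog uses, and the worm only writes it after it has already interfered with a Folder Options window. The "target" hits show which of the analyst's own tools the worm will close the moment they are opened, which is why a triage tool should avoid those title strings.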


Trojan.Dialer.VYA

The malware downloads a text file from "http://91.[removed].122/Dialer_Min/number.asp" to "c:\windows\number.txt". "number.txt" contains a single premium-rate phone number, picked at random from a list on the server. If a modem is attached to the computer, that number is dialed, inflating the victim's phone bill.

Information in this article is provided courtesy of BitDefender virus researchers Lutas Andrei Vlad and Horea Coroiu.
