BitDefender weekly review – More fakeav and pws
Trojan.PWS.OnlineGames.KCWP
When executed, this malware creates a copy of itself as herss.exe and registers that copy to run at startup by modifying the registry.
It then drops a .dll file into %TEMP%, under the name cvasds[random_digit].dll, and injects it into every running process.
This dll is the actual password-stealing component. Among the targeted games are the usual MapleStory, The Lord Of The Rings Online, Knight Online and Dekaron. The gathered data is sent to a number of IP addresses hardcoded inside the .dll file.
Both components of the malware are packed using the NSAnti packer in order to
avoid AV detection.
Trojan.Downloader.FakeAlert.DK
This e-threat's only purpose is to download fake-AV applications onto the victim's computer.
When executed, it will perform the following actions:
- unpack its main body, which resides inside the .data section
- check whether Antivirus PRO 2010 is already "installed" on the machine, by looking for its traces in the registry
- make copies of itself inside Documents and Settings\[user-name]\Application Data, as seres.exe and svcst.exe
- add the two executables to the registry's startup keys
- execute svcst.exe
The new process creates a new instance of the malware by running seres.exe. These two processes make sure that the malware is running at all times on the attacked computer: if one of them is terminated, the other relaunches it.
The infamous little red cross icon then appears in the system tray, and fake-alert notification messages are displayed from a separate thread running inside the malware: "Your computer is infected!", "Windows has detected spyware infection!", "It is recommended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.", "Click here to protect your computer from spyware!".
The downloaded "antispyware" software is obviously nothing but the fake security application Antivirus Pro 2010, which can be downloaded from various sources. The file is placed at Documents and Settings\[user-name]\Application Data\lizkavd.exe or at %windir%\Application Data\lizkavd.exe.
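The dropped files and the registry start-up persistence described for both families above are exactly the artefacts an incident responder looks for first. The script below is an added example (not BitDefender's code) that runs those checks over a constructed host snapshot, a dict of Run-key values and a list of file paths of the kind you would get from a registry export and a directory listing, so it runs offline on any OS. The indicator file names come from the write-up; the specific Run keys, the herss.exe location and all snapshot values are assumptions made for the demonstration.

```python
"""Triage check for the artefacts described above (added example, not BitDefender code).

Works on a constructed snapshot of a host rather than the live registry, so it
runs offline on any platform.
"""
import ntpath
import re
from dataclasses import dataclass

# Standard Windows auto-start Run keys. The write-up says both families use the
# registry start-up keys but does not name which ones, so this set is an assumption.
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# File-name indicators taken from the write-up, grouped by family.
FILE_INDICATORS = {
    "Trojan.PWS.OnlineGames.KCWP": [
        re.compile(r"^herss\.exe$", re.I),
        re.compile(r"^cvasds\d\.dll$", re.I),   # cvasds[random_digit].dll dropped in %TEMP%
    ],
    "Trojan.Downloader.FakeAlert.DK": [
        re.compile(r"^seres\.exe$", re.I),
        re.compile(r"^svcst\.exe$", re.I),
        re.compile(r"^lizkavd\.exe$", re.I),    # the downloaded Antivirus Pro 2010 payload
    ],
}


@dataclass
class Finding:
    family: str
    kind: str       # "run-key" or "file"
    name: str       # matched file name
    location: str   # registry value or file path


def run_value_basename(data: str) -> str:
    """Extract the executable name from a Run value.

    Handles quoted paths ('"C:\\dir\\x.exe" /arg') and unquoted paths that
    contain spaces ('C:\\Documents and Settings\\u\\x.exe').
    """
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", data, re.I)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(path)


def match_family(name: str):
    """Return the family whose indicator list matches this file name, else None."""
    for family, patterns in FILE_INDICATORS.items():
        if any(p.match(name) for p in patterns):
            return family
    return None


def triage(run_values: dict, file_paths: list) -> list:
    """Return a Finding for every Run value or file path that matches an indicator."""
    findings = []
    for key, values in run_values.items():
        if key not in RUN_KEYS:
            continue
        for value_name, data in values.items():
            name = run_value_basename(data)
            family = match_family(name)
            if family:
                findings.append(Finding(family, "run-key", name, f"{key}\\{value_name} = {data}"))
    for path in file_paths:
        name = ntpath.basename(path)
        family = match_family(name)
        if family:
            findings.append(Finding(family, "file", name, path))
    return findings


def remediation_notes(findings: list) -> list:
    """Cleanup caveats that follow from the behaviour described in the write-up."""
    names = {f.name.lower() for f in findings}
    notes = []
    if {"seres.exe", "svcst.exe"} <= names:
        notes.append("seres.exe and svcst.exe relaunch each other: stop both processes "
                     "together, then remove the files and their Run values.")
    if any(n.startswith("cvasds") for n in names):
        notes.append("cvasds[digit].dll is injected into every running process: after "
                     "removing the herss.exe Run value, restart the host so that no "
                     "process still holds the DLL.")
    return notes


# Constructed snapshot of an infected host (values are made up for the example;
# the herss.exe location is an assumption, the write-up does not state it).
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "seres": r'"C:\Documents and Settings\alice\Application Data\seres.exe"',
        "svcst": r"C:\Documents and Settings\alice\Application Data\svcst.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "herss": r"C:\WINDOWS\system32\herss.exe",
    },
}
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\cvasds7.dll",
    r"C:\Documents and Settings\alice\Application Data\lizkavd.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    found = triage(SAMPLE_RUN_VALUES, SAMPLE_FILES)
    for f in found:
        print(f"[{f.family}] {f.kind}: {f.location}")
    for note in remediation_notes(found):
        print("NOTE:", note)
```

On a real host you would feed `triage` the output of a `reg export` of the Run keys and a listing of %TEMP% and each user's Application Data folder; the mutual-watchdog note matters because deleting seres.exe while svcst.exe is still running just gets it rewritten.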
Here are a few examples of URLs from which the malware is downloaded:
hxxp://[removed]dferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha
hxxp://[removed]erhpabewuit.com/id1Ci0j5t8yv0MsB4D6O7Tn
hxxp://[removed]torswabure.com/byK1aKH0a5afM8om0mwB4/6fa7K
hxxp://[removed]bunerkadosa.com/SYp1Bt0M5h8oL0Ta4One6Qnc7Gs
hxxp://[removed]amerkafdolo.com/id1F0x5UUG8xsY0u4pFq6X7pi
hxxp://[removed]rtugabusrav.com/Y1Zh0s5Ske8p0pi4bAR6OT7O
hxxp://[removed]ertaguboert.com/YLz1T0fC5VaT8fb0X4AH6op7Y
hxxp://[removed]okaveanubares.com/LVN1GL0Pu5RwQ8RK0WeT4j6Ifj7oJX
hxxp://[removed]ropihdertan.com/w1W0sT5wM8V0SUs4tU6AB7zOc
Behind any of these links lies the same executable file (currently detected as Trojan.FakeAV.UO), which will be installed on the affected computer after being downloaded.
Note: [user-name] represents the actual user-name of the logged-on user.
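The URL list above is printed defanged: "hxxp" breaks the scheme so the links cannot be clicked, and "[removed]" redacts a leading part of each host. The script below, an added example that is not BitDefender's code, turns those nine entries into host suffixes and checks proxy log lines against them. It matches hosts by plain string suffix rather than by DNS label, because the redaction may hide part of a label rather than a whole subdomain; that is deliberately loose, so review hits before blocking. The squid-style log lines, the hosts they contain and the IP addresses are all constructed for the example.

```python
"""Build a host watch-list from the defanged URLs above and scan proxy logs against it
(added example, not BitDefender code; log lines below are constructed)."""
import re

# The nine URLs exactly as printed in the write-up (still defanged).
DEFANGED_URLS = [
    "hxxp://[removed]dferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha",
    "hxxp://[removed]erhpabewuit.com/id1Ci0j5t8yv0MsB4D6O7Tn",
    "hxxp://[removed]torswabure.com/byK1aKH0a5afM8om0mwB4/6fa7K",
    "hxxp://[removed]bunerkadosa.com/SYp1Bt0M5h8oL0Ta4One6Qnc7Gs",
    "hxxp://[removed]amerkafdolo.com/id1F0x5UUG8xsY0u4pFq6X7pi",
    "hxxp://[removed]rtugabusrav.com/Y1Zh0s5Ske8p0pi4bAR6OT7O",
    "hxxp://[removed]ertaguboert.com/YLz1T0fC5VaT8fb0X4AH6op7Y",
    "hxxp://[removed]okaveanubares.com/LVN1GL0Pu5RwQ8RK0WeT4j6Ifj7oJX",
    "hxxp://[removed]ropihdertan.com/w1W0sT5wM8V0SUs4tU6AB7zOc",
]

# Accepts hxxp/hxxps (defanged) as well as http/https, with an optional [removed] marker.
_DEFANGED_HOST = re.compile(r"^(?:hxxps?|https?)://(?:\[removed\])?([^/:\s]+)", re.I)


def refang_domain(defanged: str) -> str:
    """'hxxp://[removed]example.com/path' -> 'example.com'.

    The result is a host *suffix*: '[removed]' stands for redacted leading
    characters, which may be a subdomain or part of the first label itself.
    """
    m = _DEFANGED_HOST.match(defanged.strip())
    if not m:
        raise ValueError(f"not a recognised defanged URL: {defanged!r}")
    return m.group(1).strip(".").lower()


def indicator_suffixes(urls=DEFANGED_URLS) -> list:
    """Sorted, de-duplicated host suffixes from a list of defanged URLs."""
    return sorted({refang_domain(u) for u in urls})


def host_matches(host: str, suffixes):
    """Return the suffix a host matches, or None. Suffix match is intentionally loose
    (both 'cdn.dferbotario.com' and 'xdferbotario.com' match 'dferbotario.com')."""
    host = host.lower()
    for s in suffixes:
        if host.endswith(s):
            return s
    return None


# Pulls the host out of the URL field of a proxy log line.
_LOG_HOST = re.compile(r"\bhttps?://([^/\s:]+)", re.I)


def scan_proxy_log(lines, suffixes) -> list:
    """Return (line_number, host, matched_suffix) for each line that requests an indicator host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_HOST.search(line)
        if not m:
            continue
        s = host_matches(m.group(1), suffixes)
        if s:
            hits.append((n, m.group(1).lower(), s))
    return hits


# Constructed squid-style access.log lines; hosts, clients and server IPs are made up.
SAMPLE_PROXY_LOG = [
    "1298812345.101    212 10.0.0.5 TCP_MISS/200 61234 GET http://cdn.dferbotario.com/X1j0uHc5Htr8Lw0i4Wv6Jz7Ha - DIRECT/203.0.113.7 application/octet-stream",
    "1298812345.402     18 10.0.0.5 TCP_HIT/200 4410 GET http://www.example.com/index.html - NONE/- text/html",
    "1298812346.010    190 10.0.0.9 TCP_MISS/200 61234 GET http://xtorswabure.com/byK1aKH0a5afM8om0mwB4/6fa7K - DIRECT/203.0.113.8 application/octet-stream",
    "1298812346.555     20 10.0.0.9 TCP_MISS/404 512 GET http://dferbotario.com.example.net/ - DIRECT/198.51.100.3 text/html",
]

if __name__ == "__main__":
    suffixes = indicator_suffixes()
    print("watch-list:", ", ".join(suffixes))
    for n, host, s in scan_proxy_log(SAMPLE_PROXY_LOG, suffixes):
        print(f"line {n}: {host} matches {s}")
```

The last sample line shows why the suffix check is anchored at the end of the host: "dferbotario.com.example.net" is not flagged, while a host that merely has extra characters in front of the printed domain is, which is the case the "[removed]" redaction leaves open.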
Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Lutas Andrei Vlad.
Copyright 2011. Site powered by Bitdefender