
Filed Under: WEEKLY REVIEW

BitDefender weekly review – Password stealers and mail bombers

11 September 2009

If you're playing Metin2, Flyff, MapleStory, Lord of the Rings Online, Knight Online, Guild Wars or Age of Conan, beware of the new account-stealing Trojan that is currently spreading in the wild. Also take note of another piece of malware that turns infected computers into spam relays.

Trojan.Autorun.ALG

The purpose of this Trojan is to steal login information for massively multiplayer online role-playing games (MMORPGs). When executed, the e-threat creates two files inside %temp%: herss.exe (a copy of itself) and cvasds0.dll, which is injected into every running process.

Additionally, it creates "3c.exe" and an autorun.inf file pointing at that executable in the root folder of every accessible drive. As a result, the Trojan is executed every time any of those drives is accessed.

It also makes registry changes to ensure that herss.exe is executed on every reboot, and disables the "Show hidden files and folders" option through a further registry change.

The injected DLL (cvasds0.dll) is responsible for the actual account stealing.
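
The autorun.inf entries described above are the indicator a defender can check on removable and fixed drives. The following is an added example, not BitDefender's code or part of the original write-up: it parses the [autorun] section of an autorun.inf, extracts every program the file would launch (the open and shellexecute keys and any shell\<verb>\command entry), and reports those that match the executables named here (3c.exe, herss.exe). The two sample autorun.inf texts are constructed for the demonstration; the benign one stands in for an ordinary vendor install disc.

```python
"""Added example: flag autorun.inf files whose launch entries point at the
executables named in the Trojan.Autorun.ALG write-up (3c.exe / herss.exe).
Sample autorun.inf contents below are constructed for the demonstration."""
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up: the Trojan drops 3c.exe into every
# drive root (herss.exe is the %temp% copy) and points autorun.inf at it.
KNOWN_BAD_EXECUTABLES = {"3c.exe", "herss.exe"}

# Keys in the [autorun] section that cause code execution when the drive is
# opened; shell\<verb>\command entries are matched separately below.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample resembling what the Trojan writes to a drive root.
MALICIOUS_SAMPLE = """[AutoRun]
open=3c.exe
shell\\open\\Command=3c.exe
shell\\explore\\Command=.\\3c.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed sample from a vendor install disc (not in the indicator list).
BENIGN_SAMPLE = """; installer autorun
[autorun]
open="setup.exe" /quiet
icon=setup.exe,0
"""


def parse_autorun(text: str) -> dict:
    """Return the key=value entries of the [autorun] section, keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command: str) -> str:
    """Program part of a command line: the quoted string or first whitespace-free token."""
    match = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    if not match:
        return ""
    return match.group(1) if match.group(1) is not None else match.group(2)


def launched_executables(entries: dict) -> list:
    """Lower-cased basenames of every program this autorun.inf would launch."""
    names = []
    for key, value in entries.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            program = first_token(value)
            if program:
                names.append(PureWindowsPath(program).name.lower())
    return names


def assess_autorun(text: str) -> list:
    """Sorted, de-duplicated list of known-bad executables this autorun.inf launches."""
    hits = {name for name in launched_executables(parse_autorun(text))
            if name in KNOWN_BAD_EXECUTABLES}
    return sorted(hits)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_autorun(sample))  # malicious ['3c.exe'] / benign []
```

To use it on a live system, read the autorun.inf from each drive root and pass its contents to assess_autorun; the indicator list is deliberately small here, so extend KNOWN_BAD_EXECUTABLES from your own intelligence rather than relying on the two names from this write-up alone. Note that the match is on the launched program's basename, so a path such as .\3c.exe or RECYCLER\3c.exe is caught as well.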


Trojan.Tofsee.AM

When the malware is run, it makes two copies of itself: %windir%\system32\[random-name].exe and %userprofile%\[random-name2].exe. Both are also added to the registry so that they are executed at every system startup.

Next, %windir%\system32\[random-name].exe is executed and the initial file is deleted using a .bat file. This executable modifies the security settings of Internet Explorer and adds itself to the Windows Firewall list of trusted (allowed) applications.

The malware tries to connect to the following servers to get new instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242.

The infected computer is then turned into a spam relay: an SMTP server and an e-mail generator are implemented in the malware body.
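
The two network behaviours described above, contact with the listed command servers and a workstation opening SMTP sessions to many hosts, are both visible in outbound connection logs. The following is an added example, not BitDefender's code or part of the original write-up: it reads a simple key=value firewall log (the format and every sample line are constructed), records which internal hosts reached any of the four addresses named here, and flags hosts that talk SMTP (port 25) to more than a threshold of distinct destinations while not being a known mail server. The mail-server allowlist and the threshold are assumptions to be replaced with your own values.

```python
"""Added example: spot Trojan.Tofsee.AM behaviour in outbound connection logs.
Two signals from the write-up: contact with the listed command servers, and a
workstation opening SMTP (port 25) sessions to many hosts, i.e. acting as a
spam relay. The log format and all sample lines are constructed."""
from collections import defaultdict

# Command-and-control addresses named in the write-up.
C2_SERVERS = {"193.27.246.157", "212.95.32.52", "89.107.104.110", "213.155.7.242"}

# Assumed: the only internal host that legitimately sends mail to the Internet.
MAIL_SERVERS = {"10.0.0.5"}

# Assumed: distinct external SMTP destinations before a host is called a relay.
SMTP_RELAY_THRESHOLD = 3

# Constructed outbound-connection log (documentation address ranges only).
SAMPLE_LOG = """\
ts=2009-09-11T10:12:03 src=10.0.0.23 dst=193.27.246.157 dport=80 proto=tcp action=allow
ts=2009-09-11T10:12:09 src=10.0.0.40 dst=198.51.100.200 dport=443 proto=tcp action=allow
ts=2009-09-11T10:13:15 src=10.0.0.23 dst=198.51.100.10 dport=25 proto=tcp action=allow
ts=2009-09-11T10:13:16 src=10.0.0.23 dst=198.51.100.11 dport=25 proto=tcp action=allow
ts=2009-09-11T10:13:18 src=10.0.0.23 dst=203.0.113.7 dport=25 proto=tcp action=allow
ts=2009-09-11T10:13:21 src=10.0.0.23 dst=203.0.113.9 dport=25 proto=tcp action=allow
ts=2009-09-11T10:14:02 src=10.0.0.5 dst=198.51.100.10 dport=25 proto=tcp action=allow
ts=2009-09-11T10:14:30 src=10.0.0.40 dst=213.155.7.242 dport=80 proto=tcp action=deny
malformed line that the parser must skip
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; lines lacking src/dst/dport are dropped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields if {"src", "dst", "dport"} <= set(fields) else {}


def analyze(log_text: str) -> dict:
    """Per-source findings: C2 contacts and spam-relay-like SMTP fan-out."""
    c2_contacts = defaultdict(set)   # src -> C2 addresses it tried to reach
    smtp_targets = defaultdict(set)  # src -> distinct hosts it spoke SMTP to
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        src, dst = rec["src"], rec["dst"]
        # Even a denied attempt to reach a C2 address is worth knowing about.
        if dst in C2_SERVERS:
            c2_contacts[src].add(dst)
        # Only completed SMTP sessions from non-mail hosts count toward fan-out.
        if rec["dport"] == "25" and rec.get("action") == "allow" and src not in MAIL_SERVERS:
            smtp_targets[src].add(dst)

    findings = {}
    for src, ips in c2_contacts.items():
        findings.setdefault(src, {})["c2_servers"] = sorted(ips)
    for src, dsts in smtp_targets.items():
        if len(dsts) >= SMTP_RELAY_THRESHOLD:
            findings.setdefault(src, {})["smtp_fanout"] = len(dsts)
    return findings


if __name__ == "__main__":
    for host, detail in sorted(analyze(SAMPLE_LOG).items()):
        print(host, detail)
```

In the constructed log, 10.0.0.23 shows both signals (it reached one C2 address and then opened SMTP sessions to four different hosts), 10.0.0.40 only attempted a C2 connection that the firewall denied, and the mail server 10.0.0.5 is not reported. The C2 address list is the one from this write-up; treat it as a starting point, since such infrastructure changes quickly, and the SMTP fan-out check catches the relay behaviour independently of the addresses.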

Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.
