BitDefender weekly review: Password stealing galore
Trojan.Spy.Zeus.W
This version of the Zeus bot tries to trick users into executing it by displaying the icon of a *.chm (Microsoft Compiled Help File) as its own icon. The file is generally distributed by spam messages built around various lures (pornography, cataclysmic events, etc.).
After decryption, BitDefender engines detect the resulting file as Trojan.Spy.Zeus.C. Its first action is to inject code into "winlogon.exe", which allows it to run and manipulate the filesystem undetected.
It copies itself to "%windir%\system32\sdra64.exe" with a different size and creates a folder "lowsec" in which it drops three files containing encrypted data. All of these files are hidden from Windows Explorer.
Trojan.Spy.Zeus.W also creates registry keys so that it is executed at every system startup, and a mutex to mark its presence.
The Zeus family can be used for stealing information (mostly online banking authentication details), remote control and spamming.
Trojan.PWS.OnlineGames.KBXS
This password stealer comes bundled inside another application that is used to remove certain security features. The dropper is detected as PWS.OnlineGames.KBZA; after execution it copies "%windir%\system32\sfc_os.dll" (used by Windows to protect files) to "%windir%\system32\mmsfc1.dll". It then calls a certain function from "mmsfc1.dll" in order to overwrite "%windir%\system32\comres.dll" with its own, encrypted, DLL (the password stealer). The original "comres.dll" is saved as "%windir%\system32\sysGHT.dll".
The new "comres.dll" is injected into every running process and monitors the user's keystrokes and mouse gestures. The final goal of the application is to steal authentication data from QQ Login, Dungeon and Fighter and Tenio.
A copy of the password stealer (the replaced comres.dll) is also created in "%windir%\fOntS"; this copy is injected into all processes the first time the PC gets infected. After a reboot the replaced "comres.dll" is launched by the system automatically.
The component responsible for sending the gathered information is also dropped inside "%windir%\fOntS" as the file GHT60366.ttf, detected by BitDefender as Trojan.PWS.OnlineGames.KBXJ.
Usernames, passwords, server, in-game currency, equipment, level and so on are sent to web pages located at:
http://www.wg210.com/mail.asp
http://www.wg210.com/mibao.asp
http://1.qq594358080.cn/kanxin/004/mail.asp
After a successful infection, the dropper deletes itself.
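The host and network indicators quoted in both write-ups above (the Zeus drop locations, the replaced comres.dll with its helper files, and the three exfiltration URLs) can be triaged against a file inventory, a proxy log and a list of autorun entries with the script below. It is an added example, not BitDefender's code; the paths and URLs are taken from this page, while the inventory records, proxy-log lines, file sizes, addresses and autorun value names are constructed sample data, and treating a startup entry that references sdra64.exe as the Zeus persistence is an assumption, since the page does not name the registry keys it creates.

```python
"""Triage helper for the indicators described in this review (added example).
Paths and URLs come from the write-up; all sample records are constructed."""
import re
from urllib.parse import urlsplit

# File-system indicators quoted in the write-up (matched case-insensitively;
# a folder entry also matches everything beneath it).
FILE_IOCS = {
    r"%windir%\system32\sdra64.exe": "Trojan.Spy.Zeus.W copy of itself",
    r"%windir%\system32\lowsec": "Zeus folder holding encrypted data files",
    r"%windir%\system32\mmsfc1.dll": "copied sfc_os.dll used to overwrite comres.dll",
    r"%windir%\system32\sysGHT.dll": "backup of the original comres.dll",
    r"%windir%\fOntS\GHT60366.ttf": "Trojan.PWS.OnlineGames.KBXJ sender component",
}

# Exfiltration endpoints quoted in the write-up.
URL_IOCS = {
    "http://www.wg210.com/mail.asp",
    "http://www.wg210.com/mibao.asp",
    "http://1.qq594358080.cn/kanxin/004/mail.asp",
}
C2_HOSTS = {urlsplit(u).hostname for u in URL_IOCS}


def normalise(path):
    """Lower-case a concrete Windows path and fold the system drive onto %windir%."""
    p = path.replace("/", "\\").lower()
    return re.sub(r"^[a-z]:\\windows", "%windir%", p)


def scan_inventory(lines):
    """lines: constructed 'path|size|attrs' records. Returns (path, reason) findings."""
    seen = {}
    for line in lines:
        path, size, attrs = line.strip().split("|")
        seen[normalise(path)] = (int(size), attrs.upper())
    findings = []
    for norm, (_, attrs) in seen.items():
        for ioc, why in FILE_IOCS.items():
            low = ioc.lower()
            if norm == low or norm.startswith(low + "\\"):
                # The write-up says the Zeus drops are hidden from Explorer.
                hidden = " (hidden)" if "H" in attrs else ""
                findings.append((norm, why + hidden))
    # comres.dll is a legitimate system file, so on its own it means nothing; the
    # sfc_os.dll copy plus the sysGHT.dll backup is the tell that it was swapped.
    if (r"%windir%\system32\mmsfc1.dll" in seen
            and r"%windir%\system32\sysght.dll" in seen
            and r"%windir%\system32\comres.dll" in seen):
        findings.append((r"%windir%\system32\comres.dll",
                         "probably replaced by the password stealer"))
    return findings


def scan_proxy_log(lines):
    """lines: constructed 'timestamp src method url status bytes' records.
    Returns (src, url, kind): 'exact' for a listed URL, 'host' for any other
    request to one of the listed hosts."""
    hits = []
    for line in lines:
        _, src, _, url, _, _ = line.split()
        if url in URL_IOCS:
            hits.append((src, url, "exact"))
        elif urlsplit(url).hostname in C2_HOSTS:
            hits.append((src, url, "host"))
    return hits


def scan_autoruns(entries):
    """entries: {value_name: command}. Flags startup entries launching sdra64.exe
    (assumption: the page does not say which key Zeus uses)."""
    return [name for name, cmd in entries.items() if "sdra64.exe" in cmd.lower()]


# Constructed sample data: sizes, attributes, timestamps, addresses and the
# autorun value names are made up; only the indicator paths/URLs are from the page.
SAMPLE_INVENTORY = [
    r"C:\Windows\system32\sdra64.exe|103424|HS",
    r"C:\Windows\system32\lowsec\data1.bin|2048|H",
    r"C:\Windows\system32\notepad.exe|69120|A",
    r"C:\Windows\system32\mmsfc1.dll|139264|A",
    r"C:\Windows\system32\sysGHT.dll|84992|A",
    r"C:\Windows\system32\comres.dll|45056|A",
    r"C:\Windows\fOntS\GHT60366.ttf|30720|H",
]
SAMPLE_PROXY_LOG = [
    "2011-03-01T10:22:05 10.0.0.7 POST http://www.wg210.com/mail.asp 200 1432",
    "2011-03-01T10:22:09 10.0.0.7 GET http://www.example.com/index.html 200 5120",
    "2011-03-01T10:23:41 10.0.0.12 POST http://www.wg210.com/other.asp 404 311",
    "2011-03-01T10:24:02 10.0.0.12 POST http://1.qq594358080.cn/kanxin/004/mail.asp 200 980",
]
SAMPLE_AUTORUNS = {"Updater": r"C:\Windows\system32\sdra64.exe",
                   "SoundMan": r"C:\Windows\SOUNDMAN.EXE"}


def triage():
    """Run all three checks over the constructed samples."""
    return {"files": scan_inventory(SAMPLE_INVENTORY),
            "network": scan_proxy_log(SAMPLE_PROXY_LOG),
            "autoruns": scan_autoruns(SAMPLE_AUTORUNS)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

The comres.dll check is deliberately conditional: because the stealer overwrites a legitimate system file in place, the file's presence is not an indicator by itself, and only the leftover sfc_os.dll copy and the sysGHT.dll backup make the replacement visible from an inventory alone. The proxy check reports any request to the two listed hosts, not just the three exact URLs, because the same host may serve further collection pages.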
Information in this article is available courtesy of BitDefender virus researchers: Stefan Catalin Hanu and Dana Stanut
Copyright 2011. Site powered by Bitdefender