BitDefender weekly review – Rogues and thieves

05 October 2009
People playing Flyff, Mentin2, Age of Conan, Runewaker, Lord of the Rings Online, Knight Online, WoW, Cabal Online and MapleStory should be cautious when logging in, since a new version of last week's password stealer is running amok.

Trojan.FakeAV.SQ

Fake AV Trojan

This e-threat is a well-known and widespread type of malware. "Fake AV" and "rogue security software" are two names for the same concept, and it has been discussed at length in the past. Please refer to our other pages on the subject for more information.

Besides the classic routine of reporting nonexistent infections (the only real infection being the rogue itself) and demanding that the victim buy the product to get rid of them, this rogue also downloads other malware to the computer.

Before installation there is a confirmation message which reads: "This program will download and install Total Security on your PC."

The malware makes changes to the registry so that it is executed at every system startup. To protect itself it kills many of the tools used by malware researchers: it regularly iterates the list of running processes and checks their window names against a list of targets. If a targeted process is found, it is killed, an error message is shown to the user, and the tool's file is deleted from disk.

The rogue "Total Security" is part of the "XP Antivirus" family.


Worm.Generic.88465

When executed, the malware copies itself to the victim's %temp% folder under the name "herss.exe" and drops "cvasds[number].dll" next to it, where [number] is usually 0, e.g. "cvasds0.dll". It then injects the dropped DLL into the memory space of explorer.exe and of every process that has explorer.exe as its parent.

It then creates a new entry in the registry under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", named "cdoosoft", and sets its value to "%temp%\herss.exe", making sure the malware runs each time the computer starts.

The injected DLL monitors user activity and steals sensitive data from MMORPG games; the stolen information is sent to several different servers. It also copies "%temp%\herss.exe" under the name "lhh3v.exe" into the root folder of every drive, including removable devices, together with an "autorun.inf" file. The "autorun.inf" file is responsible for running "lhh3v.exe" when the drive is opened in Explorer. After running its malicious code, the malware opens the folder the user requested, so as not to arouse suspicion.

The injected DLL also contains another embedded DLL which can disable the update service of several antivirus products, leaving the victim vulnerable to other malware.
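
The persistence and spreading artifacts described above (the rogue's startup entry, the worm's "cdoosoft" Run value pointing into %temp%, and the "autorun.inf" in each drive root) are concrete enough to check for. The script below is an added example for this writeup, not BitDefender's code; it triages two artifacts offline: a fragment of a .reg export of the HKLM Run key, and autorun.inf files. It generalises beyond the specific names: any autostart entry launched from a temp directory and any autorun.inf that launches an executable are flagged, with the writeup's file names treated as known-bad. All inputs are constructed; the names herss.exe, cdoosoft, lhh3v.exe and cvasds0.dll come from the writeup, while the exact autorun.inf layout and the benign entries are assumptions.

```python
import re

# Constructed sample: a `reg export` fragment of the HKLM Run key as it would
# look with the "cdoosoft" entry from the writeup next to a benign entry.
SAMPLE_RUN_KEY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"cdoosoft"="%temp%\\herss.exe"
'''

# Constructed sample: an autorun.inf of the kind the worm leaves in a drive
# root. The key names are standard autorun.inf keys; the worm's exact file
# content is not reproduced in the writeup, so this layout is an assumption.
SAMPLE_AUTORUN_INF = r'''[autorun]
open=lhh3v.exe
shell\open\Command=lhh3v.exe
shell\explore\command=lhh3v.exe
shellexecute=lhh3v.exe
'''

# Constructed benign samples: an installer disc and an icon/label-only file.
INSTALLER_AUTORUN_INF = "[AutoRun]\nopen=setup.exe\nicon=setup.exe,0\n"
CLEAN_AUTORUN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor Disc\n"

# Autostart from a temp directory is the generic signal behind herss.exe.
TEMP_MARKERS = ("%temp%", "\\temp\\", "\\tmp\\", "\\local settings\\temp")
# File names given in the writeup (specific IOCs, narrower than the heuristic).
KNOWN_BAD_NAMES = {"herss.exe", "lhh3v.exe", "cvasds0.dll"}

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_key(reg_text):
    """Return {value_name: command} for the HKLM Run key in a .reg export."""
    entries = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.lower() == RUN_KEY.lower()
            continue
        m = REG_VALUE.match(line) if in_run else None
        if m:
            # .reg exports double every backslash; undo that to get the path.
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def suspicious_run_entries(entries):
    """Names of Run values that launch from a temp dir or a known-bad file."""
    hits = []
    for name, command in entries.items():
        cmd = command.lower()
        tail = re.split(r"[\\/]", cmd)[-1].split()
        exe = tail[0].strip('"') if tail else ""
        if exe in KNOWN_BAD_NAMES or any(t in cmd for t in TEMP_MARKERS):
            hits.append(name)
    return hits


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    values = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def autorun_launch_targets(values):
    """Executables the file would launch via open, shellexecute or shell\\*\\command."""
    targets = set()
    for key, value in values.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        parts = value.split()
        if parts and (key in ("open", "shellexecute") or is_verb):
            targets.add(parts[0].strip('"').lower())
    return targets


def assess_autorun(text):
    """Verdict for an autorun.inf: 'no-launch', 'launches' or 'known-bad'."""
    targets = autorun_launch_targets(parse_autorun_inf(text))
    if not targets:
        return ("no-launch", targets)
    if targets & KNOWN_BAD_NAMES:
        return ("known-bad", targets)
    return ("launches", targets)


if __name__ == "__main__":
    run = parse_run_key(SAMPLE_RUN_KEY)
    print("Run entries:", run)
    print("Suspicious Run values:", suspicious_run_entries(run))
    for label, inf in (("worm", SAMPLE_AUTORUN_INF),
                       ("installer", INSTALLER_AUTORUN_INF),
                       ("clean", CLEAN_AUTORUN_INF)):
        print(label, assess_autorun(inf))
```

On a real machine the Run-key text would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and the autorun.inf from each drive root; note that "launches" is only a prompt to look, since installer discs legitimately use `open=`, whereas an autorun.inf on a USB stick pointing at an executable in the root is exactly the pattern this worm uses.
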

Trojan.PWS.OnlineGames.KCVU

This e-threat is directly related to Trojan.PWS.OnlineGames.KCVU described last week.

Information in this article is available courtesy of BitDefender virus researchers Daniel Chipiristeanu and George Cabau.