
BitDefender weekly review – Rogues and thieves

Date: 10/05/2009
Author: Andrei Bereczki

Players of Flyff, Mentin2, Age of Conan, Runewaker, Lord of the Rings Online, Knight Online, WoW, Cabal Online and MapleStory should be cautious when logging in, since a new version of last week's password stealer is running amok.

Trojan.FakeAV.SQ

Fake AV Trojan

This e-threat is a well-known and widespread type of malware. "Fake AV" and "rogue security software" are two names for the same concept, which has been discussed at length in the past; please refer to our other pages on the subject for more information.

Besides the classic routine of detecting nonexistent infections on the victim's PC and demanding that the product be purchased to remove them, this rogue also downloads other malware onto the computer.

Before installation a confirmation message is shown, reading: "This program will download and install Total Security on your PC."

The malware modifies the registry so that it is executed at every system startup. To protect itself it disables many tools used by malware researchers: it regularly iterates the list of running processes and checks for specific window names. If a targeted process is found, it is killed, an error message is shown to the user and the process's file is deleted.

The rogue "Total Security" is part of the "XP Antivirus" family.

 

Worm.Generic.88465

When executed, the malware copies itself to the victim's %temp% folder as "herss.exe" and drops "cvasds[number].dll" there, where [number] is usually 0 (e.g. "cvasds0.dll"). It then injects the dropped DLL into the address space of explorer.exe and of every process whose parent is explorer.exe.

It then creates a value named "cdoosoft" under "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and sets it to "%temp%\herss.exe", ensuring the malware runs each time the computer starts.
 
The injected DLL monitors user activity and steals credentials for MMORPG games; the stolen information is sent to several servers. It also copies "%temp%\herss.exe" to the root folder of every drive, including removable devices, under the name "lhh3v.exe", together with an "autorun.inf" file that launches "lhh3v.exe" when the drive is opened in Explorer. After running its malicious code, the malware opens the folder the user requested, to avoid arousing suspicion.

The injected DLL also contains another embedded DLL which can disable the update service of several antivirus products, leaving the victim vulnerable to other threats.
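
The two artefacts the worm description above leaves behind, a Run-key value that points into %temp% and an autorun.inf on each drive root that launches "lhh3v.exe", are easy to check for during triage. The following is an added example and is not BitDefender's code nor anything taken from the worm itself; the registry values and the autorun.inf it inspects are constructed samples, and the list of temp-folder patterns is an assumption about what a legitimate autostart entry almost never looks like.

```python
"""Added triage example (not BitDefender's code): flag a Run-key value that
points into a temp folder and an autorun.inf that launches a program from
the drive root. All sample data below is constructed, not captured."""
import ntpath
import re
from typing import Dict, List

# Constructed stand-in for the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# values, as a name -> data mapping (what a registry export would hand back).
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "cdoosoft": r"%temp%\herss.exe",  # the value described in the review
    "Updater": r'"C:\Documents and Settings\alice\Local Settings\Temp\cvasds0.exe" /s',
}

# Constructed autorun.inf in the shape the worm writes to each drive root.
SAMPLE_AUTORUN_INF = """[autorun]
open=lhh3v.exe
shell\\open\\Command=lhh3v.exe
shellexecute=lhh3v.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Assumed heuristic: program locations a legitimate autostart entry rarely uses.
TEMP_PATTERNS = [
    re.compile(r"^%(temp|tmp)%", re.I),
    re.compile(r"\\(local settings\\)?temp\\", re.I),
]

# autorun.inf keys Explorer honours to launch a program on open/double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def executable_of(command: str) -> str:
    """Return the program part of a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(values: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose program lives under a temp directory."""
    hits = [name for name, data in values.items()
            if any(p.search(executable_of(data)) for p in TEMP_PATTERNS)]
    return sorted(hits)


def autorun_launch_targets(inf_text: str) -> List[str]:
    """Programs an autorun.inf would launch, in order of first appearance."""
    targets: List[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in LAUNCH_KEYS:
            exe = executable_of(value)
            if exe and exe not in targets:
                targets.append(exe)
    return targets


def root_launched_executables(inf_text: str) -> List[str]:
    """Launch targets given as bare executable names, i.e. run from the drive root."""
    return [t for t in autorun_launch_targets(inf_text)
            if ntpath.dirname(t) == "" and t.lower().endswith(EXEC_EXTENSIONS)]


if __name__ == "__main__":
    print("Run-key values in a temp folder:", suspicious_run_values(SAMPLE_RUN_VALUES))
    print("autorun.inf launches from drive root:", root_launched_executables(SAMPLE_AUTORUN_INF))
```

The Run-key check treats any program under a temp folder as suspicious; that is a heuristic for triage, not proof of infection, so inspect the file it points to before acting. On Windows 7 and later with update KB971029 applied, Explorer no longer honours autorun.inf on non-optical removable media, so the autorun.inf check matters mainly for the XP-era systems this review targets.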

Trojan.PWS.OnlineGames.KCVU

This e-threat is directly related to the Trojan.PWS.OnlineGames.KCVU variant described last week.

Information in this article is available courtesy of BitDefender virus researchers Daniel Chipiristeanu and George Cabau.
