
Filed Under: WEEKLY REVIEW

BitDefender weekly review – Romania on the malware landscape

04 September 2009
This week we found clear traces, inside a chain of e-threats, that malware is actively being written in Romania. The first hint was a website spreading a Visual Basic script that attempted to exploit vulnerable Adobe plug-ins in Internet Explorer in order to infect the user with Backdoor.Ardu.A.

The website contains information about the Romanian celebrity "Elena Udrea", hence the name of the backdoor: Udrea - Ardu ("udrea" reversed, without the "e"). A comment string inside the backdoor's code also shows the Romanian origin of the malware writer. It reads: "link important de tinut sus", which translates to "important link to be held online".


Trojan.Downloader.VBS.DA

This small downloader is written in VBS and is embedded in websites to infect visitors. When it gains control, it attempts to download four files from the following location: http://love[removed].org/css. The files downloaded are:

- AutoCfg.exe - infected, detected by BitDefender as Backdoor.Ardu.A

- Instexnt.exe, Autoexnt.exe, Servmess.dll - clean files, used for running scripts before a user logs on

After downloading these files, it attempts to install the AutoExNT service and creates the file AutoExNT.bat, in which the infected application (AutoCfg.exe) is listed. This way, the malware is executed after every reboot, even if no user is logged on to that computer.


Backdoor.Ardu.A

This backdoor will most likely end up on a system after being downloaded by other malware (i.e. Trojan.Downloader.VBS.DA) under the name %windir%\system32\AutoCfg.exe.
It is nothing but a large executable that carries inside its overlay a Ruby interpreter, together with the runtime libraries it needs to run the malicious script. Once executed, it drops all these files into %temp% and runs them. The malware script performs the following actions:
- retrieve the local computer name
- retrieve the local user name
- retrieve the victim's IP address
- retrieve a file (ip.txt) from the following URL: http://www.run[removed].com/examples/ip.txt, which contains (as its name says) an IP address
- connect to that IP address on port 2009
- send the data gathered about the victim (IP address, computer name, user name)
- listen for commands that an attacker may send; if the command contains "Goodbye", the session is closed; any other command is appended to the file %windir%\system32\AutoCfg.bat (created by the malware)
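The ip.txt-then-port-2009 sequence above is a two-stage pattern a defender can correlate from proxy and connection logs. The following is an added example written for this review, not BitDefender's code; the log format, field order and sample hosts are constructed assumptions, and it flags only hosts that first fetched an ip.txt holding an IPv4 address and later connected to that same address on port 2009.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs (not real captures). Assumed field order:
# timestamp, source host, event kind, detail.
SAMPLE_LOG = """\
1 WS-01 http GET http://redacted.example/examples/ip.txt body=203.0.113.7
2 WS-01 tcp connect 203.0.113.7:2009
1 WS-02 http GET http://example.test/index.html body=hello
3 WS-02 tcp connect 198.51.100.9:2009
4 WS-03 http GET http://redacted.example/examples/ip.txt body=notanip
5 WS-03 tcp connect 203.0.113.7:2009
"""

HTTP_RE = re.compile(r"^(\d+) (\S+) http GET (\S+) body=(\S+)$")
TCP_RE = re.compile(r"^(\d+) (\S+) tcp connect (\S+):(\d+)$")
C2_PORT = 2009  # the port named in the write-up


def _as_ipv4(text):
    """Return the address if the fetched body is a bare IPv4 literal, else None."""
    try:
        return str(ipaddress.IPv4Address(text.strip()))
    except ipaddress.AddressValueError:
        return None


def parse_events(log_text):
    """Keep only ip.txt fetches and port-2009 connects, as (ts, host, kind, value)."""
    events = []
    for line in log_text.splitlines():
        h, t = HTTP_RE.match(line), TCP_RE.match(line)
        if h and h.group(3).endswith("/ip.txt"):
            events.append((int(h.group(1)), h.group(2), "ip_txt", h.group(4)))
        elif t and int(t.group(4)) == C2_PORT:
            events.append((int(t.group(1)), t.group(2), "c2_port", t.group(3)))
    return sorted(events)  # time order matters: the fetch must precede the connect


def find_ardu_beacons(log_text):
    """Return (host, address) pairs matching fetch-ip.txt-then-connect-on-2009."""
    fetched = defaultdict(set)  # host -> addresses pulled from ip.txt so far
    hits = []
    for _ts, host, kind, value in parse_events(log_text):
        if kind == "ip_txt":
            addr = _as_ipv4(value)
            if addr:
                fetched[host].add(addr)
        elif kind == "c2_port" and value in fetched[host]:
            hits.append((host, value))
    return hits
```

A bare port-2009 connection without the preceding ip.txt fetch (WS-02 in the sample) is deliberately not flagged here; it belongs in a lower-confidence alert.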


The bat file and the backdoor's executable are registered to run at every system startup.

Information in this article is available courtesy of BitDefender virus researcher Lutas Andrei Vlad.
