
BitDefender weekly review – Take care of your MSN

Date: 09/19/2009
Author: Andrei Bereczki

This week we have another online games password stealing Trojan that is encrypting the game names in its body really well in order to make it hard for security suites to determine its real purpose. Also MSN is targeted again as a spreading medium. A worm is sending messages with links to the whole contact list when someone is logging in to MSN from an infected computer.

Trojan.Dropper.Microjoin.WA

This Trojan is used to steal sensitive information from online games.

Every time the malware is executed, it drops a clean application named rxcf-green.exe and a malware file named xq.exe in %userprofile%\local settings\temp and runs both of them.

The malware (xq.exe) creates a malicious dll named [random].dll in %windir%\system32 and makes certain registry entries to ensure it will be loaded on every system boot.

The created DLL has a random 8-character name and a different size and overlay every time. It is injected into the memory space of explorer.exe and of every other application which has explorer.exe as its parent.

After that xq.exe will use a batch script to delete itself from the disk.


Win32.Worm.Autorun.SS

This worm tries to spread through MSN and USB removable devices.

When first executed, it checks its own filename and if it's not "sysdate.exe" it creates a folder in \RECYCLER, with the name starting with "S-1-5-21" and makes a copy of itself in it. Then it creates a Desktop.ini file to hide the executable from explorer.exe. If the filename is "sysdate.exe", it checks for the Desktop.ini file to ensure it's hidden and continues execution.

Sysdate.exe makes certain changes to the registry so that it gets executed every time the system boots, then injects code into the memory space of explorer.exe, which ensures that both "sysdate.exe" and "Desktop.ini" are shown as read-only.

If a USB stick is inserted into an infected computer, the worm creates a new folder called "temp" in the root folder of the drive and copies itself into it under the name "winsetup.exe". It hides the temp folder by creating another "Desktop.ini" file with special instructions inside it. It also creates an autorun.inf file which will execute the copy from the flash drive whenever it is inserted into any system that has the autorun feature enabled.
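The USB footprint described above (an autorun.inf at the drive root pointing at an executable, a Desktop.ini placed beside the dropped copy to hide it, and a \RECYCLER\S-1-5-21... folder holding sysdate.exe) is something an administrator can check a removable drive for without a signature. The following scanner is an added example written for this review; it is not BitDefender's code and not part of the original post. It builds a constructed replica of the worm's on-disk layout in a temporary directory (sample data, not a real infection), parses the autorun.inf for its open=/shellexecute= target, and flags folders where a Desktop.ini sits next to an executable or where an executable lives under a RECYCLER profile folder. The folder names, file names and the minimal autorun.inf contents are taken from the write-up; the exact Desktop.ini contents are not given there, so the scanner deliberately does not depend on them.

```python
"""Scan a removable-drive root for the on-disk indicators described in the
Win32.Worm.Autorun.SS write-up. Added example: not BitDefender's code."""
import os
import tempfile
from pathlib import Path

# Extensions treated as executable when they sit beside a Desktop.ini.
EXE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}


def parse_autorun(text):
    """Return the program named by an autorun.inf, or None.

    Only the [autorun] section's open=, shellexecute= and shell\\open\\command=
    keys are considered; icons, labels and comments are ignored."""
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() in ("open", "shellexecute", "shell\\open\\command"):
            tokens = value.strip().split()  # first token is the program, rest are arguments
            if tokens:
                return tokens[0].strip('"')
    return None


def is_executable_name(name):
    return Path(name).suffix.lower() in EXE_SUFFIXES


def scan_drive(root):
    """Walk a drive root and return a sorted list of (indicator, path) tuples."""
    root = Path(root)
    findings = []
    autorun = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if autorun is not None:
        target = parse_autorun(autorun.read_text(errors="replace"))
        if target is not None:
            findings.append(("autorun.inf launches", target.replace("\\", "/")))
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        exes = sorted(f for f in filenames if is_executable_name(f))
        has_desktop_ini = any(f.lower() == "desktop.ini" for f in filenames)
        if has_desktop_ini and exes:
            # the hiding trick: a Desktop.ini dropped next to the worm's copy
            findings.append(("Desktop.ini beside executable", (rel / exes[0]).as_posix()))
        parts = [p.lower() for p in rel.parts]
        if len(parts) >= 2 and parts[0] == "recycler" and parts[1].startswith("s-1-5-21") and exes:
            findings.append(("executable in RECYCLER profile folder", (rel / exes[0]).as_posix()))
    return sorted(findings)


def build_sample_drive(base):
    """Lay out a constructed replica of the worm's USB footprint (sample data):
    autorun.inf at the root, temp/winsetup.exe hidden by a Desktop.ini, a
    RECYCLER profile folder with sysdate.exe, and a benign photos folder whose
    Desktop.ini has no executable beside it (must not be flagged)."""
    root = Path(base)
    (root / "autorun.inf").write_text("[autorun]\nopen=temp\\winsetup.exe\n")
    temp = root / "temp"
    temp.mkdir()
    (temp / "winsetup.exe").write_bytes(b"MZ placeholder, not a real binary")
    (temp / "Desktop.ini").write_text("; constructed stand-in for the worm's Desktop.ini\n")
    rec = root / "RECYCLER" / "S-1-5-21-0000-1234"
    rec.mkdir(parents=True)
    (rec / "sysdate.exe").write_bytes(b"MZ placeholder, not a real binary")
    (rec / "Desktop.ini").write_text("; constructed stand-in for the worm's Desktop.ini\n")
    photos = root / "photos"
    photos.mkdir()
    (photos / "Desktop.ini").write_text("; ordinary folder customisation\n")
    (photos / "holiday.jpg").write_bytes(b"\xff\xd8")
    return root


def scan_sample_drive():
    """Build the constructed drive in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_drive(build_sample_drive(d))


if __name__ == "__main__":
    for indicator, path in scan_sample_drive():
        print(f"{indicator}: {path}")
```

Run against a real drive with `scan_drive("E:\\")` (or the mount point on a non-Windows host). A hit on any single indicator is worth a look, but the autorun.inf target pointing at an executable that also has a Desktop.ini beside it is the combination this write-up describes.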

Information in this article is available courtesy of BitDefender virus researcher George Cabau.
