BitDefender weekly review: The fight continues, the opponents are unworthy
Win32.Worm.VBS.J
This is a Visual Basic Script that is stored encrypted with a simple algorithm in order to hide its purpose. The first action it takes is to decrypt the actual body of the script, which is held in a string variable.
After decryption the worm performs the following actions:
- change the DisplayLogo and Timeout values of the Windows Script Host so that its execution is not noticed
- modify the registry so that two new options appear on the context menu when right-clicking an executable file: "Scan for virus,s" and "Open application". The first runs a copy of the worm located at %windir%\system32\regedit.sys, the second runs %windir%\win.exe (discussed later)
- modify the registry to hijack the execution of several security products, screensavers and other commercial applications, as well as debugging and system tools such as drwtsn32.exe, taskmgr.exe, regedit.exe and rstrui.exe. Instead of these programs, the worm's copy at %windir%\system32\regedit.sys is launched
The worm will also remove several backdoors and other malware from the computer it infected, so that it is the only malware present on the PC.
It will create an autorun.inf file on every removable drive so that it is executed when the drive is accessed.
The %windir%\win.exe file is a backdoor dropped by the worm to allow remote access to the attacker.
It also checks the registry and makes sure that Windows Script Host is not disabled, that hidden and system files are not shown in Explorer, that file extensions are hidden and that the autorun feature is enabled.
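As an added defender's check (not code from the BitDefender write-up), the following Python script audits a Windows .reg export for the tampering described above: the WSH DisplayLogo setting, the Explorer hidden-file and extension settings, extra context-menu verbs on exefile, and a Debugger value under Image File Execution Options for the hijacked tools. The key paths and the IFEO Debugger mechanism are assumptions, since the write-up names the values and tools but not the keys; the sample export is constructed.

```python
import re

# Constructed .reg export fragment (not captured from a real infection). Key paths are
# standard Windows locations assumed here: the write-up names the values and hijacked
# tools but not the keys, and the IFEO "Debugger" mechanism is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"DisplayLogo"="0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]
@="C:\\WINDOWS\\system32\\regedit.sys \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\regedit.sys"
'''
WSH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings"
ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ and REG_DWORD only)."""
    hive, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive[key] = {}
        elif key and line[:1] in ('"', "@"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')  # "" is the (Default) value
            hive[key][name] = (int(data[6:], 16) if data.startswith("dword:")
                               else re.sub(r'\\(["\\])', r"\1", data[1:-1]))  # unescape \" and \\
    return hive

def audit(text):
    """Return findings for the hiding and hijacking settings the write-up describes."""
    hive, findings = parse_reg(text), []
    if str(hive.get(WSH, {}).get("DisplayLogo", "1")) == "0":
        findings.append("WSH DisplayLogo=0: scripts run without the banner")
    adv = hive.get(ADV, {})
    if adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0 or adv.get("HideFileExt") == 1:
        findings.append("Explorer set to hide hidden/system files or file extensions")
    for key, values in hive.items():
        verb = re.match(r"HKEY_CLASSES_ROOT\\exefile\\shell\\(.+)\\command$", key, re.I)
        if verb and values.get("") != '"%1" %*':  # any verb that does not just run the file
            findings.append(f"exefile verb '{verb.group(1)}' runs: {values.get('')}")
        if key.lower().startswith(IFEO.lower() + "\\") and "Debugger" in values:
            exe = key.split("\\")[-1]
            findings.append(f"IFEO Debugger hijacks {exe}: {values['Debugger']}")
    return findings
```

Run `audit(open("export.reg").read())` on an export taken with `reg export`; on the constructed sample it reports four findings.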
Trojan.Buzus.DL
This Trojan is made of two components:
1. the main executable, written in Delphi
2. the secondary executable, written in Visual C, which resides packed inside the resource section of the main executable
When executed, the main program launches a second instance of the same executable, which unpacks the encrypted executable located in the .rsrc section, injects it into its own virtual memory space and then terminates.
The decrypted code then injects itself into a separate thread of explorer.exe and quits. This thread creates a copy of itself inside directories such as %SystemDrive%\Recycler\[dirname]\bfrss.exe, where [dirname] has a structure similar to S-1-5-21-1582865268-5844291516-424947749-0960. Besides the executable, it also creates a Desktop.ini file inside those directories, whose role is to hide the presence of the malware file.
The injected code also spreads to all removable drives (USB sticks) by creating a copy of itself in the root folder of the drive under the name usbcheck.exe; an autorun.inf file ensures that this file is executed.
Trojan.Delf.Inject.BK
When executed, this Trojan creates a copy of itself in %windir%\system32\tray.exe and registers it to execute at system startup.
When that copy is launched, it tries to connect to an IRC server called warraca.elcrazyfrog.com. It can download and execute other files (probably malware) when the attacker issues the command over the IRC network.
The Trojan also searches for sensitive data inside browser-related files such as profiles.ini and signons.txt.
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Ovidiu Visoiu
Copyright 2011. Site powered by Bitdefender