
BitDefender weekly review – Tricky Word documents

Date: 09/25/2009
Author: Andrei Bereczki

Files aren't always what they seem to be. This week BitDefender Labs found a downloader Trojan that hides behind the icon of a Word document. It is not uncommon for e-threats to use this kind of disguise, especially because Microsoft Windows has the "Hide extensions for known file types" option enabled by default and people tend to trust icons.

Trojan.Downloader.Bredolab.AM

The malware is disguised as a Microsoft Office Word document: its usual executable file icon is replaced with the Word icon, to trick users into launching it.

When executed, it will drop a .DLL file in %windir%\system32 with a random name composed of 9 letters (e.g. frjacnwrm.dll). The file is registered as a BHO (Browser Helper Object) by changing specific registry values that affect Internet Explorer's behavior.

The downloader next drops a batch file, sys.bat, that is used to delete itself.

The BHO is used to monitor the user's browsing behavior, and the gathered data is sent to a domain similar to: http://[removed]idbredov.ru

Trojan.PWS.OnlineGames.KCVU

Upon execution this password stealer will perform the following operations:

- copy itself under the name herss.exe inside %temp%
- drop a file called cvasds0.dll inside %temp%
- make changes to the registry so that the copy is executed at every system startup

After the "installation", the Trojan will inject the dropped DLL file into every running process and make further copies of itself inside the root folder of every removable drive. These copies are named bychft.exe and are pointed to by an autorun.inf file, which ensures their execution each time the drive is accessed if the Windows autorun feature is enabled.
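Both tricks described above, an executable shown with a document name because extensions are hidden, and an autorun.inf pointing at a launcher in a drive root, can be caught by looking at file content instead of file names. The following is an added example, not BitDefender's code: it checks for the PE "MZ" header behind a document-looking name and parses autorun.inf for open= / shellexecute= entries, against a constructed sample drive root (file headers only, no real malware; the names invoice.doc.exe and notes.doc are assumptions).

```python
import configparser
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".pdf", ".rtf", ".txt"}


def classify_file(path):
    """Return why the file looks deceptive, or None if it does not."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    with open(path, "rb") as fh:
        is_pe = fh.read(2) == b"MZ"      # DOS/PE header: content is a Windows executable
    if is_pe:
        # Name as Explorer shows it with "Hide extensions for known file types" on
        shown = stem if ext in EXECUTABLE_EXTS | DOCUMENT_EXTS else name
        if os.path.splitext(shown)[1] in DOCUMENT_EXTS:
            return "executable displayed as a document: " + shown
        if ext not in EXECUTABLE_EXTS:
            return "executable with non-executable extension " + ext
    if name == "autorun.inf":            # drive-root autorun pointing at a launcher
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)
        for key in ("open", "shellexecute"):
            target = parser.get("autorun", key, fallback=None)
            if target:
                return "autorun.inf launches " + target
    return None


def scan_directory(root):
    """Map each suspicious file in one directory (e.g. a drive root) to its reason."""
    reasons = {n: classify_file(os.path.join(root, n)) for n in sorted(os.listdir(root))}
    return {n: r for n, r in reasons.items() if r}


def build_sample_drive():
    """Constructed sample: a drive root holding only file headers, no real malware."""
    root = tempfile.mkdtemp()
    samples = {
        "invoice.doc.exe": b"MZ" + b"\0" * 62,                # PE header behind a document name
        "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # genuine OLE2 (Word 97-2003) header
        "bychft.exe": b"MZ" + b"\0" * 62,                     # plainly named executable
        "autorun.inf": b"[autorun]\r\nopen=bychft.exe\r\n",   # autorun entry pointing at it
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Running scan_directory(build_sample_drive()) reports only invoice.doc.exe and autorun.inf; the genuine Word file and the plainly named executable are left alone.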

The injected DLL is responsible for the password stealing. It checks for the processes of MapleStory, AgeOfConan, The Lord of the Rings Online, Knight Online, Metin 2 and FlyFF. If valid login data is submitted in any of these games, the Trojan sends it to a large number of compromised computers, which it keeps as a hardcoded list of IP addresses.

Information in this article is available courtesy of BitDefender virus researchers Dana Stanut and Lutas Andrei Vlad.
