The Storm Worm continues its spread
After last week's appearances in the Storm Worm world (see Trojan.JS.Encrypted.A), we have found new threats emerging on the same storyline. It's called Trojan.Downloader.Gadja.C, and its family is a new appearance on the scene: Trojan.Downloader.Gadja.A was signed on 06.06.2008 and has been updated in the 38 days since to Gadja.C. This e-threat does not have its own spreading routine; it is sent out as an attachment in spam messages. After infection, it copies the original %sysdir%/userinit.exe to %sysdir%/userini.exe, then disables system protection and overwrites the original userinit.exe with itself so that it is executed at system startup. So that Windows still starts normally, Trojan.Downloader.Gadja.C also starts userini.exe, the original copy of userinit.exe.
After deleting the file it was originally executed from, the malware drops another file, detected as Trojan.Downloader.Gadja.D. It also starts a new instance of svchost.exe and injects its code into it to bypass firewalls. Then it downloads additional malware, such as Trojan.Peed.JOP, from certain sources.
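The userinit.exe swap described above leaves two cheap indicators on a host: a file named userini.exe in the system directory, which no normal Windows install has, and a userinit.exe whose hash no longer matches the legitimate binary for that build. The following triage helper is an added example, not BitDefender's code; it assumes you have recorded the SHA-256 of a clean userinit.exe from a reference machine of the same Windows build, and the hashes in the constructed sample inventories are placeholders, not real file hashes.

```python
"""Added triage helper for the userinit.exe replacement: the trojan copies the
real userinit.exe to userini.exe and overwrites userinit.exe with itself."""
import hashlib
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_inventory(sysdir: Path) -> Dict[str, str]:
    """Map the two file names this family touches to their SHA-256 (absent files are omitted)."""
    inventory: Dict[str, str] = {}
    for name in ("userinit.exe", "userini.exe"):
        candidate = sysdir / name
        if candidate.is_file():
            inventory[name] = sha256_of(candidate)
    return inventory


def assess_userinit(inventory: Dict[str, str], known_good: Optional[str] = None) -> List[str]:
    """Return a list of findings for one host.

    inventory:  output of build_inventory(), or any {name: sha256} mapping.
    known_good: SHA-256 of the legitimate userinit.exe for this exact Windows
                build, taken from a clean reference machine. None skips the
                hash comparison and leaves only the file-name indicator.
    """
    findings: List[str] = []
    good = known_good.lower() if known_good else None
    real = inventory.get("userinit.exe")
    backup = inventory.get("userini.exe")

    # The backup name is not part of a normal install, so its presence alone is an indicator.
    if backup is not None:
        findings.append("userini.exe present in system directory")
    if real is None:
        findings.append("userinit.exe missing: interactive logon will fail")
    elif good and real != good:
        findings.append("userinit.exe hash differs from the known-good build")
    # Strongest signal: the backup is byte-for-byte the legitimate userinit.exe,
    # so the original was moved aside and something else now runs at logon.
    if backup is not None and good and backup == good:
        findings.append("userini.exe is the legitimate userinit.exe moved aside")
    return findings


# Constructed placeholder hashes (not real file hashes); they only need to be distinct.
GOOD_HASH = "a" * 64
BAD_HASH = "b" * 64
CLEAN_HOST = {"userinit.exe": GOOD_HASH}
INFECTED_HOST = {"userinit.exe": BAD_HASH, "userini.exe": GOOD_HASH}

if __name__ == "__main__":
    # On a real Windows host, point this at %sysdir%; the known-good hash is your own baseline.
    print(assess_userinit(build_inventory(Path(r"C:\Windows\System32")), known_good=None))
```

Without a baseline hash the check still fires on the userini.exe name; with one it also distinguishes "userinit.exe was modified" from "the original was moved aside and replaced", which is the exact behaviour described for this family.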

Img 1: Fake flash player spreading the Storm Worm
The next e-threat helping Trojan.Peed's spread is Trojan.Downloader.HTML.FM. This is a web page that shows the user a fake Flash player (see the image below). The fake player window is actually a link to an executable called "fireworks.exe". This file is probably the Peed Trojan itself or another downloader that stealthily installs the Storm Worm on the victims' computers. Beneath the image, a text tries to trick users into clicking it: "Colorful Independence Day events have already started throughout the country. The largest firework happens on the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."
When opened, the Web page automatically tries to run and install a remote-access JavaScript with several layers of encrypted data, Trojan.JS.Encrypted.A. This Trojan uses an exploit to execute the encrypted shellcode.
In addition, when the fake player window is clicked, the Web browser automatically downloads and installs a file called fireworks.exe (rather than playing a movie). This executable does not hold any compressed or self-running multimedia content, just another threat: Trojan.PEED.JLV. It has its own malicious multiplication and distribution mechanisms: once it penetrates a system, the Trojan copies itself into the OS folder and modifies the Windows Firewall settings. In addition, it registers the compromised computer as a peer in its malware network and uses a randomly chosen port to communicate with the other peers and update its peer list.
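The lure page described above has a simple structural signature: an image posing as a video player that is wrapped in a link whose target is an executable rather than media. The scanner below is an added example, not BitDefender's code or the lure page itself; it uses only the standard library, and the page fragment it runs on is constructed here (the host lure.example is a placeholder) to mimic the fireworks.exe pattern.

```python
"""Added example: flag <img> elements wrapped in an <a> whose href points at an
executable, the fake-player-as-download-link pattern described in the text."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Extensions a browser will hand to the OS as a program instead of rendering.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")


class ImageLinkScanner(HTMLParser):
    """Tracks open <a> elements; any <img> nested inside one whose href ends in
    an executable extension is recorded as (href, image src)."""

    def __init__(self) -> None:
        super().__init__()
        self._open_links: List[str] = []          # hrefs of <a> tags not yet closed
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._open_links.append(attr.get("href", ""))
        elif tag == "img" and self._open_links:
            href = self._open_links[-1]
            # Inspect the URL path only, so "?v=1" or "#play" cannot hide the extension.
            if urlsplit(href).path.lower().endswith(EXEC_EXT):
                self.findings.append((href, attr.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()


def find_executable_image_links(html: str) -> List[Tuple[str, str]]:
    """Return every (href, img src) pair where a clickable image leads to an executable."""
    scanner = ImageLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page fragment modelled on the lure; not the real page.
SAMPLE_PAGE = """
<html><body>
<p>Watch the fireworks video below.</p>
<a href="http://lure.example/fireworks.exe?v=1"><img src="player.jpg" alt="play"></a>
<a href="about.html"><img src="logo.gif"></a>
<a href="video.flv"><img src="thumb.jpg"></a>
</body></html>
"""

if __name__ == "__main__":
    for href, src in find_executable_image_links(SAMPLE_PAGE):
        print(f"image {src!r} links to executable {href!r}")
```

The check deliberately ignores links that are not wrapped around an image: a plain "Download installer" text link is ordinary, while a player-looking image that fetches an .exe is the social-engineering trick this page relies on. Run it over fetched HTML in a crawler or mail gateway to triage pages before a user ever sees them.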
Besides Trojan.Peed, Exploit.SWF.Gen has proven active as well, climbing another place in the BitDefender top 10 to the 6th spot with 7.10% of all infections.
The activity of Trojan.HTML.Zlob.W remains constant: it is still in 8th place with 6.82% of all infections, compared to last month's 6.96%.
Its little brother, Trojan.HTML.Zlob.AA, makes a glorious comeback in 10th place with 6.32% of all infections after having disappeared totally from the top.
They are both adware Trojans and spread through websites that try to trick users into downloading a certain codec or ActiveX component that supposedly helps to view the content of a video file.
A new entry in this week's top 10, in the 9th spot, is Trojan.Autorun.TE, a generic name given to a collection of autorun.inf files created by e-threats. These files are usually located in the root folder of all infected drives. They are an alternative or complementary solution to autorun registry keys for the malware to ensure its execution.
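An autorun.inf file is a small INI-style file, and the keys that matter for a responder are the ones that make Windows launch a program (open=, shellexecute=, shell\verb\command=) or disguise that launch in the AutoPlay prompt (shell=, action=). The parser below is an added example, not BitDefender's detection logic; the sample autorun.inf it analyses is constructed here (the RECYCLER sub-folder name and svc.exe are placeholders) to show the kind of file such a generic signature covers, alongside a benign one that only sets a drive icon and label.

```python
"""Added example: parse an autorun.inf body and report the entries that would
launch a program or mask the launch, then scan drive roots for such files."""
import configparser
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Extensions that Windows will execute rather than open as data.
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|wsf)\b", re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute")


def analyze_autorun(text: str) -> List[str]:
    """Return human-readable findings for one autorun.inf body (empty list if benign)."""
    # strict=False tolerates duplicate keys malware often leaves behind; interpolation
    # is disabled so values like %SystemRoot% are not treated as format strings.
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings: List[str] = []
    # Section name is case-insensitive to Windows ([autorun] and [AutoRun] both work).
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return findings
    for key, value in parser.items(section):   # configparser lowercases key names
        if key in LAUNCH_KEYS and EXEC_EXT.search(value):
            findings.append(f"{key}= launches executable: {value}")
        elif key.startswith("shell\\") and key.endswith("\\command") and EXEC_EXT.search(value):
            findings.append(f"context-menu verb runs executable: {key}={value}")
        elif key == "shell":
            findings.append(f"default double-click verb redirected to: {value}")
        elif key == "action" and "open folder" in value.lower():
            findings.append(f"AutoPlay action text mimics Explorer: {value}")
    return findings


def scan_roots(roots: Iterable[str]) -> Dict[str, List[str]]:
    """Check each directory (typically every drive root) for autorun.inf and analyse it."""
    report: Dict[str, List[str]] = {}
    for root in roots:
        candidate = Path(root) / "autorun.inf"
        if candidate.is_file():
            report[str(candidate)] = analyze_autorun(candidate.read_text(errors="replace"))
    return report


# Constructed sample modelled on a malicious autorun.inf; paths and names are placeholders.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=RECYCLER\S-1-5-21-EXAMPLE\svc.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=RECYCLER\S-1-5-21-EXAMPLE\svc.exe
shell\Open\command=RECYCLER\S-1-5-21-EXAMPLE\svc.exe
shell\Open\Default=1
shell\Explore\command=RECYCLER\S-1-5-21-EXAMPLE\svc.exe
shell=Open
action=Open folder to view files
"""

# Constructed benign sample: a drive that only customises its icon and label.
BENIGN_AUTORUN_INF = """[autorun]
icon=disc.ico
label=Backup 2008
"""

if __name__ == "__main__":
    for line in analyze_autorun(SAMPLE_AUTORUN_INF):
        print(line)
    # Example usage against real drive roots; adjust the list for the host being examined.
    print(scan_roots(["C:\\", "D:\\", "E:\\"]))
```

The icon entry borrowing SHELL32.dll and the "Open folder to view files" action text are what make the AutoPlay prompt look identical to Explorer's own, so the findings call them out separately from the keys that actually launch a file; a file in the root of a writable hard disk or USB stick with any launch finding is worth pulling for analysis.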