
Filed Under: WEEKLY REVIEW

Weekly Malware Review: Pandora’s Removable Device

31 March 2010
Discovered in December 2009, Trojan.VB.Chinky.U has been popping out of removable devices of all kinds and onto computers ever since. Although it shows up in Task Manager as a running process, it cannot be terminated simply by ending that process from the list.

Moreover, the Trojan is difficult to spot because it disables the “Show hidden files” option in Windows Explorer.

It creates two copies of itself with two different file extensions, an “.exe” and an “.scr”, both under the previously generated name. It also drops copies of itself under random names in the “%Documents and settings%” folder. To make sure it runs again after each logon, Chinky creates a registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%RandomName% with the value %Documents and settings%\%UserName%\%RandomName%.exe.

Like most other recent malware, Trojan.VB.Chinky.U also has a worm component that lets it spread via flash drives and other media, such as USB external hard disks and even mapped network drives.

The “autorun.inf” component ensures the automatic execution of the “.exe” file and also changes the icon of the infected removable drive to the standard Windows folder icon. Six more shortcut files pointing to the “.scr” file are created on the removable drive with different names and icons: New Folder, Passwords, Documents, Music, Documents, and Pictures.
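The persistence and removable-drive behaviours described above (the paired .exe/.scr copies, the Run entry pointing into the user profile, the disabled “Show hidden files” option, and the autorun.inf with decoy shortcuts) can be turned into simple host-side checks. The script below is an added example, not BitDefender's or the malware's code: the autorun.inf text, drive listing and Run values it inspects are constructed samples, the random file names (qwrtz, kqzxd) are invented, and the shell32.dll icon path is an assumption, since the review does not say which icon resource the Trojan references.

```python
"""Indicator checks for the Trojan.VB.Chinky.U behaviours described in the review.

Added example with constructed inputs; the file names used below are assumptions.
"""
import configparser
import ntpath
import re

# Decoy shortcut names the review lists on the infected removable drive.
DECOY_SHORTCUTS = {"new folder", "passwords", "documents", "music", "pictures"}

# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden:
# 1 = show hidden files, 2 = do not show hidden files.
HIDDEN_FILES_NOT_SHOWN = 2

# Run value whose target sits directly in a user profile root, e.g.
# C:\Documents and Settings\<user>\<name>.exe or the %...% form the review gives.
USER_ROOT_EXE_RE = re.compile(
    r"^(?:%documents and settings%|[a-z]:\\documents and settings)\\[^\\]+\\[^\\]+\.(?:exe|scr)$",
    re.IGNORECASE,
)


def parse_autorun_inf(text):
    """Return the [autorun] section of an autorun.inf as a lower-cased dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def autorun_indicators(inf_text):
    """Flag an autorun.inf that launches an executable and overrides the drive icon."""
    entries = parse_autorun_inf(inf_text)
    findings = []
    for key in ("open", "shellexecute"):
        target = entries.get(key, "")
        if target.lower().endswith((".exe", ".scr")):
            findings.append(f"{key}= launches {target}")
    if entries.get("icon"):
        findings.append(f"icon= overrides the drive icon ({entries['icon']})")
    return findings


def removable_drive_indicators(file_names):
    """Check a removable drive's root listing for the pattern the review describes."""
    stems = {}
    for name in (n.lower() for n in file_names):
        stem, ext = ntpath.splitext(name)
        stems.setdefault(stem, set()).add(ext)
    findings = []
    if ".inf" in stems.get("autorun", set()):
        findings.append("autorun.inf present on removable media")
    # Same base name present as both .exe and .scr (the two copies the Trojan drops).
    for stem, exts in sorted(stems.items()):
        if {".exe", ".scr"} <= exts:
            findings.append(f"paired executable copies: {stem}.exe / {stem}.scr")
    decoys = sorted(s for s, exts in stems.items() if ".lnk" in exts and s in DECOY_SHORTCUTS)
    if decoys:
        findings.append("decoy shortcuts: " + ", ".join(decoys))
    return findings


def suspicious_run_entries(run_values):
    """Return Run-key values that start an executable placed directly in a profile root."""
    return {name: value for name, value in run_values.items()
            if USER_ROOT_EXE_RE.match(value.strip().strip('"'))}


def hidden_files_suppressed(hidden_value):
    """True when Explorer's 'Show hidden files' option has been switched off."""
    return hidden_value == HIDDEN_FILES_NOT_SHOWN


# Constructed sample inputs (not captured from a real infection).
SAMPLE_AUTORUN_INF = """[autorun]
open=qwrtz.exe
icon=%SystemRoot%\\system32\\shell32.dll,3
shellexecute=qwrtz.exe
"""
SAMPLE_DRIVE_LISTING = ["autorun.inf", "qwrtz.exe", "qwrtz.scr", "New Folder.lnk",
                        "Passwords.lnk", "Documents.lnk", "Music.lnk", "Pictures.lnk",
                        "holiday.jpg"]
SAMPLE_RUN_VALUES = {
    "kqzxd": r'"C:\Documents and Settings\alice\kqzxd.exe"',   # looks like the Trojan
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",            # benign system entry
}


def run_checks(inf_text=SAMPLE_AUTORUN_INF, listing=SAMPLE_DRIVE_LISTING,
               run_values=SAMPLE_RUN_VALUES, hidden_value=HIDDEN_FILES_NOT_SHOWN):
    """Run every check and return the findings keyed by area."""
    return {
        "autorun_inf": autorun_indicators(inf_text),
        "removable_drive": removable_drive_indicators(listing),
        "run_key": suspicious_run_entries(run_values),
        "hidden_files_suppressed": hidden_files_suppressed(hidden_value),
    }


if __name__ == "__main__":
    for area, result in run_checks().items():
        print(f"{area}: {result}")
```

On a live Windows host the same functions would be fed the real autorun.inf text from the drive root, a directory listing, the values read from the HKCU Run key and the Explorer Advanced\Hidden value; the matching logic itself needs nothing Windows-specific, which is why it can be exercised offline here.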


This is not the end of it. The downloader component of Trojan.VB.Chinky.U subsequently drops and installs other e-threats on the infected system, such as backdoors, password stealers, rogue AV and other offers that are too hot to handle.




Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.

Comments:

iSolve said on Apr-6-2010 08:38

I would assume a quality malware program with acceptable heuristics would easily detect this Trojan and worm. This malware is still being spread because of weak layered defense with computer configuration and antivirus programs. One step is to disable autorun for all devices; another is to instruct antivirus programs to scan flash drives. This thing will continue to spread without good administrative practices and defense.
