Filed Under: WEEKLY REVIEW

Your privacy is in danger

Date: 10/10/2008
Author: Andrei Bereczki

This week’s review starts with a couple of e-threats that target your private data or monitor the actions performed on a computer. All the collected data is sent back to the attacker. Nobody wants their passwords stolen or their browsing habits made public, so you would do well to update your antivirus products, or install a security suite if you don’t already own one.

Trojan.Spy.Agent.NXS

This threat disguises itself with a folder icon, a trick to fool unwitting users into executing it.

Once launched, it creates three directories in %windir%\system32\, copies itself into one of them and drops several files there. It sets the hidden and system attributes on these folders so they stay hidden from normal users.

To execute at every system boot, it creates a shortcut to itself in the user's Startup folder and periodically checks that the shortcut still exists.

After installation, the malware stays resident in memory and monitors user activity. It also checks the internet connection from time to time and, if one is available, tries to download new versions of itself. Sometimes other malware is downloaded as well.

Trojan.Spy.Agent.NXS also has backdoor capabilities: remote commands can be executed on the user's machine through it, although it does not keep a permanent connection to the attacker's server.


Trojan.Banker.LCG

After execution, this Trojan drops two files: %windir%\system32\cabpck.dll and %windir%\system32\krnlcab.sys. Cabpck.dll is executed, and the file it was originally run from, which is packed with a custom packer that pretends to be UPX, is deleted.

Krnlcab.sys is a rootkit component, set to execute as a system service. Its role is protective: it hides all of the malware's files and registry entries.

Cabpck.dll is also executed at startup by means of the registry, and further keys are created so that the malware runs in safe mode too. It also creates firewall exceptions for rundll32.exe so that it can run unhindered.

Trojan.Banker.LCG tries to steal user passwords by accessing sensitive areas of the registry that hold encrypted user data.

It usually relies on a web server from which it receives instructions. Communication goes through a script that can run multiple jobs on the host computer: it can download and execute different versions of the rogue antivirus "XP Antivirus", update the Windows hosts file or execute other administrative commands.
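Because the hosts file is one of the things this Trojan tampers with, a quick audit of that file is a cheap check worth having. The following is an added example written for this review, not code from the original post or from any vendor: it parses hosts-file text without executing anything and reports every entry beyond the stock loopback lines, since a hijacked file usually either pins a security vendor's update domain to loopback (blocking updates) or redirects a legitimate domain to a rogue address. The sample file and the watchlist domains are constructed placeholders (.invalid TLD, TEST-NET-3 addresses).

```javascript
// Hosts-file audit (added example, not from the original review).
const DEFAULT_HOSTS = new Set([
  'localhost', 'localhost.localdomain', 'ip6-localhost', 'ip6-loopback', 'broadcasthost',
]);
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1|::)$/;
// Constructed placeholder domains whose presence in a hosts file is itself suspicious.
const WATCHLIST = ['update.example-av.invalid', 'www.example-av.invalid'];

// Parse hosts-file text into {line, ip, host} records; comments and blanks are skipped.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) return;
    const [ip, ...hosts] = line.split(/\s+/);
    for (const host of hosts) entries.push({ line: i + 1, ip, host: host.toLowerCase() });
  });
  return entries;
}

function onWatchlist(host) {
  return WATCHLIST.some(w => host === w || host.endsWith('.' + w));
}

// Return every non-default entry together with a reason an analyst can act on.
function auditHosts(text) {
  return parseHosts(text)
    .filter(e => !DEFAULT_HOSTS.has(e.host))
    .map(e => ({
      ...e,
      reason: onWatchlist(e.host)
        ? 'watchlist domain'
        : LOOPBACK.test(e.ip)
          ? 'non-default host pinned to loopback'
          : 'non-default host redirected',
    }));
}

// Constructed sample hosts file: two update-blocking entries and one redirect.
const SAMPLE_HOSTS = `# constructed sample hosts file
127.0.0.1       localhost
::1             localhost

127.0.0.1 update.example-av.invalid   # blocks the vendor's update server
0.0.0.0   www.example-av.invalid
203.0.113.10 www.example-bank.invalid  # sends a legitimate site to a rogue host
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditHosts(SAMPLE_HOSTS)) {
    console.log(`line ${f.line}: ${f.ip} ${f.host} (${f.reason})`);
  }
}
```

On a real machine you would feed `auditHosts` the contents of %windir%\system32\drivers\etc\hosts; anything it reports that the administrator did not put there deserves a look, and the watchlist should be filled with the update domains of the products actually installed.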


Trojan.Exploit.ANNZ

We all remember Trojan.Exploit.SSX and Exploit.SinaDLoader.B, which used Trojan.Exploit.JS.RealPlr.S as an obfuscator, right? Well, this time Trojan.Exploit.JS.RealPlr.S is replaced by Trojan.Exploit.ANNZ, which is a well-known JavaScript packer of the form: eval(function(p,a,c,k,e,d){ [decoder] }( [packed_code] )).

This time it downloads something different, a file named "help.exe", which is detected as Backdoor.Generic.76302.
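The eval(function(p,a,c,k,e,d){...}) form is easy to undo without running the script, which is how an analyst should look at it. The block below is an added example written for this review, not code from the original post or from any detection vendor: it rebuilds the packer's word dictionary from the call's trailing arguments and applies it with a plain string replace, so no part of the suspicious script is executed. The packed SAMPLE is constructed for the demonstration and decodes to a harmless statement; the argument layout it parses is the usual one for this packer family, and anything that deviates from it is reported rather than guessed at.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) packer family
// (added example, not from the original review).

// The packer names dictionary slot c in base a: digits, then a-z, then A-Z.
function encodeIndex(c, a) {
  const prefix = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const r = c % a;
  return prefix + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Undo the escapes of a single-quoted JS string literal captured from the source text.
function unescapeLiteral(s) {
  const map = { n: '\n', r: '\r', t: '\t' };
  return s.replace(/\\(.)/g, (_, ch) => map[ch] ?? ch);
}

// Trailing argument list of the packer call: ('payload',base,count,'w|o|r|d|s'.split('|'),0,{}))
const PACKER_ARGS = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\),\d+,\{\}\)\)\s*;?\s*$/;

function isPackerPayload(text) {
  return /^\s*eval\(function\(p,a,c,k,e,[dr]\)\{/.test(text);
}

function unpack(packed) {
  if (!isPackerPayload(packed)) throw new Error('not a p,a,c,k,e,d packer payload');
  const m = PACKER_ARGS.exec(packed);
  if (!m) throw new Error('could not parse the packer arguments');
  const payload = unescapeLiteral(m[1]);
  const base = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeLiteral(m[4]).split('|');
  // Slot c holds words[c]; an empty slot means the token stands for itself.
  const dict = new Map();
  for (let c = 0; c < count; c++) {
    const key = encodeIndex(c, base);
    dict.set(key, words[c] || key);
  }
  // The same whole-word substitution the packer's decoder performs, minus the eval.
  return payload.replace(/\b\w+\b/g, tok => (dict.has(tok) ? dict.get(tok) : tok));
}

// Constructed sample: packs the harmless statement  var msg="hello world";alert(msg);
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1="2 3";4(1);',10,5,'var|msg|hello|world|alert'.split('|'),0,{}))`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unpack(SAMPLE));
}
```

The output of `unpack` is the script the packer was hiding, which can then be read or scanned like any other source; in real samples that layer is often wrapped in one or two more, so the result is worth running through `isPackerPayload` again.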

Two new versions of the Wimad scheme have been released. They behave the same as Trojan.Downloader.Wimad.A, except that one of them downloads a file named Codec.exe.

Details:

- Trojan.Downloader.WMA.Wimad.Z
- Trojan.Downloader.WMA.Wimad.S

Some new rogue antivirus products are also trying to spread their wings, though with little success so far. Trojan.FakeAlert.ACJ is actually a website that offers you a free scan with one of these rogue products, called AntiSpywareMaster, TrustedAntivirus, PCVirusless or SpyGuardPro. After the fake scan, it asks you to download the application. Once on your computer, these act just like any other rogue security product, nagging you with fake infection warnings and asking you to buy the software.
