Trojan.Inject.WX (Trojan.Win32.Buzus.dfer; Trojan.Siggen.64270)
SYMPTOMS:
- The presence of a hidden file named wcoredg.exe in %windir%\system32\
- Increased network activity.

TECHNICAL DESCRIPTION:
When executed, the malware first checks whether it is being debugged and searches the list of running processes for tools that could expose its presence or behavior (for example Process Monitor, Vbox.exe, VMWareService.exe). If it finds such a process, it displays a message box and then exits.

If no debugging or monitoring tools are found, it continues by copying itself to %windir%\system32\wcoredg.exe (with the hidden attribute set) and then deletes the original file. Next it runs the copy as a hidden process and injects foreign code into the memory space of the explorer.exe process.

* In order to avoid detection:
- it disables services associated with various firewall and anti-virus products (such as KPF4, SophosClientFirewall, Nod32krn) if they are present;
- it adds itself to the Windows Firewall exceptions list under the name "LAN Router";
- it tries to terminate the following processes, if found:
WITSETUP.EXE AVINSTALL.EXE K7TS_SETUP.EXE P08PROMO.EXE ISSDM_EN_32.EXE VIPRE.EXE UNLOCKER.EXE UNLOCKERASSISTANT.EXE UNLOCKER1.8.7.EXE REGUNLOCKER.EXE COMPAQ_PROPIETARIO.EXE ATF-CLEANER.EXE SAFEBOOTKEYREPAIR.EXE OTMOVEIT3.EXE HOSTSXPERT.EXE DAFT.EXE VIRUS.EXE HIJACK-THIS.EXE MRT.EXE MRTSTUB.EXE WINDOWS-KB890930-V2.2.EXE HJ.EXE ELISTA.EXE PENCLEAN.EXE MBAM-SETUP.EXE MBAM.EXE AVZ.EXE JAJA.EXE OTMOVEIT.EXE MBAM-SETUP.EXE REGMON.EXE COMBO-FIX.EXE COMBOFIX.BAT COMBOFIX.SCR COMBOFIX.COM NTVDM.EXE GUARD.EXE LISTO.EXE TCPVIEW.EXE REGEDIT.COM REGEDIT.SCR FOLDERCURE.EXE KILLAUTOPLUS.EXE MYPHOTOKILLER.EXE REG.EXE TASKKILL.EXE AUTORUNS.EXE SRENGPS.EXE COMBOFIX.EXE SDFIX.EXE CATCHME.EXE GMER.EXE MBR.EXE CF9409.EXE REGUNLOCKER.EXE TSNTEVAL.EXE XP_TASKMGRENAB.EXE SUPERANTISPYWARE.EXE BOOTSAFE.EXE SRESTORE.EXE MSNCLEANER.EXE BUSCAREG.EXE KAKASETUPV6.EXE SUPERKILLER.EXE DUBATOOL_AV_KILLER.EXE
DELAYDELFILE.EXE SEEM.EXE BC5CA6A.EXE ROOTALYZER.EXE ROOTKITBUSTER.EXE HELIOS.EXE DARKSPY105.EXE HOOKANLZ.EXE PAVARK.EXE SRENGLDR.EXE APORTS.EXE FPORT.EXE PORTDETECTIVE.EXE PORTMONITOR.EXE NETSTAT.EXE OLLYDBG.EXE HJTINSTALL.EXE HJTSETUP.EXE HIJACKTHIS_SFX.EXE HIJACKTHIS.EXE HIJACKTHIS_V2.EXE MSNFIX.EXE PROCEXP.EXE TASKMAN.EXE TASKLIST.EXE TASKMON.EXE PSKILL.EXE ROOTKITREVEALER.EXE FSBL.EXE FSB.EXE AVGARKT.EXE ROOTKIT_DETECTIVE.EXE UNHACKME.EXE HACKMON.EXE RKD.EXE ROOTKITNO.EXE REANIMATOR.EXE HOOKANLZ.EXE ROOTREPEAL.EXE ICESWORD.EXE LORDPE.EXE PG2.EXE PROCDUMP.EXE PROCESSMONITOR.EXE SPYBOTSD160.EXE TEATIMER.EXE SPYBOTSD.EXE WIRESHARK.EXE APM.EXE APT.EXE ASVIEWER.EXE CPORTS.EXE CPROCESS.EXE DLLCOMPARE.EXE A2HIJACKFREESETUP.EXE EULALYZERSETUP.EXE FILEALYZ.EXE FILEFIND.EXE FIXPATH.EXE HOSTSFILEREADER.EXE IEFIX.EXE AVENGER.EXE INSTALLWATCHPRO25.EXE KILLBOX.EXE NETALYZ.EXE OBJMONSETUP.EXE PGSETUP.EXE FIXBAGLE.EXE CUREIT.EXE PROCMON.EXE PROJECTWHOISINSTALLER.EXE REGALYZ.EXE REGCOOL.EXE REGISTRAR_LITE.EXE REGSCANNER.EXE REGSHOT.EXE REGX2.EXE SPF.EXE SRENGLDR.EXE STARTDRECK.EXE SYSANALYZER_SETUP.EXE UNIEXTRACT.EXE UNLOCKER1.8.7.EXE RAVP.EXE MBAM.EXE USBGUARD.EXE AVZ.EXE OTL.EXE CPF.EXE ZLCLIENT.EXE
- If it finds a process from the above list but cannot terminate it, the computer is shut down.

* It modifies the following registry values:
- for automatic execution at Windows start-up:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conime.exe (a clean file)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe\Debugger = wcoredg.exe
The Run entry launches the clean conime.exe; the Image File Execution Options "Debugger" value makes Windows start wcoredg.exe in its place every time conime.exe is launched, so the malware never needs its own Run entry.
- for disabling System Restore:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR = 1
- for hiding antivirus and firewall security warnings:
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = 1
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = 1

* It modifies the hosts file (%windir%\system32\drivers\etc\hosts) in order to redirect various anti-malware sites to the address 203.151.73.99.

* Spreading capabilities:
- USB drives: it can infect USB drives using the autorun.inf technique.
- Network: through network shares and instant messaging (Microsoft Messenger).

It can download newer versions of itself from the following URL:
http://secure.u[removed]24.org.uk/net/debug.zip

This malware also has backdoor capabilities. It contains an IRC bot which allows a remote attacker to connect to the affected computer and run various remote commands.

REMOVAL INSTRUCTIONS:
- Replace the contents of the hosts file (%windir%\system32\drivers\etc\hosts) with the following line:
127.0.0.1 localhost
- Let BitDefender disinfect the remaining files.

ANALYZED BY: Calin Groza, virus researcher
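As an added triage aid (editor's example, not part of BitDefender's analysis), the following PowerShell script checks a host for the indicators listed in this description. It assumes the dropped-file path, the registry values, the "LAN Router" rule name and the 203.151.73.99 redirect address exactly as given above; the firewall registry locations it reads and the generalised IFEO check (it reports every Debugger value, not only the conime.exe one) are the editor's additions.

```powershell
# Added triage script; this is not BitDefender's code. Run from an elevated prompt.
# Assumptions: file path, registry values, "LAN Router" rule name and the
# 203.151.73.99 redirect address come from the description above. The firewall
# registry locations and the generalised IFEO check are editor additions.
$Ioc = @{
    DroppedFile  = Join-Path $env:windir 'system32\wcoredg.exe'
    HostsFile    = Join-Path $env:windir 'system32\drivers\etc\hosts'
    RedirectIP   = '203.151.73.99'
    FirewallName = 'LAN Router'
    IfeoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
}

function Find-TrojanInjectWXIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Detail) {
        $findings.Add((New-Object PSObject -Property @{ Indicator = $Kind; Detail = $Detail }))
    }

    # 1. Dropped copy in %windir%\system32. -Force is required because Get-Item
    #    skips hidden files by default, which is exactly why the sample hides it.
    $f = Get-Item -LiteralPath $Ioc.DroppedFile -Force -ErrorAction SilentlyContinue
    if ($f) { Add-Finding 'DroppedFile' ("{0} (attributes: {1})" -f $f.FullName, $f.Attributes) }

    # 2. Persistence via Image File Execution Options. Any Debugger value is
    #    reported: legitimate ones are rare and name a real debugger, this sample's
    #    points at wcoredg.exe under the conime.exe subkey.
    Get-ChildItem -Path $Ioc.IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO-Debugger' ("{0} -> {1}" -f $_.PSChildName, $dbg) }
    }

    # 3. Run-key entry for conime.exe, the clean binary whose launch IFEO redirects.
    $run = Get-ItemProperty -Path $Ioc.RunKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'conime.exe')) {
        Add-Finding 'RunKey' ("conime.exe = {0}" -f $run.'conime.exe')
    }

    # 4. System Restore disabled and Security Center warnings silenced.
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'DisableSR' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify' }
    )
    foreach ($c in $regChecks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($v -eq 1) { Add-Finding 'RegistryTamper' ("{0}\{1} = 1" -f $c.Path, $c.Name) }
    }

    # 5. hosts file: flag the redirect address from this description, plus any
    #    other non-comment line that maps a name to something other than loopback.
    if (Test-Path -LiteralPath $Ioc.HostsFile) {
        Get-Content -LiteralPath $Ioc.HostsFile | ForEach-Object {
            $line = ($_ -split '#')[0].Trim()
            if (-not $line) { return }
            $addr = ($line -split '\s+')[0]
            if ($addr -eq $Ioc.RedirectIP) {
                Add-Finding 'HostsRedirect' $line
            } elseif (@('127.0.0.1', '::1') -notcontains $addr) {
                Add-Finding 'HostsNonLoopback' $line
            }
        }
    }

    # 6. Windows Firewall exception named "LAN Router". XP SP2 / 2003 store the
    #    exceptions under AuthorizedApplications\List ("path:*:Enabled:Name");
    #    Vista and later store rules under FirewallRules ("...|Name=...|...").
    $fwRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $fwKeys = @("$fwRoot\StandardProfile\AuthorizedApplications\List",
                "$fwRoot\DomainProfile\AuthorizedApplications\List",
                "$fwRoot\FirewallRules")
    foreach ($k in $fwKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            if ("$($p.Value)" -match [regex]::Escape($Ioc.FirewallName)) {
                Add-Finding 'FirewallException' ("{0} -> {1}" -f $p.Name, $p.Value)
            }
        }
    }

    return $findings
}

$results = @(Find-TrojanInjectWXIndicators)
if ($results.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $results | Format-Table Indicator, Detail -AutoSize
}
```

The script deliberately uses the registry provider and file cmdlets rather than spawning reg.exe, tasklist.exe, netstat.exe or regedit: those names are on the sample's kill list, and a process it cannot terminate makes it shut the machine down, so a live triage that shells out to them can end the session before any result is seen. Treat a hit on any one indicator as grounds to image the host rather than to keep poking at it, and remember that the hosts-file redirect means downloads of removal tools from the affected machine may not reach the real vendor site.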