BitDefender weekly review

Bogdan BOTEZATU

October 23, 2009

Trojan.FakeAV.VE

The purpose of this e-threat is to download and execute "Antivirus Pro 2010", a rogue application which poses as security software. The installation is composed of two steps. First it tries to download a randomly named file from several locations, which is saved as %user_documents%\Application Data\lizkavd.exe. This new executable then attempts to connect to further locations, using a name and a password, and downloads a password-protected archive. The archive actually contains the fake-alert malware (Trojan.FakeAV.VH), which is installed in %Programs%\AntivirusPro_2010.

Before starting the download process, it copies itself to %user_documents%\application data\svcst.exe and %user_documents%\application data\seres.exe. These two copies are started together and protect each other from being terminated by the user, using two named mutexes.

The above two copies are also registered at system startup by changing certain registry keys. The malware lowers security settings by allowing the execution of files with invalid signatures and by adding certain extensions to the low-risk list.

After setting the above, the malware starts the download process by accessing several addresses like the ones below:

hxxp://erta[removed]ert.com/s1fb0Uv5MS8X[removed]
hxxp://abu[removed]hkamid.com/nQ1Zx0E5X8[removed]

Trojan.Generic.2581209

The malware is distributed in a zip archive attached to an e-mail which claims to be from "DHL express services". Called Glecia, this e-threat cannot propagate by itself, so it makes use of a third party to send the spam.

The e-mail examples look like this:

Subject:
DHL Express Services. Please get your parcel NR.56449

Headers:
From: “****” <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449

Body:
Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personally!

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Thank you for attention.
DHL Services.

Attachments:
DHL_print_label_582b9.zip (16.23KB)
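As an added example (not code from the original post or from BitDefender), a small Python triage script that applies the characteristics of the lure above to a constructed copy of this message: a courier-themed subject, a sender address claiming dhl-usa.com, and a zip attachment that contains an executable. The heuristics and the .exe name inside the zip are assumptions of this example; the page only names the zip.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Heuristics are this example's assumption, drawn from the lure above: a
# courier-themed subject, a sender claiming dhl-usa.com, and a zip hiding an executable.
COURIER_SUBJECT = re.compile(r"\b(parcel|shipping label|dhl)\b", re.I)
CLAIMED_COURIER_DOMAINS = {"dhl-usa.com"}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def build_sample_eml() -> bytes:
    # Constructed message modelled on the Glecia lure; the .exe name inside
    # the zip is an assumption (the page only names the zip attachment).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_print_label_582b9.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = '"DHL" <noreply@dhl-usa.com>'
    msg["Subject"] = "DHL Express Services. Please get your parcel NR.56449"
    msg.set_content("Dear customer!\nThe shipping label is attached to this e-mail.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL_print_label_582b9.zip")
    return msg.as_bytes()

def executables_in_zip(data: bytes) -> list[str]:
    # Names of executable-looking members; a corrupt or non-zip blob yields [].
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if COURIER_SUBJECT.search(subject):
        findings.append("courier-themed subject: " + subject)
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    if m and m.group(1).lower() in CLAIMED_COURIER_DOMAINS:
        findings.append("sender claims courier domain " + m.group(1))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            for member in executables_in_zip(part.get_content()):
                findings.append(f"zip {name} contains executable {member}")
    return findings
```

`triage()` returns one finding per matched heuristic, so the constructed sample yields three; an empty list means nothing matched.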

The archive contains the malware executable, which drops a BHO to %SYSTEM%\bhdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.

When done, the dropper creates and runs a batch file called sys.bat in order to delete itself.
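As an added example (not the researchers' code), a Python check that parses a registry export and correlates each Browser Helper Objects registration with its CLSID class entry, reporting the display name and the DLL that Internet Explorer would load. The .reg fragment is constructed from the CLSID and display name above; the system32 path stands in for %SYSTEM% and is an assumption.

```python
# Constructed .reg export fragment reproducing the registration the page describes
# (CLSID and display name from the page; the DLL path assumes %SYSTEM% = C:\WINDOWS\system32).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}]
@="Microsoft Online Helper!"

[HKEY_CLASSES_ROOT\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}\InprocServer32]
@="C:\\WINDOWS\\system32\\bhdvgtueyitf.dll"
"ThreadingModel"="Apartment"
"""

BHO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
KNOWN_BAD_CLSIDS = {"{CEE2864E-1144-4B8F-9A43-4CEAC4553560}"}
KNOWN_BAD_NAMES = {"Microsoft Online Helper!", "Google Accelerator!"}

def parse_reg(text: str) -> dict[str, dict[str, str]]:
    # Minimal parser for REG_SZ values: returns {key: {value_name: data}}; '@' is the default value.
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def suspicious_bhos(text: str) -> list[dict[str, str]]:
    # Correlate each BHO registration with its CLSID class entry and report the loaded DLL.
    keys = parse_reg(text)
    hits = []
    for key in keys:
        if not key.startswith(BHO_KEY):
            continue
        clsid = key[len(BHO_KEY):]
        cls = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid, {})
        server = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32", {})
        name, dll = cls.get("@", ""), server.get("@", "")
        if clsid in KNOWN_BAD_CLSIDS or name in KNOWN_BAD_NAMES:
            hits.append({"clsid": clsid, "name": name, "dll": dll})
    return hits
```

On a live system the same correlation can be run over a `reg export` of the two hives; a BHO whose class name is unknown or whose DLL sits under a system directory with a random name is worth a closer look even when it matches no known CLSID.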

The BHO is a backdoor that can be used by the attacker to take control over the infected computer. When executed it tries to connect to a Russian domain to receive further instructions. These can be any of the following:

Send system information

Open a given URL

Execute files

Delete all files from the root, Windows, and Program Files folders

Information in this article is available courtesy of BitDefender virus researchers Ovidiu Visoiu and Horea Coroiu.
