BitDefender weekly review

Bogdan BOTEZATU

May 15, 2009


Trojan.JS.PYZ

This is yet another malicious JavaScript that tries to exploit vulnerabilities in Adobe Acrobat Reader and Adobe Flash Player.

When the victim accesses the specially crafted website, the script launches two ActiveX objects: AcroPDF.PDF or PDF.PdfCtrl to open a *.pdf file (readme.pdf) and ShockwaveFlash.ShockwaveFlash to open a *.swf file (flash.swf). These files contain the actual exploits, and when opened they download an executable file without any user interaction.

The download URL was of the form http://sitesupports.cn/[removed]?id=0 and the executable is detected by BitDefender as Backdoor.Zdoogu.F.
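A static heuristic for web content matching the behaviour described above (a page that instantiates the named Acrobat or Flash controls and points them at a .pdf or .swf), as an added example that is not BitDefender's code. The ProgIDs come from the write-up; the sample pages are constructed for the test, and the property names used in them (src, Movie) are illustrative assumptions.

```python
import re

# ProgIDs the write-up names; compared case-insensitively
WATCHED_PROGIDS = {"acropdf.pdf", "pdf.pdfctrl", "shockwaveflash.shockwaveflash"}
ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)
MEDIA_RE = re.compile(r'["\']([^"\']+\.(?:pdf|swf))["\']', re.I)


def analyze(html: str) -> dict:
    """Flag pages that instantiate the watched controls and feed them a .pdf/.swf."""
    instantiated = {m.group(1) for m in ACTIVEX_RE.finditer(html)}
    progids = sorted(p.lower() for p in instantiated if p.lower() in WATCHED_PROGIDS)
    # drop the ProgID strings themselves: "AcroPDF.PDF" also ends in ".pdf"
    media = sorted({m.group(1) for m in MEDIA_RE.finditer(html)} - instantiated)
    return {
        "progids": progids,
        "media": media,
        # the combination is what the write-up describes; either alone is common
        "suspicious": bool(progids) and bool(media),
    }


# Constructed samples for the test: the property names (src, Movie) are
# illustrative, not taken from the write-up.
SAMPLE = """<html><body><script>
var a = new ActiveXObject("AcroPDF.PDF"); a.src = "readme.pdf";
var f = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');
f.Movie = 'flash.swf';
</script></body></html>"""
BENIGN = '<html><body><a href="brochure.pdf">Download the brochure</a></body></html>'

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(analyze(BENIGN))
```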

Backdoor.Zdoogu.F

When executed, the backdoor creates a copy of itself as %windir%\system32\digiwet.dll, with the extension and executable type changed to DLL. To have the copy run at every Windows startup, it adds specific registry keys.

It then launches a new instance of svchost.exe and overwrites the process image in memory with its payload.

The infected svchost.exe creates a file called wiaservim.log in %windir%, in which it records its activity. It then connects twice to 78.109.29.112: first to download several files, then to report back with other data.

The downloaded executables belong to the Backdoor.IRCBot family, which allows an attacker to control the infected computers via IRC (Internet Relay Chat).

Win32.Delicium.A

This is a file infector that has two main components:

  1. The code that gets injected into the *.exe files
  2. The DLL which performs the actual infections

When an infected file gets executed, the virus will do the following:

– drop a DLL into %windir%\system32\dotnetfx.dll

– run the DLL by passing it as an argument to rundll32.dll

– pass execution to the host

The DLL file is responsible for making the actual infections. When first run, it makes changes to the registry so that it gets executed at system startup. It then adds another registry value, A, which it increments every time it is run. When the letter becomes Z, the virus starts its actual infection routine.

The virus loops through all accessible drives searching for files to infect or delete. It only injects code into *.exe files, and it deletes every file with one of the extensions: xls, mdb, doc, jpg, frm, wmv, mp3, sis, as, fla, APP, ppt, avi, mpg, 3gp, vb, jar, css, asp, aspx, jsp, java, pdf, psd, gif, cad, zip, rar or 3ds.

In order to infect a file, it first reads the header information and checks whether the file is already infected. As an infection marker, it writes the string “PROZIUM32” at physical offset 0x4E (78 in decimal) in the file. If the file is not already infected, it appends the malicious code to the end of the executable and updates the file's characteristics by recalculating its size and properties.

It might also create a random-length overlay, probably to prevent infection by other viruses. The overlay has its last 4 bytes set to the ASCII characters “.MTS”.
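A triage helper built from the Delicium details above, as an added example that is not BitDefender's code: it checks a file image for the “PROZIUM32” marker at offset 0x4E and the “.MTS” overlay tail, and classifies a filename by what the infection routine would do to it (infect *.exe, delete the listed extensions). The test images are constructed MZ stubs, not real executables.

```python
import os

MARKER = b"PROZIUM32"
MARKER_OFFSET = 0x4E        # 78 decimal, per the write-up
OVERLAY_TAIL = b".MTS"      # last 4 bytes of the optional overlay
INFECT_EXT = {"exe"}
# extensions the write-up lists as deleted (compared case-insensitively)
DELETE_EXT = {"xls", "mdb", "doc", "jpg", "frm", "wmv", "mp3", "sis", "as", "fla",
              "app", "ppt", "avi", "mpg", "3gp", "vb", "jar", "css", "asp", "aspx",
              "jsp", "java", "pdf", "psd", "gif", "cad", "zip", "rar", "3ds"}


def scan_bytes(data: bytes) -> dict:
    """Report which Delicium artefacts a file image carries."""
    marker = data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER
    tail = data.endswith(OVERLAY_TAIL)
    # the marker is what the virus itself uses to decide a file is infected;
    # the ".MTS" tail is supporting evidence only
    return {"marker": marker, "overlay_tail": tail, "infected": marker}


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def classify(filename: str) -> str:
    """What the infection routine would do with this file on an accessible drive."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in INFECT_EXT:
        return "infect"
    if ext in DELETE_EXT:
        return "delete"
    return "ignore"


def make_sample(infected: bool, overlay: bool) -> bytes:
    """Constructed test image: an MZ stub padded with zeros, not a real PE."""
    data = bytearray(b"MZ" + b"\x00" * 0x100)
    if infected:
        data[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    if overlay:
        data += os.urandom(37) + OVERLAY_TAIL   # random-length overlay ending in ".MTS"
    return bytes(data)


if __name__ == "__main__":
    for inf, ov in [(False, False), (True, False), (True, True)]:
        print(inf, ov, scan_bytes(make_sample(inf, ov)))
    for name in ["setup.exe", "report.xls", "notes.txt"]:
        print(name, classify(name))
```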

Information in this article is available courtesy of BitDefender virus researchers: Balazs Biro and Lutas Andrei Vlad
