BitDefender weekly review

Bitdefender

May 08, 2009


Cyber criminals wage a war against users, and these are some of the ways they do it:

Trojan.KillAV.PT

This Trojan is a really nice piece of work. It was not easy to analyze and, although it is not that complex, it is interesting to see how intricate an attacker's mind can get in order to reach his goal.

The Trojan starts by dropping three components, which we will look at more closely below.

1. The antivirus killer (killdll.dll) is saved in %windir%\system32, gets loaded first and contains two encrypted drivers. It is deleted after 15 seconds.

1.1. The first driver is used to disable the following services belonging to security product vendors:

avp.exe
DrUpdate.exe
QQDoctorRtp.exe
KWatch.exe
Uplive.exe
udaterui.exe
McTray.exe
SHSTAT.exe
ccSvcHst.exe
xcommsvr.exe
vsserv.exe
livesrv.exe
bdagent.exe
mcinsupd.exe
mcshell.exe
FrameworkService.exe
vstskmgr.exe
mcagent.exe
mcnasvc.exe
mcmscsvc.exe
mcsysmon.exe
mfevtps.exe
mcupdmgr.exe
vptray.exe
ccapp.exe
rtvscan.exe
defwatch.exe
ccEvtMgr.exe
ccSetMgr.exe
KVSrvXP.exe
KPFW32.exe
engineserver.exe
KavStart.exe
kmailmon.exe
KPfwSvc.exe
KISSvc.exe
MPSVC3.exe
MPSVC.exe
MpfSrv.exe
naPrdMgr.exe
rsnetsvr.exe
mcshield.exe
McProxy.exe
QQDoctor.exe
Rav.exe
ScanFrm.exe
RsTray.exe
RavStub.exe
CCenter.exe
RavTask.exe
RavMonD.exe
RavMon.exe
egui.exe
mfeann.exe
RsAgent.exe
ekrn.exe
antiarp.exe
360tray.exe
360Safebox.exe
safeboxTray.exe

To achieve this, the driver is saved under %windir%\system32\drivers\AsyncMac.sys, replacing the original driver with the same name, which was a Microsoft Remote Access Network Serial driver.

Then it disables the automatic start of these services so they are not loaded again after a restart. Once this is done, the driver file is unloaded and deleted.

1.2. The second driver is saved under %windir%\system32\drivers\aec.sys, again replacing the original driver, which used to be a Microsoft Acoustic Echo Canceler. This component deactivates commonly used proactive detection techniques by undoing the changes made by antivirus software to kernel memory. After it has finished, it is unloaded and deleted.

2. The downloader ([random_value]_xeex.exe) is saved in %windir% after killdll.dll has finished its job. Upon execution this component first checks where it has been started from. If it is injected into userinit.exe, it first executes explorer.exe (the default userinit.exe behavior) so the user does not notice the infection, and then continues with its own routine. If it is not running from userinit.exe, it continues with its own routine without starting explorer.exe.

It will send the MAC address, operating system version and the file version (probably provided by the creation date) to the following script: http://[removed]518js.com/30330/count.asp

It will download and execute about 30 files specified by an online text file located at: http://[removed]518js.com/30330/newfz.txt. If the downloader version reported above is outdated, the list also contains a new version of the Trojan so that it can update itself; the rest of the files belong to the OnlineGames password stealer family.

It will register the parent executable image to start at system startup using the Windows registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with the following value name: RsTray.

3. The overwriter (pcidump.sys) is saved in %windir%\system32\drivers, loaded into memory and deleted after it has finished its job.

The driver's function is to overwrite userinit.exe, a core Windows component, with the downloader part so that it is executed at every system startup. Under normal circumstances userinit.exe quits after initializing all the necessary processes. If it is infected with the downloader, however, it stays resident in memory, giving the victim a hint of the malware's presence.

The main executable also copies itself to %windir%\system32\scvhost.exe and afterwards deletes the original file it was executed from.

Win32.Worm.VB.NXY

Upon execution the worm copies itself to %windir%\userinit.exe and makes changes to the registry in order to ensure the copy's execution at system startup.

A second copy is created as %windir%\system32\system.exe.

Both executables, while running, will protect each other from being terminated.

After this, the worm tries to update itself from the following locations: t35.com, titanichost.com, 110mb.com. The downloaded file is saved as %windir%\system32\task.exe and, once launched, replaces the two copies of the worm.

In order to protect itself, it denies access to the following security websites by making changes to the %windir%\system32\drivers\etc\hosts file:

download.f-secure.com
mirror02.gdata.de
download.avg.com
spftrl.digitalriver.com
www.grisoft.cz
download1us.softpedia.com
download.softpedia.com
www.bitdefender.co.uk
www.bitdefender.com
virusscan.jotti.org
bkav.com.vn
www.bkav.com.vn
download.com.vn
www.download.com.vn
9down.com
www.9down.com
download.eset.com
www.download.com
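As an added defensive example that is not part of the original write-up, a small Python check that parses a hosts file and flags any entry for the vendor domains listed above (the sample hosts content is constructed):

```python
# Added example, not from the Bitdefender write-up: the worm above blocks
# vendor update sites through the system hosts file. This check parses a
# hosts file and reports any entry that maps one of the write-up's domains;
# a clean hosts file should not mention them at all.

# Domains taken from the write-up's hosts-file block list.
WATCHED_DOMAINS = {
    "download.f-secure.com", "mirror02.gdata.de", "download.avg.com",
    "spftrl.digitalriver.com", "www.grisoft.cz", "download1us.softpedia.com",
    "download.softpedia.com", "www.bitdefender.co.uk", "www.bitdefender.com",
    "virusscan.jotti.org", "bkav.com.vn", "www.bkav.com.vn",
    "download.com.vn", "www.download.com.vn", "9down.com", "www.9down.com",
    "download.eset.com", "www.download.com",
}

# Default Windows hosts entries that are legitimate and must not be flagged.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names
        for name in names:
            yield ip, name.lower()

def find_sinkholed(text, watched=WATCHED_DOMAINS):
    """Return [(ip, hostname)] for entries that hijack a watched domain.
    Mapping a vendor site to loopback blocks its updates; mapping it to any
    other address silently redirects them, so both cases are reported."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if (ip, name) not in BENIGN and name in watched]

# Constructed sample resembling a hosts file after the worm has edited it.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.bitdefender.com
127.0.0.1 download.eset.com  virusscan.jotti.org
10.0.0.5  download.avg.com   # constructed: redirected, not just blocked
127.0.0.1 intranet.example   # unrelated local override, not flagged
"""

if __name__ == "__main__":
    for ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```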

A third file is created as %windir%\kdcoms.dll. This file is actually nothing but a text file containing the following message: “Don’t worry! I will protect your computer”. After an update, the file contains the current date.

The worm spreads on all removable drives by making a copy of itself in the root folder of the drive using forever.exe as a filename. An autorun.inf file will be created to point to this file.

Information in this article is available courtesy of BitDefender virus researchers: Balazs Biro and Ovidiu Visoiu
