
BitDefender weekly review

Bitdefender

May 08, 2009


Cyber criminals wage a war against security software, and these are some of the ways they do it:

Trojan.KillAV.PT

This Trojan is a really nice piece of work. It was not easy to analyze and, although it is not that complex, it is interesting to see how intricate an attacker's mind can get in order to reach his goal.

The Trojan starts by dropping three components, which we look at more closely below.

1. The antivirus killer (killdll.dll):

– is saved in %windir%\system32, is loaded first and contains two encrypted drivers. The file is deleted after 15 seconds.

1.1. The first driver is used to kill the following processes, all of which belong to security products:

avp.exe
DrUpdate.exe
QQDoctorRtp.exe
KWatch.exe
Uplive.exe
udaterui.exe
McTray.exe
SHSTAT.exe
ccSvcHst.exe
xcommsvr.exe
vsserv.exe
livesrv.exe
bdagent.exe
mcinsupd.exe
mcshell.exe
FrameworkService.exe
vstskmgr.exe
mcagent.exe
mcnasvc.exe
mcmscsvc.exe
mcsysmon.exe
mfevtps.exe
mcupdmgr.exe
vptray.exe
ccapp.exe
rtvscan.exe
defwatch.exe
ccEvtMgr.exe
ccSetMgr.exe
KVSrvXP.exe
KPFW32.exe
engineserver.exe
KavStart.exe
kmailmon.exe
KPfwSvc.exe
KISSvc.exe
MPSVC3.exe
MPSVC.exe
MpfSrv.exe
naPrdMgr.exe
rsnetsvr.exe
mcshield.exe
McProxy.exe
QQDoctor.exe
Rav.exe
ScanFrm.exe
RsTray.exe
RavStub.exe
CCenter.exe
RavTask.exe
RavMonD.exe
RavMon.exe
egui.exe
mfeann.exe
RsAgent.exe
ekrn.exe
antiarp.exe
360tray.exe
360Safebox.exe
safeboxTray.exe

To achieve this, the driver is saved as %windir%\system32\drivers\AsyncMac.sys, overwriting the legitimate Microsoft Remote Access Network Serial driver that normally carries that name.

It then disables the automatic start of these services so that they are not loaded again after a reboot. When it is done, the driver is unloaded and its file deleted.

1.2. The second driver is saved as %windir%\system32\drivers\aec.sys, again overwriting the original driver, the Microsoft Acoustic Echo Canceller. This component disables commonly used proactive detection techniques by undoing the changes that antivirus software makes to kernel memory (the hooks its behavioural monitoring depends on). After it has finished, it is unloaded and deleted.

2. The downloader ([random_value]_xeex.exe):

– is saved in %windir% after killdll.dll has finished its job. On execution this component first checks where it has been started from. If it is running as userinit.exe (the overwritten copy, see component 3), it first launches explorer.exe, the normal userinit.exe behaviour, so the user does not notice the infection, and then continues with its own routine. If it is not running as userinit.exe, it continues with its own routine without starting explorer.exe.

It sends the MAC address, the operating system version and the file version (probably derived from the creation date) to the following script: http://[removed]518js.com/30330/count.asp

It then downloads and executes about 30 files listed in an online text file located at http://[removed]518js.com/30330/newfz.txt. If the downloader version reported above is outdated, the list also contains a new version of the Trojan so that it can update itself; the rest of the files belong to the OnlineGames password-stealer family.

It registers the parent executable image to run at system startup through the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, using the value name RsTray (the same name as one of the security-product processes in the kill list above, which makes the entry easy to overlook).

3. The overwriter (pcidump.sys):

– is saved in %windir%\system32\drivers, loaded into memory and, after it has finished its job, deleted.

The driver's function is to overwrite userinit.exe, a core Windows component, with the downloader so that the downloader is executed at every system startup. Under normal circumstances userinit.exe exits after initializing the necessary processes. When it has been overwritten with the downloader, however, it stays resident in memory, which gives the victim a hint of the malware's presence.

The main executable also copies itself to %windir%\system32\scvhost.exe (a name chosen to resemble the legitimate svchost.exe) and afterwards deletes the original file it was executed from.
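As an added example, not part of the Bitdefender write-up, the following PowerShell triage script looks for the artifacts this Trojan leaves on a host: the two overwritten Microsoft drivers and the dropped pcidump.sys, the RsTray Run value, the dropped downloader and scvhost.exe copy, a userinit.exe that is no longer Microsoft-signed or that stays resident, and security services whose start type has been switched to Disabled. The file, value and process names are taken from the text above; the function name Test-KillAVArtifacts, the output format, the signer check and the subset of the kill list used for the service check are my own assumptions.

```powershell
# Added triage script for the Trojan.KillAV.PT artifacts described above. It is not part of the
# Bitdefender write-up; run it in an elevated PowerShell on the suspect host. File, value and
# process names come from the write-up; the checks and their output format are my own.

function Test-KillAVArtifacts {
    $windir   = $env:windir
    $system32 = Join-Path $windir 'system32'
    $drivers  = Join-Path $system32 'drivers'
    $findings = @()

    # 1. Drivers. AsyncMac.sys and aec.sys are Microsoft inbox drivers and should be Microsoft-signed;
    #    pcidump.sys is the Trojan's own driver (normally deleted after use). Caveat: where inbox
    #    drivers are signed only through a catalog file, Get-AuthenticodeSignature can report
    #    NotSigned for a clean file, so confirm a hit against a known-good copy before acting on it.
    foreach ($name in 'AsyncMac.sys', 'aec.sys', 'pcidump.sys') {
        $path = Join-Path $drivers $name
        if (-not (Test-Path -LiteralPath $path)) {
            # The Trojan deletes the driver file it replaced once it is done, so a missing inbox
            # driver is worth recording as well.
            $findings += [pscustomobject]@{ Check = 'driver'; Item = $path; Result = 'missing' }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $fromMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        $result = if ($fromMicrosoft) { 'Microsoft-signed' } else { "SUSPECT: $($sig.Status)" }
        $findings += [pscustomobject]@{ Check = 'driver'; Item = $path; Result = $result }
    }

    # 2. Persistence: a Run value named RsTray, the same name as a security-product tray process.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $rsTray = (Get-ItemProperty -Path $runKey -Name RsTray -ErrorAction SilentlyContinue).RsTray
    if ($rsTray) {
        $findings += [pscustomobject]@{ Check = 'run-key'; Item = "$runKey\RsTray"; Result = "SUSPECT: $rsTray" }
    }

    # 3. Dropped files: the downloader (<random>_xeex.exe) in %windir%, killdll.dll and the
    #    scvhost.exe copy (a misspelling of svchost.exe) in system32.
    foreach ($f in Get-ChildItem -LiteralPath $windir -Filter '*_xeex.exe' -File -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Check = 'dropped'; Item = $f.FullName; Result = 'SUSPECT' }
    }
    foreach ($rel in 'killdll.dll', 'scvhost.exe') {
        $path = Join-Path $system32 $rel
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Check = 'dropped'; Item = $path; Result = 'SUSPECT' }
        }
    }

    # 4. userinit.exe. The genuine binary is Microsoft-signed and exits after starting the shell.
    #    One that fails the signature check, or is still running once the desktop is up, has been
    #    overwritten with the downloader.
    $userinit = Join-Path $system32 'userinit.exe'
    $sig = Get-AuthenticodeSignature -FilePath $userinit
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings += [pscustomobject]@{ Check = 'userinit'; Item = $userinit; Result = "SUSPECT: $($sig.Status)" }
    }
    foreach ($p in Get-Process -Name userinit -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Check = 'userinit'; Item = "PID $($p.Id)"; Result = 'SUSPECT: still resident' }
    }

    # 5. Services switched off. The kill list above is a list of process names; any service whose
    #    binary is one of them and whose start type is now Disabled deserves a second look.
    #    (Subset of the kill list chosen for illustration.)
    $killList = 'avp', 'vsserv', 'bdagent', 'livesrv', 'xcommsvr', 'ccSvcHst', 'mcshield', 'FrameworkService',
                'rtvscan', 'ekrn', 'KVSrvXP', 'KPfwSvc', 'RavMonD', 'KISSvc', 'ccEvtMgr', 'ccSetMgr'
    $pattern  = '\\(' + ($killList -join '|') + ')\.exe'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Disabled'") {
        if ($svc.PathName -match $pattern) {
            $findings += [pscustomobject]@{ Check = 'service'; Item = $svc.Name; Result = "SUSPECT: disabled ($($svc.PathName))" }
        }
    }

    return $findings
}

Test-KillAVArtifacts | Format-Table -AutoSize
```

The script only reports; it changes nothing on the host, so it can be run before imaging. Because the Trojan deletes pcidump.sys and killdll.dll after use, an absence of those two files proves nothing, which is why the driver signatures, the Run value and a resident userinit.exe carry more weight. On the network side, the two URL paths quoted above (/30330/count.asp and /30330/newfz.txt) are the indicators to search proxy logs for; the host name is redacted in the write-up.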

Win32.Worm.VB.NXY

Upon execution the worm copies itself to %windir%\userinit.exe (the legitimate userinit.exe lives in %windir%\system32) and changes the registry to ensure that this copy is executed at system startup.

A second copy is created as %windir%\system32\system.exe.

Both executables, while running, will protect each other from being terminated.

After this, the worm tries to update itself from the following locations: t35.com, titanichost.com, 110mb.com. The downloaded file is saved as %windir%\system32\task.exe and, once launched, replaces the two copies of the worm.

To protect itself, it denies access to the following security websites by adding entries for them to the %windir%\system32\drivers\etc\hosts file:

download.f-secure.com
mirror02.gdata.de
download.avg.com
spftrl.digitalriver.com
www.grisoft.cz
download1us.softpedia.com
download.softpedia.com
www.bitdefender.co.uk
www.bitdefender.com
virusscan.jotti.org
bkav.com.vn
www.bkav.com.vn
download.com.vn
www.download.com.vn
9down.com
www.9down.com
download.eset.com
www.download.com

A third file is created as %windir%\kdcoms.dll. Despite the extension, this is a plain text file containing the message “Don't worry! I will protect your computer”. After an update, the file contains the current date instead.

The worm spreads to all removable drives by copying itself to the root folder of the drive as forever.exe, together with an autorun.inf file that points to this copy.
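The hosts-file hijack and the removable-drive autorun described above are the two artifacts a responder can check quickly. The following PowerShell script is an added example, not part of the Bitdefender write-up: it parses the hosts file for mappings of the listed security sites (any static mapping for them is suspicious, whatever the address), looks for the dropped files in the locations given above, and parses autorun.inf on every removable drive for an open=, shellexecute= or shell\<verb>\command= line and the forever.exe copy it points at. The domain list, file names and locations come from the text; the function names and output format are my own assumptions.

```powershell
# Added triage script for the Win32.Worm.VB.NXY artifacts described above. Not part of the
# Bitdefender write-up; run in an elevated PowerShell on the suspect host. Domains, file names
# and locations come from the write-up; the checks themselves are illustrative.

# Security sites the worm sinkholes in the hosts file (list taken from the write-up).
$BlockedSites = @(
    'download.f-secure.com', 'mirror02.gdata.de', 'download.avg.com', 'spftrl.digitalriver.com',
    'www.grisoft.cz', 'download1us.softpedia.com', 'download.softpedia.com', 'www.bitdefender.co.uk',
    'www.bitdefender.com', 'virusscan.jotti.org', 'bkav.com.vn', 'www.bkav.com.vn', 'download.com.vn',
    'www.download.com.vn', '9down.com', 'www.9down.com', 'download.eset.com', 'www.download.com'
)

# Parse the hosts file and return every mapping for one of the listed sites. A workstation never
# needs a static entry for these names, so any hit is suspicious regardless of the address used.
function Get-HostsFileHijacks {
    param([string]$Path = (Join-Path $env:windir 'system32\drivers\etc\hosts'))
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $entry = ($line -split '#', 2)[0].Trim()          # drop trailing comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'                       # <address> <name> [<alias> ...]
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($BlockedSites -contains $name.ToLower()) {
                [pscustomobject]@{ Check = 'hosts'; Item = $name; Result = "SUSPECT: mapped to $($fields[0])" }
            }
        }
    }
}

# Files the worm creates. The genuine userinit.exe lives in system32, so one directly in %windir%
# is a copy of the worm; kdcoms.dll is a text marker, so its first line is shown.
function Get-WormDropFiles {
    $windir = $env:windir
    $paths  = @(
        (Join-Path $windir 'userinit.exe'),
        (Join-Path $windir 'system32\system.exe'),
        (Join-Path $windir 'system32\task.exe'),
        (Join-Path $windir 'kdcoms.dll')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $note = if ($p -like '*\kdcoms.dll') {
            "marker text: $(Get-Content -LiteralPath $p -TotalCount 1)"
        } else { 'present' }
        [pscustomobject]@{ Check = 'file'; Item = $p; Result = "SUSPECT: $note" }
    }
}

# Removable drives: autorun.inf whose launch directive points at forever.exe in the drive root.
function Get-AutorunHijacks {
    foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $disk.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            foreach ($line in Get-Content -LiteralPath $inf) {
                # open=, shellexecute= and shell\<verb>\command= all name a file to launch
                if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
                    $target = $Matches[2]
                    $flag   = if ($target -match 'forever\.exe') { 'SUSPECT: launches forever.exe' } else { 'review' }
                    [pscustomobject]@{ Check = 'autorun'; Item = "$inf -> $target"; Result = $flag }
                }
            }
        }
        $copy = Join-Path $root 'forever.exe'
        if (Test-Path -LiteralPath $copy) {
            [pscustomobject]@{ Check = 'autorun'; Item = $copy; Result = 'SUSPECT: worm copy in drive root' }
        }
    }
}

@(Get-HostsFileHijacks; Get-WormDropFiles; Get-AutorunHijacks) | Format-Table -AutoSize
```

Get-HostsFileHijacks takes a -Path parameter so the same parser can be pointed at a hosts file exported from a disk image. Because the two worm copies guard each other, terminate or quarantine them from outside the running system (or after booting from clean media) rather than one at a time; the script deliberately makes no changes.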

Information in this article is available courtesy of BitDefender virus researchers Balazs Biro and Ovidiu Visoiu.
