
[Malware Review] MSN-spreading batch worm

Bitdefender

May 29, 2009


Rootkit.Indag.A

This is a small, generic rootkit driver that can be bundled with any malware. Its purpose is to kill antivirus products that cannot be killed from user mode because they ship a self-protection driver.

The rootkit is a driver that, once loaded, exposes a device named “GanDiao”. While the driver is loaded, any user-mode application can use it to kill any process on the system.

To do so, an application only has to issue a DeviceIoControl request to the device, passing, among other arguments, 0x88888888 as the I/O control code and the PID (process ID) of the target process. The driver looks up the process’s EPROCESS structure and, using an undocumented kernel function (MmUnmapViewOfSection), unmaps a specific region of ntdll.dll from the target process’s address space, causing it to exit without any warning or error message. Because the unmapping is done from kernel mode rather than through a process handle, the self-protection mechanisms that guard against user-mode termination (blocked OpenProcess/TerminateProcess calls) never come into play.

Win32.Worm.Mafraz.A

This e-threat comes as a Delphi executable that is nothing more than a file generated by Quick Batch File compiler. QBF is used to “compile” batch files into executables. “Compile” is the wrong term, since it only produces an executable that embeds the batch file and, when run, drops that batch file into the %temp% folder and executes it from there.

When executed, it first drops a batch file that does the following:

– creates a folder called “Global” in the root of every drive and copies the executable into it as “Global.exe”

– creates an autorun.inf file in the drive root and sets the hidden attribute on it; if the autorun feature is enabled, this file launches “Global.exe” every time the drive is accessed

– disables Task Manager through specific registry changes

– makes another copy of the executable as %windir%\system32\sistema\Global.exe or %windir%\system32\Global.exe

– adds registry entries pointing to one of the files above so that it is executed at every system startup

– if it finds winrar.exe, archives the “Global.exe” file and saves the archive as %windir%\system32\Global\Fotos-Chaos-Global.rar

– if it finds MSN Messenger installed, creates a JavaScript file at %programfiles%\Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js and adds its path to a specific registry entry

This script is used to try to infect other machines over MSN Messenger. The process works as follows:

– when a new chat window is opened, the JavaScript file is executed

– the script automatically sends the archived file to the contact, along with some random text. The text can contain the following strings:

“En El 2009Por El Calentamiento Global”
“(-AZAFRAM-)”
“Visita forolibre.com.ar y registrate”

Next, the batch file does the following:

– connects to an FTP server (ftp.by[removed]3.com) and logs in with a predefined username and password

– uploads a file named %username%.txt, where %username% is the name of the user account under which the batch file runs. Into this text file it writes hardware details (the output of the systeminfo command), the exact date and time of infection and the IP configuration of the infected computer

– changes Internet Explorer’s home page to http://f[removed]ibre.com.ar

– sets the hidden attribute on the %windir% and %windir%\system32 folders

– adds some registry keys to mark its presence on the system
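As an added example (not from the Bitdefender write-up and not the malware’s own code), the following PowerShell script sweeps a host for the indicators described in both entries above: the “GanDiao” device of Rootkit.Indag.A, and the dropped files, hidden autorun.inf, registry changes and hidden system folders of Win32.Worm.Mafraz.A. The device path \\.\GanDiao, the assumption that the driver’s service or image name also contains “GanDiao”, the DisableTaskMgr policy value and the use of the standard Run keys are this script’s assumptions; the write-up only names the device and speaks of “specific registry changes”. The redacted home page is matched on its visible tail only.

```powershell
# Added example, not part of the Bitdefender write-up: sweep a Windows host for
# the Rootkit.Indag.A / Win32.Worm.Mafraz.A indicators described above.
# Run from an elevated PowerShell prompt. Items marked ASSUMED are not stated
# in the write-up and are this script's guesses.

$findings = New-Object 'System.Collections.Generic.List[string]'

# --- Rootkit.Indag.A -------------------------------------------------------
# The driver registers a device named "GanDiao". If the device object exists,
# opening it with no access rights requested succeeds; no IOCTL is ever sent.
# ASSUMED: the user-mode device path is \\.\GanDiao.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'Kernel32' -Namespace 'IndagSweep' -PassThru
$OPEN_EXISTING = 3
$h = $k32::CreateFileW('\\.\GanDiao', 0, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
if ($h.ToInt64() -ne -1) {                       # INVALID_HANDLE_VALUE is -1
    $null = $k32::CloseHandle($h)
    $findings.Add('Rootkit.Indag.A: device \\.\GanDiao is present (process-killer driver loaded)')
}
# ASSUMED: the driver's service or image name also contains "GanDiao".
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like '*GanDiao*' -or $_.PathName -like '*GanDiao*' } |
    ForEach-Object { $findings.Add("Rootkit.Indag.A: driver service $($_.Name) -> $($_.PathName)") }

# --- Win32.Worm.Mafraz.A: dropped files ------------------------------------
$sys32 = Join-Path $env:windir 'system32'
$dropPaths = @(
    (Join-Path $sys32 'Global.exe'),
    (Join-Path $sys32 'sistema\Global.exe'),
    (Join-Path $sys32 'Global\Fotos-Chaos-Global.rar')
)
# Messenger Plus! Live script, checked under both Program Files roots on 64-bit
foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ })) {
    $dropPaths += Join-Path $pf 'Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js'
}
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    $dropPaths += Join-Path $drive.Root 'Global\Global.exe'
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $attrs  = (Get-Item -LiteralPath $inf -Force).Attributes
        $hidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
        $text   = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($hidden -and ($text -match 'Global\.exe')) {
            $findings.Add("Win32.Worm.Mafraz.A: hidden autorun.inf on $($drive.Root) launches Global.exe")
        }
    }
}
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) {
        $findings.Add("Win32.Worm.Mafraz.A: dropped file $p")
    }
}

# --- Win32.Worm.Mafraz.A: registry -----------------------------------------
# ASSUMED: startup persistence uses the standard Run keys and Task Manager is
# disabled via the DisableTaskMgr policy value.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Value -match 'Global\.exe' })) {
        $findings.Add("Win32.Worm.Mafraz.A: Run entry $key\$($prop.Name) = $($prop.Value)")
    }
}
$policy = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    $findings.Add('Win32.Worm.Mafraz.A: Task Manager disabled (DisableTaskMgr = 1)')
}
# The write-up shows the new home page only as http://f[removed]ibre.com.ar,
# so match on the unredacted tail.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and ($ie.'Start Page' -match 'ibre\.com\.ar')) {
    $findings.Add("Win32.Worm.Mafraz.A: IE home page set to $($ie.'Start Page')")
}

# --- Win32.Worm.Mafraz.A: hidden attribute on %windir% and system32 ---------
foreach ($dir in $env:windir, $sys32) {
    $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
    if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
        $findings.Add("Win32.Worm.Mafraz.A: hidden attribute set on $dir")
    }
}

if ($findings.Count -eq 0) { 'No Indag.A / Mafraz.A indicators found.' } else { $findings }
```

A successful open of \\.\GanDiao only proves that a device with that name exists; confirm a hit by locating the driver image behind it before treating it as the rootkit. The file and registry checks are weak individually (a hidden autorun.inf or a disabled Task Manager has many causes), so read the output as a whole rather than acting on any single line.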

Information in this article is available courtesy of BitDefender virus researcher Lutas Andrei Vlad.
