
[Malware Review] MSN-spreading batch worm

Bitdefender

May 29, 2009


Rootkit.Indag.A

This is a small generic rootkit driver that can be bundled with any malware. Its purpose is to terminate antivirus processes that cannot be killed from user mode because they are protected by a self-protection driver.

The rootkit is a driver that creates a device named “GanDiao”. While this driver is loaded, any user-mode application can kill any process.

To achieve this, an application only has to issue a DeviceIoControl request to the driver, passing, among other arguments, 0x88888888 as the I/O control code and the PID (process ID) of the target process. The rootkit looks up the process’s EPROCESS structure and, using the undocumented kernel function MmUnmapViewOfSection, unmaps a specific portion of ntdll.dll inside the attacked process, which makes it exit without any warning or error.
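As an added example (not Bitdefender's code), the Python below decodes the 0x88888888 control code into the CTL_CODE fields a driver analyst looks at when triaging a driver's IOCTL handlers, and, on Windows, probes whether a device named GanDiao is reachable from user mode. It only opens the device; it never sends the kill request. The control code and the device name are taken from the write-up; that the driver exposes a \\.\GanDiao symbolic link with the same name as the device is my assumption, as is the check against the vendor ranges from the Windows DDK conventions.

```python
r"""Decode the control code Rootkit.Indag.A answers to and probe for its device.

Added example, not Bitdefender's code. The control code 0x88888888 and the
device name "GanDiao" come from the write-up; that the driver exposes the
symbolic link \\.\GanDiao (same name as the device) is an assumption.
"""
import sys

# Bit layout of a Windows I/O control code as packed by the DDK CTL_CODE macro:
#   bits 31..16 device type, 15..14 access, 13..2 function, 1..0 transfer method.
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}

INDAG_KILL_IOCTL = 0x88888888   # control code the driver's kill handler expects
INDAG_DEVICE = "GanDiao"        # device name the driver registers


def ctl_code(device_type, function, method, access):
    """Same packing as CTL_CODE(DeviceType, Function, Method, Access)."""
    return (((device_type & 0xFFFF) << 16) | ((access & 0x3) << 14)
            | ((function & 0xFFF) << 2) | (method & 0x3))


def decode_ioctl(code):
    """Split a 32-bit control code into its CTL_CODE fields."""
    code &= 0xFFFFFFFF
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def describe_ioctl(code):
    """Human-readable view; flags values outside the ranges the DDK leaves to third parties.

    Device types below 0x8000 and function codes below 0x800 are reserved for
    Microsoft, so a driver using them either ignores the convention or is not
    a real vendor driver. 0x88888888 is clearly a picked-by-hand value.
    """
    f = decode_ioctl(code)
    notes = []
    if f["device_type"] < 0x8000:
        notes.append("device type in Microsoft-reserved range")
    if f["function"] < 0x800:
        notes.append("function code in Microsoft-reserved range")
    text = (f"0x{code:08X}: type=0x{f['device_type']:04X} function=0x{f['function']:03X} "
            f"{METHOD_NAMES[f['method']]} {ACCESS_NAMES[f['access']]}")
    return text + (" [" + "; ".join(notes) + "]" if notes else "")


def device_present(name=INDAG_DEVICE):
    """Windows only: True if \\\\.\\<name> resolves, False if it does not, None elsewhere.

    Assumption: the driver's symbolic link carries the same name as the device.
    Access denied still counts as present, since the name resolved to an object.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    OPEN_EXISTING = 3
    ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND = 2, 3
    invalid = wintypes.HANDLE(-1).value
    # Desired access 0: we only want to know whether the object exists.
    h = k32.CreateFileW("\\\\.\\" + name, 0, 0, None, OPEN_EXISTING, 0, None)
    if h is None or h == invalid:
        return ctypes.get_last_error() not in (ERROR_FILE_NOT_FOUND, ERROR_PATH_NOT_FOUND)
    k32.CloseHandle(h)
    return True


if __name__ == "__main__":
    print(describe_ioctl(INDAG_KILL_IOCTL))
    print("GanDiao device present:", device_present())
```

Decoding a control code is mostly useful when the driver is a legitimate vendor product with a table of handlers; here it simply shows that the author ignored the DDK conventions, which is itself a cheap triage signal when an unknown driver turns up on a system.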

Win32.Worm.Mafraz.A

This e-threat comes packaged as a Delphi executable, which is nothing more than a file generated by Quick Batch File compiler. QBF is used to “compile” batch files into executables; “compile” is a misnomer, since it only produces an executable that embeds the batch file, drops it into the %temp% folder and runs it from there.

When executed, it will first drop a batch file which does the following:

– it will create a folder called “Global” in the root of every drive and copy the executable into it as “Global.exe”

– it will create an autorun.inf file and set the hidden attribute on it. This file launches “Global.exe” every time the drive is accessed, provided the autorun feature is enabled

– it will disable Task Manager through specific registry changes

– it will make another copy of the executable as %windir%\system32\sistema\Global.exe or %windir%\system32\Global.exe

– it will add registry entries pointing to one of the files above so that it is executed at every system startup

– if it finds winrar.exe, it will archive the “Global.exe” file and save the archive as %windir%\system32\Global\Fotos-Chaos-Global.rar

– if it finds MSN Messenger installed, it will create a JavaScript file at %programfiles%\Messenger Plus! Live\Scripts\MSN PLUS\MSN PLUS.js (the script folder of the Messenger Plus! Live add-on) and add that path to a specific registry entry

This file is used to attempt infection of other machines using MSN Messenger. The process works as follows:

– when a new chat window is opened the JavaScript file will be executed

– the script will automatically send the archived file to the contact, along with a line of random text chosen from the following strings:

“En El 2009Por El Calentamiento Global”
“(-AZAFRAM-)”
“Visita forolibre.com.ar y registrate”

Next, the batch file will do the following:

– it will connect to an FTP server (ftp.by[removed]3.com) and log in with a predefined username and password

– it will upload a file named %username%.txt, where %username% is the name of the user account the batch file runs under. The text file contains system and hardware details (the output of the systeminfo command), the exact date and time of infection and the IP configuration of the infected computer

– it will change Internet Explorer’s home page to http://f[removed]ibre.com.ar

– it will set the hidden attribute on the %windir% and %windir%\system32 folders

– it will add some registry keys to mark its presence on the system
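The drop behaviour and the MSN spreading mechanism described above reduce to a handful of file-system indicators: a “Global” folder with Global.exe in every drive root, an autorun.inf whose launch directives point at that file, and the Messenger Plus! Live script. As an added example (not Bitdefender's code), the Python below parses autorun.inf the way the Windows shell reads it (only the [autorun] section, keys case-insensitive) and sweeps a directory tree for those indicators. The indicator names and chat strings come from the write-up; the autorun.inf contents and the sample tree are constructed here for the demo and are not from a real sample.

```python
"""File-system IOC sweep for the Win32.Worm.Mafraz.A drop behaviour described above.

Added example, not Bitdefender's code. Indicator names come from the write-up;
the autorun.inf contents and the sample directory tree are constructed here.
"""
import os
import sys
import tempfile

DROPPED_DIR = "Global"
DROPPED_EXE = "Global.exe"
# Folder of the Messenger Plus! Live add-on where the worm drops its script
MSN_SCRIPT_PARTS = ("Messenger Plus! Live", "Scripts", "MSN PLUS", "MSN PLUS.js")
# Strings the script sends along with the archive (from the write-up)
CHAT_STRINGS = (
    "En El 2009Por El Calentamiento Global",
    "(-AZAFRAM-)",
    "Visita forolibre.com.ar y registrate",
)
# autorun.inf directives that can launch a program when a drive is opened
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Only the [autorun] section is honoured and keys are matched without regard
    to case, which is how the shell reads the file; comments start with ';'.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launches(entries, exe_name):
    """True if any launch directive references exe_name (case-insensitive)."""
    needle = exe_name.lower()
    return any(needle in entries.get(k, "").lower() for k in LAUNCH_KEYS)


def scan_drive_root(root):
    """Check one drive root (any directory can stand in for it) for the worm's droppings."""
    findings = []
    exe = os.path.join(root, DROPPED_DIR, DROPPED_EXE)
    if os.path.isfile(exe):
        findings.append(("dropped_copy", exe))
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        if autorun_launches(entries, DROPPED_EXE):
            findings.append(("autorun_launcher", inf))
    return findings


def scan_messenger_plus(programfiles):
    """Look for the dropped Messenger Plus! Live script and the chat strings inside it."""
    script = os.path.join(programfiles, *MSN_SCRIPT_PARTS)
    if not os.path.isfile(script):
        return []
    with open(script, "r", errors="replace") as fh:
        body = fh.read()
    return [("msn_plus_script", script, [s for s in CHAT_STRINGS if s in body])]


def build_sample_tree(base):
    """Constructed infected layout for the demo (placeholder files, not a real sample)."""
    os.makedirs(os.path.join(base, DROPPED_DIR), exist_ok=True)
    with open(os.path.join(base, DROPPED_DIR, DROPPED_EXE), "wb") as fh:
        fh.write(b"MZ placeholder")
    with open(os.path.join(base, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nOPEN=Global\\Global.exe\nshellexecute=Global\\Global.exe\n")
    script_dir = os.path.join(base, "pf", *MSN_SCRIPT_PARTS[:-1])
    os.makedirs(script_dir, exist_ok=True)
    with open(os.path.join(script_dir, MSN_SCRIPT_PARTS[-1]), "w", encoding="utf-8") as fh:
        fh.write('var t = "(-AZAFRAM-)"; // constructed stand-in for the dropped script\n')


def demo():
    """Build the constructed tree in a temp dir, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_drive_root(tmp) + scan_messenger_plus(os.path.join(tmp, "pf"))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
    if sys.platform == "win32":   # sweep real drive roots on a live system
        for d in "CDEFGH":
            for finding in scan_drive_root(d + ":\\"):
                print(*finding)
```

Matching on the launch directives rather than on the mere presence of autorun.inf keeps the sweep quiet on legitimate media (installer CDs carry autorun.inf too); what makes the file an indicator here is that it hands execution to the worm's own copy.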

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad
