
BitDefender weekly review

Bogdan BOTEZATU

September 11, 2009



Trojan.Autorun.ALG

The purpose of this Trojan is to steal login information for massively multiplayer online role-playing games (MMORPGs). When executed, the e-threat creates two files inside %temp%: herss.exe (a copy of itself) and cvasds0.dll, which is injected into every running process.

Additionally, it creates “3c.exe” and an autorun.inf file pointing at that executable inside the root folder of every accessible drive. As a result, the Trojan is executed every time any of those drives is accessed.

It also makes certain registry changes to ensure that herss.exe is executed on every reboot. The “Show hidden files and folders” option is disabled as well, again through registry changes.

The injected DLL (cvasds0.dll) is responsible for the actual account stealing.
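The drive-root autorun.inf described above is something a defender can check for directly. The following is an added example (not BitDefender's code and not derived from the Trojan's own files) that parses an autorun.inf and flags any key that launches a program, noting when the launched file sits in the drive root next to autorun.inf. The two sample autorun.inf texts and the list of files "present in the root" are constructed for the example; the only page-derived detail is the 3c.exe name.

```python
"""Added example: parse autorun.inf files and flag ones that launch a program.

Illustrative detection logic for the drive-root autorun.inf / 3c.exe pattern
described above. Sample inputs are constructed, not captured from the Trojan.
"""
import os
import re
from dataclasses import dataclass, field

# Extensions Windows runs directly when named in open= / shellexecute=
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# [autorun] keys that cause a program to run when the drive is opened or double-clicked
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


@dataclass
class AutorunFinding:
    launches: list = field(default_factory=list)  # (key, program) pairs found
    notes: list = field(default_factory=list)     # human-readable reasons


def parse_autorun_inf(text: str) -> dict:
    """Small INI parser that tolerates junk lines (real autorun.inf files often contain them)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def program_name(command: str) -> str:
    """Return the bare file name from a command value such as '"x:\\sub\\3c.exe" /s'."""
    command = command.strip()
    if command.startswith('"') and '"' in command[1:]:
        first = command[1:command.index('"', 1)]
    else:
        first = command.split()[0] if command else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1]


def assess_autorun(text: str, root_files: set) -> AutorunFinding:
    """Flag launch keys and note when the target sits in the drive root next to autorun.inf."""
    finding = AutorunFinding()
    present = {name.lower() for name in root_files}
    for key, value in parse_autorun_inf(text).get("autorun", {}).items():
        if not LAUNCH_KEY.match(key):
            continue
        target = program_name(value)
        finding.launches.append((key, target))
        if os.path.splitext(target)[1].lower() in EXECUTABLE_EXTS:
            finding.notes.append(f"{key}= runs executable '{target}'")
        if target.lower() in present:
            finding.notes.append(f"'{target}' is present in the drive root")
    return finding


def is_suspicious(text: str, root_files: set) -> bool:
    """A removable or fixed drive whose autorun.inf launches anything deserves a look."""
    return bool(assess_autorun(text, root_files).launches)


# Constructed sample: an autorun.inf laid out like the one described above
MALICIOUS_INF = """[autorun]
open=3c.exe
shell\\open\\command=3c.exe
shell\\open=Open
icon=3c.exe
"""
# Constructed sample: a benign file that only sets the drive icon and label
BENIGN_INF = """[autorun]
icon=disk.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for name, text, files in [("malicious", MALICIOUS_INF, {"autorun.inf", "3c.exe"}),
                              ("benign", BENIGN_INF, {"autorun.inf", "disk.ico"})]:
        result = assess_autorun(text, files)
        print(name, "suspicious" if result.launches else "clean", result.notes)
```

To use this against real drives, read `autorun.inf` from each drive root and pass the root directory listing as `root_files`; an `icon=`/`label=`-only file is normal for branded USB sticks, whereas any `open=`, `shellexecute=` or `shell\...\command=` entry on a removable drive is worth quarantining and inspecting.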

 

Trojan.Tofsee.AM

When the malware is run, it makes two copies of itself: %windir%\system32\[random-name].exe and %userprofile%\[random-name2].exe. Both are also added to the registry so that they are executed at every system startup.

Next, %windir%\system32\[random-name].exe is executed and the initial file is deleted using a .bat file. This executable modifies the security settings of Internet Explorer and adds itself to the Windows Firewall trusted application list.

The malware tries to connect to the following servers to get new instructions: 193.27.246.157, 212.95.32.52, 89.107.104.110, 213.155.7.242.

The infected computer is then turned into a spam relay: an SMTP server and an e-mail generator are implemented in the malware body.
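Two of the behaviours above are visible at the network edge: contact with the listed command servers, and a workstation opening SMTP sessions to many different hosts, which is what a relay does and what an ordinary mail client does not. The following is an added example (not BitDefender's code) of detection logic that runs over outbound connection logs. The key=value log layout, the internal host addresses, the internal mail relay address and the relay threshold are constructed assumptions; the four C2 addresses are the ones named in the write-up.

```python
"""Added example: flag Tofsee-style behaviour in outbound connection logs.

Two signals from the write-up above: contact with the listed command servers,
and a workstation opening SMTP sessions to many distinct hosts (a spam relay).
Log format and addresses of internal hosts are constructed for this example.
"""
import re
from collections import defaultdict

# Command-and-control addresses named in the write-up above
TOFSEE_C2 = {"193.27.246.157", "212.95.32.52", "89.107.104.110", "213.155.7.242"}
SMTP_PORTS = {25, 587}
# Constructed assumptions: the organisation's own mail relay, which workstations may
# legitimately talk to, and the number of distinct SMTP destinations that marks a relay
INTERNAL_MTA = {"10.0.0.25"}
RELAY_THRESHOLD = 5

# Constructed key=value log line layout, e.g. a perimeter firewall export
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else (never raise on junk)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def analyse(lines):
    """Return a sorted list of (alert_type, src, detail) tuples."""
    c2_contacts = defaultdict(set)   # src -> C2 addresses it reached
    smtp_targets = defaultdict(set)  # src -> hosts it spoke SMTP to (excluding our MTA)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in TOFSEE_C2:
            c2_contacts[rec["src"]].add(rec["dst"])
        if rec["proto"] == "tcp" and rec["dport"] in SMTP_PORTS and rec["dst"] not in INTERNAL_MTA:
            smtp_targets[rec["src"]].add(rec["dst"])
    alerts = []
    for src, dsts in c2_contacts.items():
        alerts.append(("c2-contact", src, ",".join(sorted(dsts))))
    for src, dsts in smtp_targets.items():
        if len(dsts) >= RELAY_THRESHOLD:
            alerts.append(("smtp-relay", src, str(len(dsts))))
    return sorted(alerts)


# Constructed sample log: 10.0.0.5 behaves like the description above,
# 10.0.0.7 is a normal client that only talks to the internal MTA
SAMPLE_LOG = [
    "2009-09-11T10:00:01 src=10.0.0.5 dst=193.27.246.157 dport=80 proto=tcp action=allow",
    "2009-09-11T10:00:09 src=10.0.0.5 dst=212.95.32.52 dport=80 proto=tcp action=allow",
    "2009-09-11T10:00:12 src=10.0.0.7 dst=10.0.0.25 dport=25 proto=tcp action=allow",
    "this line is garbage and must be skipped",
] + [
    f"2009-09-11T10:01:{i:02d} src=10.0.0.5 dst=203.0.113.{i} dport=25 proto=tcp action=allow"
    for i in range(1, 9)
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The C2 match is exact and will go stale as infrastructure moves; the SMTP fan-out rule is the durable part, since a workstation that should only ever speak to the internal MTA has no reason to open port 25 to dozens of hosts. Blocking outbound 25 from client subnets at the firewall both neutralises the relay and turns each attempt into a log line.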

Information in this article is available courtesy of BitDefender virus researchers Lutas Andrei Vlad and Ovidiu Visoiu.
