
BitDefender weekly review

Bogdan BOTEZATU

September 04, 2009


The website contains information about the Romanian celebrity “Elena Udrea”, hence the name of the backdoor: Udrea – Ardu (Udrea in reverse, without the e). A comment string inside the backdoor’s code also shows the Romanian origin of the malware writer. It reads: “link important de tinut sus”, which translates to “important link to be held online”.


Trojan.Downloader.VBS.DA

This small downloader is written in VBS and is embedded in websites to infect users. When it receives control, it will attempt to download 4 files from the following location: http://love[removed].org/css. The files being downloaded are:

– AutoCfg.exe – infected, detected by BitDefender as Backdoor.Ardu.A
– Instexnt.exe, Autoexnt.exe, Servmess.dll – clean files, used for running scripts before a user logs on

After downloading these files, it will attempt to install the AutoExNT service and it will create the file AutoExNT.bat, in which the infected application (AutoCfg.exe) will be listed. This way, the malware will be executed after every reboot, even if there is no user logged on to that computer.


Backdoor.Ardu.A

This backdoor will most likely end up on a system after being downloaded by other malware (e.g. Trojan.Downloader.VBS.DA) under the name %windir%\system32\AutoCfg.exe. This is nothing but a big executable that carries inside its overlay a Ruby interpreter together with several runtime libraries it will need for running the infected script. After getting executed, it will drop all these files inside %temp% and execute them. The malware script will perform the following actions:
– retrieve the local computer name
– retrieve the local user name
– retrieve the victim’s IP address
– retrieve a file (ip.txt) from the following URL: http://www.run[removed].com/examples/ip.txt, which contains (as its name says) an IP address
– connect to that IP address on port 2009
– send the data gathered about the victim (IP address, computer name, user name)
– listen for commands that an attacker may send; if the command contains “Goodbye”, the session will be closed; any other command will be appended to the file %windir%\system32\AutoCfg.bat (created by the malware)


The bat file and the backdoor’s executable are registered to run at every system startup.
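As an added illustration (not part of the original article or of Bitdefender's own tooling), the Python below correlates constructed proxy and firewall log lines to flag the infection chain described above (an HTTP fetch of /examples/ip.txt followed by an outbound connection to TCP port 2009 from the same host) and checks an AutoExNT.bat body for the AutoCfg.exe entry; the log formats, hostnames and addresses are assumed and constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed log formats (assumed for this example): proxy lines read
# "<ISO ts> <src ip> GET <url>"; firewall lines read
# "<ISO ts> ALLOW TCP <src ip>:<port> -> <dst ip>:<port>".
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) GET (?P<url>\S+)")
FW_RE = re.compile(r"^(?P<ts>\S+) ALLOW TCP (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
                   r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")
C2_PORT = 2009                    # backdoor's C2 port, from the article
IP_TXT_PATH = "/examples/ip.txt"  # path of the C2 address lookup, from the article

def find_ardu_chains(proxy_lines, firewall_lines):
    """Return {src: [(lookup_ts, connect_ts, c2_ip)]} for hosts that fetched ip.txt and then hit TCP/2009."""
    lookups = defaultdict(list)
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m and m.group("url").endswith(IP_TXT_PATH):
            lookups[m.group("src")].append(datetime.fromisoformat(m.group("ts")))
    hits = defaultdict(list)
    for line in firewall_lines:
        m = FW_RE.match(line)
        if not m or int(m.group("dport")) != C2_PORT:
            continue
        connect_ts = datetime.fromisoformat(m.group("ts"))
        for lookup_ts in lookups.get(m.group("src"), []):
            if lookup_ts <= connect_ts:  # the ip.txt lookup must precede the connection
                hits[m.group("src")].append((lookup_ts, connect_ts, m.group("dst")))
    return dict(hits)

def autoexnt_lists_autocfg(bat_text):
    """True if an AutoExNT.bat body launches AutoCfg.exe (pre-logon persistence); REM/:: comment lines ignored."""
    for line in bat_text.splitlines():
        s = line.strip()
        if not s or re.match(r"(?i)(rem\b|::)", s):
            continue
        if "autocfg.exe" in s.lower():
            return True
    return False

# Constructed sample data: 10.0.0.5 shows the full chain, 10.0.0.9 only touches port 2009.
SAMPLE_PROXY = [
    "2009-09-04T10:00:01 10.0.0.5 GET http://www.example.invalid/examples/ip.txt",
    "2009-09-04T10:00:02 10.0.0.7 GET http://www.example.invalid/index.html",
]
SAMPLE_FW = [
    "2009-09-04T10:00:03 ALLOW TCP 10.0.0.5:49152 -> 203.0.113.10:2009",
    "2009-09-04T09:59:00 ALLOW TCP 10.0.0.9:49153 -> 203.0.113.11:2009",
    "2009-09-04T10:00:04 ALLOW TCP 10.0.0.5:49154 -> 203.0.113.10:80",
]
```

A port-2009 connection alone (10.0.0.9) is not flagged; only the lookup-then-connect sequence from one host is, which keeps the rule tied to the behaviour the article describes.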

Information in this article is available courtesy of BitDefender virus researcher Lutas Andrei Vlad.
