
BitDefender weekly review

Bitdefender

June 12, 2009


Trojan.Downloader.JS.NN

Yet another JavaScript used to exploit one of the Adobe Reader and Acrobat code-execution vulnerabilities, CVE-2008-2992. If the malicious PDF file is opened, the JavaScript embedded in it does the following:

– decrypt its encrypted body (first phase), which is responsible for injecting the shell-code at a specific address inside the attacked process;

– place several NOP (No Operation) instructions at the beginning of that code, so that execution of the shell-code reliably starts at its first byte.

The shell-code (~450 B) first decrypts the rest of the code (second phase) and resolves the API functions it needs, then attempts to download an executable from http://netcorb[removed]/load.php, which is saved in the current folder under the name “~.exe”. If the download succeeds, the shell-code launches the executable.
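The pattern described above (an unescape()'d NOP sled plus shell-code inside the PDF's JavaScript) can be triaged statically, without opening the file in Reader. CVE-2008-2992 is the util.printf() format-width stack overflow in Adobe Reader 8.1.2; the article does not name the function, so that part is background knowledge, not something the page states. The Python below is an added example, not code from the article or from Bitdefender: it locates /JS streams in a PDF, inflates FlateDecode'd ones, converts %uXXXX literals back into the bytes they occupy in memory, and flags long 0x90 runs and an oversized printf width. The sample PDF is constructed inline and is inert; the stream regex assumes flat (non-nested) dictionaries and LF line endings, and the thresholds (16-byte NOP run, 1024-character width) are the example's own choices, not values from the article.

```python
import re
import zlib

# Constructed sample (not a real malicious file): a minimal PDF whose /JS stream
# carries the shape the article describes, an unescape()'d NOP sled and a short
# shell-code blob, followed by a util.printf() call with an oversized format width.
def build_sample_pdf() -> bytes:
    js = (
        b'var sled = unescape("' + b"%u9090" * 64 + b'");\n'
        b'var sc = unescape("%u4141%u4242%u4343%u4444");\n'
        b'var buf = sled + sc;\n'
        b'util.printf("%45000f", 1);\n'
    )
    data = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
        b"6 0 obj\n<< /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + data + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )

# /JS may point at an indirect object (N 0 R); that object's stream holds the script.
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")
# Stream objects with a flat dictionary and LF line endings: enough for triage, not a PDF parser.
STREAM_OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"\s*\)')
PRINTF_RE = re.compile(r'util\.printf\(\s*"%(\d+)f"')

def extract_scripts(pdf: bytes) -> list[str]:
    """Return the decoded JavaScript bodies referenced by /JS entries."""
    wanted = {int(n) for n in JS_REF_RE.findall(pdf)}
    scripts = []
    for num, dct, body in STREAM_OBJ_RE.findall(pdf):
        if int(num) not in wanted:
            continue
        if b"/FlateDecode" in dct:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or deliberately corrupt stream; skip it
        scripts.append(body.decode("latin-1"))
    return scripts

def decode_unescape(literal: str) -> bytes:
    """Turn a %uXXXX literal into the bytes it occupies in memory (UTF-16LE code units)."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9A-Fa-f]{4})", literal):
        v = int(unit, 16)
        out += bytes((v & 0xFF, v >> 8))
    return bytes(out)

def triage_script(js: str) -> dict:
    """Heuristics for the CVE-2008-2992 pattern: NOP sled, shell-code blob, oversized printf width."""
    nop_sled = 0
    shellcode = 0
    for literal in UNESCAPE_RE.findall(js):
        blob = decode_unescape(literal)
        longest_nop_run = max((len(m.group(0)) for m in re.finditer(rb"\x90+", blob)), default=0)
        if longest_nop_run >= 16:          # example threshold, not a value from the article
            nop_sled = max(nop_sled, longest_nop_run)
        else:
            shellcode += len(blob)
    m = PRINTF_RE.search(js)
    width = int(m.group(1)) if m else None
    suspicious = nop_sled >= 16 or (width or 0) > 1024
    return {"nop_sled_bytes": nop_sled, "shellcode_bytes": shellcode,
            "printf_width": width, "suspicious": suspicious}

def scan_pdf(pdf: bytes) -> list[dict]:
    return [triage_script(js) for js in extract_scripts(pdf)]

if __name__ == "__main__":
    for finding in scan_pdf(build_sample_pdf()):
        print(finding)
```

The decoder matters more than the regexes: a %u9090 unit is two 0x90 bytes in memory, so a sled that looks like 64 units on the page is 128 bytes of NOPs, which is what the sled length check should measure. Real samples obfuscate the string building (concatenation, eval, replace tricks), so a miss from this static pass does not clear a file; a hit is enough to pull it for dynamic analysis.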

Trojan.Dropper.Cutwail.AT

This Trojan is a version of the Cutwail (Pushdo/Pandex) Trojan, which forms the second largest spam botnet on the planet, sending approximately 7.7 billion emails per day.

When first executed, the main installer (which is actually nothing but a downloader) unpacks itself in memory. It then copies the original *.exe to %userprofile%\%username%.exe, registers that copy to start at every system startup, and deletes the original file.

In order to protect itself, it continuously launches, does its job, then exits. This makes it almost impossible to kill by hand, because its process identifier changes rapidly.

Its main purpose is to download the other two components of the Trojan: the rootkit dropper and the spammer.

If successful, it executes the rootkit first, which was saved in %temp% under the name BN[number].tmp. This file drops a driver at %windir%\system32\drivers\[name].sys, where name can be any of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.

Regardless of the file name, the driver creates a symbolic link named “ndis_ver2”. If the driver is already present, it is updated to the latest version.

After this process, the *.tmp file will be deleted.

The driver contains another copy of the original downloader and will inject it into services.exe from kernel mode, to make removal even harder.

After the driver has been launched, the spammer component follows. The downloader injects it into svchost.exe, which transforms the system into a spam bot sending hundreds of unwanted emails per day.
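The Cutwail description above lists concrete on-disk and registry artifacts: a copy of the downloader at %userprofile%\%username%.exe registered to autostart, a BN[number].tmp dropper in %temp%, a driver under one of the seventeen listed names in %windir%\system32\drivers, and the ndis_ver2 symbolic link. The Python below is an added example, not Bitdefender's detection or removal tooling: it runs those checks over a host inventory (file paths, autostart values, object-manager symbolic link names). The inventory here is constructed inline; on a real case it would come from a forensic image or a live triage collection. The rapid relaunch behaviour cannot be seen in a static snapshot and is deliberately not checked.

```python
import re
from dataclasses import dataclass

# Driver file names the article lists for %windir%\system32\drivers\[name].sys
CUTWAIL_DRIVER_NAMES = frozenset({
    "ntmd", "fat16s", "fat32s", "pusi", "gen_vok", "ws2_32sik", "netsik", "port135sik",
    "nicsk32", "ksi32sk", "systemntmi", "securentm", "fips32cup", "ati64si", "i386si",
    "amd64si", "acpi32",
})
DRIVER_RE = re.compile(r"\\system32\\drivers\\([a-z0-9_]+)\.sys$", re.I)
TMP_DROPPER_RE = re.compile(r"\\temp\\bn\d+\.tmp$", re.I)   # %temp%\BN[number].tmp

@dataclass
class HostSnapshot:
    """Inventory collected from one host. Field names are this example's own."""
    username: str
    files: list[str]            # full paths of files on disk
    run_values: dict[str, str]  # autostart registry value name -> command line
    symlinks: list[str]         # object-manager symbolic link names

def check_cutwail(snap: HostSnapshot) -> list[str]:
    """Return one finding per Cutwail artifact present in the snapshot (empty list if none)."""
    findings = []
    user = snap.username.lower()
    copy_suffix = f"\\{user}\\{user}.exe"   # tail of %userprofile%\%username%.exe

    for path in snap.files:
        p = path.lower()
        if p.endswith(copy_suffix):
            findings.append(f"downloader copy: {path}")
        if TMP_DROPPER_RE.search(p):
            findings.append(f"rootkit dropper temp file: {path}")
        m = DRIVER_RE.search(p)
        if m and m.group(1) in CUTWAIL_DRIVER_NAMES:
            findings.append(f"driver with known Cutwail name: {path}")

    for name, cmd in snap.run_values.items():
        # command lines may be quoted, so match on the path tail rather than equality
        if copy_suffix in cmd.lower():
            findings.append(f"autostart value '{name}' launches downloader copy: {cmd}")

    for link in snap.symlinks:
        l = link.lower()
        if l == "ndis_ver2" or l.endswith("\\ndis_ver2"):
            findings.append(f"rootkit symbolic link: {link}")

    return findings

# Constructed snapshot (not data from a real host) exercising every check once;
# the XP-era %userprofile% layout matches the article's 2009 timeframe.
def build_sample_snapshot() -> HostSnapshot:
    return HostSnapshot(
        username="alice",
        files=[
            r"C:\Windows\system32\drivers\ntfs.sys",
            r"C:\Windows\system32\drivers\fat32s.sys",
            r"C:\Documents and Settings\alice\alice.exe",
            r"C:\Documents and Settings\alice\Local Settings\Temp\BN3.tmp",
        ],
        run_values={
            "ctfmon": r"C:\Windows\system32\ctfmon.exe",
            "alice": r'"C:\Documents and Settings\alice\alice.exe"',
        },
        symlinks=[r"\??\ndis_ver2", r"\??\C:"],
    )

if __name__ == "__main__":
    for finding in check_cutwail(build_sample_snapshot()):
        print(finding)
```

A hit on a driver name alone identifies a file that uses a name this family is known for, not proof of infection; the next step is to hash the file and check its signature, and to compare the services.exe and svchost.exe images in memory against their on-disk copies, since the article notes the driver injects the downloader into services.exe from kernel mode. The BN[number].tmp check will usually come up empty on a running system because the dropper deletes it after use; it is mainly useful against a timeline built from a disk image.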

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Balazs Biro
