BitDefender weekly review
its encrypted body (first phase), responsible for injecting the shell-code at a specific address into the attacked process.
several NOP (No Operation) instructions at the begging of that code to make sure execution of the shell-code starts at the beginning.
The shell-code (~450 B) will first decrypt the rest of the code (second phase), make sure certain API functions are available to it, then attempt a download for an executable file located at http://netcorb[removed]/load.php which will be saved under the current folder with the name “~.exe”. If the download is successful, the script will launch the executable.
This Trojan is a versions of the Cutwail (Pushdo/Pandex) Trojan that forms the second largest spam BotNet on the planet – sending proximately 7.7 billion emails per day.
When first executed, the main installer (which is actually nothing but a downloader) unpacks itself in memory. It then makes a copy of the original *.exe into %userprofile%%username%.exe
and registers it to start at every system startup, then deletes the original file.
In order to protect itself, it will continuously launch, do its job, then exit. This makes it almost impossible to kill because of the rapidly changing process identifier.
Its main purpose is to download the other two components of the Trojan: the rootkit dropper and the spammer.
If successful, it will execute the rootkit first, which was saved in %temp% under the name BN[number].tmp. This file will drop a driver inside %windir%system32drivers[name].sys where name can be any of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.
Regardless of the file name, the driver creates a symbolic link to the file which is “ndis_ver2”. If the driver is already present it will update it to the latest version.
After this process, the *.tmp file will be deleted.
The driver contains another copy of the original downloader and will inject it into services.exe from kernel mode, to make removal even harder.
After the driver has been launched, the spammer component follows. It will be injected by the downloader into svchost.exe, which trnasforms the system into a spam-bot, sending hundreds of unwanted emails per day.
Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Balazs Biro
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
June 22, 2022
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight
April 15, 2022
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users
April 14, 2022