2 min read

BitDefender weekly review

Bitdefender

June 12, 2009

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
BitDefender weekly review

Trojan.Downloader.JS.NN

Yet another JavaScript that is used to exploit one of the Adobe Reader and Acrobat code execution vulnerabilities described in detail here: CVE-2008-2992. If the malicious PDF file is executed, the JavaScript inside it will do the following:

– decrypt

its encrypted body (first phase), responsible for injecting the shell-code at a specific address into the attacked process.

– Place
several NOP (No Operation) instructions at the begging of that code to make sure execution of the shell-code starts at the beginning.

The shell-code (~450 B) will first decrypt the rest of the code (second phase), make sure certain API functions are available to it, then attempt a download for an executable file located at http://netcorb[removed]/load.php which will be saved under the current folder with the name “~.exe”. If the download is successful, the script will launch the executable.

Trojan.Dropper.Cutwail.AT

This Trojan is a versions of the Cutwail (Pushdo/Pandex) Trojan that forms the second largest spam BotNet on the planet – sending proximately 7.7 billion emails per day.

When first executed, the main installer (which is actually nothing but a downloader) unpacks itself in memory. It then makes a copy of the original *.exe into %userprofile%%username%.exe
and registers it to start at every system startup, then deletes the original file.

In order to protect itself, it will continuously launch, do its job, then exit. This makes it almost impossible to kill because of the rapidly changing process identifier.

Its main purpose is to download the other two components of the Trojan: the rootkit dropper and the spammer.

If successful, it will execute the rootkit first, which was saved in %temp% under the name BN[number].tmp. This file will drop a driver inside %windir%system32drivers[name].sys where name can be any of the following: ntmd, fat16s, fat32s, pusi, gen_vok, ws2_32sik, netsik, port135sik, nicsk32, ksi32sk, systemntmi, securentm, fips32cup, ati64si, i386si, amd64si, acpi32.

Regardless of the file name, the driver creates a symbolic link to the file which is “ndis_ver2”. If the driver is already present it will update it to the latest version.

After this process, the *.tmp file will be deleted.

The driver contains another copy of the original downloader and will inject it into services.exe from kernel mode, to make removal even harder.

After the driver has been launched, the spammer component follows. It will be injected by the downloader into svchost.exe, which trnasforms the system into a spam-bot, sending hundreds of unwanted emails per day.

Information in this article is available courtesy of BitDefender virus researchers: Lutas Andrei Vlad and Balazs Biro

tags


Author



Right now

Top posts

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021

June 22, 2022

1 min read
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data

May 24, 2022

3 min read
John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

How to keep your Android device immune to malicious vaccine themed apps How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read