
Newly Found Dropper Skirts Startup List by Hijacking Critical DLL File

Loredana BOTEZATU

February 22, 2012


Viruses, worms and Trojans all need to be running alongside the operating system to cause any damage. Most add themselves to the Startup list by writing their path to the Startup registry key, but this makes them easy to detect for antivirus solutions or computer-savvy users. Unlike this “regular malware”, Trojan.Dropper.UAJ takes its own approach: it patches a vital code library (comres.dll), forcing every application that relies on comres.dll to execute this e-threat as well.

The Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory, which is where the operating system looks for a DLL to load when an application in that same folder (i.e. explorer.exe) requires it.

The dropper patches the code library by adding a single new malicious function to its import list, so that it is launched together with the rest of the library's functions. Next, the Trojan drops the file “prfn0305.dat” (identified by Bitdefender as Backdoor.Zxshell.B), which exports (contains) the function that compromises the system. Everything is now in place: the moment the system loads the code library, the malware is switched on.

Cyber-crooks chose comres.dll because it is widely used by most internet browsers and by some communication applications and networking tools, which makes it popular and practically indispensable to the operating system.

Since the dropper patches the DLL file already found on the system, rather than replacing it with its own version, Trojan.Dropper.UAJ is able to run on Windows 7, Windows Vista, Windows 2003, Windows 2000 and Windows NT, in both 32- and 64-bit environments.

This attack combines two techniques. The first is commonly known as “DLL load hijacking”: a coding weakness in which some applications specify only the name of the DLL they need instead of its full path. If a compromised DLL with the same name is placed “closer” to the application (i.e. in the application's own folder), the application will load that maliciously altered file instead of the genuine one. The second, which is new, is the function import technique described in paragraphs two and three.
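To show what the import-side tampering looks like to a defender, here is an added Python example (not Bitdefender's code and not from the original post): a minimal parser for the PE import directory that lists the modules a DLL imports and flags any whose name is not a .dll, which is exactly what a comres.dll patched to import a function from “prfn0305.dat” would reveal. The `build_sample_pe` helper constructs a tiny stand-in PE for testing; it is not the real file, and module names passed to it are assumptions.

```python
import struct

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def imported_modules(pe: bytes):
    """Return the module names listed in a PE file's import directory."""
    nt = _u32(pe, 0x3C)                       # e_lfanew -> offset of 'PE\0\0'
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = _u16(pe, nt + 6), _u16(pe, nt + 20)
    opt = nt + 24                             # start of the optional header
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112)  # PE32 vs PE32+ data dirs
    imp_rva = _u32(pe, dd + 8)                # data directory entry 1 = import table
    if imp_rva == 0:
        return []
    sections = []                             # (VirtualAddress, size, PointerToRawData)
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), raw))
    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} outside all sections")
    names, off = [], rva_to_off(imp_rva)
    while _u32(pe, off + 12):                 # Name RVA; an all-zero descriptor ends the list
        no = rva_to_off(_u32(pe, off + 12))
        names.append(pe[no:pe.index(b"\0", no)].decode("ascii"))
        off += 20                             # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return names

def suspicious_imports(names):
    """Imported modules whose name is not a .dll, e.g. a dropped .dat payload."""
    return [n for n in names if not n.lower().endswith(".dll")]

def build_sample_pe(dll_names):
    """Constructed minimal PE32 (not a real binary): one section holding an import table."""
    base, raw = 0x1000, 0x200
    descs, blob = b"", b""
    for n in dll_names:                       # descriptor Name field points into blob
        descs += struct.pack("<5I", 0, 0, 0, base + 20 * (len(dll_names) + 1) + len(blob), 0)
        blob += n.encode("ascii") + b"\0"
    body = descs + bytes(20) + blob           # zero descriptor terminates the table
    opt = struct.pack("<H", 0x10B) + bytes(94) + bytes(8) + struct.pack("<II", base, len(body)) + bytes(112)
    hdr = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102) + opt
           + b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), base, len(body), raw, 0, 0, 0, 0, 0x40000040))
    return hdr.ljust(raw, b"\0") + body
```

Running `suspicious_imports(imported_modules(open(path, "rb").read()))` over a comres.dll copy found in the Windows directory gives a quick triage signal; a clean system library imports only other .dll modules.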

The affected DLL file references code that can add or delete users, change passwords, add or remove user privileges, and run executable files with elevated rights.


This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
