
Weekly Review

Bogdan BOTEZATU

March 02, 2009

Backdoor.Agent.AADK
Upon execution, it overwrites the non-critical Windows driver beep.sys with a rootkit, detected by BitDefender as Trojan.Rootkit.GGR, which gives it access to the SSDT (System Service Descriptor Table).

A second component is dropped in %windir%\system32 and is loaded as a service at every system startup. The service is called "MS Media Control Center" and has the description "Provides support for T*m*t*D.dll", where each * is a random ASCII character. This DLL is detected as Backdoor.PCClient.TEO.
The backdoor tries to connect to awen667788.3322.org on TCP port 1122, sending synchronization packets and waiting for remote commands and for a new malware file, which is saved as C:\1.exe.
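As an added example (not part of the original review and not BitDefender's tooling), the Python below sweeps for the Backdoor.Agent.AADK indicators described above over constructed sample data in the shape a service listing, a DNS query log, a netstat dump and a file listing would give. The benign service, the hostnames, the IP addresses and the random characters filled into the DLL name are made up; the indicator values themselves are the ones from the text.

```python
import re

# Indicators taken from the Backdoor.Agent.AADK description above.
SERVICE_NAME = "MS Media Control Center"
DESC_PATTERN = "Provides support for T*m*t*D.dll"  # each * is ONE random ASCII character
C2_HOST = "awen667788.3322.org"
C2_PORT = 1122
DROPPED_FILES = {r"c:\1.exe"}


def wildcard_to_regex(pattern):
    """Turn the write-up's '*' (exactly one random ASCII character) into a regex.

    A glob-style '.*' would also match the real string but is far looser and
    would fire on unrelated descriptions, so each '*' becomes a single
    printable-ASCII character class instead.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + r"[\x21-\x7e]".join(literal_parts) + "$", re.IGNORECASE)


DESC_RE = wildcard_to_regex(DESC_PATTERN)


def scan_services(services):
    """services: dicts with 'name' and 'description', as 'sc qc' or
    Win32_Service would report them. Returns (name, reasons) per hit."""
    hits = []
    for svc in services:
        reasons = []
        if svc["name"].strip().lower() == SERVICE_NAME.lower():
            reasons.append("service name matches")
        if DESC_RE.match(svc.get("description", "").strip()):
            reasons.append("description matches 'Provides support for T*m*t*D.dll'")
        if reasons:
            hits.append((svc["name"], reasons))
    return hits


def scan_network(dns_queries, connections):
    """dns_queries: hostnames seen in DNS logs; connections: (remote_ip, port).
    The hostname is the strong indicator; port 1122 alone is only worth a look,
    because the dynamic-DNS name can resolve to any address."""
    findings = [("dns", q) for q in dns_queries if q.lower().rstrip(".") == C2_HOST]
    findings += [("port", f"{ip}:{port}") for ip, port in connections if port == C2_PORT]
    return findings


def scan_files(paths):
    """paths: file listing of the system drive; case-insensitive exact match."""
    return [p for p in paths if p.lower() in DROPPED_FILES]


def sweep(services, dns_queries, connections, paths):
    return {
        "services": scan_services(services),
        "network": scan_network(dns_queries, connections),
        "files": scan_files(paths),
    }


# Constructed sample host data (not real telemetry).
SAMPLE_SERVICES = [
    {"name": "Spooler", "description": "Loads files to memory for later printing"},
    {"name": "MS Media Control Center", "description": "Provides support for TqmXtZD.dll"},
]
SAMPLE_DNS = ["windowsupdate.microsoft.com", "awen667788.3322.org"]
SAMPLE_CONNECTIONS = [("10.0.0.5", 445), ("203.0.113.7", 1122)]
SAMPLE_FILES = [r"C:\1.exe", r"C:\WINDOWS\system32\beep.sys"]

if __name__ == "__main__":
    for category, hits in sweep(SAMPLE_SERVICES, SAMPLE_DNS, SAMPLE_CONNECTIONS, SAMPLE_FILES).items():
        print(category, hits)
```

Two caveats when using this against a real host. First, the rootkit component has SSDT access, so a live listing of services, files and connections may simply omit the artifacts; collect the data from an offline image or after booting clean media. Second, the script cannot tell a trojanized beep.sys from a clean one by name; compare its hash against a copy from install media or from an identical build.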
Trojan.Downloader.JS.Psyme.SR

This Trojan uses obfuscated VBScript and JavaScript code to download and execute other malware on the user's computer. It is not executed from a web page; it runs on the already infected computer.

It is part of a drive-by exploit chain (like Trojan.Exploit.SSX, http://www.bitdefender.com/VIRUS-1000396-en--Trojan.Exploit.SSX.html) which uses known vulnerabilities to infiltrate unpatched systems. This one tries to exploit a vulnerability in the Microsoft Data Access Components (MDAC) ActiveX object through its CLSID BD96C556-65A3-11D0-983A-00C04FC29E36 in order to download a file from hxxp://?.weixk.com/[removed].css, which is detected by BitDefender as Rootkit.Agent.AIWN. The file is saved under %temp% with the name "GameeeEeee.pif".

Afterwards, it creates another VBScript file with the following content (every line or fragment starting with an apostrophe is a VBScript comment, used here as padding around the two real statements):

'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
This file runs the downloaded rootkit through the WScript.Shell object.
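The apostrophe padding in that script is cheap obfuscation: everything after an unquoted apostrophe on a VBScript line is a comment. As an added example, not code from the review or from BitDefender, the Python below strips those comments (respecting apostrophes inside string literals), then resolves which COM object each variable holds and which method is called on it, so the dropper's real action, WScript.Shell Run on a file in %Temp%, is recovered automatically. The copy of the script embedded in it is the one quoted above with straight quotes and the path separator restored; the rule that flags executables launched out of %Temp% is my own heuristic, not something the review states.

```python
import re

# Constructed copy of the dropper script quoted above, with the quotes and the
# backslash as the script would actually contain them.
DROPPER_VBS = r"""'I LOVE gameee TEAM'I LOVE gameee TEAM
Set Love_gameee = CreateObject("Wscript.Shell")'I LOVE gameee TEAM
'I LOVE gomeee TEAM'i LOVE gomeee TEAM
Love_gameee.run ("%Temp%\GameeeEeee.pif")
'I LOVE gameee TEAM'I LOVE gameee TEAM
"""


def strip_vbs_comments(script):
    """Return the non-empty code lines of a VBScript with ' comments removed.

    An apostrophe inside a "..." literal is not a comment marker, so the
    scanner tracks whether it is inside a string. VBScript writes a literal
    double quote as "" which toggles the flag twice and so needs no special case.
    """
    code_lines = []
    for line in script.splitlines():
        in_string = False
        kept = []
        for ch in line:
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                break
            kept.append(ch)
        code = "".join(kept).strip()
        if code:
            code_lines.append(code)
    return code_lines


SET_RE = re.compile(r'^Set\s+(\w+)\s*=\s*CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
CALL_RE = re.compile(r'^(\w+)\.(\w+)\s*\(?\s*"([^"]*)"', re.IGNORECASE)


def extract_actions(script):
    """Map 'Set x = CreateObject("ProgID")' followed by 'x.Method "arg"'
    into (ProgID, method, argument) tuples."""
    objects = {}
    actions = []
    for line in strip_vbs_comments(script):
        m = SET_RE.match(line)
        if m:
            objects[m.group(1).lower()] = m.group(2)
            continue
        m = CALL_RE.match(line)
        if m and m.group(1).lower() in objects:
            actions.append((objects[m.group(1).lower()], m.group(2).lower(), m.group(3)))
    return actions


# Heuristic (my own, not from the review): a shell object launching an
# executable out of %Temp% is the dropper behaviour described on this page.
LAUNCH_METHODS = {"run", "exec"}
TEMP_EXEC_RE = re.compile(r"^%temp%\\[^\\]+\.(pif|exe|com|scr|bat|cmd)$", re.IGNORECASE)


def suspicious_launches(script):
    return [
        (progid, method, arg)
        for progid, method, arg in extract_actions(script)
        if progid.lower() == "wscript.shell" and method in LAUNCH_METHODS
        and TEMP_EXEC_RE.match(arg)
    ]


if __name__ == "__main__":
    for line in strip_vbs_comments(DROPPER_VBS):
        print("code:", line)
    for hit in suspicious_launches(DROPPER_VBS):
        print("launch:", hit)
```

The comment stripper is the part worth keeping: it works on any VBScript that hides its statements behind apostrophe noise, not just this sample. The action extractor is deliberately narrow (one object per Set, one literal string argument) and will miss concatenated or Chr()-built arguments, which is the next obfuscation step a practitioner should expect.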

Information in this article is
available courtesy of BitDefender virus researchers: Ovidiu Visoiu, Daniel Chipiristeanu.