2 min read

BitDefender weekly review

Bogdan Botezatu

September 11, 2009

Promo Protect all your devices, without slowing them down.
Free 30-day trial
BitDefender weekly review

Normal
0

false
false
false

EN-US
X-NONE
X-NONE

MicrosoftInternetExplorer4

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:”Table Normal”;
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:””;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:”Times New Roman”,”serif”;}

Trojan.Autorun.ALG

The purpose
of this Trojan is to steal login information from massive multiplayer online
role playing games (MMORPGs). When executed, the e-threat will create two files
inside %temp%: herss.exe (a copy of itself) and cvasds0.dll which will be
injected in every running process.

Additionally
it will create “3c.exe” and an autorun.inf file pointing at the executable,
inside the root folders of ever accessible drive. As a result, the Trojan will
be executed every time any of the drives are accessed.

It will
also make certain registry changes in order to ensure the file herss.exe will
be executed on every reboot. Show hidden files and folders is disabled as well
by making changes to the registry.

The
infected DLL file is responsible of the actual account stealing.

 

Trojan.Tofsee.AM

When the
malware is run, the program makes two copies of itself in
%windir%system32[random-name].exe and %userprofile%[random-name2].exe. They
will also be added to the registry in order for them to be executed at every
system startup.

Next the
%windir%system32[random-name].exe is executed and the initial file is deleted
using a bat file. This executable will modify the security settings of Internet
Explorer and add itself to the Windows Firewall trusted application list.

The malware
will try to connect to the following servers to get new instrucitons: 193.27.246.157,
212.95.32.52, 89.107.104.110, 213.155.7.242.

The
infected computer is then transformed into a spamming relay, in this sense a
smtp server and an email generator is implemented in the malware body.

Information
in this article is available courtesy of BitDefender virus researcher: Lutas
Andrei Vlad and Ovidiu Visoiu

tags


Author



You might also like

Bookmarks


loader