2 min read

Weekly Review - Oldschool reborn

Bogdan Botezatu

January 30, 2009

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Weekly Review - Oldschool reborn

 

Adware.NaviPromo.Gen.3

The
Adware.NaviPromo malware family is
an advanced and difficult-to-detect adware that runs silently on the infected
computer. It uses rootkit techniques to hide its files on disk and memory. It
also hides its registry entries.

It
comes bundles with other applications that can be downloaded from the following
locations: netgamebox.com,
ediaplayer.com, planet.com, skinner.com, stro.com, cord.com, ngerskinner.com

Adware.Navipromo usually resides in
%system% or the Local SettingsApplication Data folder of the current user.

After
its first execution it creates the one or more of the following files in the
same directory it was ran from: [random_name].dat,
[random_name]_nav.dat, [random_name]_navps.dat, [random_name]_navup.dat, [random_name]_navtmp.dat,
[random_name]_m2s.xml, [random_name]_m2s.zl

It
injects code into explorer.exe and connects to the Internet. After monitoring
the victims browsing habits it sends the data to its creators and receives
targeted advertising material. This is displayed by the e-threat in annoying
pop-ups on the desktop.

Adware.Navipromo also tries to update itself by downloading an executable file in
%tempdir%aup.tmp.

It
also adds registry entries to mark its presence on the system.

Trojan.Mebroot.B

This is a
small e-threat that resides in the Master Boot Record (MBR) of the disk. When
the infected PC starts up Trojan.Mebroot is executed. The Trojan first
reserves memory for its body by subtracting 2 from the total amount of
conventional memory installed (in order to hide its trances and prevent the OS
from overwriting it).

If will
hook certain BIOS functions responsible with disk reading and loading sectors
into memory. After this step, it will load the original MBR into memory and
execute it. Because the disk services are hooked, all the read actions
performed by the MBR or the boot sector will activate the virus (true only
while the processor is in real mode).

During the
boot sequence the e-threat will execute its own kernel loader which will
execute and patch the windows kernel into memory, in order to make it load a
specific rootkit-driver and prepare the execution of other malware already
present on the system (most probably password stealers).

 

Information in this article is
available courtesy of BitDefender virus researchers: Stefan Catalin Hanu and Lutas Andrei Vlad

tags


Author



You might also like

Bookmarks


loader