To hide its activity, when it is first run the trojan injects its code into the memory of Explorer.exe using low-level methods and starts a remote thread pointing at that region. This code (executed by Explorer) is responsible for injecting a DLL dropped by the trojan (%USERPROFILE%\Local Settings\Temp\cvasd0.dll) into all running processes.
The injected DLL contains two components: an online-game password stealer (targets: KnightOnline, Metin2, AgeOfConan, TheLordOfTheRings, Maple...) and another embedded DLL (ANTIVM.dll) that tries to disable some known security solutions, usually by stopping their update modules (Liveserv.exe, vsupdate.exe, Update.exe, AVP.exe, avgupd.exe).
The code injected into the Explorer.exe process copies itself to %ROOT%[random_name].exe and creates an Autorun.inf file pointing to this copy.
The following registry key is also modified by the malware:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft" = "%TEMP%\herss.exe", where the executable is a copy of the malware
The trojan then tries to download an updated, encrypted version (also detected as Trojan.PWS.Onlinegames) from:
www.googlem7k.com/[removed]/am.rar
www.sinap4k.com/[removed]/am.rar
SYMPTOMS:
presence of the files and registry key listed in the technical description;
inability to update some security solutions.
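As an added triage script (not BitDefender's tooling and not part of the original description), the following Python checks a host for the indicators above: the cdoosoft Run value and herss.exe, the dropped cvasd0.dll in %TEMP%, an Autorun.inf at a drive root that launches a root-level executable, and proxy-log lines referencing the two download hosts. The check_* functions take plain data (registry values, directory listings, log lines) so they run anywhere; the collect_* functions read the live registry and drive roots and need Windows. The sample registry values, autorun.inf body and log lines are constructed, the name xk3p.exe stands in for the [random_name] copy, and the root-level-exe rule in suspicious_autorun is a heuristic of mine, not something the description states.

```python
import os
import platform
import string

# Indicators taken from the description above.
RUN_VALUE_NAME = "cdoosoft"   # value name under HKCU\...\CurrentVersion\Run
RUN_VALUE_EXE = "herss.exe"   # copy of the trojan dropped in %TEMP%
DROPPED_DLL = "cvasd0.dll"    # injected DLL dropped in the temp folder
DOWNLOAD_HOSTS = ("www.googlem7k.com", "www.sinap4k.com")

# Constructed sample inputs for the self-test (not captured from a real host).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',
    "cdoosoft": r"C:\Documents and Settings\bob\Local Settings\Temp\herss.exe",
}
SAMPLE_AUTORUN = "[autorun]\r\nopen=xk3p.exe\r\nshell\\open\\Command=xk3p.exe\r\nshell\\open\\Default=1\r\n"
SAMPLE_PROXY_LOG = ["GET http://www.microsoft.com/ 200", "GET http://www.googlem7k.com/data/am.rar 200"]

def _command_path(value):
    """Strip quotes and arguments from a command line such as '"x.exe" /q'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def check_run_key(run_values):
    """run_values maps value name -> data read from the HKCU Run key.
    Returns the (name, data) pairs matching the persistence entry above."""
    def exe(data):
        return os.path.basename(_command_path(data).replace("\\", "/")).lower()
    return [(n, d) for n, d in run_values.items()
            if n.lower() == RUN_VALUE_NAME or exe(d) == RUN_VALUE_EXE]

def check_temp_listing(filenames):
    """Return entries of a %TEMP% directory listing that match the dropped files."""
    return sorted(f for f in filenames if f.lower() in (DROPPED_DLL, RUN_VALUE_EXE))

def check_proxy_log(lines):
    """Return log lines that reference either update-download host."""
    return [l for l in lines if any(h in l.lower() for h in DOWNLOAD_HOSTS)]

def autorun_targets(text):
    """Parse an autorun.inf body; return the commands its [autorun] section
    launches via open=, shellexecute= or shell\\<verb>\\command=."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(_command_path(value))
    return targets

def suspicious_autorun(text):
    """Flag autorun targets that are an .exe sitting directly in the drive root.
    Heuristic (assumption, not from the description): the worm's copy lives at
    %ROOT%[random_name].exe, so a bare root-level .exe target is the signal."""
    hits = []
    for target in autorun_targets(text):
        rel = target.lstrip(".\\/")
        if rel.lower().endswith(".exe") and "\\" not in rel and "/" not in rel:
            hits.append(target)
    return hits

def collect_run_values():
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return values
            values[name] = str(data)
            i += 1

def collect_autorun_files():
    """Yield (drive root, autorun.inf text) for every drive root carrying one."""
    for root in (c + ":\\" for c in string.ascii_uppercase):
        if os.path.isfile(root + "autorun.inf"):
            with open(root + "autorun.inf", "r", errors="replace") as fh:
                yield root, fh.read()

if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("live collection needs a Windows host; the check_* functions run on the SAMPLE_* data")
    print("Run key hits:", check_run_key(collect_run_values()))
    temp = os.environ.get("TEMP", "")
    if os.path.isdir(temp):
        print("dropped files in %TEMP%:", check_temp_listing(os.listdir(temp)))
    for root, text in collect_autorun_files():
        print(root, "autorun.inf launches:", suspicious_autorun(text))
```

The Run-key check matches on either the value name or the executable basename, since the name is the more fragile of the two indicators; an autorun.inf on a fixed hard drive is worth a look on its own, and the root-level-exe rule only ranks which entries to open first.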
Spreading: low
Damage: medium
Size: 113KB
Discovered: 2009 Dec 01
Use BitDefender Antivirus to disinfect your files.