About Viruses Variant

All Information



Overview -

-- Update August 29, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.bbc.co.uk/1/hi/technology/7583805.stm

--


This description is for a password stealing trojan which attempts to steal user information for certain online games.


The characteristics of this password stealer with regards to passwords stolen, sites accessed, files downloaded etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.

Aliases




  • Trj/Lineage.BZE [Panda]



  • Trojan.Win32.Vaklik.bkh [Kaspersky]



  • Trojan:Win32/Meredrop [Microsoft]



  • W32.Gammima.AG [Symantec]



  • W32/Autorun-CL [Sophos]




Characteristics


Characteristics -

-- Update August 29, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.bbc.co.uk/1/hi/technology/7583805.stm


--


When executed, this password stealer drops a copy of itself in the following locations:



  • %windir%\system32\tavo.exe
  • %windir%\system32\tavo0.dll [Injected into many running processes]

  • %temp%\lawb.dll

The tavo0.dll file harvests the names of gaming servers, players passwords, PIN numbers and other information for well known online games and this information may be uploaded to a pre-defined site as configured by the attacker.


The malware also attempts to download an updated copy of itself, from the following URLs:



  • www.hgff46.net/[removed]/ff.exe
  • www.hgff46.net/[removed]/cc.exe

These downloaded files drop the following files which are new variants of the same malware:



  • %windir%\system32\tavo.exe
  • %windir%\system32\tavo1.dll

  • %windir%\system32\kavo0.exe
  • %windir%\system32\kavo0.dll
  • %systemdrive%\l1.com
  • %systemdrive%\autorun.inf
  • %windir%\xmg.exe
  • %windir%\tt.exe
  • %windir%\rb.exe
  • %windir%\system32\mmvo.exe
  • %windir%\system32\mmvo0.dll
  • %windir%\system32\ckvo.exe
  • %windir%\system32\ckvo0.dll

The malware also creates the following registry keys to ensure the malware's execution at system startup:



  • HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "kava"
    Data: %windir%\system32\kavo.exe

  • HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run "tava"
    Data: %windir%\system32\tavo.exe

The following security related processes may be terminated by the malware:



  • Kav.exe
  • Rav.exe
  • Avp.exe
  • Kavsvc.exe

This password stealer is also capable of spreading through removable devices by dropping a copy of itself along with an AutoRun.inf configuration file in all removable devices, the root of all fixed drives and the system folders.


"Autorun.inf" is a text based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive, CD-ROM drive or the insertion of a removable disk drive.


This configuration file is usually intended as a convenience feature, however is often misused by malware authors to create malware that spread automatically without any user interaction.



Note:


%System% is a variable that refers to the System folder. By default, this is C:\Windows\System32 for Windows XP


Given below is a screenshot of the contents of a typical Autorun.inf configuration file:



Miscellaneous Information:


Users who would like to prevent worms which execute without any user interaction using an “AutoRun.inf” file, can disable the Windows AutoRun feature completely with the help of the Windows group policy editor (Gpedit.msc).


ScreenShot below:



 


Symptoms



Symptoms -


  • Presence of files and registry entries mentioned earlier
  • Software based firewall, if any installed on the machine, might alert about an unknown program attempting to connect to the internet


Method of Infection


Method of Infection -


This password stealer may spread by copying itself to removable devices, along with an “Autorun.inf”.


Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.


The malware can also spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Tidak ada komentar:

Posting Komentar