Virus: TR/Vilsel.iop
Date discovered: 15/10/2009
Type: Trojan
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 21,504 Bytes
MD5 checksum: 7d96ce7f588613f0343049918de70665
IVDF version: 7.01.06.111 - Thursday, October 15, 2009
General
Method of propagation:
• No own spreading routine

Aliases:
• McAfee: FakeAlert-AB.dldr
• Kaspersky: Trojan.Win32.Vilsel.iop
• F-Secure: Trojan-Downloader:W32/Fakerean.Y
• ESET: Win32/Kryptik.AUZ
• Bitdefender: Trojan.Downloader.FakeAlert.DH

Similar detection:
• TR/Vilsel.ioq

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Lowers security settings
• Registry modification

Falsely reports malware infections or system problems and offers to fix them if the user buys the application (rogue security software). Right after execution the following information is displayed:

Files
It copies itself to the following locations:
• %home%\Application Data\seres.exe
• %home%\Application Data\svcst.exe

It tries to download a file:
– The location is the following:
• http://tsarbunerkadosa.com/x**********
It is saved on the local hard drive under: %home%\Application Data\lizkavd.exe
This file is executed as soon as the download has completed. Further investigation showed that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen

Registry
The following values are added under the Run key so that both dropped files are started again after a reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• mserv="%home%\Application Data\seres.exe"
• svchost="%home%\Application Data\svcst.exe"

The following registry keys are changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
New value:
• "LowRiskFileTypes"="zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
• "SaveZoneInformation"=dword:00000001
With .exe, .msi and .reg listed in LowRiskFileTypes the Windows Attachment Manager no longer shows its security warning when such files are opened, and SaveZoneInformation=1 stops the zone identifier (Mark-of-the-Web) from being written to downloaded files.

Lowers Internet Explorer security settings:
– [HKCU\Software\Microsoft\Internet Explorer\Download]
Old value:
• "CheckExeSignatures"="yes"
• "RunInvalidSignatures"=dword:00000000
New value:
• "CheckExeSignatures"="no"
• "RunInvalidSignatures"=dword:00000001
With these values Internet Explorer no longer verifies the Authenticode signature of downloaded executables and allows files with missing or invalid signatures to run.

Email
It doesn't have its own spreading routine but it was spammed out via email.
The characteristics are described in the following:
From: The sender address is spoofed.
Subject: The following:
• A new settings file %receiver's email address% has just been released
Body: The body of the email is the following:
• Dear user of the %recipient's domain% mailing service! We are informing you that because of the security upgrade of the mailing service your mailbox %receiver's email address% settings were changed. In order to apply the new set of settings open zip attached file. Best regards, %recipient's domain% Technical Support.
Attachment: The filename of the attachment is:
• install.zip
The attachment is an archive containing a copy of the malware itself.
The email looks like the following:

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file it is packed with a runtime packer.
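As an added example (not part of the Avira description), the following Python script triages a `reg export` dump of HKCU offline and flags the registry artefacts listed above: the Run values pointing at seres.exe and svcst.exe, the weakened Internet Explorer download settings, and the Attachment Manager values under Policies\Associations. The sample export is constructed to mirror the description, with `C:\Documents and Settings\user\Application Data` standing in for `%home%\Application Data`; the rule that flags any executable autostarting directly from Application Data is a heuristic of mine and is not stated in the description.

```python
"""Triage a `reg export` dump (offline) for the autostart entries and the
security-lowering values listed in the TR/Vilsel.iop description. Added example."""
import re
from typing import Dict, List, Tuple

# File names come from the description; the Application Data rule is heuristic.
KNOWN_DROPPED_EXES = {"seres.exe", "svcst.exe", "lizkavd.exe"}
# Extensions that must never be exempted from the Attachment Manager warning.
DANGEROUS_EXTS = {"exe", "msi", "reg", "cab", "scr", "bat", "cmd", "com", "vbs", "js"}

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_DOWNLOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
ASSOC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

RegTree = Dict[str, Dict[str, object]]
Finding = Tuple[str, str, str]  # (key, value name, why it matters)

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg files double backslashes and escape quotes inside string data.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> RegTree:
    """Parse .reg text into {key: {value_name: value}}; REG_SZ -> str,
    dword -> int, other types kept raw, hex continuation lines skipped."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current and not line.startswith(";") else None
        if not m:
            continue  # header, blank, comment, continuation or malformed line
        name = "@" if m.group(2) else _unescape(m.group(1))
        rhs = m.group(3).strip()
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            value: object = _unescape(rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            value = int(rhs[6:], 16)
        else:
            value = rhs
        tree[current][name] = value
    return tree


def _lookup(tree: RegTree, key: str) -> Dict[str, object]:
    # Registry paths are case-insensitive; match our constants accordingly.
    return next((v for k, v in tree.items() if k.lower() == key.lower()), {})


def find_vilsel_indicators(tree: RegTree) -> List[Finding]:
    """Return every registry artefact from the description that is present in tree."""
    out: List[Finding] = []
    for name, value in _lookup(tree, RUN_KEY).items():
        if not isinstance(value, str):
            continue
        parts = value.strip().strip('"').replace("/", "\\").split("\\")
        exe = parts[-1].lower()
        if exe in KNOWN_DROPPED_EXES:
            out.append((RUN_KEY, name, f"autostart of dropped file {exe}"))
        elif exe.endswith(".exe") and len(parts) > 1 and parts[-2].lower() == "application data":
            out.append((RUN_KEY, name, f"heuristic: {exe} autostarts directly from Application Data"))

    ie = _lookup(tree, IE_DOWNLOAD_KEY)
    if str(ie.get("CheckExeSignatures", "yes")).lower() == "no":
        out.append((IE_DOWNLOAD_KEY, "CheckExeSignatures", "signature check on downloaded executables disabled"))
    if ie.get("RunInvalidSignatures") == 1:
        out.append((IE_DOWNLOAD_KEY, "RunInvalidSignatures", "executables with invalid signatures allowed to run"))

    assoc = _lookup(tree, ASSOC_KEY)
    low = assoc.get("LowRiskFileTypes")
    if isinstance(low, str):
        bad = sorted({e.strip().lstrip(".").lower() for e in low.split(";")} & DANGEROUS_EXTS)
        if bad:
            out.append((ASSOC_KEY, "LowRiskFileTypes", "executable types marked low risk: " + ", ".join(bad)))
    if assoc.get("SaveZoneInformation") == 1:
        out.append((ASSOC_KEY, "SaveZoneInformation", "zone identifier (Mark-of-the-Web) no longer saved on downloads"))
    return out


# Constructed sample mirroring the changes described on this page (not a real capture).
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mserv"="C:\\Documents and Settings\\user\\Application Data\\seres.exe"
"svchost"="C:\\Documents and Settings\\user\\Application Data\\svcst.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"="zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
"SaveZoneInformation"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, why in find_vilsel_indicators(parse_reg_export(INFECTED_EXPORT)):
        print(f"[{key}] {name}: {why}")
```

On a suspect machine, `reg export HKCU hkcu.reg` produces the input; the Version 5.00 format is written as UTF-16 LE, so open the file with `encoding="utf-16"` before passing its text to `parse_reg_export`. The benign ctfmon.exe entry in the sample is left alone, which is the point of matching on the dropped file names and on the Application Data location rather than on the generic value names mserv and svchost.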
Description inserted by Thomas Wegele on Thursday, October 15, 2009 Description updated by Thomas Wegele on Thursday, October 15, 2009