Virus: TR/Vilsel.ior
Date discovered: 20/10/2009
Type: Trojan
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 44,544 bytes
MD5 checksum: e6bc86359946024ea7547ae8e9915e61
IVDF version: 7.01.06.127 - Tuesday, October 20, 2009
General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Packed.Win32.Krap.ah
• F-Secure: Trojan-Downloader:W32/Fakerean.AG
• Eset: Win32/Kryptik.AVJ
• Bitdefender: Trojan.FakeAV.VC

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Lowers security settings
• Registry modification

The trojan falsely reports malware infections or system problems and offers to fix them if the user buys the application (rogue security software). Right after execution the following information is displayed: (screenshot not reproduced here)

Files

It copies itself to the following locations:
• %home%\Application Data\seres.exe
• %home%\Application Data\svcst.exe

It tries to download a file:
– The location is the following:
• http://ertanue5skayert.com/**********M
It is saved on the local hard drive under:
• %home%\Application Data\lizkavd.exe
This file is executed as soon as the download is complete. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.FraudLo.osj

Registry

The following registry key is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "mserv"="%home%\Application Data\seres.exe"
• "svchost"="%home%\Application Data\svcst.exe"
The value name "svchost" imitates the legitimate Windows service host process; the path under Application Data rather than System32 is what gives it away.

The following registry keys are changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
New value:
• "LowRiskFileTypes"="zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
• "SaveZoneInformation"=dword:00000001
These values belong to the Windows Attachment Manager: listing .exe, .reg and .msi as low-risk types suppresses the security warning shown when such a file is opened, and SaveZoneInformation=1 stops Windows from recording the zone of origin on downloaded files.

Lower security settings from Internet Explorer:
– [HKCU\Software\Microsoft\Internet Explorer\Download]
Old value:
• "CheckExeSignatures"="yes"
• "RunInvalidSignatures"=dword:00000000
New value:
• "CheckExeSignatures"="no"
• "RunInvalidSignatures"=dword:00000001
With these values Internet Explorer no longer verifies the Authenticode signature of downloaded executables and allows executables with invalid signatures to run.

Email

It doesn't have its own spreading routine, but it was spammed out via email. The characteristics are described in the following:

From:
The sender address is spoofed.
Subject:
The following:
• Conflicker.B Infection Alert

Body:
The body of the email is the following:
• Dear Microsoft Customer, Starting 18/10/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus. Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation. Regards, Microsoft Windows Agent 2 (Hollis) Microsoft Windows Computer Safety Division

Attachment:
The filename of the attachment is:
• install.zip
The attachment is an archive containing a copy of the malware itself.

The email looks like the following: (screenshot not reproduced here)

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
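To check a host for the indicators listed above without trusting the infected system's own tools, an analyst can export the user hive (reg export HKCU hkcu.reg) and a file listing and evaluate them offline. The following Python script is an added example and not part of the original Avira description; it parses .reg export text, flags the documented Run entries, Attachment Manager and Internet Explorer download settings, and flags the dropped file names when they sit under an Application Data folder. The sample registry export and path list at the bottom are constructed for illustration.

```python
"""Offline triage for the TR/Vilsel.ior indicators (added example, constructed input)."""
import ntpath
import re

# Indicators taken from the description above.
DROPPED_FILES = {"seres.exe", "svcst.exe", "lizkavd.exe"}
RUN_VALUE_NAMES = {"mserv", "svchost"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ASSOC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
IE_DL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string escaping: backslash and double quote are backslash-escaped.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} from `reg export` text.

    REG_SZ ("...") and dword:XXXXXXXX are decoded; other types are kept as raw text.
    """
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        hives[current][name.lower()] = data
    return hives


def check_registry(reg_text):
    """Compare a registry export against the registry changes documented above."""
    hives = parse_reg_export(reg_text)
    findings = []

    for name, data in hives.get(RUN_KEY.lower(), {}).items():
        base = ntpath.basename(str(data)).lower()
        if name in RUN_VALUE_NAMES and base in DROPPED_FILES:
            findings.append((RUN_KEY, name, "autostart of dropped file " + base))

    assoc = hives.get(ASSOC_KEY.lower(), {})
    if ".exe" in str(assoc.get("lowriskfiletypes", "")).lower().split(";"):
        findings.append((ASSOC_KEY, "LowRiskFileTypes", ".exe listed as low risk: open-file warning suppressed"))
    if assoc.get("savezoneinformation") == 1:
        findings.append((ASSOC_KEY, "SaveZoneInformation", "zone information no longer saved on downloads"))

    ie = hives.get(IE_DL_KEY.lower(), {})
    if str(ie.get("checkexesignatures", "")).lower() == "no":
        findings.append((IE_DL_KEY, "CheckExeSignatures", "signature check on downloaded executables disabled"))
    if ie.get("runinvalidsignatures") == 1:
        findings.append((IE_DL_KEY, "RunInvalidSignatures", "executables with invalid signatures may run"))
    return findings


def check_files(paths):
    """Flag the documented drop names only when they sit directly under Application Data."""
    hits = []
    for p in paths:
        parent, base = ntpath.split(p.replace("/", "\\"))
        if base.lower() in DROPPED_FILES and ntpath.basename(parent).lower() == "application data":
            hits.append(p)
    return hits


# Constructed sample export: what `reg export HKCU` would show on an infected XP profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mserv"="C:\\Documents and Settings\\alice\\Application Data\\seres.exe"
"svchost"="C:\\Documents and Settings\\alice\\Application Data\\svcst.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"="zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
'''

# Constructed file listing; the real svchost.exe in System32 must not be flagged.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\seres.exe",
    r"C:\Documents and Settings\alice\Application Data\lizkavd.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for key, name, why in check_registry(SAMPLE_REG):
        print(f"[registry] {key}\\{name}: {why}")
    for path in check_files(SAMPLE_PATHS):
        print(f"[file] {path}")
```

The Run-key check deliberately requires both the documented value name and the dropped file name, so a legitimate "svchost" entry pointing elsewhere is not reported; widen it to "any Run value whose target lies under Application Data" if you want a generic rogue-AV heuristic rather than a signature for this sample.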
Description inserted by Thomas Wegele on Tuesday, October 20, 2009 Description updated by Philipp Wolf on Tuesday, October 20, 2009