Virus: TR/Vilsel.swd
Date discovered: 15/02/2010
Type: Trojan
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 34.308 Bytes
MD5 checksum: 98d00c91854a13f839b1b923961520f8
IVDF version: 7.10.04.59 - Monday, February 15, 2010

General method of propagation:
   • Autorun feature


Aliases:
   •  Sophos: Mal/EncPk-ND
   •  Panda: Trj/Vilsel.U
   •  Eset: Win32/AutoRun.FakeAlert.DU
   •  Bitdefender: Trojan.Zbot.HNM


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files:
It copies itself to the following locations:
   • %drive%\autorun.exe
   • %SYSDIR%\logon.exe

It overwrites the following file:
   • %SYSDIR%\drivers\aec.sys

It deletes the initially executed copy of itself.

It deletes the following files:
   • %TEMPDIR%\rdl3.tmp.exe
   • %ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\UTemp.dtd
   • %TEMPDIR%\rdl2.tmp
   • %TEMPDIR%\alg.exe
   • %TEMPDIR%\rdl1.tmp



The following files are created:

– %drive%\autorun.inf
   This is a non-malicious text file with the following content:
   • %code that runs malware%

– %TEMPDIR%\rdl3.tmp.exe
– %ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\Ui.dtd
– %ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\swupdate.dll
– %ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\UTemp.dtd
– %ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\Local.dtd
– %TEMPDIR%\rdl1.tmp
   Further investigation pointed out that this file is malware, too. Detected as: RKIT/Bezopi.G
– %TEMPDIR%\rdl2.tmp
– %TEMPDIR%\alg.exe



It tries to download some files:

– The location is the following:
   • http://wc-lost.info/**********

– The location is the following:
   • http://teamstream.biz/**********

– The locations are the following:
   • http://gp2x.ws/zg/**********?v=%number%&rs=%character string%&n=%number%&uid=%number%
   • http://gp2x.ws/zg/**********?v=%number%&rs=%character string%&n=%number%&uid=%number%&cc=%number%

– The location is the following:
   • http://wc-zone.info/common/**********

It tries to execute the following files:

– Filename:
   • %TEMPDIR%\rdl3.tmp.exe

– Filename:
   • %TEMPDIR%\alg.exe

– Command line:
   • netsh.exe firewall add allowedprogram program = "%TEMPDIR%\alg.exe" name = "Application Layer Gateway Service" mode = ENABLE scope = ALL profile = ALL

– Command line:
   • netsh.exe firewall add allowedprogram program = "%SYSDIR%\lsass.exe" name = "LSA Shell" mode = ENABLE scope = ALL profile = ALL

Registry:
It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
   • "%TEMPDIR%\alg.exe"="%TEMPDIR%\alg.exe:*:Enabled:Application Layer Gateway Service"
   • "%SYSDIR%\lsass.exe"="%SYSDIR%\lsass.exe:*:Enabled:LSA Shell"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   • "SwUpdate"="{003541A1-3BC0-1B1C-AAF3-040114001C01}"

– [HKLM\SOFTWARE\Classes\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}\InProcServer32]
   • "@"="%ALLUSERSPROFILE%\Application Data\Macromedia\SwUpdate\swupdate.dll"
   • "ThreadingModel"="Apartment"

– [HKLM\SOFTWARE\Classes\CLSID\{003541A1-3BC0-1B1C-AAF3-040114001C01}]
   • "@"="SwUpdate"



The following registry keys are changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "ParseAutoexec"="1"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe logon.exe"
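A read-only audit of the registry locations listed above, added here as an example and not part of the Avira description: it reports a modified Winlogon Shell value, the SwUpdate ShellServiceObjectDelayLoad entry and its CLSID, and firewall exceptions for binaries under a Temp directory or named lsass.exe. It extends the description's DomainProfile check to StandardProfile as well; run it as Administrator on a suspect host.

```powershell
# Added example: audits the persistence and firewall-bypass registry entries
# named in the TR/Vilsel.swd description. Read-only; it changes nothing.
$findings = @()

# 1. Winlogon Shell should be exactly Explorer.exe; the trojan appends logon.exe.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^\s*explorer\.exe\s*$') {
    $findings += "Winlogon Shell modified: '$shell' (expected 'Explorer.exe')"
}

# 2. ShellServiceObjectDelayLoad entry 'SwUpdate' and the CLSID it points to.
$clsid = '{003541A1-3BC0-1B1C-AAF3-040114001C01}'   # CLSID from the description
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['SwUpdate']) {
    $findings += "SSODL entry 'SwUpdate' present: $($props.SwUpdate)"
}
$inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
$dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
if ($dll) { $findings += "CLSID $clsid InProcServer32 -> $dll" }

# 3. Firewall AuthorizedApplications lists (Domain and Standard profiles):
#    flag exceptions for programs under a Temp directory or claiming to be lsass.exe.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $fw = Get-ItemProperty -Path "$fwBase\$profile\AuthorizedApplications\List" -ErrorAction SilentlyContinue
    if (-not $fw) { continue }
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        if ($p.Name -match '\\Temp\\' -or $p.Name -match '\\lsass\.exe$') {
            $findings += "$profile firewall exception for $($p.Name): $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No TR/Vilsel.swd persistence indicators found.' } else { $findings }
```

A hit on the Winlogon Shell value alone is enough to justify pulling the host for a full examination, since the listed svchost.exe and explorer.exe injection leaves no registry trace of its own.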

Injection:
It injects itself as a remote thread into a process.

   All of the following processes:
   • svchost.exe
   • explorer.exe


File details:
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, May 14, 2010
Description updated by Petre Galan on Friday, May 14, 2010
