Threat Spotlight

For the week of 09 Nov 2009

Threat 1

Malicious email attachment hides spying malware

Threat Name:

Trojan: Troj/Zbot-JS

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/Spy.ZBot.dyt.8
  • Kaspersky: Trojan-Spy.Win32.Zbot.gen
  • McAfee: Artemis!34A6E21CDEC4
  • Microsoft: PWS:Win32/Zbot.Gen!R
  • Trend Micro: TROJ_ZBOT.BWC

Removal Instructions:

If you've received an alert for a virus or spyware, then follow the instructions for removing the Trojan.

About:

Troj/Zbot-JS is a member of the Zbot family of malware, also known as Zeus. It is aggressively spammed out in multiple campaigns with various social engineering lures.

The spammers behind this scheme use fake password reset emails such as:

Subject: Myspace Password Reset Confirmation
Because of the measures taken to provide safety to our clients, your
password has been changed. You can find your new password in attached
document.

The campaign also employs fake delivery notices, similar to those seen recently in fake anti-virus scams:

Thank you for setting the order No.8794354
Thank you for ordering at our online store. Your order: Sony VAIO
VPC-X11Z1E/X, was sent at your address. The tracking number of your
postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.

In both cases, the file attached to the email message is a zip file that contains a malicious program.

When run, Troj/Zbot-JS copies itself to the Windows system directory as sdra64.exe. It changes a registry entry to make sure the file is run when Windows starts:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Usually this registry data is set to C:\WINDOWS\system32\userinit.exe, but the Trojan appends its own file name so that Winlogon launches it alongside the legitimate userinit.exe, changing the data to:

C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe

When active, Troj/Zbot-JS opens a random high-numbered TCP port for listening. Members of the Zbot malware family typically allow a remote attacker to take control of a computer and subsequently spy on its activity. Zbot Trojans are often associated with online banking theft.

Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/Zbot-JS. When this Trojan attempts to install itself, it triggers the HIPS rule HIPS/FileMod-001.
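The Userinit modification described above is easy to audit on a host. The following PowerShell script is an added example, not Sophos code or part of the original spotlight: it reads the Winlogon Userinit value, flags any entry other than the system directory's userinit.exe, and reports whether the dropped copy sdra64.exe is present. It assumes PowerShell 4 or later (for Get-FileHash) on the Windows host being checked; the file and registry names come from the write-up, the rest is constructed here.

```powershell
# Added example (not Sophos code): audit the Winlogon Userinit value that
# Troj/Zbot-JS modifies and look for the file it drops into system32.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = Join-Path $env:SystemRoot 'system32'

# Only one program is expected here: userinit.exe from the system directory.
$expected = Join-Path $system32 'userinit.exe'

$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit

# The value is a comma-separated list. Stock installations usually carry a
# trailing comma, so drop empty entries before comparing anything.
$entries = $userinit -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

$findings = @()
foreach ($entry in $entries) {
    # Case-insensitive compare: C:\WINDOWS and C:\Windows are the same path.
    if ($entry -ine $expected) {
        $findings += "Unexpected Userinit entry: $entry"
    }
}

# The dropped copy named in the write-up.
$dropped = Join-Path $system32 'sdra64.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

if ($findings.Count -eq 0) {
    Write-Output "Userinit is clean: $userinit"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any extra Userinit entry is worth investigating, not only sdra64.exe: other families use the same key, and once a second program is listed there it runs in every interactive logon session before the shell starts.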

Threat 2

Application modifies your default search engine

Threat Name:

Potentially Unwanted Application: Make The Web Better

Also Known As:

  • FastBrowserURLDownload.exe
  • FastBrowserSearchProtection.exe

Removal Instructions:

Please follow these instructions on how to remove Potentially Unwanted Applications (PUAs).

About:

Make The Web Better is a potentially unwanted application (PUA) from Fast Browser Search.

This application creates an icon in the system tray, which allows the user to change search settings. It gives the option to make Fast Browser Search the default search engine or to switch to another search provider.

Make The Web Better may update itself from: http://updater.fastbrowsersearch.com/.

In order to create the system tray icon and change the user's default settings, this application makes a number of changes to the user's registry.

First, upon installation, the application creates the file <Root>\mtwb.dat.

It then changes search settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\

The PUA also sets the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\DisplayName
Fast Browser Search

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\URL
http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=9

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs
http://www.fastbrowsersearch.com/new-tab/?v=9&tid=0

Additionally, it creates these registry entries:

HKCU\Software\FBSearch\ProgramPath
c:\
0x00000000

HKCU\Software\FBSearch\Disable
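The search-engine changes listed above can be enumerated with PowerShell. The script below is an added example, not Sophos code or part of the original spotlight: it lists every Internet Explorer search scope for the current user and flags the scope GUID and fastbrowsersearch.com URLs named in the write-up, the AboutURLs\Tabs override, and the FBSearch key. The GUID, URLs and key names come from the write-up; the DefaultScope value it also reads is a standard Internet Explorer setting that the write-up does not mention, and the script assumes PowerShell 3 or later on the Windows host.

```powershell
# Added example (not Sophos code): enumerate Internet Explorer search scopes
# for the current user and flag the Fast Browser Search settings listed above.
$scopesKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$fbsGuid   = '{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}'   # scope GUID from the write-up
$fbsHost   = 'fastbrowsersearch.com'

$findings = @()

# DefaultScope (a standard IE value, not mentioned in the write-up) holds the
# GUID of the provider used by the address bar and search box.
$defaultScope = (Get-ItemProperty -Path $scopesKey -ErrorAction SilentlyContinue).DefaultScope
if ($defaultScope -ieq $fbsGuid) {
    $findings += "Default search scope is the Fast Browser Search GUID ($defaultScope)"
}

# List every scope so the reader can see what is configured alongside the PUA's.
foreach ($scope in (Get-ChildItem -Path $scopesKey -ErrorAction SilentlyContinue)) {
    $props = Get-ItemProperty -Path $scope.PSPath
    Write-Output ("{0}  {1}  {2}" -f $scope.PSChildName, $props.DisplayName, $props.URL)
    if ($scope.PSChildName -ieq $fbsGuid -or ($props.URL -and $props.URL -like "*$fbsHost*")) {
        $findings += "Search scope $($scope.PSChildName) points at $fbsHost"
    }
}

# New-tab page override set under HKLM.
$about = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\AboutURLs' -ErrorAction SilentlyContinue
if ($about.Tabs -and $about.Tabs -like "*$fbsHost*") {
    $findings += "AboutURLs\Tabs overridden: $($about.Tabs)"
}

# The application's own configuration key.
if (Test-Path -Path 'HKCU:\Software\FBSearch') {
    $findings += 'HKCU\Software\FBSearch is present'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Fast Browser Search settings found'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Because the SearchScopes and FBSearch keys live under HKCU, the script only sees the profile it runs in; to audit every user on a shared machine, run it in each user's context or walk the loaded hives under HKEY_USERS.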

Threat 3

Password-stealing worm targets online gamers

Threat Name:

Worm: W32/Taterf-C

Users at Risk:

Windows users

Also Known As:

  • Avira: TR/OnlineGam.105329
  • Kaspersky: Trojan-GameThief.Win32.Magania.bhfk
  • McAfee: Generic PWS.ak
  • Microsoft: Worm:Win32/Taterf.B
  • Symantec: Win32.Gammima.AG
  • Trend: WORM_GAMETHI.FHO

Removal Instructions:

If you believe you've been infected, then follow these instructions for removing the worm.

About:

W32/Taterf-C is a password-stealing worm that targets online game players. When installed, W32/Taterf-C will run automatically, copy itself to the <WINDOWS>\system32 folder and then create files in that folder. From that point, it can then steal confidential information and disable other software—including anti-virus, firewall and security related applications.

W32/Taterf-C spreads by copying itself to mapped and removable drives and creating an autorun.inf file, which will cause Windows to run the copy of the worm automatically when a user accesses the drive.

Upon installation, the worm creates these files:

<System>\dllcache\cdaudio.sys
<System>\nmdfgds0.dll
<System>\olhrwef.exe

W32/Taterf-C also creates this registry entry to run olhrwef.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
<System>\olhrwef.exe

This worm also attempts to download and install additional malware from ngjk34.net.
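The files, Run entry and autorun.inf spreading mechanism described above can be checked with the following PowerShell script. It is an added example, not Sophos code or part of the original spotlight: it looks for the three dropped files and the cdoosoft Run entry named in the write-up, then inspects removable and network drives for an autorun.inf that launches a program. It also checks the NoDriveTypeAutoRun policy value, a standard Windows setting the write-up does not mention, because leaving AutoRun disabled for removable and network drives is the mitigation that stops this spreading method. It assumes PowerShell 4 or later on the Windows host.

```powershell
# Added example (not Sophos code): look for the W32/Taterf-C artefacts listed
# above, for autorun.inf on removable and network drives, and for the AutoRun
# policy that blocks this spreading method.
$system32 = Join-Path $env:SystemRoot 'system32'
$findings = @()

# Dropped files named in the write-up.
$dropped = @(
    (Join-Path $system32 'dllcache\cdaudio.sys'),
    (Join-Path $system32 'nmdfgds0.dll'),
    (Join-Path $system32 'olhrwef.exe')
)
foreach ($file in $dropped) {
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $findings += "File present: $file (SHA256 $hash)"
    }
}

# Per-user Run entry 'cdoosoft' from the write-up.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['cdoosoft']) {
    $findings += "Run entry cdoosoft -> $($run.cdoosoft)"
}

# autorun.inf on removable (DriveType 2) and network (DriveType 4) drives.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 4 }
foreach ($drive in $drives) {
    $autorun = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        # Keep only the directives that would launch something.
        $launch = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
        $findings += "autorun.inf on $($drive.DeviceID): $($launch -join '; ')"
    }
}

# NoDriveTypeAutoRun (standard policy value, not in the write-up): 0xFF
# disables AutoRun for every drive type, which defeats autorun.inf spreading.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or $policy.NoDriveTypeAutoRun -ne 0xFF) {
    $findings += 'NoDriveTypeAutoRun is not 0xFF: AutoRun is still enabled for some drive types'
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Taterf-C artefacts found and AutoRun is disabled'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The autorun.inf directive match is deliberately broad (open=, shellexecute= and shell\...\command= lines) so that the check is useful for other autorun-spreading worms, not only this one; a drive that carries an autorun.inf pointing at an executable in a hidden folder should be treated as suspect until the file is identified.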