
Win32.Tufik.M


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Tufik.M.

Explanation:

This file infector consists of two components:
- a small piece of code that receives execution before the host of the infected file and drops the main executable
- the main executable, which is responsible for the rest of the malicious actions

The "viral code" (1436 bytes) receives execution inside the infected file, before the host (achieved by modifying the original entry point of the infected application), and performs the following:
- create a new mutex, BLACKSEEDER1.1, to avoid multiple instances
- retrieve the addresses of the API functions it will use
- retrieve the temp folder path
- drop the main executable (located immediately after the viral code) into the temp folder as BLACKSEEDER1.1 and execute it
- jump back to the host code

The main executable performs the following upon execution:
- create a new mutex, BLACKSEEDER1.1, to avoid multiple instances of the executable
- copy itself into %windir%\Downloaded Program Files as xxxxxxxx.exe (where each x is a hexadecimal digit, 0 to 9 or A to F, for example 00094648.exe) and continue execution from there
- drop a small DLL, xxxxxxxx.dat (the .exe and .dat files share the same 8-character sequence), which is injected into every running process; its only purpose is downloading files from the following URL: http://www.wangzhe[removed].com/girl/
- create a desktop.ini file inside this folder so that the malware files are not visible in Explorer
- register itself at startup by adding the registry entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSLOGON, which points to the malware executable inside %windir%\Downloaded Program Files
- make a copy of itself in the root directory of every accessible drive
- create an autorun.inf file on every accessible drive, pointing to the copy described above

The main executable is also responsible for finding and infecting other files. It searches for files with the .exe, .com, .bat, .scr, and .cmd extensions and infects those that are valid PE files. The infection process is as follows:
- check that the file is not already infected (the last section name is not BSDR1.1)
- check whether the file has an overlay (files with an overlay are not infected)
- if the file is not infected, create a new section at the end of the executable containing the code that will run inside the host, followed by the main executable
- modify the entry point so that the virus executes first
- modify the SizeOfImage and SizeOfCode header fields to reflect the changes made by the infection
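A defender-side check for the two header changes listed above, added here as an example and not part of the BitDefender description: it parses the PE section table and flags a file whose last section is named BSDR1.1 with the entry point inside that section. The build_pe helper and its section layouts are constructed test fixtures; the section name is the only value taken from the page.

```python
import struct

# Indicator from the description: the infector appends a section named
# BSDR1.1 and redirects the entry point into it (name taken from the advisory).
TUFIK_SECTION_NAME = b"BSDR1.1"

def parse_pe(data):
    """Return (entry_rva, sections) for a PE image; sections is a list of
    (name, virtual_address, virtual_size). Raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                        # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sect_off = opt_off + opt_size                # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize))
    return entry_rva, sections

def looks_tufik_infected(data):
    """True when the last section is named BSDR1.1 and the entry point lies
    inside it, the two header changes the description says the infector makes."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return False
    name, va, vsize = sections[-1]
    return name == TUFIK_SECTION_NAME and va <= entry_rva < va + vsize

def build_pe(sections, entry_rva):
    """Constructed minimal PE32 header used as a test fixture (not a runnable
    program); sections is a list of (name, virtual_address, virtual_size)."""
    opt_size = 0xE0                              # standard PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs in sections)
    return dos + coff + bytes(opt) + table

if __name__ == "__main__":
    clean = build_pe([(b".text", 0x1000, 0x800), (b".data", 0x2000, 0x200)], 0x1100)
    infected = build_pe([(b".text", 0x1000, 0x800), (b"BSDR1.1", 0x3000, 0x600)], 0x3000)
    print("clean:", looks_tufik_infected(clean), "infected:", looks_tufik_infected(infected))
```

On a real sample the section-name check alone is not proof of infection; the entry-point test narrows it to files whose execution flow was actually redirected.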

- It will kill any process with one of the following names:
vstskmgr.exe, naprdmgr.exe, updaterui.exe, tbmon.exe, scan32.exe, ravmond.exe, ccenter.exe, ravtask.exe, rav.exe, ravmon.exe, ravmond.exe, ravstub.exe, kvxp.kxp, kvmonxp.kxp, kvcenter.kxp, kvsrvxp.exe, kregex.exe, uihost.exe, trojdie.kxp, frogagent.exe, 360Safe.exe, AST.exe

- It will terminate the following services, if present on the system:
kavsvc, AVP, AVPkavsvc, McAfeeFramework, McShield, McTaskManager, McAfeeFramework McShield, McTaskManager, navapsvc, KVWSC, KVSrvXP, Schedule, sharedaccess, RsCCenter, RsRavMon, RsCCenter, RsRavMon, wscsvc, KPfwSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec, Core LC, NPFMntor, MskService, FireSvc, Alerter

- It will attempt to download files from the following URL:
http://www.wangzhe[removed].com/girl/
and it will infect .htm, .html, .php, .asp, and .aspx files by adding an invisible iframe pointing to http://www.wangzhe[removed].com/girl/picture.htm.

Last update 21 November 2011
