Complex Trojan takes advantage of a vulnerability in Windows code to stay hidden and active
Viruses, worms and Trojans all need to be running with the operating systems to cause any damage. Most add themselves to the Startup list by adding their path to the Startup Registry key, but this makes them easy to detect by antivirus solutions or computer-savvy users. Unlike this “regular malware”, Trojan.Dropper.UAJ comes with its own approach - it patches a vital code library (comres.dll) forcing all applications that rely on comres.dll to execute this particular e-threat, as well.
The Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory folder, where the operating system looks for a DLL to load when it is required by an application in the same folder - i.e. explorer.exe.
The dropper patches the code library by adding a single new malicious function to the imported list to be launched with the rest of its functions.Next, the Trojan drops the file “prfn0305.dat” (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system. And everything is now in place. The moment the system calls the code library, the malware is turned on.
Cyber-crooks chose to go for comres.dll because it is widely used by most internet browsers, in some communication applications or networking tools - which makes it popular and basically indispensable for the operating system.
Since the dropper attacks the DLL file found on the system, rather than trying to overwrite its own version, Trojan.Dropper.UAJ is able to run on Windows7, Windows Vista, Windows 2003, Windows 2000 or Windows NT in both 32- and 64-bit environments.