Newly Found Dropper Skirts Startup List by Hijacking Critical DLL File

Jack
Administrator, thread author
Jan 24, 2011
Complex Trojan takes advantage of a vulnerability in Windows code to stay hidden and active


Viruses, worms and Trojans all need to be running with the operating systems to cause any damage. Most add themselves to the Startup list by adding their path to the Startup Registry key, but this makes them easy to detect by antivirus solutions or computer-savvy users. Unlike this “regular malware”, Trojan.Dropper.UAJ comes with its own approach - it patches a vital code library (comres.dll) forcing all applications that rely on comres.dll to execute this particular e-threat, as well.

The Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory folder, where the operating system looks for a DLL to load when it is required by an application in the same folder - i.e. explorer.exe.

The dropper patches the code library by adding a single new malicious function to the imported list to be launched with the rest of its functions. Next, the Trojan drops the file “prfn0305.dat” (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system. And everything is now in place. The moment the system calls the code library, the malware is turned on.

Cyber-crooks chose to go for comres.dll because it is widely used by most internet browsers, in some communication applications or networking tools - which makes it popular and basically indispensable for the operating system.

Since the dropper attacks the DLL file found on the system, rather than trying to overwrite its own version, Trojan.Dropper.UAJ is able to run on Windows 7, Windows Vista, Windows 2003, Windows 2000 or Windows NT in both 32- and 64-bit environments.

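The hijack described in the post works because Windows resolves a DLL from the calling application's own directory before the system directory, so a patched comres.dll placed beside explorer.exe wins over the genuine one in System32. The script below is an added example written for this thread (it is not Bitdefender's or MalwareTips' code) showing how a defender can flag such shadow copies: it lists DLLs in an application directory that share a name with a system DLL, hashes both copies, and diffs the module names (KERNEL32.dll, prfn0305.dat, and so on) embedded as ASCII strings in each file. The string scan is a heuristic that stands in for a full PE import-table parse, and the sample bytes and the temp-directory layout are constructed stand-ins, not real PE files.

```python
"""Added example: flag DLL search-order shadowing of a system library.

Compares a shadow copy of a DLL against the copy in the system directory and
reports module names that only the shadow copy references. The sample bytes
below are constructed placeholders, not real PE files.
"""
import hashlib
import os
import re
import tempfile

# Module names are stored as plain ASCII in the PE import directory, so a string
# scan for "*.dll" / "*.dat" / "*.ocx" catches a newly added import without
# parsing the PE headers (heuristic: it will also pick up unrelated strings).
MODULE_NAME_RE = re.compile(rb"[A-Za-z0-9_\-]{1,64}\.(?:dll|dat|ocx)", re.IGNORECASE)

# Constructed stand-ins for the genuine comres.dll and the patched copy.
GENUINE_SAMPLE = b"MZ\x90\x00\x03\x00PE\x00\x00KERNEL32.dll\x00ole32.dll\x00ADVAPI32.dll\x00"
PATCHED_SAMPLE = GENUINE_SAMPLE + b"prfn0305.dat\x00"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def module_name_strings(data: bytes) -> set:
    """Set of lowercase module-like names embedded as ASCII strings in a file."""
    return {m.group(0).decode("ascii").lower() for m in MODULE_NAME_RE.finditer(data)}


def compare_dll_copies(genuine: bytes, suspect: bytes) -> dict:
    """Hash comparison plus the difference in referenced module names."""
    genuine_mods = module_name_strings(genuine)
    suspect_mods = module_name_strings(suspect)
    return {
        "identical": sha256_of(genuine) == sha256_of(suspect),
        "added_modules": sorted(suspect_mods - genuine_mods),
        "removed_modules": sorted(genuine_mods - suspect_mods),
    }


def find_shadowed_dlls(app_dir: str, system_dir: str) -> list:
    """DLLs in app_dir that shadow a same-named DLL in system_dir, with a diff report."""
    findings = []
    for name in sorted(os.listdir(app_dir)):
        if not name.lower().endswith(".dll"):
            continue
        system_copy = os.path.join(system_dir, name)
        if not os.path.isfile(system_copy):
            continue  # no system copy to shadow, so not a hijack candidate here
        with open(os.path.join(app_dir, name), "rb") as f:
            suspect = f.read()
        with open(system_copy, "rb") as f:
            genuine = f.read()
        report = compare_dll_copies(genuine, suspect)
        report["name"] = name
        findings.append(report)
    return findings


def run_demo() -> list:
    """Build a throwaway layout mirroring the described hijack and scan it."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Windows")  # directory of explorer.exe
        system_dir = os.path.join(app_dir, "System32")
        os.makedirs(system_dir)
        with open(os.path.join(system_dir, "comres.dll"), "wb") as f:
            f.write(GENUINE_SAMPLE)  # genuine copy
        with open(os.path.join(app_dir, "comres.dll"), "wb") as f:
            f.write(PATCHED_SAMPLE)  # shadow copy with an extra import
        with open(os.path.join(app_dir, "apponly.dll"), "wb") as f:
            f.write(b"MZ no system copy")  # not a shadowing candidate
        return find_shadowed_dlls(app_dir, system_dir)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the constructed layout the scan reports one finding, comres.dll, with `identical` false and `added_modules` equal to `["prfn0305.dat"]`; apponly.dll is skipped because nothing in System32 shares its name. On a real host the same logic runs with `app_dir` set to the directory of the executable you care about and `system_dir` to the real System32, and any shadow copy whose hash differs from the system copy deserves a closer look regardless of what the string diff shows.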
 

Prorootect
Level 69
Nov 5, 2011
So use SpyDllRemover by SecurityXploded.com: http://securityxploded.com/spydllremover.php

Our topic 'Spy Dll Remover' by ZOU1 is here, in 'Other Security Products' section: http://malwaretips.com/Thread-Spy-DLL-Remover?highlight=spydllremover

Thank you! :D
 
