Proactive Security
 

W32/Inject

Threat risk: medium

Detection files published: 2008-10-26
Description created: 2009-12-10
Description updated: 2009-12-10

Malware type: Trojan
Alias: Backdoor:Win32/Gaertob, Backdoor-DWV, Backdoor.Trojan
Spreading mechanism: Other, Webpage

Payload:
Summary

Inject is a protection layer that malware uses to avoid detection. The injector carries the actual malware as an encrypted resource, decrypts it at run time and injects it into a running process, so the payload never has to be written to disk in cleartext. The injector may also contain various checks for virtual machines and analysis tools in order to hinder analysis.

Spreading description

W32/Inject spreads through browser exploits and fake software cracks.

Threat description

On execution, the sample starts Internet Explorer in the background in a suspended state and injects the backdoor code into it.

The injector uses various checks for virtual machines and analysis tools in order to hinder analysis. All the modules the injector needs in order to inject the malicious code are loaded dynamically, and the resolved addresses of the imports are stored in the injector's own import address table, so the static import table reveals little about what the file does.

The text section of the suspended Internet Explorer process is completely overwritten with the malicious code before the process is resumed and the malicious code starts executing.
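The three steps described above (create the host process suspended, write into its image, then resume it) are the classic footprint of process hollowing, and a sandbox API trace is enough to spot them. The following is an added example written for this page, not Norman's code and not part of the W32/Inject sample: it parses a constructed, simplified API-trace format (`<caller pid> <API> key=value ...`, an assumption made for illustration) and flags every process that was created with CREATE_SUSPENDED, received a WriteProcessMemory call while still suspended, and was then resumed. The trace lines, PIDs and addresses are constructed sample data.

```python
"""Heuristic process-hollowing detector over a sandbox-style API trace.

Added example, not Norman's code.  The trace format below is an assumption:
one API call per line, '<caller_pid> <api> key=value ...', with quoted values
where a value contains spaces.
"""
import re

CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit

_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)(?P<args>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed trace, modelled on the behaviour described for W32/Inject:
# PID 1000 starts iexplore.exe suspended, overwrites its image, resumes it.
# PID 1500 (a debugger-like benign case) creates notepad.exe suspended and
# resumes it without writing anything, and must not be flagged.
SAMPLE_TRACE = """\
1000 CreateProcessA image="C:\\Program Files\\Internet Explorer\\iexplore.exe" flags=0x4 pid=2044 tid=2048
1000 GetThreadContext tid=2048
1000 VirtualAllocEx pid=2044 addr=0x00400000 size=0x28000 prot=0x40
1000 WriteProcessMemory pid=2044 addr=0x00401000 size=0x1A000
1000 SetThreadContext tid=2048
1000 ResumeThread tid=2048
1500 CreateProcessA image="C:\\Windows\\notepad.exe" flags=0x4 pid=2100 tid=2104
1500 ResumeThread tid=2104
"""


def parse_event(line):
    """Parse one trace line into {'pid', 'api', 'args'}; None if malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    args = {k: v.strip('"') for k, v in _KV.findall(m.group("args"))}
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def detect_hollowing(trace):
    """Return (injector_pid, target_pid, image, bytes_written) for every
    process created suspended, written into while suspended, then resumed."""
    targets = {}   # target pid -> state recorded at CreateProcess time
    by_tid = {}    # primary thread id -> target pid (ResumeThread takes a tid)
    findings = []
    for line in trace.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        api, a = ev["api"], ev["args"]
        if api.startswith("CreateProcess"):
            flags = int(a.get("flags", "0"), 16)
            pid = int(a["pid"])
            targets[pid] = {
                "by": ev["pid"],
                "image": a.get("image", "?"),
                "suspended": bool(flags & CREATE_SUSPENDED),
                "written": 0,
            }
            by_tid[int(a["tid"])] = pid
        elif api == "WriteProcessMemory":
            pid = int(a["pid"])
            # Only writes into a process that has never run count here.
            if pid in targets and targets[pid]["suspended"]:
                targets[pid]["written"] += int(a.get("size", "0"), 16)
        elif api == "ResumeThread":
            pid = by_tid.get(int(a["tid"]))
            st = targets.get(pid)
            if st and st["suspended"] and st["written"] > 0:
                findings.append((st["by"], pid, st["image"], st["written"]))
            if st:
                st["suspended"] = False  # process is running from here on
    return findings


if __name__ == "__main__":
    for injector, target, image, size in detect_hollowing(SAMPLE_TRACE):
        print(f"PID {injector} hollowed PID {target} ({image}): "
              f"{size:#x} bytes written before resume")
```

The write-before-resume condition is what separates hollowing from benign suspended process creation (debuggers and some installers also use CREATE_SUSPENDED), which is why the notepad.exe case in the constructed trace is not reported.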

This injector is known to be used by the following malware families:

  • Worm:Win32/Pushbot
  • Worm:Win32/Hamweq
  • Worm:Win32/Rimecud
  • PWS:Win32/Zbot
  • Backdoor:Win32/Bifrose
  • Backdoor:Win32/Rbot

The threat is difficult to identify because it shows no obvious symptoms on an affected machine: no new files or visible processes of its own, only malicious code running inside a legitimate process, which is exactly what the injection is meant to achieve.
 

Sandbox analysis

[ DetectionInfo ]
* Filename: C:\Documents and Settings\norman\Desktop\injector\injector\625d7c2f3b44cdd0aaa21f6d464e2182d82cac5e.bin.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 161821 bytes.
* MD5 hash: d2c81ef5586546e67f62a261874a979e.
* Entry-point detection: Microsoft Visual C++.

[ Process/window information ]
* Creates a window with name "WriteProcessMemory".
* Creates a window with name "".
 

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the regular product does not remove sufficiently. We have therefore developed the free tool Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Use / Title / Comment
  • Stop the spread of viruses on network shares
  • Cleaning of back-up folders on Windows Me and XP