Lumension® Endpoint Intelligence Center


Overview

Threat risk: MEDIUM
Destructivity: UNKNOWN
Payload:
Detection files published: 25 Oct 2008 03:00:00
Description created: 10 Dec 2009 02:30:00
Description updated: 10 Dec 2009 02:30:00
Malware type: TROJAN
Aliases: Backdoor:Win32/Gaertob, Backdoor-DWV, Backdoor.Trojan
Spreading mechanism: OTHER / UNKNOWN
Summary

W32/Inject

Spreading

W32/Inject spreads through browser exploits and fake software cracks.

Payload Details

On execution, the sample starts Internet Explorer in the background in a suspended state and injects the backdoor code into it.
The injector performs various checks for virtual machines and system tools in order to hinder analysis. All modules needed to inject the malicious code are loaded dynamically, and the addresses of the resolved imports are written into the import address table.
The .text section of the Internet Explorer process is completely overwritten with the malicious code before that code is executed.
This injector is known to be used by the following malware families:
Worm:Win32/Pushbot
Worm:Win32/Hamweq
Worm:Win32/Rimecud
PWS:Win32/Zbot
Backdoor:Win32/Bifrose
Backdoor:Win32/Rbot
It is difficult to identify the threat because it shows no obvious symptoms that would indicate its presence on an affected machine; it simply injects the malicious code into a legitimate process in order to avoid detection.
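The create-suspended, overwrite-image, resume sequence described above is the behaviour a defender can look for, since the injected process itself looks legitimate. The following Python is an added example and not part of the Lumension description: it runs a small detector over a constructed API-call trace and raises an alert only when a process writes into the image of a child it created suspended and then resumes that child. The event shape, the use of CreateProcessW/WriteProcessMemory/ResumeThread as telemetry labels, and the image base/size fields are assumptions about what a user-mode monitoring agent would supply; the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# Win32 dwCreationFlags bit that starts a new process with its primary thread suspended.
CREATE_SUSPENDED = 0x00000004


@dataclass
class ApiEvent:
    """One API call as a hypothetical user-mode monitor might report it (assumed shape)."""
    caller_pid: int
    api: str
    args: Dict[str, Any]


@dataclass
class SuspendedChild:
    """State kept per process that was created suspended by some caller."""
    image: str
    image_base: int
    image_size: int
    bytes_written_into_image: int = 0
    resumed: bool = False


def detect_hollowing(events: List[ApiEvent]) -> List[Dict[str, Any]]:
    """Flag the chain: create child suspended -> write into its image -> resume it.

    A suspended child that is never written to (e.g. a debugger launching a target)
    produces no alert, nor does a write into a process the caller did not create.
    """
    children: Dict[int, SuspendedChild] = {}  # child pid -> tracked state
    owner: Dict[int, int] = {}                # child pid -> pid that created it
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        a = ev.args
        if ev.api == "CreateProcessW" and int(a.get("flags", 0)) & CREATE_SUSPENDED:
            children[a["child_pid"]] = SuspendedChild(a["image"], a["image_base"], a["image_size"])
            owner[a["child_pid"]] = ev.caller_pid
        elif ev.api == "WriteProcessMemory":
            child = children.get(a["target_pid"])
            if child is None or owner[a["target_pid"]] != ev.caller_pid:
                continue
            # Count only the bytes that land inside the child's mapped image.
            start, end = a["address"], a["address"] + a["size"]
            img_end = child.image_base + child.image_size
            overlap = max(0, min(end, img_end) - max(start, child.image_base))
            child.bytes_written_into_image += overlap
        elif ev.api == "ResumeThread":
            child = children.get(a["target_pid"])
            if child is None or child.resumed:
                continue
            child.resumed = True
            if child.bytes_written_into_image > 0:
                alerts.append({
                    "caller_pid": ev.caller_pid,
                    "child_pid": a["target_pid"],
                    "image": child.image,
                    "bytes_overwritten": child.bytes_written_into_image,
                })
    return alerts


# Constructed trace: one benign debugger-style launch, one hollowing-style sequence.
SAMPLE_EVENTS = [
    ApiEvent(50, "CreateProcessW", {"image": r"C:\tools\notepad.exe", "flags": CREATE_SUSPENDED,
                                    "child_pid": 60, "image_base": 0x400000, "image_size": 0x30000}),
    ApiEvent(50, "ResumeThread", {"target_pid": 60}),
    ApiEvent(100, "CreateProcessW", {"image": r"C:\Program Files\Internet Explorer\iexplore.exe",
                                     "flags": CREATE_SUSPENDED, "child_pid": 200,
                                     "image_base": 0x400000, "image_size": 0x9F000}),
    ApiEvent(100, "WriteProcessMemory", {"target_pid": 200, "address": 0x401000, "size": 0x7A000}),
    ApiEvent(100, "ResumeThread", {"target_pid": 200}),
]

if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_EVENTS):
        print(alert)
```

Only the second sequence is reported, because the benign launch never writes into the child's image before resuming it. The overlap computation is what keeps writes to unrelated regions (an allocated buffer outside the image) from triggering on their own; a real deployment would add the process image name and parent context to the alert record.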

Analysis

[ DetectionInfo ]
 * Filename: C:\Documents and Settings\norman\Desktop\injector\injector\625d7c2f3b44cdd0aaa21f6d464e2182d82cac5e.bin.
 * Sandbox name: .
 * Signature name: NOT_SCANNED.
 * Compressed: NO.
 * TLS hooks: NO.
 * Executable type: Application.
 * Executable file structure: OK.
 * Filetype: PE_I386.
[ General information ]
 * File length: 161821 bytes.
 * MD5 hash: d2c81ef5586546e67f62a261874a979e.
 * Entry-point detection: Microsoft Visual C++.
[ Process/window information ]
 * Creates a window with name "WriteProcessMemory".
 * Creates a window with name "".
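The sandbox output above is a flat run of "[ Section ]" headers and "* item." entries. The following Python parser is an added example, not Lumension's or the sandbox vendor's tooling: it turns that exact text, embedded here as its input, into structured fields so an analyst can pull the hash, file size and created window names programmatically rather than by eye. The section/item grammar it assumes is inferred only from the text above, and the list of injection-related API names used to flag odd window names is a constructed heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Report text as it appears in the Analysis section of this page (flattened form).
SANDBOX_REPORT = (
    r"[ DetectionInfo ] * Filename: C:\Documents and Settings\norman\Desktop\injector\injector"
    r"\625d7c2f3b44cdd0aaa21f6d464e2182d82cac5e.bin. * Sandbox name: . "
    "* Signature name: NOT_SCANNED. * Compressed: NO. * TLS hooks: NO. "
    "* Executable type: Application. * Executable file structure: OK. * Filetype: PE_I386. "
    "[ General information ] * File length: 161821 bytes. "
    "* MD5 hash: d2c81ef5586546e67f62a261874a979e. * Entry-point detection: Microsoft Visual C++. "
    '[ Process/window information ] * Creates a window with name "WriteProcessMemory". '
    '* Creates a window with name "".'
)

# Window names that coincide with process-injection APIs; seeing one is unusual
# enough to surface during triage (constructed list, extend as needed).
INJECTION_API_NAMES = {"WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
                       "ResumeThread", "NtUnmapViewOfSection"}


@dataclass
class SandboxReport:
    fields: Dict[str, Dict[str, str]] = field(default_factory=dict)  # section -> key -> value
    notes: Dict[str, List[str]] = field(default_factory=dict)        # section -> free-text items


_SECTION = re.compile(r"\[\s*([^\]]+?)\s*\]")
# An item starts with "* " and ends at the first "." that is followed by the next
# item, the next section header, or the end of the text, so dots inside values survive.
_ITEM = re.compile(r"\*\s*(.*?)\.(?=\s*\*|\s*\[|\s*$)", re.S)


def parse_report(text: str) -> SandboxReport:
    """Split the report into sections, then each section into key/value or free-text items."""
    report = SandboxReport()
    parts = _SECTION.split(text)  # [prefix, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        report.fields.setdefault(name, {})
        report.notes.setdefault(name, [])
        for item in _ITEM.findall(body):
            key, sep, value = item.partition(": ")  # first ": " only; "C:\" has no space
            if sep:
                report.fields[name][key.strip()] = value.strip()
            else:
                report.notes[name].append(item.strip())
    return report


def window_names(report: SandboxReport) -> List[str]:
    """Names of windows the sample created, in report order (empty names included)."""
    names = []
    for item in report.notes.get("Process/window information", []):
        m = re.search(r'Creates a window with name "(.*)"', item)
        if m:
            names.append(m.group(1))
    return names


def file_length_bytes(report: SandboxReport) -> Optional[int]:
    raw = report.fields.get("General information", {}).get("File length", "")
    m = re.match(r"(\d+)\s*bytes", raw)
    return int(m.group(1)) if m else None


def triage_summary(report: SandboxReport) -> Dict[str, object]:
    """Pull the handful of values an analyst wants first from a report like this one."""
    names = window_names(report)
    return {
        "md5": report.fields.get("General information", {}).get("MD5 hash"),
        "filetype": report.fields.get("DetectionInfo", {}).get("Filetype"),
        "compressed": report.fields.get("DetectionInfo", {}).get("Compressed"),
        "size": file_length_bytes(report),
        "api_named_windows": [n for n in names if n in INJECTION_API_NAMES],
    }


if __name__ == "__main__":
    print(triage_summary(parse_report(SANDBOX_REPORT)))
```

The parser keeps key/value items and free-text items apart because the report mixes both; a window name that matches an injection API is only a triage hint, not a verdict, so it is returned as data rather than scored.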

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10