New complex Trojan bug stays hidden in Windows machines
Users of computers running Microsoft's Windows OS were warned this week against a new malware that exploits a bug to hijack a critical file and remain hidden and active in the system. BitDefender's Malware City blog said the complex Trojan, identified as Trojan.Dropper.UAJ, seeks to elude detection by antivirus products by not adding itself to the lists of programs that run at startup.

"Trojan.Dropper.UAJ comes with its own approach – it patches a vital code library (comres.dll) forcing all applications that rely on comres.dll to execute this particular e-threat, as well," it said.

According to BitDefender, comres.dll is widely used by most Internet browsers and in some communication applications or networking tools, which makes it popular and basically indispensable for the operating system. It said the Trojan makes a copy of the genuine comres.dll file, patches it and then saves it in the Windows directory folder, where the operating system normally looks for a DLL (dynamic-link library) to load when it is required. This means the Trojan's copy is loaded instead of the genuine file with the exact same name.

Next, the Trojan drops the file "prfn0305.dat" (identified as Backdoor.Zxshell.B), which contains the function that compromises the system. "And everything is now in place. The moment the system calls the code library, the malware is turned on," it said.

BitDefender said Trojan.Dropper.UAJ can run on Windows 7, Windows Vista, Windows 2003, Windows 2000 or Windows NT in both 32- and 64-bit environments.

It added that this attack unites two types of exploitation. One is commonly known as "DLL load hijacking": a coding vulnerability in which some applications specify only the name of the DLL they need, instead of a full path to it. A compromised DLL that is placed "closer" to the app – like in the application's folder – will be used by the app instead of the genuine one. The other form of exploitation refers to the function import technique.
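One defender-side check for the shadowing behaviour described above: look for copies of a system DLL that sit in a location a name-only load may consult before System32 (the Windows directory, or an application folder you pass in) and differ from the System32 reference copy. This is an added example, not code from the article or from BitDefender; the choice of `comres.dll` follows the article, and the `$ExtraDirs` parameter and the use of the System32 copy as the reference are assumptions of the example.

```powershell
# Added example (not from the article or BitDefender): audit DLL names for
# shadow copies that a name-only LoadLibrary could pick up before System32.
param(
    [string[]]$DllNames  = @('comres.dll'),  # DLL(s) to audit; comres.dll is the one named in the article
    [string[]]$ExtraDirs = @()               # optional application folders to include (assumed parameter)
)

$system32 = Join-Path $env:SystemRoot 'System32'
# Directories that can take precedence over System32 in a name-only load:
# the application's own folder(s) and the Windows directory.
$searchDirs = @($ExtraDirs) + @($env:SystemRoot)

foreach ($name in $DllNames) {
    $genuine = Join-Path $system32 $name
    if (-not (Test-Path $genuine)) {
        Write-Warning "No reference copy of $name in System32"
        continue
    }
    # SHA-256 of the System32 copy is the baseline a shadow copy is compared against.
    $refHash = (Get-FileHash -Algorithm SHA256 -Path $genuine).Hash

    foreach ($dir in $searchDirs) {
        $candidate = Join-Path $dir $name
        if (-not (Test-Path $candidate)) { continue }   # nothing shadows System32 from here

        $hash = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $candidate

        # A patched copy will fail the hash comparison and, because patching
        # invalidates the Authenticode signature, usually the signature check too.
        [pscustomobject]@{
            Dll          = $name
            Path         = $candidate
            MatchesSys32 = ($hash -eq $refHash)
            Signature    = $sig.Status       # 'Valid' for an intact signed system binary
            Suspicious   = ($hash -ne $refHash -or $sig.Status -ne 'Valid')
        }
    }
}
```

Run it with elevated rights so the Windows directory is fully readable; any row with `Suspicious = True` is a copy worth pulling for analysis rather than deleting on the spot.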
— LBG, GMA News