Virtual environments are popular products in the security industry, especially amongst us virus researchers. Virtualization software allows you to execute programs (including malware) in a virtual environment allowing you to execute as many functions as you like and then revert to the original if should something go wrong.
While this is fantastic in theory, it’s important to consider how many of these “virtual machines” are actively running antivirus software. If you don’t have security running inside the virtual environment, the following may interest you.
Recently, a new malware attracted our attention. It has some interesting features along with outmoded ones, such as infecting VMware and Windows mobile devices. This malware is spread via exploits and poisoned websites, as it’s dropped by a JAR package. It has two versions, one for Windows, and the other for Mac.
Vmdk file infections
The malware reads the preferences.ini file from VMware installation directory and searches for string “.vmx\” to get the vmx file path, which is the configuration file of a virtual machine.
Then it opens the vmx file and gets the path of vmdk file (VMWare Virtual Machine Disk Format). A vmdk file is the virtual disk of the virtual machine.
After the vmdk file is located, the malware will infect it. It first runs the process of vixDiskMountServer.exe which is a module of VMware and usually dormant.
Then it sends a certain device control code to device \\\\.\\vstor2-ws60 to mount the vmdk files as a local disk.
After that, the malware can modify the vmdk file by accessing the mounted disk. All the changes made to the mounted disk will reflect to the related disk partition in the virtual machine which the vmdk file belongs to.
What’s interesting is that the malware wants to make itself start up with the virtual machine. So it copies its dropped files to “Program Data\Microsoft\Windows\Start Menu\Programs\Startup\” directory. When the virtual machine starts, the malware will also be activated.
“Local Disk Z:”is actually a virtual disk, but it is mounted as a local disk.
Windows mobile phone infection
This malware also targets Windows mobile devices. The process of infecting a Windows mobile phone is nearly the same as for virtualisation software, dropping and copying some files to target directory.
If the file autorun.zoo exists in Windows phone’s directory, meaning this phone has been infected, the malware will do nothing. Otherwise, it copies the original autorun.exe to autorun4.exe and drops a new autorun.exe and autorun.zoo in the same directory. Then, it uses the RAPI (Remote API) “CeCreateProcess” to start autorun.exe. Now, a malware process is created in your phone.
Besides, this malware also infects removable devices by dropping autorun.inf into root directory.
Once the malware has been run successfully, it will monitor all of your operations, including keylogging, accessing the clipboard, controlling the screen and camera, monitoring your IM applications, such as MSN, yahoo messenger, etc.
Malicious JAR package (md5: ba170664095b53d97690b5be208927e2) is detected as Trojan horse Dropper.Generic6.AOLYand dropped malware components are detected as variants of Trojan horse BackDoor.Generic.
Xing Liu and AVG Viruslab Research Group
Leave a reply