Downloader-CJX Uses Microsoft .LNK Flaw to Spread Malware

The research team at McAfee has found a new variant of Downloader-CJX that extends its earlier .LNK distribution strategy, which relied on social engineering, with .LNK files that exploit Exploit-CVE2010-2568, as reported by McAfee on July 26, 2010. CVE-2010-2568 is the new Microsoft zero-day flaw: Windows parses shortcuts incorrectly, so that malicious code can be executed merely when the icon of a specially crafted shortcut is displayed.

The security experts explained that Downloader-CJX is a malware family that installs .LNK files mimicking existing Windows and user folders such as Music, New Folder or Documents. These files are generally about 1 KB (kilobyte) in size.

Downloader-CJX propagates by copying itself to removable devices and network shares together with an "Autorun.inf" file. Infection starts either with manual execution of the infected file or simply by browsing the folders that contain the infected files, where the "Autorun.inf" file can trigger automatic execution of the worm. The most common installation routes are exploitation of security or system flaws and unsuspecting users manually running unfamiliar programs. Installation can also occur through other distribution channels such as e-mail, hacked or malicious web pages, peer-to-peer networks and Internet Relay Chat.

In addition, the malware changes the attributes of the original folder to hide it from Explorer and drops .LNK files carrying folder icons, so that the user is lured into clicking these malicious links, which look like genuine folders. On an infected system these .LNK files are detected as Downloader-CJX!lnk.
Further, the malware creates the following registry entry:

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
Data: "mbvoj.exe" = "%userprofile%\mbvoj.exe"

The malware then tries to connect to the URLs (ns1.thepicture [removed].net, bert [removed].com) to download additional malware. This new variant of Downloader-CJX also drops two .exe files on the infected computer, named "pmnol.exe" and "x.exe". Of the two, x.exe is simply a copy of Downloader-CJX, which in turn drops xxx.dll, a DLL component of Downloader-CJX. The new Downloader-CJX variant is detected as Downloader-CJX.gen.g.

SPAMfighter News - 8/6/2010
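The three behaviours described in this article (an Autorun.inf on shares and removable media, small .LNK decoys standing in for folders that have been hidden, and a Run-key value launching an .exe straight from the user profile) can each be turned into a simple triage check. The following script is an added example, not code from McAfee or SPAMfighter; the directory listing and Run-key values it inspects are constructed inline so it runs offline, and the `C:\Users\alice` profile path is an assumption. On a real host you would build the `Entry` list from `os.scandir()`/`stat()` and enumerate the Run key with `winreg` instead.

```python
"""Defender-side triage for the Downloader-CJX behaviours described above.

Added example; not McAfee's or SPAMfighter's code. The directory listing
and Run-key values are constructed inline so the script runs offline.
"""
import ntpath
import re
from dataclasses import dataclass

# Win32 file attribute bits (documented Windows constants, not from the article).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10


@dataclass(frozen=True)
class Entry:
    """One directory listing item: name, size in bytes, attribute bits."""
    name: str
    size: int
    attrs: int


def find_folder_decoys(entries, max_lnk_size=2048):
    """Return .lnk names that shadow a sibling folder now marked hidden/system.

    The article describes the worm hiding the real folder and dropping a
    small .LNK with a folder icon next to it. A shortcut of about 1 KB whose
    stem equals the name of a hidden sibling directory is that pattern.
    """
    hidden_dirs = {
        e.name.lower()
        for e in entries
        if e.attrs & FILE_ATTRIBUTE_DIRECTORY
        and e.attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    }
    decoys = []
    for e in entries:
        stem, ext = ntpath.splitext(e.name)
        if ext.lower() == ".lnk" and stem.lower() in hidden_dirs and e.size <= max_lnk_size:
            decoys.append(e.name)
    return sorted(decoys)


def has_autorun(entries):
    """True if an autorun.inf is present (the trigger used on shares and removable media)."""
    return any(e.name.lower() == "autorun.inf" for e in entries)


def _command_executable(command):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values, user_profile=r"C:\Users\alice"):
    """Flag HKCU Run values that start an .exe sitting directly in the profile root.

    The article's persistence entry is "mbvoj.exe" = "%userprofile%\\mbvoj.exe".
    Legitimate autostart entries almost never point at a bare profile-root
    executable. user_profile is an assumed value; on a live host use
    os.environ["USERPROFILE"].
    """
    flagged = {}
    for name, command in run_values.items():
        expanded = re.sub(r"%userprofile%", lambda _: user_profile, command, flags=re.I)
        exe = _command_executable(expanded)
        head, tail = ntpath.split(exe)
        if head.lower() == user_profile.lower() and tail.lower().endswith(".exe"):
            flagged[name] = exe
    return flagged


def triage(entries, run_values):
    """Combine the three checks into one report dict."""
    return {
        "autorun": has_autorun(entries),
        "folder_decoys": find_folder_decoys(entries),
        "suspicious_run": suspicious_run_values(run_values),
    }


# Constructed sample: root of a removable drive after infection, plus a Run key.
SAMPLE_LISTING = [
    Entry("Music", 0, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    Entry("Music.lnk", 1024, 0),
    Entry("Documents", 0, FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN),
    Entry("Documents.lnk", 980, 0),
    Entry("Photos", 0, FILE_ATTRIBUTE_DIRECTORY),  # still visible: a user's own shortcut, not a decoy
    Entry("Photos.lnk", 1100, 0),
    Entry("autorun.inf", 120, FILE_ATTRIBUTE_HIDDEN),
    Entry("x.exe", 61440, FILE_ATTRIBUTE_HIDDEN),
]
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "mbvoj.exe": r"%userprofile%\mbvoj.exe",
    "Updater": r'"C:\Program Files\Vendor\update.exe" --quiet',
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

The decoy check deliberately ignores `Photos.lnk`, because the `Photos` folder beside it is still visible; the signal is the combination of a hidden sibling directory and a small shortcut of the same name, not the presence of a shortcut alone. Raising `max_lnk_size` or dropping the size test trades precision for recall.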