After the two entries about file replacing virus, I received feedback from Mary Landesman - Scansafe. I have re-checked and have discovered that it is an interesting finding. Thank you, Mary. And now I will talk about it.
To illustrate the entry with paths and screenshots, it is my wont to use the latest variant of malware. Indeed, I did not think that the virus had changed. The previous variant, that I debugged, overwrites Adobe, Java, etc. updaters as described here. (TrendMicro also had some analysis about this updater file replacing malware).
But to the lastest variant, while the malware continues to overwrite Java updater, its strategy with Adobe has changed. It drops a new file in the same folder with the program and disguises as Adobe updater. The file is named AcrobatUpdater.exe, which which is the same as AcrobatUpdater.dll, an available one. The newly generated file has same icon and version information with the real Acrobat Updater.
As you can see, the malware has changed for better disguising. In the previous entry, I was talking about the three generations of file replacing malware with the updater file replacing virus as the 3rd generation. The 1st gen overwrites system files – easy to make the system corrupted; then, the 2nd gen overwrites start-up program files – easy to damage the program operations; and most recent, the 3rd gen overwrites updater files of some programs – does not affect the softwares’ operations but makes the update components unable to function. With the lastest malware variant, I would call it the 3.5th generation.
Exactly as what I wrote in the previous blog - “They are still changing the infection methods as bad guys never stop finding ways to introduce troubles to AVs”.
Nguyen Cong Cuong
Senior Malware Researcher