BKDR_EMDIVI.POL

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

• %User Temp%\kptl.doc - decoy document file
• %User Temp%\vmwere.exe - also detected as BKDR_EMDIVI.POL

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• d10ab3dd12f7124d3d2ecc82b41225d2

Autostart Technique

This backdoor drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

• %Start Menu%\Programs\Startup\vmwere.lnk (Windows Vista and higher versions)
• %Common Startup%\vmwere.lnk (Versions lower than Windows Vista)

(Note: %Start Menu% is the Start Menu folder, where it usually is C:\Documents and Settings\{user name}\Start Menu on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Common Startup% is the system's shared Startup folder, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003.)

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Enumerate files and folders
• Delete files and folders
• Download files
• Upload files
• Execute files
• Get file attributes
• Enumerate processes
• Perform remote shell
• Loads a library using LoadLibrary API
• Import functions from a library using GetProcAddress API
• Gather credentials using CredEnumerate or PStoreCreateInstance API
• Gather Firefox settings from prefs.js
• Gather proxy settings from proxy.pac
• Gather proxy settings from windows registry
• Sleep

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://www.{BLOCKED}ori.com/wp-includes/news/scripts/index.php
• http://www.{BLOCKED}to.jp/html/mainland/index.php

As of this writing, the said sites are inaccessible.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• http://www.microsoft.com
• http://www.msftncsi.com
• http://www.yahoo.co.jp

NOTES:

It enumerates all visible windows and compares each window's title bar text with the following strings:

• Ollydbg
• Process Explorer
• Process Hacker
• Process Monitor
• SoftICE
• W32Dasm
• WireShark

If a window's title bar text contains any of the said strings, it will pause the execution of its malicious routine by performing a Sleep command.

It has a document icon and drops the non-malicious file kptl.doc. It will then open the file kptl.doc to deceive users that it is a normal file.

It does not have rootkit capabilities.

It does not exploit any vulnerability.