BKDR_FUCOBHA.EH

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

• %Windows%\wdmaud.drv - also detected as BKDR_FUCOBHA.EH

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• myhorse_macfee

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download Files
• Upload Files
• Execute Files
• Perform Remote Shell

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}n.net/jd/upload.aspx?filepath=info&filename={Host Name}_{Local IP Address}.jpg
• http://{BLOCKED}n.net/jd/upload.aspx?filepath=ok&filename={Host Name}_{Local IP Address}.jpg

Download Routine

This backdoor accesses the following websites to download files:

• http://{BLOCKED}n.net/jd/order/{Host Name}_{Local IP Address}.jpg

It saves the files it downloads using the following names:

• %User Temp%\order.dat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Information Theft

This backdoor gathers the following data:

• Host Name
• Local IP Address
• Proxy Server (if any)
• Currently logged on user name
• System directory
• OS and System Version
• List of active processes in the machine

Stolen Information

This backdoor saves the stolen information in the following file:

• %User Temp%\tmp.dat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}n.net/jd/upload.aspx?filepath=info&filename={Host Name}_{Local IP Address}.jpg
• http://{BLOCKED}n.net/jd/upload.aspx?filepath=ok&filename={Host Name}_{Local IP Address}.jpg

Other Details

However, as of this writing, the said sites are inaccessible.

NOTES:

It deletes %User Temp%\tmp.dat after the stolen information are sent.

It only executes properly on Windows Vista and later Windows OS versions.