BKDR_POISON.VA

This report is based on several samples detected by the one-to-many detection of BKDR_POISON.VA.

This backdoor arrives contained inside a self-extracting archive (RAR SFX) and attached in email messages. The SFX drops and execute the malware. It also drops encrypted component files. Upon execution, it checks for the account user of the affected system if it has administrator rights. If it does, it copies itself to an alternate data stream (ADS) or as physical file in the %System% driectory. If it doesn't, it copies itself under certain file names.

It stays memory resident by injecting codes in the processes. It queries the default web browser by accessing a registry entry. It then launches a hidden web browser process (e.g. iexplore.exe). It then injects its code in the said process which contains its backdoor routines.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• 8-16'rat
• 9-15'rat
• 6-22'rat

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{D1205094-EBD5-AF8F-F1CE-085E19CF52AF}
StubPath = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{647AA609-B451-CBE5-1283-5F68699030BC}
StubPath = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9345EC6C-B9AD-E1CD-6127-F50AB6CF9BFD}
StubPath = "{malware path and file name}"

Backdoor Routine

This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}ain.rm6.org
• {BLOCKED}irus.sytes.net
• {BLOCKED}rus-groups.com

NOTES:

This report is based on several samples detected by the one-to-many detection of BKDR_POISON.VA

It arrives may arrive contained inside a self extracting archive (RAR SFX) and attached in email messages.

The SFX will drop and execute this malware as the following:

• %User Temp%\fuck.exe
• %User Temp%\query.exe
• %User Temp%\antivirus_update.exe

The SFX will also drop the following encrypted component files:

• %User Temp%\ophcrack.txt
• %User Temp%\query.txt

Upon execution, it checks for the account user of the affected system if it has administrator rights.

If it does, it copies itself to an alternate data stream (ADS) or as physical file in the %System% driectory:

• %System%:mscv91.exe
• %System%\lsyae.exe
• %System%:msvcr71.exe

If the user has no administrator rights, it copies itself as the following:

• %User Profile%\Application Data\mscv91.exe
• %User Profile%\Application Data\lsyae.exe
• %User Profile%\Application Data\msvcr71.exe

It copies the encrypted component files as the following:

• %Program Files%\Common Files\ODBC\ODUBC.DLL
• %System%\jql.sys
• %Program Files%\NetMeeting\netsa.dll
• %Windows%\java\java.dll

It stays memory resident by injecting codes in the following process:

• Explorer.exe

Backdoor Routine

It queries the default web browser by accessing the following registry entry:

HKEY_CLASSES_ROOT\http\shell\open\command

It then launches a hidden web browser process. (e.g. iexplore.exe) The malware then injects its code in the said process which contains its backdoor routines.

This backdoor has the following capabilities:

• Send system information (IP address, computer name, user name, operating system)
• Delete, search, and upload files
• Modify and search the registry entries
• Manage processes and services
• View and terminate active windows and ports
• Perform a shell command
• Download and inject remote codes to legitimate processes
• Log keystrokes and active windows
• Capture screenshots
• View webcam activity
• Listen to microphone audio
• Update/uninstall the malware