BKDR_WMIGHOST.A


 ALIASES:

Gen:Variant.Unruy.1 (BitDefender)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size:

45,056 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

13 Feb 2013

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Download and Upload Files
  • Remote Code Execution

It connects to the following websites to send and receive information:

  • owner.102.shoptupian.com/r6/all.php

Information Theft

This backdoor accesses the following site to download its configuration file:

  • http://{BLOCKED}acharya.blog.com/feed
  • http://{BLOCKED}p123.wordpress.com/feed
  • http://{BLOCKED}din2004.blog.com/feed

It gathers the following data:

  • Hostname
  • MAC Address
  • Operating System
  • Malware Version
  • Malware Owner

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.724.03

FIRST VSAPI PATTERN DATE:

13 Feb 2013

Step 1

Scan your computer with your Trend Micro product to delete files detected as BKDR_WMIGHOST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 2

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

NOTES:

<Deleting Malicious Script

To delete the malicious script created by this malware using WMI Command-line Tool:

  1. Open a WMI command-line. To do this, click Start>Run, type WMIC in the text box provided, then press Enter.
  2. Type the following on the command-line tool and delete the malicious event consumer:
    /namespace:\\root\subscription PATH __EventConsumer delete
  3. Press Y and Enter when prompted to delete the following, press N and enter if other values are seen:
    \\{computer name}\\ROOT\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer"
  4. Type the following on the command-line tool and delete the event filter:
    /namespace:\\root\subscription PATH __EventFilter delete
  5. Press Y and Enter when prompted to delete the following, press N and enter if other values are seen: \\{computer name}\\ROOT\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter"
  6. Type the following on the command-line tool and delete the event timer instruction:
    /namespace:\\root\subscription PATH __TimerInstruction delete
  7. Press Y and Enter when prompted to delete the following, press N and enter if other values are seen: \\{computer name}\\ROOT\subscription:__TimerInstruction.TimerId="Microsoft WMI Comsumer Security Event_WMITimer"
  8. Type the following on the command-line tool and delete the FiltertoConsumerBinding: /namespace:\\root\subscription PATH __FilterToConsumerBinding delete
  9. Press Y and Enter when prompted to delete the following, press N and enter if other values are seen:
  10. \\{computer name}\\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter\""
  11. Type quit or exit to close the command-line tool


Did this description help? Tell us how we did.