Backdoor.Win64.VICERCON.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following processes:

• %System%\clients.exe xhrslqlge
• %Windows%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
• %System%\svchost.exe -k LocalServiceAndNoImpersonation
• %Windows%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
• %System%\sppsvc.exe
• "%System Root%\Program Files\Windows Media Player\wmpnetwk.exe"
• %System%\svchost.exe -k WerSvcGroup
• %System%\svchost.exe -k NetworkService

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

• %Fonts%\Msbuild
• %Fonts%\clientdb\ds
• %Fonts%\clientdb
• %Fonts%\clientdb\gt

(Note: %Fonts% is the Windows Fonts folder, which is usually C:\Window\Fonts on Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xhrslqlge
ImagePath = "%System%\clients.exe xhrslqlge"

Other System Modifications

This Backdoor deletes the following files:

• %Windows%\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
• {malware file path and name}
• %Windows%\LastGood.Tmp

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
staticpeer = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
sha1 = "ad6a5342d7358a8676eadd60503e5d7117f1a887"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
peer = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = "4dad7a07676665646b6a69686f6e6d6c737271707776"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
tunnel = "a3d8b8ca7c7d7e7f7071"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
intranet = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
comment = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SHTinfo
notice = "1af94d98d36b6968676665644e429fbd8c377d7c7b7a"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
UPnP Device Host\HTTP Server\VROOTS\
/upnphost
(Default) = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xhrslqlge
DisplayName = "Profile Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\xhrslqlge
Start = "SERVICE_AUTO_START"

Dropping Routine

This Backdoor drops the following files:

• %Windows%\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
• %AppDataLocal%\Microsoft\Media Player\CurrentDatabase_372.wmdb

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Backdoor connects to the following possibly malicious URL:

• {BLOCKED}.190.3
• {BLOCKED}.190.2
• {BLOCKED}.190.0
• {BLOCKED}.185.3
• {BLOCKED}.185.2
• {BLOCKED}.185.0
• {BLOCKED}200.4
• {BLOCKED}200.3
• {BLOCKED}200.1
• {BLOCKED}200.0
• {BLOCKED}.230.3
• {BLOCKED}.230.2
• {BLOCKED}.230.0
• {BLOCKED}.99.3
• {BLOCKED}198.9
• {BLOCKED}198.8
• {BLOCKED}198.6
• {BLOCKED}198.5
• {BLOCKED}198.2
• {BLOCKED}198.189
• {BLOCKED}185.4
• {BLOCKED}185.3
• {BLOCKED}185.1
• {BLOCKED}185.0
• {BLOCKED}.27.8
• {BLOCKED}.27.7
• {BLOCKED}.27.4
• {BLOCKED}.27.3
• {BLOCKED}.27.10
• {BLOCKED}140.4
• {BLOCKED}140.2
• {BLOCKED}140.1
• {BLOCKED}.6.9
• {BLOCKED}.6.7
• {BLOCKED}.6.6
• {BLOCKED}.6.3
• {BLOCKED}.6.2
• {BLOCKED}.6.10
• {BLOCKED}.50.237
• {BLOCKED}.40.3
• {BLOCKED}.40.2
• {BLOCKED}.40.0
• {BLOCKED}5.4
• {BLOCKED}5.2
• {BLOCKED}5.1
• {BLOCKED}201.97
• {BLOCKED}201.8
• {BLOCKED}201.6
• {BLOCKED}201.5
• {BLOCKED}201.4
• {BLOCKED}201.2
• {BLOCKED}201.1
• {BLOCKED}150.4
• {BLOCKED}150.3
• {BLOCKED}150.1
• {BLOCKED}150.0
• {BLOCKED}147.71
• {BLOCKED}140.3
• {BLOCKED}140.0
• {BLOCKED}109.9
• {BLOCKED}109.7
• {BLOCKED}109.6
• {BLOCKED}109.5
• {BLOCKED}109.3
• {BLOCKED}109.173
• {BLOCKED}109.10
• {BLOCKED}.30.8
• {BLOCKED}.30.7
• {BLOCKED}.30.4
• {BLOCKED}.30.3
• {BLOCKED}.30.10
• {BLOCKED}100.4
• {BLOCKED}100.2
• {BLOCKED}100.1
• {BLOCKED}50.4
• {BLOCKED}50.2
• {BLOCKED}50.1
• {BLOCKED}252.4
• {BLOCKED}252.2
• {BLOCKED}252.1
• {BLOCKED}.65.4
• {BLOCKED}.65.2
• {BLOCKED}.65.1
• {BLOCKED}.170.4
• {BLOCKED}.170.2
• {BLOCKED}.170.1
• {BLOCKED}.20.3
• {BLOCKED}.20.2
• {BLOCKED}.20.0
• {BLOCKED}.50.3
• {BLOCKED}.50.0
• {BLOCKED}.5.4
• {BLOCKED}.5.3
• {BLOCKED}.5.1
• {BLOCKED}.5.0
• {BLOCKED}.73.9
• {BLOCKED}.73.68
• {BLOCKED}.73.5
• {BLOCKED}.73.3
• {BLOCKED}.73.2
• {BLOCKED}.60.4
• {BLOCKED}.60.3
• {BLOCKED}.60.1
• {BLOCKED}.60.0
• {BLOCKED}85.3
• {BLOCKED}85.2
• {BLOCKED}254.221
• {BLOCKED}.39.8
• {BLOCKED}.39.74
• {BLOCKED}.39.5
• {BLOCKED}.39.4
• {BLOCKED}.39.2
• {BLOCKED}.39.10
• {BLOCKED}.90.2
• {BLOCKED}.90.1
• {BLOCKED}.21.60
• {BLOCKED}.21.4
• {BLOCKED}.21.3
• {BLOCKED}.21.10
• {BLOCKED}81.9
• {BLOCKED}81.6
• {BLOCKED}81.5
• {BLOCKED}81.3
• {BLOCKED}81.2
• {BLOCKED}186.8
• {BLOCKED}186.7
• {BLOCKED}186.5
• {BLOCKED}186.4
• {BLOCKED}186.2
• {BLOCKED}186.196
• {BLOCKED}186.10
• {BLOCKED}60.4
• {BLOCKED}60.3
• {BLOCKED}60.1
• {BLOCKED}60.0
• {BLOCKED}.93.9
• {BLOCKED}.93.7
• {BLOCKED}.93.6
• {BLOCKED}.93.4
• {BLOCKED}.93.10
• {BLOCKED}33.170
• {BLOCKED}202.9
• {BLOCKED}202.8
• {BLOCKED}202.6
• {BLOCKED}202.3
• {BLOCKED}202.2
• {BLOCKED}195.104
• {BLOCKED}37.8
• {BLOCKED}37.7
• {BLOCKED}37.5
• {BLOCKED}37.2
• {BLOCKED}37.188
• {BLOCKED}37.10
• {BLOCKED}246.9
• {BLOCKED}246.8
• {BLOCKED}246.6
• {BLOCKED}246.5
• {BLOCKED}246.3
• {BLOCKED}246.2
• {BLOCKED}245.64
• {BLOCKED}.4.9
• {BLOCKED}.4.7
• {BLOCKED}.4.6
• {BLOCKED}.4.4
• {BLOCKED}.4.10
• {BLOCKED}.1.4
• {BLOCKED}.1.3
• {BLOCKED}.1.1
• {BLOCKED}4.190.3
• {BLOCKED}4.190.2
• {BLOCKED}4.190.0
• {BLOCKED}.168.7
• {BLOCKED}.168.6
• {BLOCKED}.168.4
• {BLOCKED}.168.3
• {BLOCKED}.168.10
• {BLOCKED}8.16.9
• {BLOCKED}8.16.8
• {BLOCKED}8.16.76
• {BLOCKED}8.16.6
• {BLOCKED}8.16.5
• {BLOCKED}8.16.3
• {BLOCKED}8.16.2
• {BLOCKED}5.34.8
• {BLOCKED}5.34.7
• {BLOCKED}5.34.69
• {BLOCKED}5.34.5
• {BLOCKED}5.34.4
• {BLOCKED}5.34.2
• {BLOCKED}5.34.1
• {BLOCKED}5.25.4
• {BLOCKED}5.25.2
• {BLOCKED}5.25.1
• {BLOCKED}2.56.7
• {BLOCKED}2.56.6
• {BLOCKED}2.56.4
• {BLOCKED}2.56.3
• {BLOCKED}2.56.10
• {BLOCKED}4.45.4
• {BLOCKED}4.45.3
• {BLOCKED}4.45.1
• {BLOCKED}4.45.0
• {BLOCKED}.31.8
• {BLOCKED}.31.7
• {BLOCKED}.31.5
• {BLOCKED}.31.4
• {BLOCKED}.31.2
• {BLOCKED}.31.10
• {BLOCKED}.0.93
• {BLOCKED}.0.8
• {BLOCKED}.0.7
• {BLOCKED}.0.4
• {BLOCKED}.0.2
• {BLOCKED}.0.1
• {BLOCKED}3.40.3
• {BLOCKED}3.40.2
• {BLOCKED}3.40.0
• {BLOCKED}6.127.9
• {BLOCKED}6.127.8
• {BLOCKED}6.127.6
• {BLOCKED}6.127.5
• {BLOCKED}6.127.3
• {BLOCKED}6.127.2
• {BLOCKED}39.8
• {BLOCKED}39.7
• {BLOCKED}39.5
• {BLOCKED}39.2
• {BLOCKED}39.10
• {BLOCKED}25.4
• {BLOCKED}25.3
• {BLOCKED}25.1
• {BLOCKED}25.0
• {BLOCKED}.235.9
• {BLOCKED}.235.8
• {BLOCKED}.235.6
• {BLOCKED}.235.5
• {BLOCKED}.235.3
• {BLOCKED}.235.2
• {BLOCKED}.220.3
• {BLOCKED}.220.2
• {BLOCKED}.220.0
• {BLOCKED}.222.155
• {BLOCKED}.210.4
• {BLOCKED}.210.2
• {BLOCKED}.210.1
• {BLOCKED}.128.8
• {BLOCKED}.128.5
• {BLOCKED}.128.4
• {BLOCKED}.128.2
• {BLOCKED}.128.10
• {BLOCKED}1.12.9
• {BLOCKED}1.12.7
• {BLOCKED}1.12.63
• {BLOCKED}1.12.4
• {BLOCKED}1.12.3
• {BLOCKED}1.12.10
• {BLOCKED}1.1.4
• {BLOCKED}1.1.3
• {BLOCKED}1.1.1
• {BLOCKED}1.1.0
• {BLOCKED}.152.9
• {BLOCKED}.152.7
• {BLOCKED}.152.6
• {BLOCKED}.152.4
• {BLOCKED}.152.3
• {BLOCKED}.152.10
• {BLOCKED}.152.2
• {BLOCKED}.152.0
• {BLOCKED}.155.3
• {BLOCKED}.155.2
• {BLOCKED}.155.0
• {BLOCKED}.218.9
• {BLOCKED}.218.8
• {BLOCKED}.218.6
• {BLOCKED}.218.5
• {BLOCKED}.218.3
• {BLOCKED}.218.2
• {BLOCKED}.218.133
• {BLOCKED}.155.1
• {BLOCKED}.112.8
• {BLOCKED}.112.7
• {BLOCKED}.112.5
• {BLOCKED}.112.4
• {BLOCKED}.112.2
• {BLOCKED}.112.114
• {BLOCKED}.112.10
• {BLOCKED}.110.4
• {BLOCKED}.110.3
• {BLOCKED}.110.1
• {BLOCKED}.110.0
• {BLOCKED}.93.3
• {BLOCKED}.194.9
• {BLOCKED}.194.8
• {BLOCKED}.194.7
• {BLOCKED}.194.6
• {BLOCKED}.194.5
• {BLOCKED}.194.3
• {BLOCKED}.194.2
• {BLOCKED}.131.9
• {BLOCKED}.131.8
• {BLOCKED}.131.6
• {BLOCKED}.131.5
• {BLOCKED}.131.3
• {BLOCKED}.131.182
• {BLOCKED}.168.5
• {BLOCKED}.168.237
• {BLOCKED}1.230.4
• {BLOCKED}1.230.2
• {BLOCKED}1.230.1
• {BLOCKED}8.121.5
• {BLOCKED}8.121.4
• {BLOCKED}8.121.2
• {BLOCKED}8.121.1
• {BLOCKED}3.10.3
• {BLOCKED}3.10.2
• {BLOCKED}3.10.0
• {BLOCKED}1.125.9
• {BLOCKED}1.125.7
• {BLOCKED}1.125.6
• {BLOCKED}1.125.4
• {BLOCKED}1.125.3
• {BLOCKED}1.125.10
• {BLOCKED}1.189.9
• {BLOCKED}1.189.8
• {BLOCKED}1.189.6
• {BLOCKED}1.189.5
• {BLOCKED}1.189.3
• {BLOCKED}1.189.2
• {BLOCKED}8.50.4
• {BLOCKED}8.50.2
• {BLOCKED}8.50.1
• {BLOCKED}4.189.8
• {BLOCKED}4.189.7
• {BLOCKED}4.189.5
• {BLOCKED}4.189.4
• {BLOCKED}4.189.2
• {BLOCKED}4.189.141
• {BLOCKED}.33.9
• {BLOCKED}.33.7
• {BLOCKED}.33.4
• {BLOCKED}.33.3
• {BLOCKED}.33.10
• {BLOCKED}2.85.4
• {BLOCKED}2.85.3
• {BLOCKED}2.85.1
• {BLOCKED}2.85.0
• {BLOCKED}8.35.4
• {BLOCKED}8.35.2
• {BLOCKED}8.35.1
• {BLOCKED}9.165.4
• {BLOCKED}9.165.3
• {BLOCKED}9.165.1
• {BLOCKED}9.165.0
• {BLOCKED}90.4
• {BLOCKED}90.2
• {BLOCKED}90.1
• {BLOCKED}.1.2
• {BLOCKED}.1.0
• {BLOCKED}4.25.3
• {BLOCKED}4.25.0
• {BLOCKED}.230.4
• {BLOCKED}.230.1
• {BLOCKED}.213.6
• {BLOCKED}.213.5
• {BLOCKED}.213.3
• {BLOCKED}.213.2
• {BLOCKED}.145.3
• {BLOCKED}.145.2
• {BLOCKED}.145.0
• {BLOCKED}.6.8
• {BLOCKED}.6.5
• {BLOCKED}.6.4
• {BLOCKED}0.1.4
• {BLOCKED}0.1.2
• {BLOCKED}0.58.9
• {BLOCKED}0.58.7
• {BLOCKED}0.58.4
• {BLOCKED}0.58.3
• {BLOCKED}0.58.206
• {BLOCKED}0.58.10
• {BLOCKED}7.83.95
• {BLOCKED}7.83.7
• {BLOCKED}7.83.6
• {BLOCKED}7.83.5
• {BLOCKED}7.83.3
• {BLOCKED}7.83.2
• {BLOCKED}7.83.10
• {BLOCKED}7.75.4
• {BLOCKED}2.123.9
• {BLOCKED}2.123.8
• {BLOCKED}2.123.6
• {BLOCKED}2.123.5
• {BLOCKED}2.123.4
• {BLOCKED}2.123.2
• {BLOCKED}2.123.1
• {BLOCKED}7.150.4
• {BLOCKED}7.150.3
• {BLOCKED}7.150.1
• {BLOCKED}.33.8
• {BLOCKED}.33.17
• {BLOCKED}.210.3
• {BLOCKED}.210.0
• {BLOCKED}230.4
• {BLOCKED}230.2
• {BLOCKED}230.1
• {BLOCKED}0.1.9
• {BLOCKED}0.1.7
• {BLOCKED}0.1.6
• {BLOCKED}0.1.5
• {BLOCKED}0.1.3
• {BLOCKED}0.1.10
• {BLOCKED}0.1.0
• {BLOCKED}9.252.204
• {BLOCKED}7.145.9
• {BLOCKED}7.145.8
• {BLOCKED}7.145.6
• {BLOCKED}7.145.5
• {BLOCKED}7.145.4
• {BLOCKED}7.145.2
• {BLOCKED}7.145.1
• {BLOCKED}2.185.4
• {BLOCKED}2.185.2
• {BLOCKED}2.185.0
• {BLOCKED}.15.8
• {BLOCKED}.15.7
• {BLOCKED}.15.4
• {BLOCKED}.15.3
• {BLOCKED}.15.166
• {BLOCKED}.15.10
• {BLOCKED}.238.194
• {BLOCKED}.220.4
• {BLOCKED}.220.1
• {BLOCKED}.51.9
• {BLOCKED}.51.8
• {BLOCKED}.51.6
• {BLOCKED}.51.5
• {BLOCKED}.51.4
• {BLOCKED}.51.2
• {BLOCKED}.51.1
• {BLOCKED}5.166.9
• {BLOCKED}5.166.7
• {BLOCKED}5.166.6
• {BLOCKED}5.166.5
• {BLOCKED}5.166.3
• {BLOCKED}5.166.2
• {BLOCKED}5.166.10
• {BLOCKED}5.145.4
• {BLOCKED}5.145.2
• {BLOCKED}5.145.1
• {BLOCKED}.231.8
• {BLOCKED}.231.7
• {BLOCKED}.231.4
• {BLOCKED}.231.3
• {BLOCKED}.231.10
• {BLOCKED}3.17.9
• {BLOCKED}3.17.7
• {BLOCKED}3.17.6
• {BLOCKED}3.17.5
• {BLOCKED}3.17.3
• {BLOCKED}3.17.2
• {BLOCKED}3.17.179
• {BLOCKED}3.17.10
• {BLOCKED}6.90.4
• {BLOCKED}6.90.3
• {BLOCKED}6.90.1
• {BLOCKED}6.100.9
• {BLOCKED}6.100.8
• {BLOCKED}6.100.6
• {BLOCKED}6.100.5
• {BLOCKED}6.100.4
• {BLOCKED}6.100.2
• {BLOCKED}6.100.1
• {BLOCKED}1.140.3
• {BLOCKED}1.140.2
• {BLOCKED}1.140.0
• {BLOCKED}0.180.4
• {BLOCKED}0.180.2
• {BLOCKED}0.180.1
• {BLOCKED}9.70.4
• {BLOCKED}9.70.3
• {BLOCKED}9.70.1
• {BLOCKED}3.128.8
• {BLOCKED}3.128.7
• {BLOCKED}3.128.4
• {BLOCKED}3.128.3
• {BLOCKED}3.128.10
• {BLOCKED}.203.9
• {BLOCKED}.203.7
• {BLOCKED}.203.6
• {BLOCKED}.203.5
• {BLOCKED}.203.3
• {BLOCKED}.203.2
• {BLOCKED}.203.10
• {BLOCKED}.184.9
• {BLOCKED}.184.6
• {BLOCKED}.184.5
• {BLOCKED}.184.4
• {BLOCKED}.184.2
• {BLOCKED}.184.1
• {BLOCKED}6.85.3
• {BLOCKED}6.85.2
• {BLOCKED}6.85.0
• {BLOCKED}.211.4
• {BLOCKED}.211.3
• {BLOCKED}.211.1
• {BLOCKED}.211.0
• {BLOCKED}.180.4
• {BLOCKED}.180.2
• {BLOCKED}.180.1
• {BLOCKED}.130.4
• {BLOCKED}.130.3
• {BLOCKED}.130.1
• {BLOCKED}.130.0
• {BLOCKED}1.40.3
• {BLOCKED}1.40.2
• {BLOCKED}1.40.0
• {BLOCKED}2.80.4
• {BLOCKED}2.80.3
• {BLOCKED}2.80.1
• {BLOCKED}2.80.0
• {BLOCKED}6.210.4
• {BLOCKED}6.210.2
• {BLOCKED}6.210.1
• {BLOCKED}.139.8
• {BLOCKED}.139.7
• {BLOCKED}.139.4
• {BLOCKED}.139.3
• {BLOCKED}.139.10
• {BLOCKED}.137.9
• {BLOCKED}.137.7
• {BLOCKED}.137.6
• {BLOCKED}.137.5
• {BLOCKED}.137.3
• {BLOCKED}.137.2
• {BLOCKED}.137.178
• {BLOCKED}.137.10
• {BLOCKED}.120.4
• {BLOCKED}.120.2
• {BLOCKED}.120.1
• {BLOCKED}248.9
• {BLOCKED}248.7
• {BLOCKED}248.6
• {BLOCKED}248.4
• {BLOCKED}248.27
• {BLOCKED}248.10

This report is generated via an automated analysis system.