BKDR_ANDROM.JB

 Analysis by: Jaime Benigno Reyes
 Modified by: Christopher Daniel So

 ALIASES:

Worm:Win32/Gamarue.I (Microsoft), PWS-Zbot.gen.arj (McAfee), Backdoor.Trojan (Symantec)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Spammed via email

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It executes commands from a remote malicious user, effectively compromising the affected system.

It executes a remote command prompt. It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

52,224 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

29 Nov 2012

Payload:

Compromises system security

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This backdoor drops the following copies of itself into the affected system:

  • {All Users' profile}\svchost.exe
  • {All Users' profile}\Local Settings\Temp\ms{random characters}.{extension name} (if running as administrator)
  • %User Profile%\Local Settings\Temp\ms{random characters}.{extension name} (if not running as administrator)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "{All Users' profile}\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "{All Users' profile}\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
{volume serial number of drive C:} = "{All Users' profile}\Local Settings\Temp\ms{random characters}.{extension name}" (if running as administrator)

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Load = "%User Profile%\Local Settings\Temp\ms{random characters}.{extension name}" (if not running as administrator)

Backdoor Routine

This backdoor opens the following ports:

  • TCP port 8000

It executes the following commands from a remote malicious user:

  • Download an .EXE file from a URL and save it as %User Temp%\{random number}.exe, then execute the file
  • Download a file from a URL and save it in the following registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
      {file name} = "{contents of the file}" (if running as administrator)
    • HKEY_CURRENT_USER\Software\Microsoft
      {file name} = "{contents of the file}" (if not running as administrator)
  • Save the contents of the following registry entries as %User Temp%\{random file name}.exe and execute the file:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      {random number} = "{contents of the file}" (if running as administrator)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
      {random number} = "{contents of the file}" (if not running as administrator)
  • Download a .DLL file from the C&C server and save it as {All Users' profile}\ms{random characters}.{extension name}. Create the following registry entry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
      {All Users' profile}\ms{random characters}.{extension name} = "{exported function of the downloaded .DLL file}" (if running as administrator)
    • HKEY_CURRENT_USER\Software\Microsoft
      {All Users' profile}\ms{random characters}.{extension name} = "{exported function of the downloaded .DLL file}" (if not running as administrator)
  • Remove all malware entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft or HKEY_CURRENT_USER\Software\Microsoft and delete the malware files they point to
  • Remove all malware entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft or HKEY_CURRENT_USER\Software\Microsoft and re-execute itself
  • Uninstall itself

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}t.pl/image.php
  • http://{BLOCKED}d.pl/image.php
  • http://{BLOCKED}e.ru/image.php
  • http://{BLOCKED}m.ru/image.php
  • http://{BLOCKED}ve.com/image.php
  • http://{BLOCKED}t.pl/image.php

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

  • www.update.microsoft.com:20480

It executes a remote command prompt.

It deletes the initially executed copy of itself.

NOTES:

{extension name} is randomly chosen from any of the following:

  • BAT
  • CMD
  • COM
  • EXE
  • PIF
  • SCR

Upon execution, it executes the files pointed to by registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft if running as administrator, or HKEY_CURRENT_USER\Software\Microsoft if not running as administrator.

  SOLUTION

Minimum Scan Engine:

9.300

VSAPI OPR PATTERN File:

9.559.00

VSAPI OPR PATTERN Date:

29 Nov 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product and note files detected as BKDR_ANDROM.JB.

Step 3

Restart in Safe Mode

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • SunJavaUpdateSched = "{All Users' profile}\svchost.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • SunJavaUpdateSched = "{All Users' profile}\svchost.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • {serial number of drive C:} = "{All Users' profile}\Local Settings\Temp\ms{random characters}.{extension name}"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Load = "%User Profile%\Local Settings\Temp\ms{random characters}.{extension name}"
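The autostart entries above (and in the Autostart Technique section) can be checked with a script rather than by hand. The following PowerShell audit is an added example, not code from the Trend Micro description or from the sample: it inspects the six registry locations named in the description, reports any value whose name and data match the documented patterns, notes whether the referenced dropped file is still on disk, and deletes matching values only when run with -Remove (so -WhatIf can preview the change). The regular expressions, the assumption that the C: volume serial number is stored as a bare hex or decimal string, and the assumption that the value-name variant holds an absolute path with a drive letter are this example's own; {All Users' profile} is matched by path pattern instead of being resolved.

```powershell
# Added example (not from the Trend Micro description or the sample): audit the
# autostart locations the description lists for BKDR_ANDROM.JB, report matching
# values, and remove them only when -Remove is given (honours -WhatIf / -Confirm).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# {extension name} set from the NOTES section
$Ext = '(bat|cmd|com|exe|pif|scr)'
# data of the form "...\ms{random characters}.{extension name}", quote optional
$DropData = "(?i)\\ms[^\\]+\.$Ext`"?`$"
# a value whose *name* is the dropped DLL path; assumption: an absolute path with a drive letter
$DropName = "(?i)^[a-z]:\\.*\\ms[^\\]+\.$Ext`$"
# svchost.exe anywhere other than under System32
$Svchost  = '(?i)^(?!.*\\system32\\).*\\svchost\.exe"?$'

# One entry per location in the description. Name/Data are this example's own regexes;
# File says which field holds the path of the dropped file.
$Checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = '^SunJavaUpdateSched$'; Data = $Svchost; File = 'Data' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = '^SunJavaUpdateSched$'; Data = $Svchost; File = 'Data' },
    # assumption: the C: volume serial number is written as a bare hex/decimal string
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
       Name = '^[0-9A-Fa-f-]+$'; Data = $DropData; File = 'Data' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Name = '^Load$'; Data = $DropData; File = 'Data' },
    # NOTES section: values directly under ...\Microsoft named after the dropped file
    @{ Key = 'HKLM:\SOFTWARE\Microsoft'; Name = $DropName; Data = '.*'; File = 'Name' },
    @{ Key = 'HKCU:\Software\Microsoft'; Name = $DropName; Data = '.*'; File = 'Name' }
)

function Find-AndromAutostart {
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $key = Get-Item -LiteralPath $c.Key
        foreach ($name in $key.GetValueNames()) {
            if ($name -notmatch $c.Name) { continue }
            $data = [string]$key.GetValue($name)
            if ($data -notmatch $c.Data) { continue }
            $file = if ($c.File -eq 'Name') { $name } else { $data.Trim('"') }
            [pscustomobject]@{ Key = $c.Key; Name = $name; Data = $data; File = $file }
        }
    }
}

$hits = @(Find-AndromAutostart)
if ($hits.Count -eq 0) {
    Write-Host 'No BKDR_ANDROM.JB autostart indicators found.'
    return
}
$hits | Format-Table -AutoSize

foreach ($h in $hits) {
    # Leave the dropped file for the scan in Step 5; only report whether it is still present.
    if (Test-Path -LiteralPath $h.File) {
        Write-Warning "Dropped file still present (scan it, do not run it): $($h.File)"
    }
    if ($Remove -and $PSCmdlet.ShouldProcess("$($h.Key) -> $($h.Name)", 'Remove autostart value')) {
        Remove-ItemProperty -LiteralPath $h.Key -Name $h.Name
    }
}
```

Run it once without switches from an elevated prompt (the HKLM locations are only readable in full, and writable, as administrator), review the table, and run it again with -Remove -WhatIf before committing to -Remove. The svchost.exe check flags any copy outside System32 regardless of how {All Users' profile} resolves on the host, which is why the script matches on path pattern rather than on a resolved folder.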

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_ANDROM.JB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
