BKDR_YAMIYU.A

Upon execution, this backdoor opens the dropped non-malicious .DOC file to trick the users into thinking that it is a harmless Microsoft Word document while it executes in the background.

This backdoor may receive arbitrary commands from the remote user such as downloading an updated copy of itself, downloading other malware, executing CMD shell commands.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It bears the file icons of certain applications to avoid easy detection and consequent removal.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following non-malicious files:

• %Application Data%\Help\~$link.doc

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

• %Application Data%\Help\WINCHAT.EXE

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It bears the file icons of the following applications:

• Microsoft Word

It creates the following folders:

• %Application Data%\Help

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
iexplore = %Application Data%\Help\WINCHAT.EXE

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
WINCHAT = %Application Data%\Help\WINCHAT.EXE

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• 443

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.137.28

Download Routine

This backdoor connects to the following malicious URLs:

• http://larry.{BLOCKED}a.com/AWS{random number}.jsp?{random characters}

It saves the files it downloads using the following names:

• %System Root%\RECYCLER\lssas.exe - BKDR_AGENT.ZZZ
• %System Root%\RECYCLER\conime.exe - BKDR_AGENT.ZZZ

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

NOTES:
Upon execution, this backdoor opens the dropped non-malicious .DOC file to trick the users into thinking that it is a harmless Microsoft Word document while it executes in the background.

This backdoor may receive arbitrary commands from the remote user such as downloading an updated copy of itself, downloading other malware, executing CMD shell commands.