BKDR_BLOHI.B

This backdoor monitors and captures screenshots of specific Korean games. It is also capable of displaying fake blue screen of death screens.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system. It sends the information it gathers to remote sites.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{random string} = "{Malware Path and File Name}"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer\Run
{random string} = "{Malware Path and File Name}"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{Malware Path and File Name} = "{Malware Path and File Name}:*:Enabled:Microsoft (R) Internetal IExplore"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and execute arbitrary files
• Display Fake BSOD
• Capture screenshots of certain games
• Log Keystrokes
• Disable Mouse
• Shutdown computer

Download Routine

This backdoor accesses the following websites to download files:

• http://{BLOCKED}update.{BLOCKED}y.com/attachment/cfile7.uf@197407484F516F1829F7A5.ocx
• http://{BLOCKED}7.uf.{BLOCKED}y.com/attach/197407484F516F1829F7A5

Information Theft

This backdoor retrieves the following information from the affected system:

• Installed AntiVirus Products (CompanyName, DisplayName, Version Number)
• System Information (Computer Name, Processor Information, Physical Memory)

It sends the information it gathers to remote sites.

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• http://{BLOCKED}g.{BLOCKED}r.com/PostView.nhn?blogId=windowupdate&logNo={number}&parentCategoryNo=1&viewDate=¤tPage=1&listtype=0&userTopListOpen=false&userTopListCount=5&userTopListManageOpen=false&userTopListCurrentPage=undefined

However, as of this writing, the said sites are inaccessible.

NOTES:

It monitors the following games:

• Baduki
• DuelPoker
• Highlow2
• HOOLA3
• LASPOKER
• Poker7

It checks if it is running under a virtual environment by querying the following registry key:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum

It checks for the presence of the following strings on the aforementioned registry:

• VBOX
• Virtual
• VMware

It queries the following registry key to get the processor information:

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz