BKDR_WINNTI.JK

 Analysis by: Roland Marco Dela Paz

 ALIASES:

Backdoor.Winnti (Symantec)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor may be dropped by other malware.

It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size:

268,240 bytes

File Type:

DLL

Initial Samples Received Date:

28 Feb 2012

Arrival Details

This backdoor may be dropped by other malware.

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\winmm.dll

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Other System Modifications

This backdoor also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
HTMLHelp
data = TKVFP-XVYSZ-MNFWH-RBJHK-ELYZR

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

  • kr.{BLOCKED}oft.com