BKDR_NFLOG.ER

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

• %Temp%\YahooCache.ini
• %Temp%\$NtUninstallKB942388$ - Contains stolen information
• %User Temp%\iexpl001.tmp - also detected as BKDR_NFLOG.ER
• %Temp%\NfIpv6.ocx - also detected as BKDR_NFLOG.ER

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious file:

• %User Temp%\iexpl001.tmpcmd.exe - copy of cmd.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It injects codes into the following process(es):

• svchost.exe

Autostart Technique

This backdoor registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP
ImagePath = "%System%\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP
DisplayName = "IPv6 Stack Local Support"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP
Description = "Net address translation for IPv6 Protocol"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP\Parameters
ServiceDll = "%Temp%\NfIpv6.ocx"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPRIP\Enum

Other System Modifications

This backdoor adds the following registry keys:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\P3P

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\P3P\History

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Connections

It adds the following registry entries:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Clock
HID = "{hex values}"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths
Directory = "NetworkService's %Temporary Internet Files%\Content.IE5"

(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path1
CachePath = "NetworkService's %Temporary Internet Files%\Content.IE5\Cache1"

(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path2
CachePath = "NetworkService's %Temporary Internet Files%\Content.IE5\Cache2"

(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path3
CachePath = "NetworkService's %Temporary Internet Files%\Content.IE5\Cache3"

(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache3.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path4
CachePath = "NetworkService's %Temporary Internet Files%\Content.IE5\Cache4"

(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache4.)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download files
• Perform remote shell
• Retrieve system information
• Update self

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• www.{BLOCKED}elev.com/norton/NfStart.asp
• www.{BLOCKED}elev.com/norton/NfHostInfo.asp
• www.{BLOCKED}elev.com/norton/TTip.asp
• www.{BLOCKED}elev.com/norton/NfCommand.asp
• www.{BLOCKED}elev.com/norton/Nfpredown.asp

It posts the following information to its command and control (C&C) server:

• IP configuration
• Network statistics
• Running processes
• Running services
• System information

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• www.{BLOCKED}elev.com/norton/Nfile.asp

It saves the files it downloads using the following names:

• %Temp%\MSMAPI.OCX - also detected as BKDR_NFLOG.ER

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

NOTES:

This backdoor sends IP address and infection time to report system infection. It sends this information to the following URL via HTTP post:

• www.{BLOCKED}elev.com/norton/NfStart.asp