PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Canal de infección Downloaded from the Internet

NETBOT is a family of Trojans known for its downloading routines. When executed, it registers itself as a service for automatic execution. It also connects to certain URLs to download files on systems. This routine further infects the computer with other malicious files.

  TECHNICAL DETAILS

Carga útil Downloads files

Installation

This backdoor drops the following files:

  • %System%\R{random characters}C.dll
  • %System%\W{random}.dll
  • %System%\Prcmxnq.src

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_BITS\
0000\Control
ActiveService = "BITS"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MEDIACENTER\
0000
Service = "MediaCenter"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediaCenter
ImagePath = "%System%\svchost.exe -k krnlsrvc"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediaCenter
DisplayName = "MS Media Control Center"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediaCenter\Parameters
ServiceDll = "%System%\Prcmxnq.src"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediaCenter\Parameters
ServiceDll = "%System%\W{random}.dll"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
UserFaultCheck = "%System Root%\system32\dumprep 0 -u"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_BITS\
0000\Control

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MEDIACENTER

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediaCenter

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
krnlsrvc = "MediaCenter"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
Start = "2"

(Note: The default value data of the said registry entry is "3".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS\Parameters
ServiceDll = "%System%\R{random characters}C.dll"

(Note: The default value data of the said registry entry is "%System%\qmgr.dll".)