BKDR_EVILOGE.SM

This malware was used in the EvilGrab campaign, which targets victims in Japan and China.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It retrieves specific information from the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Application Data%\360\Live360.exe
• %Application Data%\temp\temp1.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• svchost.exe

It creates the following folders:

• %Application Data%\360
• %Application Data%\temp

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It stays memory-resident by injecting codes into the following processes:

• svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
UKey = "%Application Data%\360\Live360.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\rar

HKEY_CURRENT_USER\Software\rar

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\rar
data = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\rar
s = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\rar
ActiveSettings = "{random characters}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Log keystrokes
• Download and execute file(s)
• Manipulate files
• Manipulate directories
• Steals user credentials such as user name and passwords, which are related to the following applications:
  • Internet Explorer Password-Protected sites
  • Microsoft Outlook
  • HTTP
  • IMAP
  • Protected Storage
  • POP3
  • SMTP
  • HTTPMail
  • Windows Messaging

It connects to the following websites to send and receive information:

• http://www.{BLOCKED}k.hk

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• 360Safe
• 360safe.exe
• 360sd.exe
• 360tray.exe
• AVGIDSMonitor.exe
• Avast
• FProt
• FProtTray.exe
• FrzState2K.exe
• KAVsvc.exe
• KSafeTray.exe
• KVwsc.exe
• LiveUpdate360
• MPMon.exe
• Mcafee
• Mcshield.exe
• NOD32
• RavMon.exe
• RavMonD.exe
• RsTray.exe
• SfCtlCom.exe
• UfNavi.exe
• UfSeAgnt.exe
• WinMe
• ZhuDongFangYu.exe
• ashServ.exe
• avgrsx.exe
• avp.exe
• ccSvcHst.exe
• ekrn.exe
• explorer.exe
• kav.exe
• kwstray.exe
• kxetray
• nod32krn.exe
• nscsrvce.exe
• ravtask.exe
• rising.exe
• rtvscan.exe
• ESET Filter Service
• ESET5

Dropping Routine

This backdoor drops the following file(s), which it uses for its keylogging routine:

• %User Profile%\users.bin - Contains keystroke logs

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Information Theft

This backdoor retrieves the following information from the affected system:

• Local IP address
• Operating system
• Computer name
• User name
• Processor information

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:

It decrypts two .DLL files in memory which it injects to its created instance of svchost.exe.

It attempts to steal all memory related to Tencent QQ, a Chinese instant messaging application. This includes conversations of the user's contacts in QQ.