BKDR_VERNOT.B

This malware connects to a blogging service to receive and perform commands from remote malicious users. Due to this, it is able to perform actions on the affected system without user authorization, such as downloading and executing files, as well as steal certain information about the system itself. Users affected by this malware may find the security of their systems compromised.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This malware connects to livedoor to receive and perform commands from remote malicious users. Users affected by this malware may find the security of their systems compromised.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

• %User Temp%\NETUT.dll - Also detected as BKDR_VERNOT.B

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Its DLL component is injected to the following process(es):

• explorer.exe

Autostart Technique

This backdoor modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "{Malware path and file name}.exe"

(Note: The default value data of the said registry entry is "" .)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download files
• Execute files
• Rename files
• Unzip archive files

Information Theft

This backdoor gathers the following data:

• Affected machine’s Registered Owner
• Affected machine’s Registered Organization
• Affected machine's OS information
• Affected machine's Time Zone
• Affected machine's User Name
• Affected machine's Computer Name

NOTES:

It connects to a legitimate site, livedoor, an Internet service provider that runs a web portal.

It does this by connecting to the following URL:

• http://www.livedoor.com/r/user_login

It logs in the following website using its user credentials:

• http://member.livedoor.com/login/?.sv=top

Once logged, it proceeds to the blog site of Livedoor:

• http://livedoor.blogcms.jp/member/

This backdoor uses the computer name as the title of the draft it creates. It then adds the text "$_$Today is a very important day for me.$" It also includes the date and time the malware is executed in the created draft.

It uses the draft it creates as a drop-off point for stolen information.