BKDR_ANDROM.NTW

This backdoor may be downloaded from remote sites by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be downloaded from remote site(s) by the following malware:

• JAVA_DLOADER.NTW

It may be downloaded from the following remote sites:

• http://{BLOCKED}lcurrencyreport.com/cybercrime-suspect-arrested/up1.exe

Installation

This backdoor drops the following copies of itself into the affected system:

• %System Root%\Documents and Settings\All Users\svchost.exe - if running in virtual machine
• %System Root%\Documents and Settings\All Users\Local Settings\Temp\ms{random characters}.{extension name} - if running in admin account
• %User Temp%\ms{random characters}.{extension name} - if not running in admin account

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Decimal form of the Volume Serial Number of %System Root%}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It stays memory-resident by injecting codes into the following processes:

• \system32\wuauclt.exe
• \syswow64\svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%System Root%\Documents and Settings\All Users\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%System Root%\Documents and Settings\All Users\Local Settings\Temp\ms{random characters}.{extension name}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
Load = "%User Temp%\ms{random}.{extension name}"

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:{malware name}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it in the folder %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}st.com/image.php

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• www.update.microsoft.com

NOTES:

The {extension name} of the dropped copy is any of the following:

• BAT
• CMD
• COM
• EXE
• PIF
• SCR