BKDR_WMIGHOST.A
Gen:Variant.Unruy.1 (BitDefender)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Download and Upload Files
- Remote Code Execution
It connects to the following websites to send and receive information:
- owner.102.shoptupian.com/r6/all.php
Information Theft
This backdoor accesses the following site to download its configuration file:
- http://{BLOCKED}acharya.blog.com/feed
- http://{BLOCKED}p123.wordpress.com/feed
- http://{BLOCKED}din2004.blog.com/feed
It gathers the following data:
- Hostname
- MAC Address
- Operating System
- Malware Version
- Malware Owner
SOLUTION
Step 1
Scan your computer with your Trend Micro product to delete files detected as BKDR_WMIGHOST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
NOTES:
<Deleting Malicious Script
To delete the malicious script created by this malware using WMI Command-line Tool:
- Open a WMI command-line. To do this, click Start>Run, type WMIC in the text box provided, then press Enter.
- Type the following on the command-line tool and delete the malicious event consumer:
/namespace:\\root\subscription PATH __EventConsumer delete - Press Y and Enter when prompted to delete the following, press N and enter if other values are seen:
\\{computer name}\\ROOT\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer" - Type the following on the command-line tool and delete the event filter:
/namespace:\\root\subscription PATH __EventFilter delete - Press Y and Enter when prompted to delete the following, press N and enter if other values are seen: \\{computer name}\\ROOT\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter"
- Type the following on the command-line tool and delete the event timer instruction:
/namespace:\\root\subscription PATH __TimerInstruction delete - Press Y and Enter when prompted to delete the following, press N and enter if other values are seen: \\{computer name}\\ROOT\subscription:__TimerInstruction.TimerId="Microsoft WMI Comsumer Security Event_WMITimer"
- Type the following on the command-line tool and delete the FiltertoConsumerBinding: /namespace:\\root\subscription PATH __FilterToConsumerBinding delete
- Press Y and Enter when prompted to delete the following, press N and enter if other values are seen:
- \\{computer name}\\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter\""
- Type quit or exit to close the command-line tool
Did this description help? Tell us how we did.