ALIASES:

Wkysol, Sykipot_gen

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

The first SYKIPOT variants were spotted in 2007. These backdoors are usually dropped by other malware that exploits vulnerabilities.

SYKIPOT backdoors steal the following information, which they send to their C&C server:

  • Active network connections

  • Adapter information

  • System information (OS, processor, BIOS version, time zone, memory, etc.)

SYKIPOT has been implicated in targeted attacks. Its variants mask their connections to the C&C servers, which are usually compromised web servers on which proxies have been placed.

TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information

Installation

This backdoor drops the following files:

  • %User Profile%\Local Settings\gtpretty.tmp
  • %User Profile%\Local Settings\gdtpretty.tmp
  • %User Profile%\Local Settings\ptpretty.tmp
  • %User Profile%\Local Settings\pdtpretty.tmp
  • %User Profile%\Local Setiings\gthelp.tmp
  • %User Profile%\Local Setiings\gdthelp.tmp
  • %User Profile%\Local Setiings\pthelp.tmp
  • %User Profile%\Local Setiings\pdthelp.tmp

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following file(s)/component(s):

  • %User Profile%\Local Settings\WSE4EF1.TMP
  • %User Profile%\Local Settings\mshelp.tmp

It drops the following copies of itself into the affected system:

  • %User Profile%\Local Settings\pretty.exe
  • %User Profile%\Local Settings\help.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
office = "%User Profile%\Local Settings\pretty.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
start = "%User Profile%\Local Settings\help.exe"

Other Details

This backdoor connects to the following possibly malicious URLs:

  • https://www.{BLOCKED}her.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-pretty20111122
  • https://help.{BLOCKED}advocator.com/asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-help20110908
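As an added example, not part of the original entry: a Python triage helper that recognizes the check-in URL shape listed above in proxy log lines and the documented Run values in an exported name-to-data mapping. The log line format, the .invalid C&C host names, the victim names and the sample Run entries are constructed for this example; the C&C domains on the page remain blocked.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Check-in URL shape documented above (C&C domains are blocked on the page):
#   /asp/kys_allow_get.asp?name=getkys.kys&hostname={computer name}-{ip address}-{tag}
# where {tag} is the campaign marker (pretty20111122 or help20110908).
BEACON_PATH = "/asp/kys_allow_get.asp"
HOSTNAME_RE = re.compile(
    r"^(?P<computer>.+?)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<tag>(?:pretty|help)\d{8})$")
# Autostart entries documented above: Run value name -> expected path suffix.
RUN_INDICATORS = {"office": r"\local settings\pretty.exe",
                  "start": r"\local settings\help.exe"}

def parse_beacon(url):
    """Return C&C host, victim computer name, IP and tag if url is a SYKIPOT check-in."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(BEACON_PATH):
        return None
    qs = parse_qs(parts.query)
    if qs.get("name", [""])[0].lower() != "getkys.kys":
        return None
    m = HOSTNAME_RE.match(qs.get("hostname", [""])[0])
    if not m:
        return None
    return {"cc_host": parts.hostname, **m.groupdict()}

def scan_proxy_log(lines):
    """Constructed log format: '<timestamp> <client ip> <method> <url>' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and (beacon := parse_beacon(fields[3])):
            hits.append({"client": fields[1], **beacon})
    return hits

def suspicious_run_entries(run_values):
    """Flag HKCU Run values (name -> data, e.g. from a 'reg query' export) matching the indicators."""
    return [name for name, data in run_values.items()
            if RUN_INDICATORS.get(name.lower(), "\0") in data.lower()]

# Constructed sample data; C&C hosts use the reserved .invalid TLD as placeholders.
SAMPLE_LOG = """\
2011-11-23T08:14:02Z 10.0.0.15 GET https://www.cc-placeholder.invalid/asp/kys_allow_get.asp?name=getkys.kys&hostname=WS-FIN07-10.0.0.15-pretty20111122
2011-11-23T08:14:09Z 10.0.0.15 GET https://www.site.invalid/index.html
2011-11-23T08:15:40Z 10.0.0.22 GET https://help.cc-placeholder.invalid/asp/kys_allow_get.asp?name=getkys.kys&hostname=LT-HR03-10.0.0.22-help20110908
2011-11-23T08:16:01Z 10.0.0.31 GET https://www.site.invalid/asp/kys_allow_get.asp?name=other.kys&hostname=x
"""
SAMPLE_RUN = {"office": r'"%User Profile%\Local Settings\pretty.exe"',
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
```

The hostname parameter gives the victim's computer name and internal IP, so a single matching proxy line already identifies the host to isolate and the campaign tag to pivot on.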