Backdoor.MSIL.REMCOS.AOZ

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

It steals certain information from the system and/or the user. It logs a user's keystrokes to steal information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• Trojan.P97M.REMCOS.AB

Installation

This Backdoor drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\Usermodehost.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd.exe /c copy "%User Temp%\dee.1exe" "%AppDataLocal%\Usermodehost.exe"

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Application Data%\remcos

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Remcos_Mutex_Inj
• nenye-IEA1X9

Autostart Technique

This Backdoor drops the following files:

• %Application Data%\remcos\logs.dat -> log file used by the malware to store information sniffed by the keylogger

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\Usermodehost.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\nenye-IEA1X9
licence = "{data}"

HKEY_CURRENT_USER\Software\nenye-IEA1X9
exepath = "{hex values}"

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Rename File
• Delete File
• Find File
• Download File
• Execute A File
• Upload File
• Execute a command
• Execute Downloaded File
• Terminate Process
• Close Window
• Change Window Text
• Show Window
• Enum Window
• Terminate Thread
• Change Wallpaper
• Empty Clipboard
• Get Clipboard Contents
• Set Clipboard Contents
• Shutdown Windows
• Show message box
• Modify registry
• Enumerate registry key/entries
• Get Keyboard Layout Information
• Activate Keylogger
• Turn Off Keylogger
• Connect to a server
• Close Connection
• Clear browser logins and cookies
• Get process id of window
• Hide or Show Window
• Uninstall Self
• Update Self
• Terminate Self
• Terminate Process
• List files and subfiles in directory
• Modify Service
• Play Sound
• Create Alarm
• Switch Windows
• Get DxDiag Information
• Get System Timing Information
• Open CMD
• Close Socket
• Change Keep-Alive timeout
• Capture Image Using Camera

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• anita98.{BLOCKED}s.org:3131

Information Theft

This Backdoor steals the following information:

• Operating System Version
• User Privilege (Admin or Non-Admin)
• Processor Revision No.
• Processor Level
• Processor Identifier
• Processor Architecture
• System type (32-bit or 64-bit)
• Keyboard Layout
• Keyboard Key Pressed
• Idle Time of User
• Clipboard Contents
• User Name
• Computer Name

It logs a user's keystrokes to steal information.