BKDR_GHOSTNET.S

This backdoor may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

It gathers certain information on the affected computer. It logs a user's keystrokes to steal information.

Arrival Details

This backdoor may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

• %System%\360SP2.dll - also detected as BKDR_GHOSTNET.S

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN\
0000
Service = "Microsoft Madmin"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin
ImagePath = "%System%\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin
DisplayName = "Microsoft Device Manager"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Parameters
ServiceDll = "%System%\360SP2.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Enum
0 = "Root\LEGACY_MICROSOFT_MADMIN\0000"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_MICROSOFT_MADMIN\
0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Microsoft Madmin\Enum

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}.161.101:100

However, as of this writing, the said sites are inaccessible.

Information Theft

This backdoor gathers the following information on the affected computer:

• Computer name
• Processor speed (in MHz)
• Operating system version
• Number of processors
• Total amount of memory (in MB)

It logs a user's keystrokes to steal information.

Other Details

This backdoor requires the following additional components to properly run:

• %System%\flyboy.dat

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

NOTES:

This backdoor checks the following anti-malware related processes and adds them to the gathered information:

• 360sd.exe
• 360tray.exe
• ashDisp.exe
• avast
• avcenter.exe
• avguard.exe
• avira
• avp.exe
• egui.exe
• knsdtray.exe
• KvMonXP.exe
• kxetray.exe
• Mcshield.exe
• NOD32
• RavMonD.exe
• TMBMSRV.exe

It checks the following processes and adds them to the gathered information:

• dnf.exe
• dp.exe
• DragonNest.exe
• mdm365.exe
• my.exe
• QQhxgame.exe
• tw2.exe
• wow.exe
• xy2.exe
• xy3.exe