BKDR_NELOWEG.DD

This malware is a backdoor with the primary purpose of stealing information from online transactions. The list of the monitored URLs can also be dynamically updated by a cybercriminal. It also has features to enable it to run on Windows Vista and Windows 7.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_NELOWEG.DD

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• !storage! – retrieves the stored passwords of the browser where this malware is running, and sends it to the C&C server
• !block! – set the registry entry HKEY_CURRENT_USER\UDP !block!
• !screen! – set the registry entry HKEY_CURRENT_USER\UDP !screen!
• !filter! – set the registry entry HKEY_CURRENT_USER\UDP !filter!
• !alt! – set the registry entry HKEY_CURRENT_USER\UDP !alt! which contains the alternate C&C servers
• !tickit! – set the registry entry HKEY_CURRENT_USER\UDP !tickit!
• !content! – create the registry key HKEY_CURRENT_USER\UDP\c and set registry entries in it
• !reder! – create the registry key HKEY_CURRENT_USER\UDP\r and set registry entries in it
• !cmd! – download a file and execute it
• !kill! – delete the files C:\boot.ini, %System%\dllcache\userinit.exe, and %System%\userinit.exe and forcefully restarts the system

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

NOTES:

This malware is installed as a Winsock namespace provider, which loads this malware every time the Winsock library is loaded.

It checks if it is running under the following:

• Avant
• Firefox
• Internet Explorer
• Maxthon
• MyIE
• Windows Live Toolbar

If it is running under Firefox, it does the following:

• Deletes the file %Program Files%\Java\jre6\lib\deploy\jqs\ff\chrome\content\overlay.js
• Drops the following files:
  • %Program Files%\Mozilla Firefox\components\nsILego.xpt
  • %Program Files%\Mozilla Firefox\components\nsLego.js
  • %Program Files%\Mozilla Firefox\error.jar
  • %Program Files%\Mozilla Firefox\error.manifest

The file error.JAR contains JavaScript files detected by Trend Micro as JS_NELOWEG.DD.

If it is not running under Firefox, it adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1406 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1607 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1609 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1406 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1607 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
1609 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1406 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1607 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1406 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1607 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
1609 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1406 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1607 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
1609 = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NoProtectedModeBanner = "1"

It gets the C&C server from the following registry entries:

HKEY_CURRENT_USER\UDP
g = "{obfuscated C&C server URL}"

HKEY_CURRENT_USER\UDP
!alt! = "{obfuscated C&C server URL}"

When the browser loads a web page, it checks if the URL is defined in HKEY_CURRENT_USER\UDP\c. If the URL is defined, it injects HTML with JavaScript codes to the loading web page.

It checks if the URL is defined in the following registry entry:

HKEY_CURRENT_USER\UDP
!block! = "{list of URLs to block}"

If it is found in !block!, the URL is blocked, and redirected to another URL defined in the following registry entry:

HKEY_CURRENT_USER\UDP
!reder! = "{list of URLs to redirect to}"

It hooks to submit, click, and keypress events. When a form is submitted, it sends the target URL with all the form data to the C&C server. When a button or link is clicked, the target URL is sent to the C&C server. When a keypress event is detected and the pressed key is Enter, the target URL together with all the form data (if the Enter key is used to submit a form) is sent to the C&C server.