Analysis by: Sabrina Lei Sioting
Modified by: kathleenno

ALIASES:

Trojan-Dropper.Win32.TDSS.anzf (Kaspersky); Trojan horse Cryptic.CWA (AVG)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

OVERVIEW

It monitors the browsing habits of the user and sends the information to certain URLs when certain strings are found in the Web address. It can also modify the search results returned by search engines to trick users into clicking malicious links, and/or displaying advertisements.

It modifies the Master Boot Record (MBR) of the affected system to enable itself to load before the Operating System boots up.

It writes files at the end of the hard disk to hide its component files.

This backdoor may be downloaded by other malware/grayware from remote sites.

It deletes registry entries, causing some applications and programs to not function properly.

It connects to a website to send and receive information.

It connects to certain websites to send and receive information.

TECHNICAL DETAILS

File Size: 147,968 bytes
File Type: EXE
Initial Samples Received Date: 26 May 2011
Payload: Modifies files, Connects to URLs/IPs

Arrival Details

This backdoor may be downloaded by the following malware/grayware from remote sites:

  • WORM_OTORUN.ASH

It may be downloaded from the following remote site(s):

  • http://{BLOCKED}.162.20/service/scripts/files/aff_50045.dll
  • http://{BLOCKED}123.34/service/scripts/files/aff_50045.dll
  • http://{BLOCKED}9.88.7/X

Installation

This backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Creates the mutex Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08 if the path of the executable file does not contain any of the following strings:
    • explo
    • firefox
    • opera
    • safari
    • netsc
    • avant
    • browser
    • mozill
    • wuauclt
  • Global\3006345f-6baf-4669-a7e1-aaa310564be9
  • Global\9e6af8f3-75f3-4b67-877a-c80125d7bc08
  • Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
  • Global\cc51461b-e32a-4883-8e97-e0706dc65415
  • Global\452fefe0-a06e-400f-8d6b-6a12a0a09d4b

Other System Modifications

This backdoor deletes the following files:

  • %System%\drivers\etc\hosts

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
67:UDP = "67:UDP:EnabledHCP Server"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\main\FeatureControl\
FEATURE_BROWSER_EMULATION
{executable name} = "{hex value}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
maxhttpredirects = "{hex value}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
enablehttp1_1 = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
zones\3
1601 = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
zones\3
1400 = "0"

(Note: The default value data of the said registry entry is 0.)

HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\International
acceptlanguage = "{local}"

(Note: The default value data of the said registry entry is {user defined}.)

It deletes the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = "{Preferred DNS}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = "localdomain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpNameServer = "{Preferred DNS}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDefaultGateway = "{Default Gateway}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDomain = "localdomain"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpSubnetMaskOpt = "{Subnet Mask}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpDefaultGateway = "{Default Gateway}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = "{Subnet Mask}"

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

  • http://{BLOCKED}update.com
  • http://{BLOCKED}9.88.8/spr.dll - detected as WORM_OTORUN.ASH

Other Details

This backdoor connects to the following websites to send and receive information:

  • http://{BLOCKED}.{BLOCKED}.193.171/
  • http://{BLOCKED}i813ck.com/
  • http://{BLOCKED}yt0.com/
  • http://{BLOCKED}ckl1i1i.com/
  • http://{BLOCKED}uke.com/
  • http://{BLOCKED}cho.com/
  • http://{BLOCKED}o81.com/
  • http://{BLOCKED}o81.com/
  • https://{BLOCKED}b6.com/
  • https://{BLOCKED}im1.com/
  • https://{BLOCKED}i71.com/
  • https://{BLOCKED}ka.in/
  • https://{BLOCKED}anno.com/

NOTES:

It monitors the browsing habits of the user and sends the information to the mentioned URLs when the following strings are found in the Web address. It can also modify the search results returned by search engines to trick users into clicking malicious links, or display advertisements:

  • .aol.
  • .com.com
  • .lycos.
  • .search.com
  • .tqn.com
  • 2mdn.net
  • 66.235.120.66
  • 66.235.120.67
  • abmr.net
  • about.com
  • adbureau.net
  • adcertising.com
  • adrevolver.com
  • alexa.com
  • alexametrics.com
  • alltheinternet.com
  • alltheweb.com
  • altavista.com
  • aolcdn.com
  • ask.com
  • atdmt.com
  • atwola.com
  • bing.
  • blinkx.com
  • compete.com
  • conduit.com
  • cuil.com
  • dogpile.com
  • doubleclick.net
  • doubleverify.com
  • edgesuite.net
  • entireweb.com
  • everesttech.net
  • exalead.com
  • excite.com
  • fimservecdn.com
  • firmserve.com
  • flickr.com
  • gigablast.com
  • google
  • gstatic.com
  • infospace.com
  • ivwbox.
  • iwon.com
  • live.com
  • lygo.com
  • mamma.com
  • meedea.com
  • metacrawler.com
  • msn.com
  • myspacecdn.com
  • mytalkingbuddy.com
  • oneriot.com
  • openx.org
  • othersonline.com
  • picsearch.com
  • powerset.net
  • scorecardresearch.com
  • searchvideo.com
  • superpages.com
  • tacoda.net
  • tribalfusion.com
  • truveo.com
  • twimg.com
  • virtualearth.net
  • wazizu.com
  • webcrawler.com
  • worthathousandwords.com
  • yahoo
  • yieldmanager.com
  • yimg.com
  • ytimg.com

It modifies the Master Boot Record (MBR) of the affected system to enable itself to load before the Operating System boots up.

It writes the following files at the end of the hard disk to hide its component files:

  • \\?\globalroot\{random}\cfg.ini - Contains the configuration for the BOT functionality of the malware.
  • \\?\globalroot\{random}\bckfg.tmp - backup copy of the configuration file.
  • \\?\globalroot\{random}\mbr - this is the code written in the Master Boot Record and executes ldr16.
  • \\?\globalroot\{random}\ldr16 - component loaded by the malware during OS boot-up. This is responsible for executing ldr32 or ldr64 depending on the Operating System.
  • \\?\globalroot\{random}\ldr32 - detected as TROJ_TDSS.ALJ; used by the malware to let the OS continue to boot without crashing by replicating the system library kdcom.dll.
  • \\?\globalroot\{random}\ldr64 - detected as TROJ_TDSS.ALJ; used by the malware to let the OS continue to boot without crashing by replicating the system library kdcom.dll.
  • \\?\globalroot\{random}\cmd.dll - detected as BKDR_TDSS.KARU
  • \\?\globalroot\{random}\cmd64.dll - also detected as BKDR_TDSS.KARU

SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.182.06
FIRST VSAPI PATTERN DATE: 26 May 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by BKDR_TDSS.ASH

Step 3

Restore your system’s Master Boot Record (MBR)

To restore your system's Master Boot Record (MBR):

  1. Insert your Windows installation CD into your CD-ROM drive, or insert the USB flash drive, then restart your computer.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the Recovery Console.
    (For Windows 2000 users: After pressing r, type c to choose the Recovery Console on the repair options screen.)
  5. When prompted, type your administrator password to log in.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, and then press Enter.
  7. Type the following then press Enter:
    fixmbr {affected drive}
    (Note: The affected drive is the bootable drive that this malware/grayware has affected. If no device is specified, the MBR will be written in the primary boot drive.)
  8. Type exit to restart the system.

Step 4

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    • 67:UDP = 67:UDP:EnabledHCP Server
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main\FeatureControl\FEATURE_BROWSER_EMULATION
    • {executable name} = {hex value}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • maxhttpredirects = {hex value}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • enablehttp1_1 = 1

Step 5

Restore this modified registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\3
    • From: 1601 = 0
      To: 1601 = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\3
    • From: 1400 = 0
      To: 1400 = 0
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International
    • From: acceptlanguage = {local}
      To: acceptlanguage = {user defined}

Step 6

Scan your computer with your Trend Micro product to delete files detected as BKDR_TDSS.ASH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 7

Restore this file from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.

  • %System%\drivers\etc\hosts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpNameServer = {Preferred DNS}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters
DhcpDomain = localdomain

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpNameServer = {Preferred DNS}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDefaultGateway = {Default Gateway}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpDomain = localdomain

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters\
Interfaces\{Adapter ID}
DhcpSubnetMaskOpt = {Subnet Mask}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpDefaultGateway = {Default Gateway}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Adapter ID}\Parameters\
Tcpip
DhcpSubnetMaskOpt = {Subnet Mask}
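As an added defender-side check (this script is not part of the Trend Micro description), the following PowerShell audits the registry indicators from Steps 4, 5 and 7 read-only and prints any that are present, modified or missing. It assumes an elevated session running as the user whose HKCU hive the malware modified, and checks the DHCP values only on interfaces configured for DHCP, since a static-IP interface never has them.

```powershell
# Added read-only audit, not part of the Trend Micro description: it reports the
# registry indicators listed above for BKDR_TDSS.ASH and changes nothing.
# Assumes an elevated session running as the user whose HKCU hive the malware modified.

# Returns the value's data, or $null when the key or value does not exist.
function Get-Value([string]$Path, [string]$Name) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p -ne $null) { return $p.$Name } else { return $null }
}

# Values that exist only because the malware added them (Step 4).
function Test-AddedValue([string]$Path, [string]$Name) {
    $v = Get-Value $Path $Name
    if ($v -ne $null) { Write-Output "ADDED    $Path : $Name = $v" }
}

# Values whose data should equal the default quoted in the description (Step 5).
function Test-ModifiedValue([string]$Path, [string]$Name, [string]$Expected) {
    $v = Get-Value $Path $Name
    if ($v -ne $null -and "$v" -ne $Expected) { Write-Output "MODIFIED $Path : $Name = $v (default $Expected)" }
}

$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
$ie  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$fbe = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

Test-AddedValue $fw '67:UDP'            # DHCP server port opened in the Windows Firewall
Test-AddedValue $ie 'maxhttpredirects'
Test-AddedValue $ie 'enablehttp1_1'
Test-ModifiedValue "$ie\Zones\3" '1601' '1'   # Internet zone (3) settings, defaults as quoted
Test-ModifiedValue "$ie\Zones\3" '1400' '0'

# FEATURE_BROWSER_EMULATION: the description gives only a placeholder name, so list
# every per-executable entry for manual review.
$p = Get-ItemProperty -Path $fbe -ErrorAction SilentlyContinue
if ($p -ne $null) {
    $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output "REVIEW   $fbe : $($_.Name) = $($_.Value)" }
}

# DHCP-populated values the malware deletes (Step 7); checked only on interfaces
# with EnableDHCP = 1, since a static-IP interface never has them.
$dhcpIfaces = Get-ChildItem "$tcp\Interfaces" -ErrorAction SilentlyContinue |
    Where-Object { (Get-Value $_.PSPath 'EnableDHCP') -eq 1 }
foreach ($iface in $dhcpIfaces) {
    foreach ($n in 'DhcpNameServer', 'DhcpDefaultGateway') {
        if ((Get-Value $iface.PSPath $n) -eq $null) { Write-Output "MISSING  $($iface.PSChildName) : $n" }
    }
}
if ($dhcpIfaces -and (Get-Value $tcp 'DhcpNameServer') -eq $null) { Write-Output "MISSING  $tcp : DhcpNameServer" }
```

A MISSING line on a DHCP interface is expected right after the infection and normally disappears once the client renews its lease (ipconfig /renew); the ADDED and MODIFIED lines persist until the values are removed or restored as in Steps 4 and 5.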
