ALIASES:

Boltolog, Turko, Refroso

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

TURKOJAN is a botnet with remote administration and spying capability. It is commonly bundled with other downloaded applications.

Users can't easily detect its presence because of its stealth mechanism/rootkit capabilities. It is categorized as high-risk malware because its remote access capability lets an attacker control the user's machine and environment. It also invades the victim's privacy through its video, audio and chat log features. While it is most probably used for cybercrime, it can also be used to play pranks on infected victims, since it is capable of controlling the mouse pointer or flipping the monitor display.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\microsoft.exe
  • %Windows%\mstwain32.exe
  • %Windows%\winlogon.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following possibly malicious files or file components:

  • %Windows%\cmsetac.dll
  • %Windows%\ntdtcstp.dll
  • %Windows%\KB8888239.log

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mstwain32 = "%Windows%\mstwain32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
microsoft = "%Windows%\microsoft.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
winlogon = "%Windows%\winlogon.exe"
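The dropped-file list and the Run-key entries above are the host indicators an administrator can check for directly. The following PowerShell script is an added example and is not part of this write-up; the file names, value names and registry path are the ones listed on this page, while the function names are my own. It also checks HKLM's Run key, which is an assumption beyond the HKCU entries the page lists, because the same value names would be just as suspicious there.

```powershell
# Added example (not part of the original write-up): look for the TURKOJAN
# persistence and dropped-file indicators listed above on the local host.

# File names the write-up says are dropped into %Windows%.
$droppedNames = @('microsoft.exe', 'mstwain32.exe', 'winlogon.exe',
                  'cmsetac.dll', 'ntdtcstp.dll', 'KB8888239.log')

# Run-key value names the write-up lists, with the file each should point at.
$runValues = @{
    'mstwain32' = 'mstwain32.exe'
    'microsoft' = 'microsoft.exe'
    'winlogon'  = 'winlogon.exe'
}

function Test-TurkojanFiles {
    # Note: the legitimate winlogon.exe lives in %Windows%\System32, so a copy
    # directly under %Windows% is itself an anomaly worth reporting.
    $win = $env:windir
    foreach ($name in $droppedNames) {
        $path = Join-Path $win $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Indicator = 'DroppedFile'; Location = $path; Detail = $hash }
        }
    }
}

function Test-TurkojanRunKeys {
    # HKCU is what the write-up documents; HKLM is an added assumption.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $runValues.Keys) {
            $value = $props.$name
            if ($null -ne $value) {
                # Flag the value whether or not it still points at the expected file;
                # the value name alone matches the documented persistence.
                $matchesFile = $value -like "*$($runValues[$name])*"
                [pscustomobject]@{
                    Indicator = 'RunKey'
                    Location  = "$key\$name"
                    Detail    = "$value (points at documented file: $matchesFile)"
                }
            }
        }
    }
}

# Collect and print any hits; an empty result means none of the listed
# indicators are present (it does not prove the host is clean).
$findings = @(Test-TurkojanFiles) + @(Test-TurkojanRunKeys)
if ($findings.Count -eq 0) {
    Write-Output 'No TURKOJAN file or Run-key indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that HKLM and %Windows% are readable. Hashes of any hit are emitted so they can be compared against vendor detections before the file is quarantined; the write-up itself does not list hashes, so none are hard-coded here.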

Other Details

This backdoor connects to the following possibly malicious URLs:

  • renan-hi.{BLOCKED}p.org:15963
  • noipminhaconta.{BLOCKED}p.biz:15963
  • sonsuzluk.{BLOCKED}p.biz:443
  • cihaderi.{BLOCKED}p.biz:15963
  • {BLOCKED}.{BLOCKED}.152.85:6886