BackDoor.Rebbew (A,B,C,D)

LOW
MEDIUM
~39K
Alias: Trojan.Webber (KAV)

Symptoms

Removal instructions:

The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.

Important: you will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally, you will have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antirebew-en.exe tool does the following:
  • it detects all the known BackDoor.Rebbew versions found in memory;
  • it removes the viral hooks (so that the backdoor process becomes fully visible to the BitDefender tool);
  • it deletes the files infected with BackDoor.Rebbew.

Analyzed By

Mihai Chiriac
BitDefender Virus Researcher

Technical Description:

This backdoor is not in the wild, but because of the new techniques it uses (full process stealth under both Windows 9x/Me and Windows 2000/XP) we decided to release this advisory.

The backdoor arrives in email messages looking like this:

    From: Wells Fargo Accounting

    Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489

    To: Someone someone@domain.com

    Dear Sir,

    Thank you for your online application for a Business Account with Wells Fargo. We appreciate your
    interest in banking with us.

    In order to open a Business Account, we must receive specific credit information that is verifiable.
    Because Wells Fargo has no locations in your state, we are unable to confirm the credit information
    in your application. Consequently, we regret to say that we cannot open an account for your business
    at this time.

    Attached are your Wells Fargo Application and your Social Security File.

    Sincerely,

    Sherli Chin
    Business Resource Center Services
    Wells Fargo Bank


When the user opens the attachment (detected by BitDefender as Trojan.Downloader.Rebbew), the program decrypts its internal strings, attempts to download the main backdoor program from the web and then runs it. First, the backdoor checks whether it is already memory resident by trying to open the mutex "Webber10_"; if it is not, it installs itself in memory.

It then copies itself into the System32 directory under a randomly generated file name, and also drops a DLL into System32 that is used to launch the main backdoor program.

The backdoor alters the registry key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

by adding the dropped DLL there; as a result, the DLL is loaded at every Windows boot (and starts the main backdoor). This key is an autostart location processed by the Explorer shell at logon, so an unexpected entry pointing at a freshly created DLL in System32 is worth checking on a suspected machine.

The backdoor is easily configured: the main executable has extra data appended after the end of the PE image, and reads that appended data as its configuration file at startup. The data can specify the ports the backdoor listens on, the sites where it uploads the confidential data it grabbed from the computer, and so on.
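As an added example (not code from the advisory or from the backdoor itself), the following C program shows how a configuration stored as appended data is located and read back: it walks the section table, takes the highest PointerToRawData + SizeOfRawData as the end of the image on disk, and treats whatever follows as the overlay. The PE skeleton, the configuration string and its key=value format are constructed for this example; the real backdoor's format is not documented on this page. The same walk is what an analyst uses to pull the configuration out of a sample, and it refuses truncated files whose section data runs past the end.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian field readers/writers: the image is an untrusted byte buffer,
 * so nothing is cast to a struct and every offset is bounds-checked. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Offset at which the overlay (data appended after the last section) starts,
 * or 0 when the headers are malformed, truncated, or nothing follows the sections. */
static size_t pe_overlay_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                         /* e_lfanew */
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec = rd16(img + pe + 6);                     /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t opt  = rd16(img + pe + 20);                    /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + opt;                      /* first IMAGE_SECTION_HEADER */
    uint64_t end = 0;
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh + 40 > len) return 0;
        /* PointerToRawData (+20) + SizeOfRawData (+16) = end of this section on disk */
        uint64_t e = (uint64_t)rd32(img + sh + 20) + rd32(img + sh + 16);
        if (e > end) end = e;
    }
    if (end == 0 || end >= len) return 0;                   /* no section data, or it runs past EOF */
    return (size_t)end;
}

/* Copy the overlay out as a NUL-terminated string; returns its length, 0 if none. */
static size_t extract_config(const uint8_t *img, size_t len, char *out, size_t outlen)
{
    size_t off = pe_overlay_offset(img, len);
    if (off == 0 || outlen == 0) return 0;
    size_t n = len - off;
    if (n > outlen - 1) n = outlen - 1;
    memcpy(out, img + off, n);
    out[n] = '\0';
    return n;
}

/* Constructed sample: a minimal PE32 skeleton with one section and a made-up
 * configuration string appended as overlay. */
#define SEC_RAW  0x200
#define SEC_SIZE 0x200
static const char SAMPLE_CONFIG[] = "listen=31337;upload=http://example.invalid/drop";
static uint8_t sample[SEC_RAW + SEC_SIZE + sizeof SAMPLE_CONFIG - 1];

static size_t build_sample(void)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z';
    wr32(sample + 0x3C, 0x40);                 /* e_lfanew */
    memcpy(sample + 0x40, "PE\0\0", 4);
    wr16(sample + 0x44, 0x014C);               /* Machine = i386 */
    wr16(sample + 0x46, 1);                    /* NumberOfSections */
    wr16(sample + 0x54, 0xE0);                 /* SizeOfOptionalHeader (PE32); body left zeroed */
    size_t sh = 0x40 + 24 + 0xE0;              /* section table at 0x138 */
    memcpy(sample + sh, ".text\0\0\0", 8);
    wr32(sample + sh + 8,  0x1000);            /* VirtualSize */
    wr32(sample + sh + 12, 0x1000);            /* VirtualAddress */
    wr32(sample + sh + 16, SEC_SIZE);          /* SizeOfRawData */
    wr32(sample + sh + 20, SEC_RAW);           /* PointerToRawData */
    memcpy(sample + SEC_RAW + SEC_SIZE, SAMPLE_CONFIG, sizeof SAMPLE_CONFIG - 1);
    return sizeof sample;
}

/* 1 if the overlay read back from the sample equals the string that was appended. */
static int sample_config_matches(void)
{
    char cfg[128];
    size_t len = build_sample();
    size_t n = extract_config(sample, len, cfg, sizeof cfg);
    return n == sizeof SAMPLE_CONFIG - 1 && strcmp(cfg, SAMPLE_CONFIG) == 0;
}

int main(void)
{
    char cfg[128];
    size_t len = build_sample();
    size_t n = extract_config(sample, len, cfg, sizeof cfg);
    printf("overlay at 0x%zx, %zu bytes: %s\n", pe_overlay_offset(sample, len), n, cfg);
    return n ? 0 : 1;
}
```

On a real sample you would read the whole file into a buffer and pass it to extract_config; a packed or resource-heavy binary can legitimately carry an overlay too, so the presence of appended data is a lead, not a verdict.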

The backdoor grabs passwords (both RAS and web form-based) and sends them to the attacker.

The interesting part of this backdoor is its capability to run in stealth mode on both Windows 9x/Me and 2000/XP systems. The backdoor process is hidden in a fairly advanced manner:
• Under Windows 9x/Me, the backdoor hooks the Process32Next function; when a program enumerates processes, the backdoor "filters" its own process out of the results.

• Under Windows 2000/XP, the backdoor hooks the NtQuerySystemInformation function and filters its own process out of the returned process list.
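To make the "filters its own process" step concrete, here is an added C example (not the backdoor's code) that performs the unlinking a NtQuerySystemInformation(SystemProcessInformation) hook would do on the buffer returned by the real function, together with the cross-view check a defender can use against it. The record layout is a cut-down assumption with only the link field, a thread count and the PID, and the PID list is constructed; the real structure is larger and variable-sized, but the NextEntryOffset chaining that the filter rewrites is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cut-down stand-in for SYSTEM_PROCESS_INFORMATION (an assumption of this example:
 * only the link field, a thread count and the PID are modelled; the real record also
 * carries the image name and timing data, and its size varies per record). */
typedef struct {
    uint32_t  NextEntryOffset;   /* bytes from this record to the next, 0 on the last */
    uint32_t  NumberOfThreads;
    uintptr_t UniqueProcessId;
} proc_rec_t;

/* Rootkit side: unlink the record for `pid` from a buffer that the genuine
 * NtQuerySystemInformation has just filled. Returns 1 if a record was hidden. */
static int filter_pid(uint8_t *buf, size_t *len, uintptr_t pid)
{
    proc_rec_t *prev = NULL;
    size_t off = 0;
    for (;;) {
        proc_rec_t *cur = (proc_rec_t *)(buf + off);
        if (cur->UniqueProcessId == pid) {
            if (prev) {
                /* make the previous record point past the hidden one */
                prev->NextEntryOffset = cur->NextEntryOffset ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            } else {
                if (cur->NextEntryOffset == 0) return 0;   /* only record: nothing to re-link */
                /* hidden record is first: slide the rest down; offsets are relative, so they stay valid */
                memmove(buf, buf + cur->NextEntryOffset, *len - cur->NextEntryOffset);
                *len -= cur->NextEntryOffset;
            }
            return 1;
        }
        if (cur->NextEntryOffset == 0) return 0;
        prev = cur;
        off += cur->NextEntryOffset;
    }
}

/* Consumer side: walk the list the way Task Manager would. */
static size_t collect_pids(const uint8_t *buf, uintptr_t *out, size_t max)
{
    size_t n = 0, off = 0;
    for (;;) {
        const proc_rec_t *cur = (const proc_rec_t *)(buf + off);
        if (n < max) out[n++] = cur->UniqueProcessId;
        if (cur->NextEntryOffset == 0) return n;
        off += cur->NextEntryOffset;
    }
}

/* Detection: cross-view diff, PIDs present in a trusted view but absent from the hooked one. */
static size_t cross_view_missing(const uintptr_t *trusted, size_t nt,
                                 const uintptr_t *hooked, size_t nh, uintptr_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nt; i++) {
        size_t j = 0;
        while (j < nh && hooked[j] != trusted[i]) j++;
        if (j == nh && n < max) out[n++] = trusted[i];
    }
    return n;
}

/* Constructed sample list; the PIDs are made up for this example. */
#define NREC 4
static const uintptr_t SAMPLE_PIDS[NREC] = { 4, 812, 31337, 1044 };

static size_t build_list(proc_rec_t recs[NREC])
{
    for (size_t i = 0; i < NREC; i++) {
        recs[i].NextEntryOffset = (i + 1 < NREC) ? (uint32_t)sizeof(proc_rec_t) : 0;
        recs[i].NumberOfThreads = 1;
        recs[i].UniqueProcessId = SAMPLE_PIDS[i];
    }
    return NREC * sizeof(proc_rec_t);
}

/* Whole scenario: hide `pid` in a copy, enumerate both views, report what the diff flags. */
static size_t hidden_after_filter(uintptr_t pid, uintptr_t *missing, size_t max)
{
    proc_rec_t trusted[NREC], hooked[NREC];
    build_list(trusted);
    size_t hlen = build_list(hooked);
    filter_pid((uint8_t *)hooked, &hlen, pid);
    uintptr_t tp[NREC], hp[NREC];
    size_t nt = collect_pids((const uint8_t *)trusted, tp, NREC);
    size_t nh = collect_pids((const uint8_t *)hooked, hp, NREC);
    return cross_view_missing(tp, nt, hp, nh, missing, max);
}

static size_t hidden_count(uintptr_t pid)
{
    uintptr_t missing[NREC];
    return hidden_after_filter(pid, missing, NREC);
}

static uintptr_t first_hidden(uintptr_t pid)
{
    uintptr_t missing[NREC];
    return hidden_after_filter(pid, missing, NREC) ? missing[0] : 0;
}

int main(void)
{
    printf("hiding 31337: %zu record(s) missing from the hooked view, first = %lu\n",
           hidden_count(31337), (unsigned long)first_hidden(31337));
    printf("hiding 9999 (not in the list): %zu missing\n", hidden_count(9999));
    return 0;
}
```

The cross-view idea carries over to the real system: a process that is absent from the NtQuerySystemInformation list but still owns a window, a socket, or a PID you can open by number is exactly what this kind of hook produces.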
The global hooking technique used by this backdoor is interesting: it saves the first 5 bytes of the hooked function and overwrites them with a JMP instruction. The hook routine itself is stored in the memory area between the PE header and the first section (usually zero padding left by the alignment) of kernel32.dll (for 9x/Me) or ntdll.dll (for 2000/XP). Because the jump target therefore lies inside the system DLL's own image, a check that only flags prologue jumps leaving the module will not notice it; comparing the in-memory prologue against the copy on disk will.

For 9x/Me the method obviously works: there is only one kernel32.dll in memory, mapped in the shared area that every process sees, so a write to it is visible in all processes.

Under 2000/XP things are different: each process gets its own mapping of the system DLLs, protected by the copy-on-write (COW) mechanism. When a process writes to a page of a system DLL, the system transparently gives that process a private copy of the page and writes the data there, leaving the original DLL pages unaltered for every other process. However, the backdoor uses a trick to write into ntdll.dll's memory area.
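An added C example (not the backdoor's code) of the 5-byte JMP patch described above and of two ways to look for it. The "module" is a 4 KiB buffer standing in for a mapped ntdll.dll, with the export's prologue at FUNC_OFF and the handler dropped into the zero padding after the headers at SLACK_OFF, as the text describes; those offsets, the prologue bytes and the one-byte RET handler are assumptions of the example. A check that only flags a prologue jump leaving the module does not fire, because the handler sits inside the module; comparing the in-memory prologue with the on-disk bytes does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define HOOK_LEN 5           /* E9 rel32: the 5 bytes the backdoor saves and overwrites */

/* Stand-in for a mapped ntdll.dll image (assumption of this example: a 4 KiB buffer with
 * the hooked export at FUNC_OFF and zero padding after the headers at SLACK_OFF). */
enum { MOD_SIZE = 0x1000, SLACK_OFF = 0x200, FUNC_OFF = 0x800 };
static uint8_t module_disk[MOD_SIZE];   /* pristine bytes, as read from the file on disk */
static uint8_t module_mem[MOD_SIZE];    /* the in-memory image the backdoor patches */

typedef struct {
    uint8_t  saved[HOOK_LEN];  /* original prologue, needed to call through or to unhook */
    uint8_t *target;
} hook_t;

/* Encode JMP rel32; the displacement is relative to the end of the 5-byte instruction. */
static void encode_jmp_rel32(uint8_t out[HOOK_LEN], uintptr_t src, uintptr_t dst)
{
    int32_t rel = (int32_t)((intptr_t)dst - (intptr_t)(src + HOOK_LEN));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);            /* x86 stores the displacement little-endian */
}

/* The displacement as a 32-bit value, for checking the encoding. */
static uint32_t encoded_rel(uintptr_t src, uintptr_t dst)
{
    uint8_t b[HOOK_LEN];
    encode_jmp_rel32(b, src, dst);
    return (uint32_t)b[1] | ((uint32_t)b[2] << 8) | ((uint32_t)b[3] << 16) | ((uint32_t)b[4] << 24);
}

/* Save the first five bytes of `func`, then redirect it to `handler`. */
static void install_hook(hook_t *h, uint8_t *func, const uint8_t *handler)
{
    h->target = func;
    memcpy(h->saved, func, HOOK_LEN);
    encode_jmp_rel32(func, (uintptr_t)func, (uintptr_t)handler);
}

static void remove_hook(const hook_t *h) { memcpy(h->target, h->saved, HOOK_LEN); }

/* Decode a leading JMP rel32, returning its absolute target (0 if the prologue is not a JMP). */
static uintptr_t jmp_target(const uint8_t *func)
{
    if (func[0] != 0xE9) return 0;
    int32_t rel;
    memcpy(&rel, func + 1, sizeof rel);
    return (uintptr_t)func + HOOK_LEN + (intptr_t)rel;
}

/* Naive check: flag a prologue JMP that leaves the module. Misses this backdoor,
 * whose handler lives inside the DLL's own header padding. */
static bool jmp_leaves_module(const uint8_t *func, const uint8_t *base, size_t size)
{
    uintptr_t dst = jmp_target(func);
    return dst != 0 && (dst < (uintptr_t)base || dst >= (uintptr_t)base + size);
}

/* Robust check: compare the in-memory prologue with the copy on disk. */
static bool prologue_modified(const uint8_t *mem, const uint8_t *disk)
{
    return memcmp(mem, disk, HOOK_LEN) != 0;
}

/* Build the fake module: a typical prologue at FUNC_OFF, zeros everywhere else. */
static void setup_module(void)
{
    static const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }; /* push ebp; mov ebp,esp; sub esp,0x10 */
    memset(module_disk, 0, sizeof module_disk);
    memcpy(module_disk + FUNC_OFF, prologue, sizeof prologue);
    memcpy(module_mem, module_disk, sizeof module_mem);
}

/* Scenario: the backdoor drops its handler into the header slack and hooks the export.
 * Bitmask: 1 = naive check fired, 2 = disk comparison fired, 4 = JMP resolves to the
 * slack, 8 = unhooking restored the original bytes. */
static unsigned run_scenario(void)
{
    hook_t h;
    setup_module();
    module_mem[SLACK_OFF] = 0xC3;                 /* stand-in handler body (just RET) */
    install_hook(&h, module_mem + FUNC_OFF, module_mem + SLACK_OFF);
    unsigned r = 0;
    if (jmp_leaves_module(module_mem + FUNC_OFF, module_mem, MOD_SIZE)) r |= 1;
    if (prologue_modified(module_mem + FUNC_OFF, module_disk + FUNC_OFF)) r |= 2;
    if (jmp_target(module_mem + FUNC_OFF) == (uintptr_t)(module_mem + SLACK_OFF)) r |= 4;
    remove_hook(&h);
    if (!prologue_modified(module_mem + FUNC_OFF, module_disk + FUNC_OFF)) r |= 8;
    return r;
}

int main(void)
{
    unsigned r = run_scenario();
    printf("rel32 for 0x1000->0x2000: 0x%08x\n", encoded_rel(0x1000, 0x2000));
    printf("jmp-leaves-module check fired: %s; disk comparison fired: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return 0;
}
```

The disk comparison is what the removal tool's "removes the viral hooks" step amounts to in practice: with the saved bytes known, writing them back over the JMP is all that is needed to make the process visible again.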