BackDoor.Rebbew (A,B,C,D) (Trojan.Webber (KAV))
SYMPTOMS:

TECHNICAL DESCRIPTION:

This backdoor is not in the wild, but because of the new techniques it uses (full process stealth under both Windows 9x/Me and Windows 2000/XP) we decided to release this advisory.

The backdoor arrives in email messages that look like this:

    From: Wells Fargo Accounting
    Subject: Re: Wells Fargo Bank New Business Account Application - ID# 4489
    To: Someone someone@domain.com

    Dear Sir,

    Thank you for your online application for a Business Account with Wells Fargo. We appreciate your interest in banking with us.

    In order to open a Business Account, we must receive specific credit information that is verifiable. Because Wells Fargo has no locations in your state, we are unable to confirm the credit information in your application. Consequently, we regret to say that we cannot open an account for your business at this time.

    Attached are your Wells Fargo Application and your Social Security File.

    Sincerely,
    Sherli Chin
    Business Resource Center Services
    Wells Fargo Bank

When the user opens the attachment (detected by BitDefender as Trojan.Downloader.Rebbew), the program decrypts its internal strings, attempts to download the main backdoor program from the web, and then runs it.

First, the backdoor checks whether it is already memory resident (by trying to open the mutex "Webber10_") and, if not, installs itself in memory. Then it copies itself into the System32 directory under a randomly generated file name; it also drops a DLL file into the System32 directory, which is used to start the main backdoor program.

The backdoor alters the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad by adding the dropped DLL there; as a result, the DLL is loaded at every Windows boot (and starts the main backdoor).

The backdoor is easily configurable: the main executable has extra data appended, which it reads as a configuration file at startup. This data can specify the ports the backdoor listens on, the sites to which it uploads the confidential data grabbed from the computer, and so on. The backdoor grabs passwords (both RAS and web form-based) and sends them to the attacker.

The interesting part of this backdoor is its ability to run in stealth mode on both Windows 9x/Me and 2000/XP systems. The backdoor process is hidden in a fairly advanced manner:

On 9x the method obviously works: there is only one kernel32.dll in memory, and a write to the kernel area is visible in all processes. Under 2000/XP things are different, as every process receives its own copy of the system library files, protected by the copy-on-write (COW) mechanism: when a process attempts to write to a system DLL, the system automatically creates a copy and writes the data to that copy, leaving the original DLL unaltered. However, the backdoor uses a trick to write into ntdll.dll's memory area.

Removal instructions:

The BitDefender Virus Analyse Team has released a free removal tool for this particular virus.

Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

The BitDefender Antirebew-en.exe tool does the following:

ANALYZED BY: Mihai Chiriac, BitDefender Virus Researcher
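A defender-side check for the ShellServiceObjectDelayLoad persistence described in the technical description, added here as an example (it is not part of the BitDefender advisory or its removal tool): it parses a .reg export of the relevant keys, resolves each entry's CLSID to its InprocServer32 DLL, and flags any DLL not on an allowlist, as well as CLSIDs with no registered server. The export data, the allowlist and the CLSID and file names are constructed for illustration.

```python
# Constructed .reg-style export (not a real capture) covering the
# ShellServiceObjectDelayLoad key plus the CLSID registrations its values
# point at. The second entry mimics the advisory's persistence trick:
# a randomly named DLL dropped into System32. The third has no server key.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"xk3hq"="{A1B2C3D4-0000-4000-8000-00000000BEEF}"
"Orphan"="{0BADC0DE-0000-4000-8000-000000000000}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-0000-4000-8000-00000000BEEF}\InprocServer32]
@="C:\\WINDOWS\\system32\\qzv71ka.dll"
"""

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
             r"\CurrentVersion\ShellServiceObjectDelayLoad")
# Assumed allowlist: build it from a clean reference machine of the same build.
KNOWN_GOOD_DLLS = {"webcheck.dll"}

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg style export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            # .reg files escape backslashes in string data as "\\"
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys

def suspicious_ssodl_entries(text):
    """Resolve every SSODL value to its InprocServer32 DLL and flag anything
    not on the allowlist, including CLSIDs that have no server registered."""
    keys = parse_reg(text)
    flagged = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        dll = keys.get(server_key, {}).get("@", "<no InprocServer32>")
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_GOOD_DLLS:
            flagged.append((name, clsid, dll))
    return flagged

if __name__ == "__main__":
    for name, clsid, dll in suspicious_ssodl_entries(REG_EXPORT):
        print(f"suspicious SSODL entry {name!r} -> {clsid} -> {dll}")
```

On a live system the same logic can be run over the output of `reg export` for the two key trees; an entry that resolves to a random-looking DLL in System32 is the pattern this backdoor leaves behind.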