My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Backdoor.IRC.Snyd.A

LOW
MEDIUM
10,240 bytes
(Backdoor.Win32.Breplibot.b (Kaspersky) Troj/Stinx-E (Sophos) W32/Brepibot virus (McAfee))

Symptoms

It is virtually impossible for a normal user to detect presence of any files hidden by Sony DRM Software. See technical description below.

Prior to 10 Nov 2005 this malware was detected as BehavesLike:Win32.IRC-Backdoor proactively

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Sorin Dudea, virus researcher

Technical Description:

This is an IRC backdoor that was spammed in an e-mail withe the following body:

 

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.

Can you check over the format and get back to us with your approval or any changes?

If the picture is not to your liking then please send a preferred one.

We have attached the photo with the article here.

Kind regards,

Jamie Andrews

Editor

www.TotalBusiness.co.uk

**********************************************

The Professional Development Institute

 

 

And the attachment: Article+Photos.exe

 

The backdoor uses the Sony DRM copy protection system in order to hide its presence in the system.

 

When executed it does the following actions:

            - It copies itself as:

            %sysdir%\ $sys$drv.exe

 

            - It should add the following registry keys:

            HKCU\Software\Microsoft\Windows\CurrentVersion\Run\$sys$drv with value

            %sysdir%\$sys$drv.exe

            and

            HKLM\Software\Microsoft\Windows\CurrentVersion\Run\$sys$drv with value

            %sysdir%\$sys$drv.exe


    but due to a bug in code, instead of
Software\Microsoft\Windows\CurrentVersion\Run\

             the registry keys are

             HKLM\kbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\$sys$drv

             HKCU\kbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj\$sys$drv


           
- It drops and executes the following files:

            %TEMP%\xxx.bat and

            %TEMP%\yyy.bat where xxx and yyy are two random numbers.

 

            xxx.bat tryes to disable firewall checking for the $sys$drv.exe

            yyy.bat waits for the trojan to end and deletes it.

 

-         It connects to one of 5 hardcoded IRC servers on port 8080.

-         It waits for a small list of posible commands on channel #sony

 

The backdoor contains the following string: „SonyEnabled”