The virus comes as a DLL, usually under the name mouse_dll.dll or winkey.dll. It exports three functions: WorkOne, WorkOne_t and SecondWork. It is usually dropped by a virus detected as Trojan.Dropper.RRO. When the dropper is executed it creates a directory named "Update" in the "%Program Files%" directory, copies the backdoor file there under the names winkey.exe and winkey.dll, registers the DLL as a service (so it runs on startup) and then calls the function WorkOne.
When WorkOne is called, the process tries to find explorer.exe and inject itself into it. If it doesn't find explorer.exe it tries to inject into lsass.exe. From there the function WorkOne_t is called.
When WorkOne_t is called, it starts Internet Explorer, injects itself into it and calls the function SecondWork. When SecondWork is called, a thread is created that does the main job of the backdoor.
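The host-side indicators above (the dropped file names under "%Program Files%\Update", the service that loads the DLL, the three injection targets and the DLL's export set) can be checked against a host inventory. The following triage helper is an added example, not code from the original analysis; the service and module records it runs over are constructed test data, and their (name, path) layout is an assumption about how such listings would be exported from a host.

```python
"""Triage helper for the host-side indicators in the write-up: the files the
dropper leaves under "%Program Files%\\Update", the service that loads the DLL,
the processes it injects into and the DLL's export set. Added example, not code
from the original analysis. The inventory records below are constructed test
data; their (name, path) layout is an assumption about how service and
loaded-module listings would be exported from a host."""
import ntpath

DROPPED_NAMES = {"winkey.exe", "winkey.dll", "mouse_dll.dll"}
INJECT_TARGETS = {"explorer.exe", "lsass.exe", "iexplore.exe"}
EXPORTS = {"WorkOne", "WorkOne_t", "SecondWork"}


def _norm(path: str) -> str:
    # Strip quoting, collapse separators and lower-case for matching. ntpath is
    # used so the Windows-style paths are handled the same on any analysis host.
    return ntpath.normpath(path.strip('"')).lower()


def suspicious_services(services):
    """services: iterable of (service_name, binary_or_ServiceDll_path).
    Flags services whose path is one of the dropped files inside an Update dir."""
    hits = []
    for name, path in services:
        p = _norm(path)
        if ntpath.basename(p) in DROPPED_NAMES and "\\update\\" in p:
            hits.append(name)
    return hits


def suspicious_modules(modules):
    """modules: iterable of (process_name, module_path). Flags the dropped DLL
    when it is loaded inside one of the injection targets."""
    return [
        (proc, path)
        for proc, path in modules
        if proc.lower() in INJECT_TARGETS
        and ntpath.basename(_norm(path)) in DROPPED_NAMES
    ]


def matches_export_set(exports) -> bool:
    """True when a DLL's export table contains all three names from the write-up."""
    return EXPORTS.issubset(set(exports))


# Constructed inventory (not taken from a real host).
SERVICES = [
    ("winkey", r'"C:\Program Files\Update\winkey.dll"'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
MODULES = [
    ("explorer.exe", r"C:\Program Files\Update\winkey.dll"),
    ("explorer.exe", r"C:\Windows\System32\ntdll.dll"),
    ("notepad.exe", r"C:\Program Files\Update\winkey.dll"),
]


def triage(services=SERVICES, modules=MODULES):
    return {"services": suspicious_services(services),
            "injected": suspicious_modules(modules)}


if __name__ == "__main__":
    print(triage())
```

The module check deliberately keys on the injection targets named in the write-up, so a copy of the DLL loaded into an unrelated process (the notepad.exe record above) is not reported by that rule; it is still caught by the service rule if the service points at it.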
The thread searches for the file winkey.exe (which is the same as the DLL) and decrypts some data in the overlay. First, using some simple operations, it decrypts a key that is then used to decrypt the URL of the remote host, the port and other useful information. This version of the virus tries to connect to http://xsz.8[hidden].org on port 80 (because the virus is injected into Internet Explorer, using this port lets it bypass the firewall).
After that it creates a mutex named "mouse" and connects to the server. After the connection is established the virus gathers information about the system and copies it into an HTML-style formatted buffer. The buffer that the virus sends looks something like this:
<IP>Ip of computer</IP>
<OS>Windows 2000orNT / WindowsXP / Windows2003 / Windows other</OS>
<CU>Name of the user</CU>
<EP>Name of the default browser</EP>
The first two are standard, probably used by the remote host for verification, the second is a unique number so the remote host can identify its victim uniquely, and the others are self-explanatory. The data transmitted between the server and the remote host is encrypted using a simple NOT operation.
From now on, the server permanently waits for commands from the remote host and executes them. The commands have the following format: command_idParameter1\n\rParameter2.
Depending on the command the server may send information back to the remote host.
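Because the obfuscation is a plain bitwise NOT, a captured stream can be decoded offline and the beacon and command framing described above recovered from it. The decoder below is an added example, not code from the original write-up: the beacon bytes it works on are constructed test data, and the fixed command-id width is an assumption, since the write-up does not state how long a command id is.

```python
"""Decoder for the backdoor's NOT-obfuscated beacon and its command framing.
Added example, not code from the original write-up. The beacon bytes below are
constructed test data, and the fixed command-id width is an assumption (the
write-up does not state how long a command id is)."""
import re

BEACON_TAGS = ("IP", "OS", "CU", "EP")


def not_decode(data: bytes) -> bytes:
    # "Encrypted using a simple NOT operation": every byte is bitwise-inverted,
    # so the same function both encodes and decodes.
    return bytes(b ^ 0xFF for b in data)


# Inverted "<IP>" as it appears on the wire: usable as a content signature for
# the beacon, since plain NOT turns printable ASCII into bytes >= 0x80.
WIRE_IP_TAG = not_decode(b"<IP>")


def looks_like_beacon(payload: bytes) -> bool:
    """True if the raw payload decodes to text carrying the beacon tags."""
    text = not_decode(payload).decode("latin-1")
    return all(f"<{t}>" in text for t in ("IP", "OS", "CU"))


def parse_beacon(payload: bytes) -> dict:
    """NOT-decode a captured beacon and pull out the tagged fields."""
    text = not_decode(payload).decode("latin-1")
    fields = {}
    for tag in BEACON_TAGS:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        if m:
            fields[tag] = m.group(1)
    return fields


def split_command(raw: bytes, id_width: int = 6):
    """Split a captured 'command_idParameter1\\n\\rParameter2' message.

    Parameters are separated by the two-byte sequence LF CR (\\n\\r, not the
    usual CRLF). Assumption: the id is a fixed-width prefix; id_width=6 is a
    guess modelled on the 'Cmd001'-style reply strings the write-up mentions.
    """
    text = not_decode(raw).decode("latin-1")
    cmd_id, rest = text[:id_width], text[id_width:]
    params = rest.split("\n\r") if rest else []
    return cmd_id, params


# Constructed sample: what an infected host would send after the NOT step.
CONSTRUCTED_BEACON = not_decode(
    b"<IP>10.0.0.5</IP><OS>WindowsXP</OS><CU>alice</CU><EP>iexplore.exe</EP>"
)

if __name__ == "__main__":
    print(looks_like_beacon(CONSTRUCTED_BEACON), parse_beacon(CONSTRUCTED_BEACON))
```

Since the traffic goes out on port 80 from an Internet Explorer process, a proxy or IDS rule looking for the inverted "<IP>" tag (WIRE_IP_TAG) at the start of a non-HTTP payload is a cheap way to spot the beacon without decoding every stream.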
The following commands and ids are defined by the server:
returns the type and free space of all available drives;
returns the date that the file was last modified and its size in the following format:
upload file to remote host
download file from remote host
starts a process. If the process was started successfully it returns Cmd001 to the remote host; if the process couldn't be created it returns Cmd002; otherwise it returns Cmd003.
Copies recursively directory1 to directory2
Creates a directory
Resends data to server
Renames file1 to file2;
Opens a command shell and creates a pipe between the command shell and the socket to the remote host. This is used to extend the functionality of the backdoor.
Collects information about the system in the format specified above.