(Trojan-Spy.Win32.Goldun.axt, Trojan.Goldun, Win32/Spy.Goldun.NDJ, Trojan:Win32/Agent.PX)
Technical Description:
When present on the affected computer and executed, it drops 2 files:
After that, it runs cabpck.dll and deletes the initially executed file, which is packed with a custom packer posing as UPX.
"
krnlcab.sys" driver runs as a service and has a protective role for the other malware components, hiding its files and registry keys.
It runs as a service by creating these registry keys:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\DisplayName [data: Cabinet Kernel Packer]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ErrorControl [data: dword:00000000]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ImagePath [data: system32\krnlcab.sys]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Start [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Type [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\(Default) [data: (value not set)]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\Security [data: %hex numbers%]
It also creates these keys so the driver starts in safe mode:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys (Default) Driver
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\krnlcab.sys (Default) Driver
The dynamic-link library (cabpck.dll) is run at startup by creating these keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck Asynchronous dword:00000001
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck DllName hex(2):%hex numbers% (cabpck.dll)
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck Impersonate dword:00000001
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck MaxWait dword:00000001
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck Startup cabpck
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck a950 [712AEDAB17C74BC73]
It adds an exception to the firewall by creating the value %system32%\rundll32.exe in the following key:
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List". This is done so that the DLL can be executed through the legitimate rundll32.exe without any pop-ups from the firewall.
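The service, SafeBoot, Winlogon Notify and firewall artifacts listed above are all visible in a registry export, so they can be triaged offline. The following is an added example (not code from the original description or from any vendor tool) that parses a .reg export and flags an unknown Winlogon notification package, a service whose driver is also registered under SafeBoot, and an AuthorizedApplications entry for rundll32.exe. The sample export and the baseline set of stock Windows XP notification packages are constructed assumptions.

```python
import re
# Constructed .reg export fragment reproducing the artifacts described above; not a real capture.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab]
"ImagePath"="system32\\krnlcab.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"DllName"="cabpck.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%system32%\\rundll32.exe"="%system32%\\rundll32.exe:*:Enabled:Cabinet Packer"
"""
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services" + "\\"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot" + "\\"
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
FIREWALL = SERVICES + r"SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
# Assumed baseline of Winlogon notification packages on a stock Windows XP install; adjust per image.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # '@' is the (Default) value

def parse_reg(text):
    # Minimal .reg parser: returns {key path: {value name: data string}}
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and m:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if data.startswith('"'):  # quoted REG_SZ: strip the quotes
                data = data[1:-1]
            keys[current]["(Default)" if name is None else name.replace("\\\\", "\\")] = data
    return keys

def find_indicators(keys):
    # Flags the three persistence patterns described on this page as (kind, where, detail) tuples
    hits = []
    safeboot = {k.rsplit("\\", 1)[-1].lower() for k in keys if k.startswith(SAFEBOOT)}
    for key, values in keys.items():
        if key.startswith(NOTIFY):  # notification package not in the baseline
            if (pkg := key[len(NOTIFY):]) not in KNOWN_NOTIFY:
                hits.append(("winlogon_notify", pkg, values.get("DllName", "")))
        elif key == FIREWALL:  # rundll32.exe whitelisted: any DLL it hosts bypasses the prompt
            hits += [("firewall_lolbin", n, d) for n, d in values.items() if n.lower().endswith("rundll32.exe")]
        elif key.startswith(SERVICES):  # service image that is also forced to load in safe mode
            if (image := values.get("ImagePath", "").rsplit("\\", 1)[-1].lower()) in safeboot:
                hits.append(("safeboot_driver", key[len(SERVICES):], image))
    return hits
```

Running `find_indicators(parse_reg(SAMPLE_REG))` yields one hit per pattern and nothing for the baseline ScCertProp package; on a real export, review the DllName and ImagePath of each hit before acting on it.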
It tries to steal passwords by accessing the following registry keys, which hold the user's encrypted private data: SOFTWARE\Microsoft\Internet Account Manager\Accounts, HKEY_CURRENT_USER\Software\RIT\The Bat!
Usually, it has a "command center" of the following form: http://[malware_website].(biz|ru). The website might be different, but the actions are similar.
The communication with the server is done through a script on the website. It can run multiple jobs on an infected system: download and execute a file (for example an XP Antivirus rogue clone), update the Windows hosts file (%system32%\drivers\etc\hosts), and run other administrative commands for the malware on the infected computer.