- presence of the file %windir%\fxstaller.exe
- %windir%\fxstaller.exe runs in background
- presence of the following registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft UDP Control Center, pointing to the malware file
- unusual internet activity
Automatic: Please let BitDefender disinfect your files.
Manual: Kill the infected process, remove the startup registry key and delete any malware-related files.
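The following PowerShell script is an added example, not a BitDefender tool, that checks a host for the symptoms listed above (file, running process, Run value) and, with the script's own -Remove switch, performs the manual removal steps in the order given: kill the process, remove the startup value, delete the file. File and value names come from this page; the -Remove parameter, the function name and the use of Get-NetTCPConnection to show the process's network connections are assumptions made for this example. Run it from an elevated PowerShell session.

```powershell
# Added example: detect and optionally clean the indicators described on this page.
# Assumes an elevated (Administrator) session. Names below are taken from the page.
param(
    [switch]$Remove   # hypothetical switch: perform the manual removal steps
)

$malwarePath = Join-Path $env:windir 'fxstaller.exe'
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName   = 'Microsoft UDP Control Center'

function Test-FxstallerIndicators {
    # Returns an object describing which indicators were found.
    $result = [PSCustomObject]@{
        FilePresent    = $false
        Processes      = @()
        RunValueTarget = $null
        Infected       = $false
    }

    # Symptom 1: the dropped copy under %windir%
    if (Test-Path -LiteralPath $malwarePath) { $result.FilePresent = $true }

    # Symptom 2: fxstaller.exe running in the background (match on image path to avoid false positives)
    $result.Processes = @(Get-Process -Name 'fxstaller' -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -eq $malwarePath })

    # Symptom 3: persistence via the Run key
    $runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($runValue) { $result.RunValueTarget = $runValue.$valueName }

    $result.Infected = $result.FilePresent -or $result.Processes.Count -gt 0 -or $null -ne $result.RunValueTarget
    return $result
}

function Remove-FxstallerInfection {
    param([PSCustomObject]$Indicators)

    # Step 1: kill the infected process first, otherwise it may recreate its files/keys
    foreach ($p in $Indicators.Processes) {
        Write-Host "Stopping PID $($p.Id) ($($p.Path))"
        Stop-Process -Id $p.Id -Force
    }
    Start-Sleep -Seconds 1

    # Step 2: remove the startup registry value
    if ($null -ne $Indicators.RunValueTarget) {
        Write-Host "Removing Run value '$valueName'"
        Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
    }

    # Step 3: delete the malware file
    if ($Indicators.FilePresent) {
        Write-Host "Deleting $malwarePath"
        Remove-Item -LiteralPath $malwarePath -Force -ErrorAction Stop
    }
}

$ind = Test-FxstallerIndicators
if (-not $ind.Infected) {
    Write-Host 'No fxstaller indicators found.'
    return
}

Write-Warning "fxstaller indicators found: file=$($ind.FilePresent) processes=$($ind.Processes.Count) runValue='$($ind.RunValueTarget)'"

# Symptom 4 ("unusual internet activity"): show what the process is talking to.
# The page gives no server or port, so this only lists the live connections for triage.
foreach ($p in $ind.Processes) {
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort
}

if ($Remove) {
    Remove-FxstallerInfection -Indicators $ind
    # Re-check so the operator sees a clean result before rebooting
    $after = Test-FxstallerIndicators
    Write-Host ("Post-cleanup infected = {0}" -f $after.Infected)
}
```

Without -Remove the script only reports; run it again with -Remove once the indicators are confirmed, then reboot and re-run to make sure nothing has respawned, since the backdoor's own messages (quoted later on this page) show it expects to return after a reboot.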
Lutas Andrei Vlad, virus researcher
This backdoor comes with an icon identical to that of Flash Player, making unaware users more likely to run it.
When executed, the malware will first make a copy of itself under %windir%\fxstaller.exe and launch itself from the new location.
A small batch file (removeMeXXXX.bat, where each X can be a random digit) is then dropped and executed; it deletes the original file.
The main executable file has a size of 166912 B, is written in Delphi, and is neither packed nor encrypted. The real threat, however, resides in the resource section: a ~30 KB packed code section. The only purpose of the main executable is to unpack that piece of code, inject it into its own virtual-memory space and then pass control to it. The unpacked code will perform the following:
- display an error message ("Picture can not be displayed."), tricking the unaware user into believing they tried to open an invalid picture.
Note that this message is displayed only if the backdoor is not already active in memory; if it is already running, a second instance will simply quit.
- connect to an IRC channel
- start listening for specific commands from an attacker
Some of the actions this backdoor may take are:
- spread using MSN
- update itself via web, by downloading newer versions
- download and execute files from the attacker's computer
- edit files on the attacked computer
- retrieve various information about the attacked computer (IP address, host name, OS version, IM client used, active processes, running threads)
Under certain circumstances, in order to avoid attracting too much attention, one of the following messages will be sent to the attacker:
"!!!Security!!!. Lamer detected. coming back next reboot, cya"
"!!!Security!!!. Lamer detected. Comming back in 24hrs, download and update disabled."
The backdoor will keep the attacker informed regarding any action it takes, sending detailed information. For example, when attempting to spread via MSN, it will send to the attacker the total number of messages and files successfully sent.