Unusual internet activity
Presence of the file: %APPDATA%\Update\svchost.exe
Presence of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost both pointing to %APPDATA%\Update\svchost.exe.
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This backdoor is written in Visual Basic .NET, and it is ~100 KB in size. What makes it relatively special compared to other malware is the fact that it is written in VB .NET: the generated code is not native to a particular CPU or architecture; it is intermediate language (IL) code that can be run by any machine that has the .NET Framework installed (this also means that a user without the .NET Framework cannot fall victim to this trojan). The code is in fact interpreted by a virtual machine (much like Java bytecode is interpreted by a JVM, the Java Virtual Machine).
Once executed, the trojan will create a copy of itself as %APPDATA%\Update\svchost.exe
(The %APPDATA% directory usually points to x:\Documents and Settings\[user-name]\Application Data, where x: is the system drive.) The following registry keys will be added or modified to ensure the backdoor's execution after each reboot:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost will both point to %APPDATA%\Update\svchost.exe.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit will be modified by appending the trojan's path (%APPDATA%\Update\svchost.exe) to it.
UAC (User Account Control) will be disabled by setting the following registry key to 0:
Besides the "standard" backdoor capabilities (which allow it to receive commands from a remote attacker), it has several others:
Once executed, it will make sure that it is not running under a virtual machine or Sandboxie; the following validations are made:
- check if the following processes are running: "MSASCui" and "msmpeng";
- check that it is not running under Virtual PC, by checking whether any process named "vpcmapvmsrvc" exists;
- check that it is not running under Sandboxie, by checking whether its own form title is "#";
- check that it is not running under VMware, by checking whether a window with the "VMDragDetectWndClass" class name exists;
- check against ThreatExpert, by comparing its own module name with "sample";
- check if the user name equals any of: "UserName", "User", "honey", "sandbox", "currentuser";
- check if the computer name equals any of: "ComputerName", "COMPUTERNAME", "DELL-D3E62F7E26", "DELL-D3E62F7E26", "MICHAEL-F156CF7".
If any of the conditions described above is met, the trojan will simply quit.
The malware will check for the presence of the following security products, and will try to kill their processes:
Security product - Processes killed
AntiGen - antigen
A-Squared - a2servic
Avast - ashWebSv
AVG - avgemc
BullGuard - BullGuard
ClamAV - clamauto
Comodo - cpf
Nod32 - nod32.exe, nod32krn.exe, ekrn.exe
Ewido - ewido
F-Prot - FPAVServer
Kaspersky - kavsvc
Mcafee - mcagentmcuimgr
Norton - ccapp
OfficeScan - tmlisten
OutPost - acs.exe
PCCillin - pccntmon
ServerProtect - earthagent
Spy Sweeper - spysweeper
Zone-Alarm - VSMON
o Avoiding detection
Upon execution, the trojan takes the following measures to avoid attracting the user's attention:
- modify its own window's opacity, setting it to 0 (making it completely transparent, i.e. invisible);
- not display its icon in the title bar of the main window;
- not show itself in the taskbar.
Although the trojan takes the measures described above, simply hitting "Alt+Tab" will display the trojan's icon, with the possibility of switching to its invisible window; after switching to the trojan's (invisible) window, one can simply hit "Alt+F4" to close it.
Several threads will be created that constantly check for the following:
- Task Manager: every 2 seconds, it checks whether any process named "taskmgr" is running; if one is, it kills it.
- Regedit: every 2 seconds, it checks whether the registry editor has been started (whether a process "regedit" exists); if it finds one, it kills it.
- CCleaner: every 2 seconds, it checks whether CCleaner has been started; if so, it terminates it.
- Registry keys: it constantly rewrites (every 0.8 seconds) the registry key pointing to the malware file.
Also, another copy of the malware will be created inside "c:\Documents and Settings\[user-name]\Start Menu\Programs\Startup\" as "taskmgr.exe".
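A defender-side check for the persistence artifacts described earlier (the two Run values, the UserInit append and the dropped file) together with the Startup-folder copy named taskmgr.exe. This is an added example, not BitDefender's code; it assumes the registry values and file paths have already been collected from the host (e.g. exported) and are handed in as plain Python data, and it ships with a constructed sample snapshot so it runs anywhere.

```python
import ntpath

# Indicators taken from the write-up. %APPDATA% is kept unexpanded, as the Run
# values on the page store it; the Startup copy is matched by its path suffix.
DROPPED_EXE = r"%APPDATA%\Update\svchost.exe"
RUN_KEYS = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
)
USERINIT = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
STARTUP_COPY = r"\Start Menu\Programs\Startup\taskmgr.exe"

def _same(a, b):
    # Case-insensitive path comparison; Run data is sometimes stored quoted.
    return ntpath.normcase(a.strip().strip('"')) == ntpath.normcase(b)

def find_indicators(registry, files):
    """registry: {"HIVE\\key\\value": data}; files: iterable of existing paths.
    Returns a list of indicator labels, empty on a clean host."""
    reg = {k.lower(): v for k, v in registry.items()}
    hits = []
    for key in RUN_KEYS:
        if _same(reg.get(key.lower(), ""), DROPPED_EXE):
            hits.append("run-key:" + key)
    # UserInit is a comma-separated list; the trojan appends its own path to it,
    # so every entry (not just the first) has to be inspected.
    for entry in reg.get(USERINIT.lower(), "").split(","):
        if entry.strip() and _same(entry, DROPPED_EXE):
            hits.append("userinit-append")
    for path in sorted(files):
        low = ntpath.normcase(path)
        if low.endswith(ntpath.normcase(r"\Update\svchost.exe")):
            hits.append("dropped-file:" + path)
        elif low.endswith(ntpath.normcase(STARTUP_COPY)):
            hits.append("startup-copy:" + path)
    return hits

# Constructed snapshot of an infected XP-era host (sample data, not real).
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: DROPPED_EXE,
    RUN_KEYS[1]: DROPPED_EXE,
    USERINIT: r"C:\WINDOWS\system32\userinit.exe,%APPDATA%\Update\svchost.exe",
}
SAMPLE_FILES = {
    r"C:\Documents and Settings\alice\Application Data\Update\svchost.exe",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Startup\taskmgr.exe",
}

print("\n".join(find_indicators(SAMPLE_REGISTRY, SAMPLE_FILES)))
```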
The backdoor can initiate HTTP or UDP flood attacks to any remote address designated by an attacker.
o Backdoor component
This is the main functionality of this piece of malware. After execution, the malware will first attempt to contact a remote host on port 3074. The remote attacker can send one of the following commands (each command has the following layout:
• CONNECT - will cause the victim's computer to connect to a host designated by the attacker
• FF - will steal information about Firefox profiles; to accomplish this, the malware basically loads and uses several libraries belonging to Mozilla Firefox itself.
• KEY - will retrieve the product key and product name of the victim's OS; the malware is able to get detailed information regarding the version of Windows it is running on.
• UNINSTALL - will uninstall the trojan
• UDP - initiate a UDP flood; if a UDP flood is already running, the host will reply "UDP_WORKING|"; if a fresh UDP flood has begun, the host will reply "UDP_ENABLED|".
• HTTP - initiate an HTTP flood; if an HTTP flood is already running, the host will reply "HTTP_WORKING|", else it will notify the attacker that a new flood was started: "HTTP_ENABLED|"
• BEEP - will generate a sound on the victim's computer
• STOPALL - stops the UDP and HTTP floods.
• UPDATE - will download a new version of the backdoor; the backdoor will be contained within the message, base64-encoded
• DESKTOP - will start a new thread that constantly sends a screenshot (much like a "Print Screen"); the screenshot is sent to the attacker base64-encoded
• STOPSENDESKTOP - stops the thread responsible for sending screenshots of the user's desktop
• MESSAGE - posts a message in the invisible chat window
• CHAT - will make the chat window visible
• CLOSECHAT - closes the chat "session"
• GETPROCESSES - gets a list of all active processes on the system
The trojan also has the capability of starting a server in order to accept incoming connections; the server may run on port 8080 (default), and the backdoor handles up to a maximum number of connections. Also, the trojan is able to retrieve the computer's public IP address by visiting http://checkip.dyndns.org/.