BKDR_ANDROM.ME

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %All Users Profile%\svchost.exe (Windows XP)
• %ProgramData%\{random}.exe (Windows 7)
• %All Users Profile%\{random}.exe (Windows 7)

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).)

It injects codes into the following process(es):

• msiexec.exe
• svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%All Users Profile%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = "%ProgramData%\{random}.exe"

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\authourizedapplications\
list
%System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"

HKEY_LOCAL_MACHINE\System\ControlSet001\
services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\authourizedapplications\
list
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• 8000

It executes the following commands from a remote malicious user:

• Download arbitrary files
• Remote command prompt
• Starts a process
• Uninstall itself

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}o.su/alter.php
• http://{BLOCKED}es.net/filling.php

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}now.com/gamgam.exe - detected as Mal_DLDER

It saves the files it downloads using the following names:

• %User Temp%\{random}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Information Theft

This backdoor retrieves the following information from the affected system:

• OS Version
• Volume Information

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.