BKDR_EMDIVI.TRL

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops and executes the following files:

• %User Temp%\unsecess.exe ← detected also as BKDR_EMDIVI.TRL
• %User Temp%\committees.docx ← decoy document

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 9f34d652669b9f3b4fd79e9e83501732

Autostart Technique

This backdoor drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %Common Startup%\unsecess.lnk
• %User Startup%\unsecess.lnk

(Note: %Common Startup% is the system's shared Startup folder, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.. %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Enumerate files and folders
• Delete files and folders
• Download files
• Upload files
• Execute files
• Get file attributes
• Enumerate processes
• Perform remote shell
• Loads a library using LoadLibrary API
• Import functions from a library using GetProcAddress API
• Choose HTTP Authentication
• Setup Proxy auto-configuration
• Gather Firefox settings from prefs.js
• Gather proxy settings from proxy.pac
• Gather proxy settings from windows registry
• Clear Security Event Logs
• Sleep

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://www.{BLOCKED}l.{BLOCKED}c.to/{4digits}?pid=#
• http://jp.{BLOCKED}b.biz/{5digits}.html

Information Theft

This backdoor retrieves the following information from the affected system:

• Host name
• Process ID of the malware
• Memory Size (RAM)
• Internet Explorer Version
• Windows OS Version
• System Language
• Location
• Time Zone Information

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• http://www.msftncsi.com/ncsi.txt
• http://www.microsoft.com/en-us/default.aspx
• http://www.yahoo.co.jp

NOTES:

It enumerates all visible windows and compares each window's title bar text with the following strings:

• OllyDbg
• W32Dasm
• Wireshark
• SoftICE
• Process Explorer
• Process Monitor
• Process Hacker

If a window's title bar text contains any of the said strings, it will pause the execution of its malicious routine by performing a Sleep command.

It will not execute properly if the host name is similar to the following strings:

• wilbert-SC1508
• xp-sp3-template
• mip-xp-cht
• CWS01_03
• wilbert-SC2202
• CWS05D102

It uses a document icon and then drops and opens a non-malicious file %User Temp%\committees.docx to trick users into thinking it is a normal file.