Backdoor.Win32.PLUGX.DUKTA

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• %All Users Profile%\xs\{Characters based on volume serial number} (if OS version is higher than or equal to Windows Vista)
• %All Users Profile%\DRM\xs\{Characters based on volume serial number} (if OS version is lower than or equal to Windows Server 2003 R2)

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). )

It adds the following processes:

• "%System%\rundll32.exe" "%System%\wininet.DLL",DispatchAPICall 1

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• !@)*#()!@*#)(@!*#)(@!*#()@!&%$*(@#&Y*($@YHR*(IUYH*(!Y$@&*&Y@GRH&*@!YR*@&$R(*@!&U!@!@#@!#@!#@!#@#@!#@#@*U$()!@U$Y#H*(!$Y*&@!$Y#
• Global\{Characters based on process ID}

Autostart Technique

This Backdoor creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
HelpPanes = %Windows%\HelpPanes.exe

Propagation

This Backdoor does not have any propagation routine.

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Copy, move, rename, delete files
• Create directories
• Create files
• Enumerate files
• Execute files
• Get drive information
• Get file information
• Open and modify files
• Log keystrokes and active window
• Enumerate TCP and UDP connections
• Enumerate network resources
• Set TCP connection state
• Lock workstation
• Log off user
• Restart/Reboot/Shutdown system
• Display a message box
• Perfrom port mapping
• Enumerate processes
• Get process information
• Terminate processes
• Enumerate registry keys
• Create registry keys
• Delete registry keys
• Copy registry keys
• Enumerate registry entries
• Modify registry entries
• Delete registry values
• Screen capture
• Delete services
• Enumerate services
• Get service information
• Modify services
• Start services
• Perform remote shell
• Host Telnet server
• Connect to a database server and execute SQL statement

It connects to the following websites to send and receive information:

• http://active.{BLOCKED}app.com:53/{Random characters}

As of this writing, the said sites are inaccessible.

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Other Details

This Backdoor does the following:

• It renames itself to %Windows\HelpPanes.exe.

It does not exploit any vulnerability.