BKDR_ANDROM.YTR

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It connects to certain websites to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %All Users Profile%\svchost.exe (Windows XP)
• %All Users Profile%\{random}.exe (Windows Vista and higher versions)

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It injects codes into the following process(es):

• %Windows%\explorer.exe
• %System%\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{random numbers} = "%All Users Profile%\{random}.exe" (For Windows Vista and higher versions)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%All Users Profile%\svchost.exe" (For Windows XP)

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware filename}.exe = "{malware path}\{malware filename}.exe:*:Enabled:{malware filename}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• 8000

It executes the following commands from a remote malicious user:

• Start a process
• Uninstall itself
• Create registry entries
• Download arbitrary files

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}s.eu/dsst.exe - detected as TROJ_GEN.R0C9H01GG13

It saves the files it downloads using the following names:

• %User Temp%\{random numbers}.exe - detected as TROJ_GEN.R0C9H01GG13

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This backdoor connects to the following website to send and receive information:

• http://{BLOCKED}r.pl
• http://{BLOCKED}y.ru
• http://{BLOCKED}ad.pl
• http://{BLOCKED}a.ru/beijing.php