BKDR_DINGU.A

This backdoor gathers certain system information. It connects to C&C servers to send and receive information. It downloads and executes other files from certain URLs.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor s DLL component is injected to the following process(es):

• explorer.exe

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu
Type = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu
ImagePath = "%System%\drivers\ialmu.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu
DisplayName = "ialmu"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ialmu\Security
Security = "{hex values}"

It creates the following service using its DLL component:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialmu

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• www.google.com

NOTES:

It gathers the following system information:

• Host name
• IP address
• Proxy server

It connects to the following C&C servers to send and receive information:

• {BLOCKED}y.{BLOCKED}eesite.us:443
• {BLOCKED}3.{BLOCKED}6.251.141:443
• {BLOCKED}y.{BLOCKED}eesite.us
• {BLOCKED}3.{BLOCKED}6.251.141

It downloads and executes other files from the following URLs:

• {C&C server}/htgindex.htm
• {C&C server}/directget{random characters}.gif
• {C&C server}/proxyget{random characters}.gif

It saves the files it download as the following:

• %User Temp%\pre{random characters}.tmp

It sleeps if the following file exists:

• %System%\n3quit.dat

It continues with its routines once the above-mentioned file is not present anymore.

The malware component files may exist in the affected system as the following. These are detected as BKDR_DINGU.A

• %System%\ialmu.dll
• %System%\drivers\ialmu.sys
• %User Temp%\pre{random characters}.tmp
• %Windows%\Temp\Perflib_Perfdata_{random characters}.dat
• %Windows%\Temp\Perflib_Perfdata_{random characters}.exe

This backdoor has the following capabilities:

• Enumerate drives
• Enumerate files
• Delete files
• Create files
• Read files
• Copy files
• Move files
• Execute cmd shell commands and pipe the output into %Windows%\msl{random characters}.tmp, %User Temp%\msextlog.tmp, or %User Temp%\msextlog.dll
• Create a process
• Get malware version
• Get system root directory
• List running processes
• Terminate processes

It posts reports if a command is succesful and sends data to the following URL:

• {C&C server}/repindex.php