BKDR_INJECT.ICA

This backdoor queries the default web browser by accessing a registry entry. It then launches a hidden Web browser process (e.g. iexplore.exe) where this malware injects its code for its backdoor routines.

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It connects to a website to send and receive information.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• K^DJA^#FE

It stays memory-resident by injecting codes into the following processes:

• Explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{0082ABF9-9309-614B-C2DD-C00CC33A8073}
StubPath = "%System%:mssendfull.exe"

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• tw.{BLOCKED}earleft.com

NOTES:

It queries the default web browser by accessing the following registry entry:

HKEY_CLASSES_ROOT\http\shell\open\command

It then launches a hidden Web browser process (e.g. iexplore.exe) where this malware injects its code for its backdoor routines.

This backdoor has the following capabilities:

• Capture screen shots, webcam, audio
• Delete, search, and upload files
• Download and inject remote codes to legitimate processes
• Log keystrokes and active window
• Manage processes and services
• Modify and search the registry entries
• Perform a shell command
• Send system information (IP address, computer name, user name, operating system)
• Update/Uninstall the malware
• View and terminate active windows and ports