BKDR_NEUREVT.DCM

This malware is downloaded by W97M_SHELLHIDE.B, which is related to the attack leveraging a macro-enabled word document as a malicious spam attachment.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

It modifies the Internet Explorer Zone Settings.

It retrieves specific information from the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• W97M_SHELLHIDE.B

It may be downloaded from the following remote sites:

• http://{BLOCKED}u.com/istek/sb01ff.exe

Installation

This backdoor drops the following copies of itself into the affected system:

• %All Users Profile\Application Data\Dynasoft\{random filename}.exe
• %Program Files%\Common Files\Dynasoft\{random filename}.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

• %All Users Profile\Application Data\Dynasoft
• %Program Files%\Common Files\Dynasoft

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Dynamic Software Inc = "%Program Files%\Common Files\Dynasoft\{random filename}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Dynamic Software Inc = "%Program Files%\Common Files\Dynasoft\{random filename}.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Dynamic Software Inc = "%All Users Profile\Application Data\Dynasoft\{random filename}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Dynamic Software Inc = "%All Users Profile\Application Data\Dynasoft\{random filename}.exe"

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
TaskbarNoNotification = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip
Uuid = "{random values}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and execute files
• Perform Slowloris flooding
• Execute shell commands
• Copy itself in removable drives
• Access a URL
• Uninstall / Update itself

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}deme.ru/img/order.php

Web Browser Home Page and Search Page Modification

This backdoor modifies the Internet Explorer Zone Settings.

Information Theft

This backdoor retrieves the following information from the affected system:

• Hardware Information
• Installed FTP Softwares (CoreFTP,FileZilla,FlashFXP,FTP Commander,PuTTy,SmartFTP,WinSCP)
• Java Version
• Installed Messenger (Skype)
• Installed AV Products
• Installed Browser
• Operating system version

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• microsoft.com

NOTES:

It queries the following registry key to get Microsoft Net Framework Version:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework setup\NDP

It queries the following registry key to get the processor information:

• HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor

It disables the following antivirus-related applications by adding the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\{application} Debugger = "{random characters}.exe"

where {application} are as follows:

• a2guard.exe
• a2service.exe
• a2start.exe
• adaware.exe
• ALUpdate.exe
• arcaclean.exe
• avastsvc.exe
• avastui.exe
• avcenter.exe
• AVENGINE.exe
• avgcfgex.exe
• avgdiagex.exe
• avgidsagent.exe
• avgmfapx.exe
• avgnt.exe
• avguard.exe
• avgui.exe
• avgupd.exe
• avgwdsvc.exe
• AVK.exe
• AVKTray.exe
• avshadow.exe
• BgScan.exe
• BullGuard.exe
• BullGuardBhvScanner.exe
• BullGuardScanner.exe
• BullGuardUpdate.exe
• BullGuardUpdate2.exe
• ccsvchst.exe
• ccupdate.exe
• CLPSLA.exe
• coreFrameworkHost.exe
• coreServiceShell.exe
• egui.exe
• ekrn.exe
• epavjobs.exe
• ForceField.exe
• FProtTray.exe
• FPWin.exe
• fshoster32.exe
• GDFirewallTray.exe
• GDSC.exe
• K7TSUpdT.exe
• mbam.exe
• mbamgui.exe
• mcagent.exe
• McPvTray.exe
• mcshell.exe
• mcshield.exe
• McSvHost.exe
• McUICnt.exe
• mcupdate.exe
• mcupdmgr.exe
• MSASCui.exe
• MsMpEng.exe
• msseces.exe
• niu.exe
• op_mon.exe
• pctsAuxs.exe
• pctsGui.exe
• pctsSvc.exe
• PSANHost.exe
• PSUAService.exe
• PSUNMain.exe
• RavMonD.exe
• rcfp.exe
• rsmain.exe
• RsMgrSvc.exe
• RsTray.exe
• SBAMTray.exe
• sbamui.exe
• sguardxup.exe
• starter_avp.exe
• symerr.exe
• uiSeAgnt.exe
• uiWatchDog.exe
• Update.exe
• update_tmp.exe
• updater.exe
• Upgrader.exe
• usrreq.exe
• uWinMgr.exe
• WRSA.exe
• zatray.exe