BKDR_POISON.WPRY

This backdoor queries the default web browser by accessing a registry entry. It has certain capabilities.

This backdoor may be dropped by other malware.

It connects to a website to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_DROPR.BPO

Installation

This backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• DKD&SHJ#A

It stays memory-resident by injecting codes into the following processes:

• Explorer.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{DEEB6634-94F3-CBE5-CBD2-66E02119AFC4}
StubPath = "%System%:csentomder.exe"

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• {BLOCKED}sa.{BLOCKED}-Game.org

Stolen Information

This backdoor saves the stolen information in the following file:

• %System%\csentomder

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

NOTES:

It queries the default web browser by accessing the following registry entry:

HKEY_CLASSES_ROOT\http\shell\open\command

It then launches a hidden Web browser process (e.g. iexplore.exe) where this malware injects its code for its backdoor routines.

This backdoor has the following capabilities:

• Capture screen shots, webcam, audio
• Delete, search, and upload files
• Download and inject remote codes to legitimate processes
• Log keystrokes and active window
• Manage processes and services
• Modify and search the registry entries
• Perform a shell command
• Send system information (IP address, computer name, user name, operating system)
• Update/Uninstall the malware
• View and terminate active windows and ports