BKDR_RYEJET.B

This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following files:

• %System%\logs.exe - also detected as BKDR_RYEJET.B

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This backdoor adds the following registry keys to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{B0BEC94E-4D62-11D6-AF01-0010C6081DD0}\InprocServer32
Default = logs.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{B0BEC94E-4D62-11D6-AF01-0010C6081DD0}

NOTES:

This backdoor attempts to connect to the following C&C server:

• www.{BLOCKED}day.com

If connection is successful, it waits for any of the following commands from a remote computer:

• *CmdShell - execute shell via command line
• *DelMyself - delete backdoor
• *FileDel - delete file
• *FileGet - get file from affected computer
• *FileGive - download file
• *RunCommand - execute file
• *SysReboot - reboot affected computer

*SysInfo - this command creates the following file:

• %System%\sysinfo.txt

• file version
• hostname
• IP address
• list drives (type, free space)
• memory status
• OS
• processor
• username

The created file is then sent to the C&C server via HTTP POST.

*FileDirList - this command lists all files in a specified directory. It creates the following file:

• %System%\dirlist.txt