BKDR_THOPER.A

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It executes commands from a remote malicious user, effectively compromising the affected system.

It does not have any downloading capability.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Application Data%\{Malware File Name}.DLL

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It drops the following non-malicious file:

• %System Root%\Documents and Settings\All Users\Application Data\SSK.LOG

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Malware File Name}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Malware File Name}\Parameters
ServiceDll = %Application Data%\{Malware File Name}.DLL

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
LocalService = {Service Name}

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{Service Name}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\0001\System\
CurrentControlSet\Enum\ROOT\
LEGACY_{Service Name}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\Current\System\
CurrentControlSet\Enum\ROOT\
LEGACY_{Service Name}

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

• Sniff network traffic
• Gather system information
• Monitor online activities of the affected user

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}k.ignorelist.com:443
• pvt.{BLOCKED}c.com:80
• aicem.{BLOCKED}o.com:80
• {BLOCKED}c.com:80

Download Routine

This backdoor does not have any downloading capability.

Stolen Information

This backdoor saves the stolen information in the following file:

• %System Root%\Documents and Settings\All Users\Application Data\SSK.LOG

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

NOTES:

This Trojan is capable of logging all activities and keystrokes of an infected system.

It does not have rootkit capabilities.

It does not exploit any vulnerability.