BKDR_VAWTRAK.B

This backdoor may be downloaded by other malware/grayware from remote sites. It may be dropped by other malware. It arrives as a component bundled with malware/grayware packages.

It is injected into all running processes to remain memory resident.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be downloaded by the following malware/grayware from remote sites:

• TROJ_DLOADR.AAJ

It may be dropped by other malware.

It arrives as a component bundled with malware/grayware packages.

Installation

This backdoor is injected into all running processes to remain memory resident.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware filename} = "regsvr32.exe /s "{malware path}\{malware filename}.dll""

Other System Modifications

This backdoor adds the following registry keys:

ADDED REGISTRY HKEY_CURRENT_USER\Software\AppDataLow

HKEY_CURRENT_USER\Software\AppDataLow\
{random key 1}

HKEY_CURRENT_USER\Software\AppDataLow\
{random key 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModebanner = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Keylog
• Capture screenshots
• Start process (iexplore.exe, firefox.exe, outlook.exe, explorer.exe, cmd.exe, taskmgr.exe)
• Inject to process
• Perform remote shell
• Update Itself
• List processes
• Download and execute files

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.188.50/post.aspx?forumID={random digit}
• http://{BLOCKED}.188.50/forumdisplay.php?fid={random digit}
• http://{BLOCKED}.56.247
• http://{BLOCKED}n.com.tw
• http://{BLOCKED}g.com.tw

Information Theft

This backdoor attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• 3D-FTP
• AceBIT
• AceFTP
• ALFTP
• BitKinex
• BlazeFtp
• BulletProof FTP
• ClassicFTP
• CoffeeCup Software
• Cyberduck
• DeluxeFTP
• Directory Opus
• EasyFTP
• ExpanDrive
• FarManager
• FFFTP
• FileZilla
• FlashFXP
• Fling FTP
• FreshFTP
• FTP Commander
• FTP Explorer
• FTP Navigator
• FTPGetter
• FTPNow
• FTPRush
• FTPShell
• FTPVoyager
• FTPWare
• GlobalSCAPE CuteFTP 6 Home
• GlobalSCAPE CuteFTP 7 Home
• GlobalSCAPE CuteFTP 8 Home
• GlobalSCAPE CuteFTP
• GlobalSCAPE CuteFTP 8 Professional
• GlobalSCAPE CuteFTP 6 Professional
• GlobalSCAPE CuteFTP 7 Professional
• GlobalSCAPE CuteFTP Lite
• GlobalSCAPE CuteFTP Pro
• GoFTP
• LeapFTP
• LeechFTP
• LinasFTP
• My FTP
• NetDrive
• NetSarang
• NexusFile
• NovaFTP
• PuTTY
• RhinoSoft
• Robo-FTP
• SecureFX
• SmartFTP
• SoftX FTP
• Staff-FTP
• Titan FTP
• Total Commander
• TurboFTP
• UltraFXP
• WinFTP
• WinSCP
• WS_FTP

It attempts to steal stored email credentials from the following:

• IncrediMail
• Outlook
• PocoMail
• The Bat!
• Thunderbird
• Windows Live Mail
• Windows Mail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Epic Browser
• Flock
• K-Meleon
• Mozilla Firefox
• SeaMonkey

NOTES:
This backdoor can only perform its intended routine once it is injected in the following processes:

• chrome.exe
• explorer.exe
• firefox.exe
• iexplore.exe