BKDR_XYLIGAN.CDS

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %System%\WinrHelpq32.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• MediatCentera

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
Description = "Providesf supporto for media palyerm. This service can't be stoped"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
DisplayName = "MS Mediai Controld Centery"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
ErrorControl = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
ImagePath = "%System%\WinrHelpq32.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera
Type = 10

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MediatCentera

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• 20000000 - Uninstall the malware service
• 20000001 - Shutdown the machine
• 20000002 - Restart the machine
• 20000003 - Log off the currently logged in user
• 20000004 - Download from a URL and execute the downloaded file

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}2.{BLOCKED}k.in:8888

As of this writing, the said sites are inaccessible.

Other Details

This backdoor deletes the initially executed copy of itself

NOTES:
It sends the following information to the remote server {BLOCKED}2.{BLOCKED}k.in:8888:

• Locale information
• Computer name
• Windows version
• Processor information
• Amount of memory present