JAVA_ADWIND.YYJW

This backdoor may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may arrive bundled with malware packages as a malware component.

It may be hosted on a website and run when a user accesses the said website.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %Application Data%\SrEFGN3CJwV\PKkeYqmjrYf.txt

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %User Profile%\{random file name}.tmp

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops and executes the following files:

• %User Temp%\TaskNetworkGathor{random digits}.reg

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %Application Data%\SrEFGN3CJwV
• %Windows%\tem.txt

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• y7w00DsQPSW

Other System Modifications

This backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorUser = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = "1"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• MessageBox
• Open URL
• Stop/Restart Connection
• Uninstall Itself
• Update itself
• Download and execute files
• Install plugin

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.219.70:1025

Information Theft

This backdoor s configuration file contains the following information:

• C&C server and port
• Install time
• Connection/Reconnection Time
• Extension of dropped copy
• Extension of plugins
• Folder name for the dropped copy
• Folder name for the plugins
• File name of the dropped copy
• AV-related applications

NOTES:

This malware may install plugins which can perform commands such as the following:

• Android tools - Phone Manager (SMS Manager, Capture Screen, Calls/Contacts, VNC Viewer, Whatsapp, Funny Options, etc )
• Basic options - View system information (AV-installed/Connections/Process/Services/Startup/Installed Software), Execute Scripts
• Capture webcam images
• Funny Options - Crazy Mouse, Crazy Keyboard, Manage machine (Power off/Suspend/Hibernate/Restart)
• Remote desktop options
• Remote file manager - File Manipulation supports Android, Linux, Mac, and Windows (View/Delete/Copy/Paste), Upload and Download files
• Send and execute file

It disables the following programs and antivirus-related applications by adding the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\{application}
Debugger = "svchost.exe"

The registry key value {application} can be any of the following:

• acs.exe
• AdAwareDesktop.exe
• AdAwareService.exe
• AdAwareTray.exe
• AgentSvc.exe
• AVK.exe
• AVKProxy.exe
• AVKService.exe
• AVKTray.exe
• AVKWCtlx64.exe
• avpmapp.exe
• Bav.exe
• bavhm.exe
• BavSvc.exe
• BavTray.exe
• BavUpdater.exe
• BavWebClient.exe
• BDSSVC.EXE
• BgScan.exe
• BullGuard.exe
• BullGuardBhvScanner.exe
• BullGuardUpdate.exe
• BullGuarScanner.exe
• capinfos.exe
• cavwp.exe
• cis.exe
• CisTray.exe
• clamscan.exe
• ClamTray.exe
• ClamWin.exe
• cmdagent.exe
• CONSCTLX.EXE
• coreFrameworkHost.exe
• coreServiceShell.exe
• dragon_updater.exe
• dumpcap.exe
• econceal.exe
• econser.exe
• editcap.exe
• EMLPROXY.EXE
• escanmon.exe
• escanpro.exe
• FPAVServer.exe
• FProtTray.exe
• FPWin.exe
• freshclam.exe
• freshclamwrap.exe
• fsgk32.exe
• FSHDLL64.exe
• fshoster32.exe
• FSM32.EXE
• FSMA32.EXE
• fsorsp.exe
• fssm32.exe
• GdBgInx64.exe
• GDKBFltExe32.exe
• GDSC.exe
• GDScan.exe
• guardxkickoff_x64.exe
• guardxservice.exe
• iptray.exe
• K7AVScan.exe
• K7CrvSvc.exe
• K7EmlPxy.EXE
• K7FWSrvc.exe
• K7PSSrvc.exe
• K7RTScan.exe
• K7SysMon.Exe
• K7TSecurity.exe
• K7TSMain.exe
• K7TSMngr.exe
• LittleHook.exe
• mbam.exe
• mbamscheduler.exe
• mbamservice.exe
• MCS-Uninstall.exe
• MCShieldCCC.exe
• MCShieldDS.exe
• MCShieldRTM.exe
• mergecap.exe
• MpCmdRun.exe
• MpUXSrv.exe
• MSASCui.exe
• msconfig.exe
• MsMpEng.exe
• MWAGENT.EXE
• MWASER.EXE
• nanoav.exe
• nanosvc.exe
• nbrowser.exe
• nfservice.exe
• njeeves2.exe
• nnf.exe
• nprosec.exe
• NS.exe
• nseupdatesvc.exe
• nvcod.exe
• nvcsvc.exe
• nvoy.exe
• nwscmon.exe
• ONLINENT.EXE
• op_mon.exe
• OPSSVC.EXE
• ProcessHacker.exe
• procexp.exe
• PSANHost.exe
• PSUAMain.exe
• PSUAService.exe
• PtSessionAgent.exe
• PtSvcHost.exe
• PtWatchDog.exe
• QUHLPSVC.EXE
• rawshark.exe
• SAPISSVC.EXE
• SASCore64.exe
• SASTask.exe
• SBAMSvc.exe
• SBAMTray.exe
• SBPIMSvc.exe
• SCANNER.EXE
• SCANWSCS.EXE
• scproxysrv.exe
• ScSecSvc.exe
• SDFSSvc.exe
• SDScan.exe
• SDTray.exe
• SDWelcome.exe
• SSUpdate64.exe
• SUPERAntiSpyware.exe
• SUPERDelete.exe
• Taskmgr.exe
• text2pcap.exe
• TRAYICOS.EXE
• TRAYSSER.EXE
• trigger.exe
• tshark.exe
• uiSeAgnt.exe
• uiUpdateTray.exe
• uiWatchDog.exe
• uiWinMgr.exe
• UnThreat.exe
• UserAccountControlSettings.exe
• utsvc.exe
• V3Main.exe
• V3Medic.exe
• V3Proxy.ahn
• V3SP.exe
• V3Svc.exe
• V3Up.exe
• VIEWTCP.EXE
• VIPREUI.exe
• virusutilities.exe
• WebCompanion.exe
• wireshark.exe
• Zanda.exe
• Zlh.exe
• zlhh.exe