BKDR_CHALCOL.BC

This backdoor may be dropped by other malware.

It connects to a website to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_PIDIEF.DRP

Installation

This backdoor drops the following files:

• %Windows%\tasks\fxsst.dll - backdoor component also detected as BKDR_CHALCOL.BC
• %User Startup%\AcroRd32.exe - autostart component also detected as BKDR_CHALCOL.BC

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• http://{BLOCKED}.{BLOCKED}.202.198/jp/log2.asp

NOTES:

It reports successful infection to its C&C server by sending the following information via HTTP GET:

• Host name
• IP address
• Malware Flag
• Operating system
• Proxy information
• Virtual Machine

It is capable of executing the following commands:

• Download and execute file(s)
• Open an instance of cmd.exe process
• Update itself