BKDR_CHIKDOS.A

 Analysis by: Alvin John Nieto

 ALIASES:

Trojan:Win32/Farfli (Microsoft), Trojan.Win32.Swisyn.cskp (Kaspersky), Win32/TrojanDropper..Agent.QEP trojan (ESET)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

573,440 bytes

File Type:

EXE

Initial Samples Received Date:

09 Apr 2014

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following file(s)/component(s):

  • %Program Files%\DbProtectSupport\fake.cfg
  • %Program Files%\DbProtectSupport\svchost.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %Program Files%\DbProtectSupport

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
Service = "DbProtectSupport"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
ConfigFlags = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
Class = "LegacyDriver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
DeviceDesc = "DbProtectSupport"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control
*NewlyCreated* = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control
ActiveService = "DbProtectSupport"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ImagePath = "%Program Files%\DbProtectSupport\svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Security
Security = "{values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
0 = "Root\LEGACY\DBPROTECTSUPPORT\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
NextInstance = "1"

It modifies the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum

Other Details

This backdoor connects to the following possibly malicious URL:

  • http://syn.{BLOCKED}x.com/