BKDR_PUSHDO.MV

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

• TSPY_BEBLOH.AAACT

Installation

This backdoor drops the following copies of itself into the affected system:

• %User Profile%\femjannacafe.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• femjannacafe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
femjannacafe = %User Profile%\femjannacafe.exe

Other System Modifications

This backdoor adds the following registry keys:

HKEY_USERS\{random}

It adds the following registry entries:

HKEY_CURRENT_USER
femjannacafe = {Hex Values}

HKEY_USERS\{random}
femjannacafe = {Hex Values}

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and execute arbitrary files
• Retrieve Spam Configuration/Content
• Get OS Version
• Get System Information
• Get Network Information

It connects to the following websites to send and receive information:

• http://{random generated domain}.kz
  Note: it does the DGA routine when initial hardcoded C&C is inaccessible
• http://www.{BLOCKED}s.com

Other Details

This backdoor does the following:

• It performs random POST Request connection to the following URLs to mask network traffic and hide the C&C communication.
  • kernsafe.com
  • ottospm.com
  • ex-olive.com
  • jroy.net
  • iamdirt.com
  • stnic.co.uk
  • depalo.com
  • sclover3.com
  • x0c.com
  • netcr.com
  • dgmna.com
  • mobilnic.net
  • pwd.org
  • cel-cpa.com
  • dayvo.com
  • medisa.info
  • koz1.net
  • vexcom.com
  • yoruksut.com
  • spanesi.com
  • jenco.co.uk
  • speelhal.net
  • valselit.com
  • t-tre.com
  • transsib.com
  • cokocoko.com
  • otena.com
  • owsports.ca
  • yocinc.org
  • tvtools.fi
  • snugpak.com
  • ora.ecnet.jp
  • nelipak.nl
  • h-f.net
  • baijaku.com
  • wkhk.net
  • pb-games.com
  • nunomira.com
  • edimart.hu
  • fcwcvt.org
  • c9dd.com
  • 2print.com
  • wifi4all.nl
  • elpro.si
  • gpthink.com
  • stajum.com
  • valdal.com
  • naoi-a.com
  • pcgrate.com
  • tc17.com
  • crcsi.org
  • maktraxx.com
  • yumgiskor.kz
  • olras.com
  • myropcb.com
  • waldi.pl
  • abart.pl
  • ftchat.com
  • pohlfood.com
  • ka-mo-me.com
  • 11tochi.net
  • rs-ag.com
  • item-pr.com
  • jacomfg.com
  • medius.si
  • photo4b.com
  • findbc.com
  • fnw.us
  • abdg.com
  • railbook.net
  • reglera.com
  • udesign.biz
  • domon.com
  • alteor.cl
  • pupi.cz
  • usadig.com
  • sjbs.org
  • petsfan.com
  • fnsds.org
  • quadlock.com
  • jchysk.com
  • fink.com
  • {BLOCKED}du.com
  • vazir.se
  • synetik.net
  • hummer.hu
  • credo.edu.pl
  • aevga.com
  • pdqhomes.com
  • wnsavoy.com
  • ora-ito.com
  • evcpa.com
  • pr-park.com
  • fe-bauer.de
  • holleman.us
  • xaicom.es
  • nqks.com
  • mqs.com.br
  • lrsuk.com
• Perform spam-bot routine based from SPAM configuration received from C&C communication
  • create svchost.exe process
  • inject code and configuration to created svchost.exe

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.