BKDR_VAWTRAK.YUYAMY

 Analysis by: Cris Nowell Pantanilla

 ALIASES:

Backdoor:Win32/Vawtrak.A (Microsoft), Backdoor.Win32.Papras.zhm (Kaspersky)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

  TECHNICAL DETAILS

File Size:

344,064 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

21 Jun 2017

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = "regsvr32.exe "%Program Data%\{random}\{random}.{3 random characters}""

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = 0

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = 1

HKEY_CURRENT_USER\Software\{CLSID}
{random value} = "{hex values}"
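As an added defender-side check (not part of the original write-up), the PowerShell snippet below audits the current user's registry hive for the persistence and Internet Explorer settings listed above; the matching heuristic (a Run value that invokes regsvr32.exe against a path under ProgramData) and the live-process check are assumptions of this example, and legitimate installers can also register DLLs with regsvr32, so hits need manual confirmation.

```powershell
# Added example: looks for the indicators described in this write-up on the local host.
# Run in a user session on the machine being checked; nothing here modifies the system.
$findings = @()

# 1. Run key entries that launch regsvr32.exe on a DLL stored under %ProgramData%.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip provider metadata properties
        $v = [string]$p.Value
        # Heuristic (assumption): regsvr32 plus a ProgramData path, expanded or as %ProgramData%.
        if ($v -match '(?i)regsvr32(\.exe)?' -and $v -match '(?i)programdata') {
            $findings += "Run value '$($p.Name)' loads a DLL from ProgramData via regsvr32: $v"
        }
    }
}

# 2. Internet Explorer\Main values the backdoor sets (tab process growth disabled,
#    Protected Mode banner suppressed), as listed under Other System Modifications.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $ieMain) {
    $ie = Get-ItemProperty -Path $ieMain
    if ($null -ne $ie.TabProcGrowth -and $ie.TabProcGrowth -eq 0) {
        $findings += 'Internet Explorer\Main\TabProcGrowth = 0'
    }
    if ($null -ne $ie.NoProtectedModeBanner -and $ie.NoProtectedModeBanner -eq 1) {
        $findings += 'Internet Explorer\Main\NoProtectedModeBanner = 1'
    }
}

# 3. Live regsvr32.exe processes whose command line points into ProgramData
#    (assumption: a running instance of the autostart entry above would look like this).
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'regsvr32.exe'" |
    Where-Object { $_.CommandLine -match '(?i)programdata' } |
    ForEach-Object {
        $findings += "Running regsvr32.exe (PID $($_.ProcessId)): $($_.CommandLine)"
    }

if ($findings.Count -eq 0) {
    Write-Host 'No BKDR_VAWTRAK.YUYAMY registry or process indicators found for this user.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A match on item 1 or 3 points to the dropped DLL path, which can then be collected for analysis; items 2 alone are weak evidence, since other software also changes these values.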

Backdoor Routine

This Backdoor executes the following command(s) from a remote malicious user:

  • Log keystrokes
  • Capture screenshots
  • Open a process
  • Install updates
  • List processes
  • Inject code into a process
  • Download and execute files
  • Download configuration
  • Open a remote shell
  • Start VNC

NOTES:

This backdoor has the capability to set up a virtual network computing (VNC) server to take control of the compromised computer.

It injects code into all running processes except the following:

  • csrss.exe
  • Dbgview.exe
  • lsass.exe
  • lsm.exe
  • services.exe
  • smss.exe
  • svchost.exe
  • taskhost.exe
  • wininit.exe
  • winlogon.exe

This backdoor only performs its intended routine once it is injected into one of the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe