BKDR_AGENT.DZW

October 09, 2012

Analysis by: MarfelTi

ALIASES:

Symantec : Spyware.Keylogger

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

TECHNICAL DETAILS

File Size:

138,752 bytes

File Type:

EXE

Memory Resident:

Initial Samples Received Date:

25 Jul 2011

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following component file(s):

%system%\msinet.ocx
%system%\MSWINSCK.OCX

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = {malware path and file name}

Other System Modifications

This backdoor adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InetCtls.Inet

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
InetCtls.Inet.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MSWinsock.Winsock

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
MSWinsock.Winsock.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{39977C62-C383-463D-AF61-C71220634656}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{48E59293-9880-11CF-9754-00AA00C00908}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{6E5311A1-325D-4FFD-9AF4-B373F02AE458}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E2D211D5-11E4-4D9E-B6DB-1E902C851A49}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{48E59291-9880-11CF-9754-00AA00C00908}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\ActiveX Compatibility\{48E59293-9880-11CF-9754-00AA00C00908}

Other Details

This backdoor connects to the following possibly malicious URL:

http://{BLOCKED}ndns.org/xampp/ip.php

BKDR_AGENT.DZW

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

BKDR_AGENT.DZW

OVERVIEW

TECHNICAL DETAILS

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific