BKDR_ANDROM.LL
Windows
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
135,722 bytes
EXE
Yes
02 Sep 2013
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%All Users Profile%\ms{random}.exe"
Other System Modifications
This backdoor adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
HideSCAHealth = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
TaskbarNoNotification = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
HideSCAHealth = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
TaskbarNoNotification = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is "1".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"
(Note: The default value data of the said registry entry is "1".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MpsSvc
Start = "4"
(Note: The default value data of the said registry entry is "2".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WinDefend
Start = "4"
(Note: The default value data of the said registry entry is "2".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"
(Note: The default value data of the said registry entry is "2".)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = "4"
(Note: The default value data of the said registry entry is "2".)
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}erco.net
It deletes the initially executed copy of itself