BKDR_CAPHAW.EF
Trojan.Win32.Agent.acljc (Kasperksy)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware, Via physical/removable drives
This backdoor arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
It lowers the security setting of Internet Explorer.
It steals certain information from the system and/or the user.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
241,664 bytes
EXE
Yes
22 Oct 2013
Compromises system security, Steals information
Arrival Details
This backdoor arrives via removable drives.
It may arrive via network shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor injects codes into the following process(es):
- explorer.exe
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random letters} = "%Application Data%\{random folder found}\{filename found in %System%}"
Other System Modifications
This backdoor adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
DisableCachingOfSSLPages = "1"
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Download and execute arbitrary files
- Upload files
- Update itself
- Modify system settings
- Terminate processes
- Downloads and loads additional plugin
- disk propagation
Web Browser Home Page and Search Page Modification
This backdoor lowers the security setting of Internet Explorer.
Information Theft
This backdoor steals the following information:
- CPU Information
- OS Version and Installation Information
- Disk Devices list, type and status
- Computer Name
- Admin Rights
- Code Page
- Web Browser Version (Internet Explorer, Firefox, Chrome)
- Anti-malware Software Installed
- Virtual Machine check
- Startup Programs
- VMWare Information
- Installed Software (found under HKEY_LOCAL_MACHINE\SOFTWARE registry subkey)
- Running Processes
- Cookies
- Network traffic
- CPUID
Other Details
This backdoor deletes the initially executed copy of itself
NOTES:
It drops a copy of itself in random legitimate folders or subfolders found in the %Application Data% folder. It uses the file name of a file found in the %System% folder (e.g., %Application Data%\Microsoft\Internet Explorer\logagent.exe).
It generates random subdomains for the following C&C servers:
- https://{pseudorandom subdomain}{BLOCKED}y.su/ping.html
- https://{pseudorandom subdomain}{BLOCKED}y.su/ping.html
- https://{pseudorandom subdomain}{BLOCKED}y.su/ping.html
- https://{pseudorandom subdomain}{BLOCKED}p.cc/ping.html
- https://{pseudorandom subdomain}{BLOCKED}ngo.cc/ping.html
- https://{pseudorandom subdomain}{BLOCKED}atinfo.cc/ping.html
- https://{pseudorandom subdomain}{BLOCKED}p.cc/ping.html
If the connection to a C&C server is successful, it may download its components/configuration that may contain information like targeted online banking sites.
It may check the following processes related to Antivirus and Security Applications:
- AAWService.exe
- AAWTray.exe
- AAWWSC.exe
- ALsvc.exe
- AVGIDSAgent.exe
- AvastSvc.exe
- BullGuard.exe
- BullGuardBhvScanner.exe
- ComcastAntiSpyService.exe
- ComcastAntispy.exe
- DefWatch.exe
- DoScan.exe
- EngineServer.exe
- FGuard.exe
- FwcAgent.exe
- FwcMgmt.exe
- Fws.exe
- Fwservice.exe
- IswSvc.exe
- MSASCui.exe
- ManagementAgentNT.exe
- McSACore.exe
- Mcshield.exe
- MsMpEng.exe
- PCCleaners.exe
- PavFnSvr.exe
- PavPrSvr.exe
- PccNTMon.exe
- RouterNT.exe
- RpsSecurityAwareR.exe
- Rtvscan.exe
- SAVAdminService.exe
- SCANMSG.exe
- SPBBCSvc.exe
- SSDMonitor.exe
- SSScheduler.exe
- SUPERAntiSpyware.exe
- SZServer.exe
- SavService.exe
- ServiceManager.exe
- ServicepointService.exe
- SmcGui.exe
- TeaTimer.exe
- UPSCHD.exe
- VsTskMgr.exe
- WRConsumerService.exe
- a2service.exe
- almon.exe
- ashDisp.exe
- ashServ.exe
- aswUpdSv.exe
- avengine.exe
- avgamsvr.exe
- avgcc.exe
- avgchsvx.exe
- avgemc.exe
- avgemcx.exe
- avgfws.exe
- avgnt.exe
- avgrsx.exe
- avguard.exe
- avgupsvc.exe
- avgw.exe
- avgwdsvc.exe
- avp.exe
- caamsvc.exe
- casc.exe
- ccApp.exe
- ccEvtMgr.exe
- ccEvtMgr.exe
- ccSetMgr.exe
- ccSvcHst.exe
- ccSvcHst.exe
- ccSvcHst.exe
- ccprovsp.exe
- ccschedulersvc.exe
- cfp.exe
- cmdagent.exe
- coreFrameworkHost.exe
- cssurf.exe
- drweb32w.exe
- dwengine.exe
- egui.exe
- ekrn.exe
- frwl_svc.exe
- fw.exe
- guard.exe
- iamapp.exe
- isafe.exe
- mbam.exe
- mbamservice.exe
- mcagent.exe
- mfeann.exe
- msseces.exe
- myAgtSvc.exe
- navapsvc.exe
- navapw32.exe
- nod32krn.exe
- nod32kui.exe
- oasrv.exe
- onlinent.exe
- op_mon.exe
- pctsGui.exe
- ppfw.exe
- prevx.exe
- pshost.exe
- psksvc.exe
- rapportmgmtservice.exe
- rapportservice.exe
- sched.exe
- swi_service.exe
- vseamps.exe
- vsedsps.exe
- vsmon.exe
- vsserv.exe
- winroute.exe
It drops a malicious shortcut file (detected as LNK_CAPHAW.SM) on the removable drive, that points to the location of the dropped copy of the malware on the removable drive.
SOLUTION
9.300
10.360.01
23 Oct 2013
10.361.00
23 Oct 2013
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove the malware/grayware file dropped/downloaded by BKDR_CAPHAW.EF
- LNK_CAPHAW.SM
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random letters} = "%Application Data%\{random folder found}\{filename found in %System%}"
- {random letters} = "%Application Data%\{random folder found}\{filename found in %System%}"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- NoProtectedModeBanner = "1"
- NoProtectedModeBanner = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- DisableCachingOfSSLPages = "1"
- DisableCachingOfSSLPages = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- 2500 = "3"
- 2500 = "3"
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_CAPHAW.EF . If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Scan your computer with your Trend Micro product to delete files detected as BKDR_CAPHAW.EF . If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.