BKDR_ZACCESS.NTW

This backdoor may be downloaded by other malware/grayware from remote sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor may be downloaded by the following malware/grayware from remote sites:

• JAVA_EXPLOYT.NTW

Installation

This backdoor drops the following component file(s):

• %User Temp%\msimg32.dll - detected as BKDR_ZACESS.SMQQ

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious file:

• %User Temp%\InstallFlashPlayer.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Its DLL component is injected to the following process(es):

• explorer.exe
• svchost.exe

It creates the following folders:

• %Application Data%\{GUID}\L
• %Application Data%\{GUID}\U
• %Windows%\Installer\{GUID}\L
• %Windows%\Installer\{GUID}\U

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This backdoor deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\iphlpsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\MpsSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SharedAccess

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\WinDefend

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\wscsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\wuauserv

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run\
Windows Defender

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and execute arbitrary files
• Get drive information

It connects to the following websites to send and receive information:

• http://j.{BLOCKED}d.com/app/geoip.js

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• wscntfy.exe
• MSASCui.exe
• MpCmdRun.exe
• NisSrv.exe
• msseces.exe
• SharedAccess
• windefend
• MsMpSvc
• iphlpsvc
• wscsvc
• mpssvc

NOTES:

It patches %System%\services.exe and saves the original copy in %System%\Winsxs\Backup\services.exe.

• Patched 64-bit %System%\services.exe - detected as PTCH64_ZACCESS.A
• Patched Win7 32-bit %System%\services.exe - detected as PTCH_ZACCESS.A

It connects to the following website to simulate clicking on pay-per-install links:

• www.{BLOCKED}reecounters.com/5699002-2F6F334BF9ACF1B2401D3874A5B0C048/counter.img?theme={Random Value}&digits=10&siteId={Site ID}