BKDR_DEXTR.C

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It logs a user's keystrokes to steal information.

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following file(s)/component(s):

• {Malware Path}\SecureDll.dll - keylogger module loaded to iexplore.exe also detected as BKDR_DEXTR.C

It drops the following copies of itself into the affected system:

• %Application Data%\Java Security Plugin\javaplugin.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• iexplore.exe

It creates the following folders:

• %Application Data%\Java Security Plugin

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It injects itself into the following processes as part of its memory residency routine:

• iexplore.exe created process

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Sun Java Security Plugin = "%Application Data%\Java Security Plugin\javaplugin.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Sun Java Security Plugin = "%Application Data%\Java Security Plugin\javaplugin.exe"

It drops the following files:

• {malware path}\strokes.log
• {malware path\tmp.log
• {malware path}\debug.log

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\HelperSolutions Software

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations

It adds the following registry entries:

HKEY_CURRENT_USER\Software\HelperSolutions Software
digit = "{GUID}"

HKEY_CURRENT_USER\Software\HelperSolutions Software
val1 = "{malware path}\strokes.log"

HKEY_CURRENT_USER\Software\HelperSolutions Software
val2 = "{malware path}\tmp.log"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = ".exe;.bat;.reg;.vbs;"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Update (update copy)
• Checkin (set the delay it sends information)
• Scanin (set the delay it checks memory for information)
• Uninstall (uninstall itself)
• Download (download and execute a file)

It connects to the following websites to send and receive information:

• hi.{BLOCKED}o.biz/fk/gateway.php
• {BLOCKED}.{BLOCKED}.115.107/ial9121988921973dsadas8dsa080dsa/gateway.php
• {BLOCKED}.{BLOCKED}.44.11/base1/gateway.php
• {BLOCKED}.{BLOCKED}.44.11/w19218317418621031041543/gateway.php
• {BLOCKED}-service.in.ua/alfa/gateway.php
• {BLOCKED}.{BLOCKED}.67.242/~microsre/9e6e2103559968f8a876156c6ff2acad/gateway.php
• {BLOCKED}.{BLOCKED}.78.24/e78826c4e629f7036312259d7a83ed05/gateway.php

Information Theft

This backdoor gathers the following data:

• {GUID}
• Username
• Hostname
• Operating System
• Processor type
• List of running processes
• Key to decrypt sent information

It logs a user's keystrokes to steal information.

NOTES:

It dumps the affected system's memory to check for sensitive information, such as payment details and/or credit card information stored in the aforementioned system.