BKDR_OBFUSCA.DCB

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

It terminates itself if it detects it is being run in a virtual environment. It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %User Startup%\Trend_Updater.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It drops the following files:

• %User Temp%\svchost.exe - also detected as BKDR_OBFUSCA.DCB
• %User Temp%\ctfmon.exe - also detected as BKDR_OBFUSCA.DCB

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following non-malicious files:

• %User Temp%\autoexec.bat
• {malware path}\デスクトップ\特典お客様控え\ｅチケットお客様控.doc

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• {malware path}\デスクトップ\特典お客様控え

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\MIcrosoft\
Windows\CurrentVersion\Run
Trend Updater = "{malware path and file name}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Delete the file %System Root%\ntldr
• Execute command shell
• Get system and network information by performing the following commands via command-line:
  
  • arp -a
  • dir ""%Program Files""
  • dir ""%SystemDrive%\"" /s /a
  • ipconfig/all
  • net start
  • net use
  • net user
  • net view
  • net view /domain
  • netstat -ano
  • route print
  • set
  • systeminfo
  • tasklist /m
• Get cookies for the following URLs:
  
  • http://gmail.com
  • http://hotmail.co.jp
  • http://hotmail.com
  • http://jcom.home.ne.jp
  • http://mail.yahoo.co.jp
  • http://nifty.com
• Log keystrokes
• Shut down affected system
• Terminate processes

It connects to the following websites to send and receive information:

• registrations.{BLOCKED}er.org

Dropping Routine

This backdoor drops the following file(s), which it uses for its keylogging routine:

• %User Temp%\desktop.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Other Details

This backdoor terminates itself if it detects it is being run in a virtual environment.

It deletes itself after execution.

NOTES:

This backdoor terminates itself if it finds the process vmwareuser.exe.

Information that it gathers may be saved in the following files:

• %User Temp%\ag.tmp
• %User Temp%\agc.tmp