BKDR_SERVLOD.A

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %Windows%\Wmiservjuc.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
ImagePath = "%Windows%\Wmiservjuc.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
DisplayName = "Windows Web Client"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Type = "16"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC
Description = Windows Applications to access the Inter(R) Management and Security Application using its locally-available selected network interfaces.

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WWC\Enum

Other Details

This backdoor connects to the following possibly malicious URL:

• r.{BLOCKED}s.ms