BKDR_ANDROM.EG

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

It does not have any information-stealing capability.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %All Users Profile%\{random file name}.exe
• %All Users Profile%\svchost.exe

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It executes then deletes itself afterward.

It injects threads into the following normal process(es):

• svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%All Users Profile%\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%All Users Profile%\{random file name}.exe"

Other System Modifications

This backdoor adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it as %All Users Profile%\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It connects to the following websites to send and receive information:

• http://{BLOCKED}y.pl/moonlight.php
• http://{BLOCKED}a.ru/webvpn.php
• http://{BLOCKED}d.pl/oliver.php
• http://{BLOCKED}e.ru/lockout.php

However, as of this writing, the said sites are inaccessible.

Information Theft

This backdoor does not have any information-stealing capability.

NOTES:

It checks if it is being run in a VMWare environment or Emulation software. If it is being run in a VMWare environment or Emulation software, it performs another routine where in it will open Port 8000 and listen for a backdoor command for performing remote shell execution.

It also checks if there is a running network monitoring software in the affected machine. If found, it also performs its other routine.