BKDR_FAKETM.AE
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
65,915 bytes
EXE
Yes
11 Oct 2012
Arrival Details
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This backdoor drops the following copies of itself into the affected system:
- %System%:MCPUPlayer.exe (With Admin Rights Privilege)
- %User Profile%\Application Data\MCPUPlayer.exe (Without Admin Rights Privilege)
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AdobeCro CPUPlayer = "%System%:MCPUPlayer.exe" (With Admin Rights Privilege)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AdobeCro CPUPlayer = “%User Profile%\Application Data\MCPUPlayer.exe" (Without Admin Rights Privilege)
Other Details
This backdoor connects to the following possibly malicious URL:
- sendmsg.{BLOCKED}crab.com
It deletes the initially executed copy of itself