BKDR_FYNLOS.RUI

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %User Temp%\azerty.exe - also detected as BKDR_FYNLOS.RUI

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops and executes the following files:

• %User Temp%\svchost.exe - non-malicious file used by this backdoor for code injection

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• DC_MUTEX-JDDR2RQ

It injects codes into the following process(es):

• svchost.exe - dropped file

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Microsoft\Windows\CurrentVersion\
Run
#nume# = "%Application Data%\#rundll32.exe#"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\DC3_FEXEC

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Lessen system security level
• List disk drives
• List webcams and monitor/capture video
• Change MSN Messenger status & modify contact list
• Shutdown, Restart, Log off or Lock computer
• Empty Recycle Bin
• Visit arbitrary C&C servers
• List active windows
• Remote shell command
• Download and execute files
• Download updated copy of itself
• Upload files
• Log keystrokes
• Refresh or delete logs
• Modify system's host file
• Record and play sounds
• Open and close CD-ROM drive door
• Steal passwords
• Get torrent files
• Refresh Wifi
• Uninstall programs
• Start and control chat sessions
• Monitor activity by Remote Desktop Protocol
• DDOS Flooding
• Manipulate the following:
• • Browser
• • Clipboard
• • Desktop
• • Dialog Box
• • Files
• • Folders
• • Mouse clicks
• • Processes
• • Registries
• • Services
• • Shutdown button options
• • Start button
• • System clock
• • System tray
• • Taskbar

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• skto.{BLOCKED}p.org

Dropping Routine

This backdoor drops the following file(s), which it uses for its keylogging routine:

• %Application Data%\dclogs\{Current Date}-{number}.dc

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Information Theft

This backdoor gathers the following data:

• Admin rights
• Computer/User name
• Language/Country
• Operating System information
• Network configuration
• Screen Resolution

Other Details

This backdoor deletes the initially executed copy of itself