BKDR_KULUOZ.VLT

This malicious file is downloaded from a spammed email related to news about the South China's Guangzhou Railway Station.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

• http://{BLOCKED}ofing.com/lib.php?la=w0HMRoflYGd7lbjgVe3hPH5ALSw8h2SpOT2SmBFy%2BHA%3D

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\{random file name}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

It adds the following processes:

• svchost.exe

It stays memory-resident by injecting codes into the following processes:

• created svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%AppDataLocal%\{random file name}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\{random}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random}
{random} = "{hex values}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Sleep/Idle
• Download and execute arbitrary file
• Uninstall itself
• Download module and inject to svchost.exe
• Update itself
• Check latest malware version
• Manage registry

It connects to the following websites to send and receive information:

• http://{BLOCKED}0.{BLOCKED}4.59.5:443/{encrypted data}
• http://{BLOCKED}8.{BLOCKED}.219.150:443/{encrypted data}
• http://{BLOCKED}2.{BLOCKED}2.157.126:8080/{encrypted data}
• http://{BLOCKED}9.{BLOCKED}6.55.95:8080/{encrypted data}
• http://{BLOCKED}1.{BLOCKED}1.1.189:8080/{encrypted data}
• http://{BLOCKED}5.{BLOCKED}1.29.205:8080/{encrypted data}

Information Theft

This backdoor gathers the following data:

• Malware version
• Virtualization information
• Running debugger/forensic tools
• User name
• Local IP address
• Processor type
• OS version
• Antivirus product
• Firewall product

NOTES:

This backdoor checks for running windows with the following names:

• 99929D61-1338-48B1-9433-D42A1D94F0D2
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x32
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x64
• APISpy32Class
• Dumper
• Dumper64
• iptools.exe
• Iris - Version 5.59
• prl_cc.exe
• prl_tools.exe
• ProcessHacker
• ProcessLasso_Notification_Class
• PROCEXPL
• PROCMON_WINDOW_CLASS
• SharedIntApp.exe
• Tfrmrpcap
• TSystemExplorerTrayForm.UnicodeClass
• VBoxService.exe
• VBoxTray.exe
• vmsrvc.exe
• vmtoolsd.exe
• vmusrvc.exe
• VMwareDragDetWndClass
• VMwareSwitchUserControlClass
• WdcWindow
• wireshark.exe

It checks Service Disk or BIOS for the following registry information if under virtualization:

• AMIBI
• PRLS
• PTLTD
• Vbox
• Virtual
• VMware

It also checks if the following registry keys exist:

• SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00
• SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00
• SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
• SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
• SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00
• HARDWARE\ACPI\DSDT\PTLTD__
• HARDWARE\ACPI\DSDT\VBOX__
• HARDWARE\ACPI\DSDT\AMIBI