BKDR_FYNLOSKI.C
Aliases: Backdoor:Win32/Fynloski.A (Microsoft); PAK:PE_Patch.Enigma (Kaspersky)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
However, as of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
File Size: 3,865,600 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 01 Aug 2011
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %User Profile%\Application Data\bootsys\boot.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %User Profile%\Application Data\bootsys
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
syslds = "%User Profile%\Application Data\bootsys\boot.exe"
It modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%User Profile%\Application Data\bootsys\boot.exe"
(Note: The default value data of the said registry entry is "%System%\userinit.exe," including the trailing comma; the backdoor appends its dropped copy after it.)
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\DC3_FEXEC
HKEY_CURRENT_USER\Software\Enigma Protector
HKEY_CURRENT_USER\Software\sang sinsang
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU
It modifies the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DisableNotifications = "1"
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = "4"
(Note: The default value data of the said registry entry is 2.)
It also creates the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
W2KLpk = "1"
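The Installation, Autostart Technique and Other System Modifications sections above together give a checklist a responder can audit a host against. The script below is an added example, not part of this entry or of any Trend Micro tooling: it looks for the dropped copy, the Run value, the appended Userinit entry, the modified Security Center, firewall and wscsvc values, and the created keys and values, and with -Remediate restores the default values the entry documents. The registry paths, value names and defaults come from the entry; the function names, the -Remediate switch, the treatment of created values as safe to remove, and the choice to only report (not delete) the dropped boot.exe are this script's own assumptions.

```powershell
# Added example: audit a host for the BKDR_FYNLOSKI.C artifacts documented in the
# entry and optionally restore the documented defaults. Function names, the
# -Remediate switch and the report format are assumptions of this script.
[CmdletBinding()]
param([switch]$Remediate)

# %User Profile%\Application Data on 2000/XP/2003 is the roaming application data folder
$appData  = [Environment]::GetFolderPath('ApplicationData')
$dropDir  = Join-Path $appData 'bootsys'
$dropFile = Join-Path $dropDir 'boot.exe'

# Values the backdoor modifies, with the defaults the entry documents (all REG_DWORD)
$modified = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Bad = 1; Default = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'DisableNotifications'; Bad = 1; Default = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Bad = 4; Default = 2 }
)
# Values the backdoor creates; they had no prior value, so remediation removes them (assumption)
$created = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Bad = 0 }
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\International'; Name = 'W2KLpk'; Bad = 1 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'syslds'; Bad = $null }  # any value counts
)
# Keys the backdoor adds; existence alone is an indicator (Enigma Protector can also be left by a legitimately packed program)
$addedKeys = @('HKCU:\Software\DC3_FEXEC', 'HKCU:\Software\Enigma Protector', 'HKCU:\Software\sang sinsang')
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Find-FynloskiArtifacts {
    $findings = @()
    if (Test-Path -LiteralPath $dropFile) { $findings += "Dropped copy present: $dropFile" }
    elseif (Test-Path -LiteralPath $dropDir) { $findings += "Drop folder present without boot.exe: $dropDir" }

    foreach ($v in $modified) {
        $cur = Get-RegValue $v.Key $v.Name
        if ($null -ne $cur -and [int]$cur -eq $v.Bad) { $findings += "$($v.Key)\$($v.Name) = $cur (default $($v.Default))" }
    }
    foreach ($v in $created) {
        $cur = Get-RegValue $v.Key $v.Name
        if ($null -ne $cur -and ($null -eq $v.Bad -or [int]$cur -eq $v.Bad)) { $findings += "$($v.Key)\$($v.Name) = $cur" }
    }
    foreach ($k in $addedKeys) { if (Test-Path -LiteralPath $k) { $findings += "Key present: $k" } }

    # Default Userinit is "%System%\userinit.exe," : exactly one non-empty entry. Anything after it was appended.
    $userinit = Get-RegValue $winlogonKey 'Userinit'
    if ($userinit) {
        $entries = @($userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($entries.Count -gt 1) { $findings += "Userinit has extra entries: $($entries[1..($entries.Count - 1)] -join '; ')" }
    }
    return $findings
}

function Restore-FynloskiDefaults {
    foreach ($v in $modified) {
        if ($null -ne (Get-RegValue $v.Key $v.Name)) { Set-ItemProperty -Path $v.Key -Name $v.Name -Value $v.Default -Type DWord }
    }
    foreach ($v in $created) {
        if ($null -ne (Get-RegValue $v.Key $v.Name)) { Remove-ItemProperty -Path $v.Key -Name $v.Name }
    }
    # Rewrite Userinit to the documented default as a whole rather than editing it entry by entry:
    # a malformed Userinit value prevents interactive logon, so the safest fix is the known-good string.
    $defaultUserinit = (Join-Path ([Environment]::SystemDirectory) 'userinit.exe') + ','
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value $defaultUserinit
    # The added keys and the dropped boot.exe are reported only; quarantine the file with the AV product.
}

$found = @(Find-FynloskiArtifacts)
if ($found.Count -eq 0) {
    Write-Output 'No BKDR_FYNLOSKI.C artifacts found.'
} else {
    $found | ForEach-Object { Write-Output "[!] $_" }
    if ($Remediate) {
        Restore-FynloskiDefaults
        Write-Output 'Documented defaults restored; quarantine boot.exe and reboot so the Winlogon change takes effect.'
    }
}
```

Run it from an elevated PowerShell prompt as the affected user (the HKCU values belong to that user's hive); the HKLM writes in Restore-FynloskiDefaults need administrative rights. Review the report before adding -Remediate: the EnableLUA and Enigma Protector indicators can also appear on hosts with no infection, so they are corroborating evidence rather than proof on their own.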
Other Details
This backdoor connects to the following possibly malicious URLs:
- http://cafe.{BLOCKED}r.com/csobluedragon03
- {BLOCKED}86.codns.com
However, as of this writing, the said sites are inaccessible.