BKDR_RARSTONE.A

The malware uses similar techniques as those of PlugX, like process injection and use of blob file. The malware directly loads the backdoor file located in its command-and-control (C&C) server. This means there are no downloaded files and file-based detection of the backdoor code is not possible.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_ARTIEF.NTZ

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %System%\ymsgr_tray.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following file(s)/component(s):

• %Application Data%\profile.dat - blob file containing malware routines

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following processes:

• iexplore.exe

It injects itself into the following processes as part of its memory residency routine:

• iexplore.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Yahoo! = ""%System%\ymsgr_tray.exe" -local"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Get computer name and name of current user
• Retrieve list of local groups where the current user belongs.
• Create autorun registry entries
• Enumerate files and directories
• Get drive information
• Upload files
• Download files
• Execute files
• Download plugin and load into memory
• Enumerate processes
• Enumerate process modules
• Get process information
• Terminate processes
• Get installer properties from Uninstall Registry Key entries
• Manage files and directories (create, delete, modify, rename, search)
• Manage registries (create, delete, modify, search, view)
• Manage services (install, modify, search, start, stop, uninstall, view)
• Get service information
• Manage windows
• Perform remote shell
• Restart system
• Remove self from system
• Update self and configuration
• Enumerate TCP and UDP connection states

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}805.{BLOCKED}y.net

NOTES:

The malware needs the following command line parameters in order to perform its intended routine:

• -{any string}cal