PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This malware family of backdoors allows unauthorized access and control to the infected systems. It can perform several commands such as downloading files, performing remote shell command, managing services, processes and windows, and capturing screenshots. As such, the security of infected system is compromised.

In addition, MORIX enables to run itself every hour on a daily basis by creating a scheduled task. It also terminates certain antivirus-related processes thus making it difficult to detect on the system.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Compromises system security, Connects to URLs/IPs

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

  • %Windows%\92E2EA8E\svchsot.exe
  • %Windows%\C2F5BC5E\svchsot.exe
  • %Windows%\D9E29D95\svchsot.exe
  • %Windows%\AD310664\svchsot.exe
  • %Windows%\3BAFCB1D\svchsot.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following files:

  • %System%\3BAFCB1D.key
  • %Windows%\Task\At1.job
  • %Windows%\Task\At2.job
  • %Windows%\Task\At3.job
  • %Windows%\Task\At4.job
  • %Windows%\Task\At5.job
  • %Windows%\Task\At6.job
  • %Windows%\Task\At7.job
  • %Windows%\Task\At8.job
  • %Windows%\Task\At9.job
  • %Windows%\Task\At10.job
  • %Windows%\Task\At11.job
  • %Windows%\Task\At12.job
  • %Windows%\Task\At13.job
  • %Windows%\Task\At14.job
  • %Windows%\Task\At15.job
  • %Windows%\Task\At16.job
  • %Windows%\Task\At17.job
  • %Windows%\Task\At18.job
  • %Windows%\Task\At19.job
  • %Windows%\Task\At20.job
  • %Windows%\Task\At21.job
  • %Windows%\Task\At22.job
  • %Windows%\Task\At23.job
  • %Windows%\Task\At24.job

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
3BAFCB1D = "%Windows%\3BAFCB1D\svchsot.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "48"

It modifies the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
NextAtJobId = "19"

(Note: The default value data of the said registry entry is "1".)

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}d.{BLOCKED}n.com
  • {BLOCKED}hi2.facai2013.com
  • {BLOCKED}8v.mingren1004.com
  • {BLOCKED}ec.jiugui1919.com
  • {BLOCKED}.{BLOCKED}.126.98
  • {BLOCKED}.{BLOCKED}.126.98
  • {BLOCKED}.{BLOCKED}.151.192
  • {BLOCKED}1.{BLOCKED}mbi.com
  • {BLOCKED}2.{BLOCKED}mbi.com
  • {BLOCKED}3.{BLOCKED}mbi.com