BKDR_PLUGX.AH

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %ProgramData%\SxS\bug.log
• %ProgramData%\SxSi\kl.log
• %System Root%\Users\All Users\SxS\bug.log
• %System Root%\Users\All Users\SxSi\kl.log

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following non-malicious files:

• %ProgramData%\SxSi\rc.exe
• %System Root%\Users\All Users\SxSi\rc.exe

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %ProgramData%\SxS
• %ProgramData%\SxSi
• %System Root%\Users\All Users\SxS
• %System Root%\Users\All Users\SxSi

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Type = "110"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ImagePath = "%ProgramData%\SxSi\rc.exe" 200 0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
DisplayName = "SxSi"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi
Description = "SxSi"

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\SxSi

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\FAST
CLSID = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST
CLSID = "{hex values}"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\FAST

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
FAST

Backdoor Routine

This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}irectme.net/update?id=00107f08

Dropping Routine

This backdoor drops the following files:

• %ProgramData%\SxSi\rc.hlp
• %ProgramData%\SxSi\rcdll.dll
• %System Root%\Users\All Users\SxSi\rc.hlp
• %System Root%\Users\All Users\SxSi\rcdll.dll

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)