BKDR_SIREFEF.WE

 Analysis by: Adrian Cofreros

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

  TECHNICAL DETAILS

File Size:

208,896 bytes

File Type:

EXE

Initial Samples Received Date:

23 Feb 2013

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\GoogleUpdate.exe
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\@
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\GoogleUpdate.exe
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\@

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It creates the following folders:

  • %AppDataLocal%\Google\Desktop
  • %AppDataLocal%\Google\Desktop\Install
  • %AppDataLocal%\Google\Desktop\Install\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\U
  • %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\L
  • %Program Files%\Google\Desktop
  • %Program Files%\Google\Desktop\Install
  • %Program Files%\Google\Desktop\Install\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\U
  • %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\L

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It executes then deletes itself afterward.

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug\Parameters

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Google Update = "%AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path 1}\{GUID}\GoogleUpdate.exe<"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
Description = "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
DisplayName = "Google Update Service (gupdate)"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
ImagePath = ""%Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path 1}\{GUID}\GoogleUpdate.exe" <"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug
Type = "16"

HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\
Services\{box character}etadpug\Parameters
Parameters = "176"

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}187.87:16464