BKDR_AFCORE.NYN

This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It opens random ports. It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following component file(s):

• %System%\{random_name 1}.ocx - also detected as BKDR_AFCORE.NYN

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious files:

• %System%\{random_name 1}.dat
• %System%\{random_name 2}.dat
• %System%\{random_name 3}.dat
• %System%\{random_name 4}.dat
• %System%\{random_name 5}.dat

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Its DLL component is injected to the following process(es):

• explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• GLOBAL/{Random Characters}

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CLASSES_ROOT\CLSID\{random CLSID}\
InprocServer32
@ = %System%\{random_name 1}.ocx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
ShellIconOverlayIdentifiers\{random_name 1}
@ = {random CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{random CLSID}\InprocServer32
@ = %System%\{random_name 1}.ocx

Backdoor Routine

This backdoor opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

• ADDTO
• DELCOOKIES
• DELFROM
• DISKFLOOD
• DISKUNFLOOD
• EXPORT
• IPHLP
• LISTCOOKIES
• LSTWND
• MULTICAST
• PERFRM
• RESOLVE
• RESPAWN
• RESTART
• RMOLD
• RUNDLL
• SETCOOKIE
• SETRADIUS
• SETRANGE
• SETSP
• SETSTR
• SETWND
• SHUTDOWN
• SPACE
• STATS
• UNFREEZE
• UNIFORG
• UNINSTALL

Other Details

This backdoor does the following:

• Checks if the following registry key is present upon installation. If not found, it extis from its code and not perform its routines. HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay
• Performs the following action after connection is established:
  Shut down the machine
  Terminate processes
  Get IPC, log, and hook timeouts
  Open, create and delete files
  Initiate distributed denial of service (DDoS) flood attacks
  Get system time
  Scan logical drives
  Shutdown, Restart or Respawn itself
• Attempts to resolve the hostname taxfree.{BLOCKED}tplus.net. However, as of this writing, the malware failed to resolve the said hostname.
• Monitors applications(mostly web browsers) such as:
  iexplore.exe
  firefox.exe
  opera.exe
  skype.exe
• Gathers login information entered in websites with the following strings:
  answer
  challenge
  clave
  codigo
  cross-border
  firma
  foreign
  identifica
  memorable
  parol
  passphras
  password
  remittance
  s.w.i.f.t
  secret
  secur
  segur
  swift
  telegraphic

It deletes itself after execution.