BKDR_ANDROM.AS

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This backdoor drops the following copies of itself into the affected system:

• %System Root%\Documents and Settings\All Users\svchost.exe
• %System Root%\Documents and Settings\All Users\Local Settings\Temp\ms{random characters}.{extension name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Decimal form of the Volume Serial Number of %System Root%}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It stays memory-resident by injecting codes into the following processes:

• \system32\wuauclt.exe
• \syswow64\svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%System Root%\Documents and Settings\All Users\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "%System Root%\Documents and Settings\All Users\Local Settings\Temp\ms{random characters}.{extension name}"

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:{malware name}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it in the folder %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}ecost.com/ff/image.php
• http://{BLOCKED}agdpp43gn56.com/ff/image.php
• http://{BLOCKED}uianowj12.com/ff/image.php
• http://{BLOCKED}329sbgn56.com/ff/image.php

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• www.update.microsoft.com

NOTES:

The {extension name} of the dropped copy is any of the following:

• bat
• cmd
• com
• exe
• pif
• scr