BKDR_KULUOZ.VA

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\{random}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)

It adds the following processes:

• svchost.exe

It injects itself into the following processes as part of its memory residency routine:

• created svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = "%AppDataLocal%\{random}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\SOFTWARE\{random}

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\{random}
{random} = "{hex values}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• idl - sleep/idle
• run - download and execute arbitrary file
• rem - uninstall itself
• rdl - update copy of injected code in svchost and add encrypted code to registry
• upd - update copy of main malware
• red - edit registry

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.{BLOCKED}6.181.62:8080
• http://{BLOCKED}.{BLOCKED}.19.249:8080

Information Theft

This backdoor retrieves the following information from the affected system:

• Malware Version
• Virtualization Information
• Running Debugger/Forensic Tools
• User name
• Processor type
• OS version
• Antivirus product
• Firewall product

NOTES:

It checks if there is a running window with the following name:

• wireshark.exe
• Tfrmrpcap
• iptools.exe
• Iris - Version 5.59
• ProcessLasso_Notification_Class
• TSystemExplorerTrayForm.UnicodeClass
• PROCMON_WINDOW_CLASS
• PROCEXPL
• WdcWindow
• ProcessHacker
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x64
• 99929D61-1338-48B1-9433-D42A1D94F0D2-x32
• 99929D61-1338-48B1-9433-D42A1D94F0D2
• Dumper
• Dumper64
• APISpy32Class
• VMwareDragDetWndClass
• VMwareSwitchUserControlClass
• vmtoolsd.exe
• prl_cc.exe
• prl_tools.exe
• SharedIntApp.exe
• VBoxTray.exe
• VBoxService.exe
• vmusrvc.exe
• vmsrvc.exe

It checks for the following Service Disk or BIOS related registry information to check if it is running under virtualization:

• MWare
• TLTD
• irtual
• RLS
• box
• MIBI

It checks if the following registry keys exist:

SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_040515AD&REV_00
SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD&DEV_0774&SUBSYS_074015AD&REV_00
SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00
SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00
HARDWARE\ACPI\DSDT\PTLTD__
HARDWARE\ACPI\DSDT\VBOX__
HARDWARE\ACPI\DSDT\AMIBI