BKDR_QUSARRAT.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It creates folders where it drops its files.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system and executes them:

• %Application Data%\SubDir\Client.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• MUTEX_OBFbLxWIM8FvuSNev1

Autostart Technique

This Backdoor enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

• %User Startup%\scvhost.vbs -> used to execute {Malware path}\{Malware Name}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Update Connection
• Restart Connection
• Disconnect Connection
• Uninstall itself
• View System Information
• Open File Manager
• Open Startup Manager
• Open Task Manager
• Open Remote Shell
• Open TCP Connections (IPv4 and IPv6 support)
• Reverse Proxy (SOCKS5)
• Open Registry Editor
• Elevate Client Permissions
• Computer Commands
  • Restart
  • Shutdown
  • Standby
• Remote Desktop
• Remote Webcam
• Password Recovery (Common Browsers and FTP Clients)
• Keylogger (Unicode Support)
• Download Files
• Execute Files
• Visit Website (hidden & visible)
• Show Messagebox

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.85.227:1337

Dropping Routine

This Backdoor drops the following file(s), which it uses for its keylogging routine:

• %Application Data%\Logs\MM-DD-YYYY -> {Current Date}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This Backdoor connects to the following URL(s) to get the affected system's IP address:

• http://ip-api.com/

It does the following:

• It adds the following scheduled tasks:
  • svchost
    • Executes at log on of any user
    • Executes the following command:
      • %Application Data%\SubDir\Client.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)