BKDR_GETWAY.A
Backdoor:Win32/Small.EF (Microsoft), BackDoor-COS (McAfee), Troj/Bdoor-JE (Sophos), BDS/Instable (Antivir), W32/Goatway.B (F-Prot), Trojan horse BackDoor.Small.19.AN (AVG), W32/DLOADER.CT!tr.bdr (Fortinet), Trojan-Downloader.Win32.Small (Ikarus), Win32/Small.EF trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 82,290 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 23 Sep 2011
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system and executes them:
- %Windows%\blah.exe
- %Windows%\twain32_.exe
- %System%\Sys_Run.exe
- %System%\waol.exe
- %Windows%\gateway.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32. On 64-bit Windows a 32-bit dropper writing to %System% is redirected to C:\Windows\SysWOW64, so check both locations.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup (each copy is registered under both the per-user and the machine-wide Run key; the page's key paths omit the Windows\ component of the standard Run key path, restored here):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DllLoader = "%Windows%\blah.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
DllLoader = "%Windows%\blah.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random value} = "%Windows%\twain32_.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
{random value} = "%Windows%\twain32_.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CreateLive = "%System%\waol.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
CreateLive = "%System%\waol.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
gateway = "%Windows%\gateway.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
gateway = "%Windows%\gateway.exe"
Because the twain32_.exe entry uses a random value name, detection of that entry has to match on the value data (the file path) rather than on the value name.
Other Details
This backdoor connects to the following possibly malicious URLs. The beep.php request is a check-in beacon that leaks host identification (OS, user name, computer name, the backdoor's own name and version, and the IP address) in plain query-string parameters, which makes the request pattern itself a usable network indicator:
- http://you.{BLOCKED}ere.org
- http://www.{BLOCKED}e.com/beep.php?OS={OS}&UserName={User Name}&ComputerName={Computer Name}&GatewayName={Gateway Name}&GatewayVersion={Gateway Version}&IP={IP address}|
- http://www.{BLOCKED}h.com
- http://{BLOCKED}s.{BLOCKED}p.com
- http://{BLOCKED}l.{BLOCKED}h.cx
- http://{BLOCKED}e.{BLOCKED}ass.org
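The beacon above carries a fixed parameter sequence, so proxy or web-gateway logs can be searched for the path and parameter shape without knowing the (blocked) host name. The following is an added example written for this page, not Trend Micro's own tooling: it runs over constructed log lines (the host name www.example-c2.com and the field values are made up for the illustration) and extracts the fields the backdoor exfiltrates.

```powershell
# Added example, not part of the original entry. Sample proxy log lines are
# constructed; the C2 host is a placeholder because the page redacts the real one.
$logLines = @(
    '2011-09-23 10:14:02 10.0.0.7 GET http://www.example-c2.com/beep.php?OS=Windows%20XP&UserName=jsmith&ComputerName=WS-0412&GatewayName=gateway&GatewayVersion=1.0&IP=10.0.0.7| 200',
    '2011-09-23 10:14:05 10.0.0.9 GET http://intranet.local/index.php 200',
    '2011-09-23 10:15:41 10.0.0.7 GET http://www.example-c2.com/beep.php?OS=Windows%207&UserName=admin&ComputerName=SRV01&GatewayName=gateway&GatewayVersion=1.0&IP=10.0.0.12| 200'
)

function Get-GetwayBeacon {
    param([string[]]$Lines)
    # Match on the path plus the full, ordered parameter set the page documents.
    # The host is deliberately not part of the pattern: it varies per sample.
    $pattern = '/beep\.php\?(?<q>OS=[^ &]*&UserName=[^ &]*&ComputerName=[^ &]*&GatewayName=[^ &]*&GatewayVersion=[^ &]*&IP=[^ |]*)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $fields = @{}
            foreach ($pair in ($Matches['q'] -split '&')) {
                $k, $v = $pair -split '=', 2
                $fields[$k] = [uri]::UnescapeDataString($v)
            }
            [pscustomobject]@{
                Timestamp    = ($line -split ' ')[0..1] -join ' '
                ClientIP     = ($line -split ' ')[2]
                OS           = $fields['OS']
                UserName     = $fields['UserName']
                ComputerName = $fields['ComputerName']
                ReportedIP   = $fields['IP']
                Gateway      = "$($fields['GatewayName']) $($fields['GatewayVersion'])"
            }
        }
    }
}

Get-GetwayBeacon -Lines $logLines | Format-Table -AutoSize
```

Matching on the parameter sequence rather than the host keeps the rule useful when the operator moves the C2 domain; the reported IP and the proxy's client IP are both kept because a mismatch between them is itself worth noting (NAT, or a beacon relayed from another host).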
NOTES:
This backdoor adds the following registry entry to enable its automatic execution every time Task Manager is executed. Image File Execution Options (IFEO) is a debugging facility: when a Debugger value exists for an image name, Windows launches the Debugger command line instead, passing the original executable's path as an argument. Registering Sys_Run.exe -t as the "debugger" for taskmgr.exe therefore re-launches the backdoor whenever a user opens Task Manager, and leaves it to the backdoor whether Task Manager actually starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = "%System%\Sys_Run.exe -t"
This description is based on a compiled analysis of several samples detected as BKDR_GETWAY.A. Note that specific data such as file names and registry values may vary for each sample.
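The Installation, Autostart Technique and NOTES sections above together describe a small set of host artifacts (dropped copies, Run-key values, and an IFEO Debugger hijack). The script below is an added triage example written for this page, not part of Trend Micro's entry or its tooling. It uses the file and value names listed above as given; as the note says, they may vary per sample, so the Run-key check also matches on the dropped file names in the value data, and the IFEO check reports every Debugger value rather than only the taskmgr.exe one, since any such entry redirects program execution the same way. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original entry. Hunts for the artifacts the
# BKDR_GETWAY.A description lists; names are taken from the page and may vary.
$ErrorActionPreference = 'SilentlyContinue'

$windows  = $env:SystemRoot                       # %Windows%
$system   = Join-Path $env:SystemRoot 'System32'  # %System%
$system32 = Join-Path $env:SystemRoot 'SysWOW64'  # where a 32-bit dropper lands on x64

# 1. Dropped copies of the backdoor
$files = @(
    (Join-Path $windows  'blah.exe'),
    (Join-Path $windows  'twain32_.exe'),
    (Join-Path $windows  'gateway.exe'),
    (Join-Path $system   'Sys_Run.exe'),
    (Join-Path $system   'waol.exe'),
    (Join-Path $system32 'Sys_Run.exe'),
    (Join-Path $system32 'waol.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        "[FILE] $f  size=$($item.Length)  mtime=$($item.LastWriteTime)"
    }
}

# 2. Run-key persistence under HKCU and HKLM. The twain32_.exe entry uses a
#    random value name, so match on the value data as well as on known names.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$knownNames = @('DllLoader', 'CreateLive', 'gateway')
$knownExes  = @('blah.exe', 'twain32_.exe', 'waol.exe', 'gateway.exe')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $nameHit = $knownNames -contains $p.Name
        $dataHit = $knownExes | Where-Object { "$($p.Value)" -like "*\$_*" }
        if ($nameHit -or $dataHit) {
            "[RUN]  $key  $($p.Name) = $($p.Value)"
        }
    }
}

# 3. IFEO Debugger hijack. Windows runs the Debugger string in place of the
#    named image, so every Debugger value is reported; taskmgr.exe is flagged.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger).Debugger
    if ($dbg) {
        $flag = if ($_.PSChildName -eq 'taskmgr.exe') { '!!' } else { '  ' }
        "[IFEO]$flag $($_.PSChildName) -> Debugger = $dbg"
    }
}
```

Legitimate IFEO Debugger entries do exist (for example, ones set by developer tooling), so a hit outside taskmgr.exe is a lead to verify against the referenced binary, not a verdict on its own.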