BKDR_VAWTRAK.YUYJT
BackDoor-FCAF!Vawtrak (McAfee)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Dropped by other malware, Downloaded from the Internet
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It executes commands from a remote malicious user, effectively compromising the affected system.
It modifies the Internet Explorer Zone Settings.
It deletes itself after execution.
TECHNICAL DETAILS
200,704 bytes
EXE
No
02 Jun 2016
Connects to URLs/IPs, Steals information
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- %All Users Profile%\Application Data\{random filename}.dat – detected as BKDR_VAWTRAK.YZH
(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat "
Other System Modifications
This backdoor adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
DefaultLevel = "262144"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
TransparentEnabled = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers
PolicyScope = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = "0"
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Safer\
CodeIdentifiers\0\Paths
Propagation
This backdoor does not have any propagation routine.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Log keystrokes
- Capture Screenshots
- Open a process
- Install Updates
- List Process
- Inject code to process
- Download and execute files
- Download configuration
- Perform remote shell
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- http://{BLOCKED}.{BLOCKED}.233.38/{path}?{data}
- http://{BLOCKED}.{BLOCKED}.233.80/{path}?{data}
- http://{BLOCKED}.{BLOCKED}.192.106/{path}?{data}
- http://{BLOCKED}.{BLOCKED}.192.110/{path}?{data}
- http://{BLOCKED}.{BLOCKED}.51.216/{path}?{data}
- http://{BLOCKED}.{BLOCKED}.184.239/{path}?{data}
- http://{BLOCKED}ag.com/{path}?{data}
- http://{BLOCKED}ka.com/{path}?{data}
- http://{BLOCKED}ng.com/{path}?{data}
- http://{BLOCKED}lon.com/{path}?{data}
- http://{BLOCKED}rda.com/{path}?{data}
- http://{BLOCKED}z.com/{path}?{data}
- http://{BLOCKED}on.com/{path}?{data}
- http://{BLOCKED}lpane.com/{path}?{data}
- http://{BLOCKED}ka.com/{path}?{data}
As of this writing, the said sites are inaccessible.
Web Browser Home Page and Search Page Modification
This backdoor modifies the Internet Explorer Zone Settings.
Information Theft
This backdoor attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:
- 32BitFtp
- 3D-FTP
- AceBIT
- Adobe
- BitKinex
- BulletProof FTP
- CoffeeCup Software
- Cryer Website Publisher
- Cyberduck
- DeluxeFTP
- EasyFTP
- Estsoft ALFTP
- ExpanDrive
- FTP Commander
- FTP Control
- FTP Explorer
- FTP Navigator
- FTP++
- FTPGetter
- FTPNow
- FTPRush
- FTPShell
- FTPWare COREFTP
- Far Manager
- FileZilla
- FireFTP
- FlashFXP 3
- FlashFXP 4
- FlashPeak BlazeFtp
- Fling FTP
- FreshFTP
- Frigate3
- GPSoftware Directory Opus
- Ghisler Total Commander
- Ghisler Windows Commander
- Global Downloader
- GlobalSCAPE CuteFTP
- GlobalSCAPE CuteFTP 6 Home
- GlobalSCAPE CuteFTP 6 Professional
- GlobalSCAPE CuteFTP 7 Home
- GlobalSCAPE CuteFTP 7 Professional
- GlobalSCAPE CuteFTP 8 Home
- GlobalSCAPE CuteFTP 8 Professional
- GlobalSCAPE CuteFTP Lite
- GlobalSCAPE CuteFTP Pro
- GoFTP
- INSoftware NovaFTP
- Ipswitch WS_FTP
- LeapFTP
- LeechFTP
- LinasFTP
- MAS-Soft FTPInfo
- MS IE FTP
- Martin Prikryl
- My FTP
- NCH Software ClassicFTP
- NetDrive
- NetSarang
- NexusFile
- Nico Mak Computing WinZip FTP
- NppFTP
- RhinoSoft FTPVoyager
- Robo-FTP
- SimonTatham PuTTY
- SmartFTP
- SoftX.org FTPClient
- Sota FFFTP
- South River Technologies WebDrive
- Staff-FTP
- TurboFTP
- UltraFXP
- VanDyke SecureFX
- Visicom Media
- WinFTP
- WiseFTP
It attempts to steal stored email credentials from the following:
- IncrediMail
- MS Outlook
- Poco Systems Pocomail
- RIT The Bat!
- RimArts Internet Mail
- Thunderbird
- Windows Live Mail
- Windows Mail
It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:
- Epic
- FastStone Browser
- Flock
- Internet Explorer
- K-Meleon
- Mozilla Firefox
- Mozilla SeaMonkey
Other Details
This backdoor deletes itself after execution.
NOTES:
The variable {path} can be any of the following:
- viewforum.php
- posting.php
It is capable of setting up a VNC (virtual network computing) server to take control of the compromised computer.
It injects its code in all running processes except the following:
- csrss.exe
- lsass.exe
- lsm.exe
- services.exe
- smss.exe
- svchost.exe
- taskhost.exe
- wininit.exe
- winlogon.exe
It only performs its intended routine once it is injected in the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
It checks for the presence of the following security-related folders:
- %System Root%\Documents and Settings\NetworkService\Local Settings\Application Data\F-SecureF-Secure Internet Security
- {file path}\AVAST Software
- {file path}\AVG
- {file path}\Agnitum
- {file path}\Alwil Software
- {file path}\AnVir Task Manager
- {file path}\ArcaBit
- {file path}\Avira
- {file path}\Avira GmbH
- {file path}\BitDefender
- {file path}\BlockPost
- {file path}\Common Files\Doctor Web
- {file path}\Common Files\G DATA
- {file path}\Common Files\P Tools
- {file path}\Common Files\Symantec Shared
- {file path}\DefenseWall
- {file path}\DefenseWall HIPS
- {file path}\Doctor Web
- {file path}\DrWeb
- {file path}\ESET
- {file path}\FRISK Software
- {file path}\G DATA
- {file path}\K7 omputing
- {file path}\Kaspersky Lab
- {file path}\Kaspersky Lab Setup Files
- {file path}\Lavasoft
- {file path}\Malwarebytes
- {file path}\Malwarebytes' Anti-Malware
- {file path}\McAfee
- {file path}\McAfee.com
- {file path}\Microsoft Security Essentials
- {file path}\Microsoft\Microsoft Antimalware
- {file path}\Norton AntiVirus
- {file path}\Microsoft Security Client
- {file path}\Online Solutions
- {file path}\P Tools
- {file path}\P Tools Internet Security
- {file path}\Panda Security
- {file path}\Positive Technologies
- {file path}\Sandboxie
- {file path}\Security Task Manager
- {file path}\Spyware Terminator
- {file path}\Sunbelt Software
- {file path}\Symantec
- {file path}\Trend Micro
- {file path}\UAenter
- {file path}\Vba32
- {file path}\Xore
- {file path}\Zillya Antivirus
- {file path}\a-squared Anti-Malware
- {file path}\a-squared HiJackFree
- {file path}\avg8
- {file path}\f-secure
The variable {file path} can be any of the following:
- %Program Files%
- %Program Files% (x86)
- %All Users Profile%\Application Data
Once it finds any of the above folders, it creates the a registry entry to force these applications to run under restricted privileges:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
ItemData = "{blacklisted software path}"
SaferFlags = "0"
It accesses the following registries to get a list of installed programs and their uninstall paths:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UninstallString
It steal passwords from Internet Explorer, Windows Protected Storage and all Autocomplete entries stored by Internet Explorer within the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
It does not have rootkit capabilities.
It does not exploit any vulnerability.
SOLUTION
9.8
12.538.05
20 May 2016
12.539.00
21 May 2016
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
- {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\paths\{random generated GUID}
- ItemData = "{blacklisted software path}
- ItemData = "{blacklisted software path}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\paths\{random generated GUID}
- SaferFlags = 0
- SaferFlags = 0
Step 5
Restore this deleted registry key/value from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
- {random filename} = regsvr32.exe "%All Users Profile%\Application Data\{random filename}.dat"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- DefaultLevel = "262144"
- DefaultLevel = "262144"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- TransparentEnabled = "1"
- TransparentEnabled = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
- PolicyScope = "0"
- PolicyScope = "0"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- NoProtectedModeBanner = "1"
- NoProtectedModeBanner = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- TabProcGrowth = "0"
- TabProcGrowth = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
- ItemData = {blacklisted software path}
- ItemData = {blacklisted software path}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{random generated GUID}
- SaferFlags = 0
- SaferFlags = 0
Step 6
Remove malware/grayware files dropped/downloaded by BKDR_VAWTRAK.YUYJT. (Note: Please skip this step if the threats listed below have already been removed.)
- BKDR_VAWTRAK.YZH
Step 7
Reset Internet security settings
Step 8
Reset Internet privacy settings
Step 9
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_VAWTRAK.YUYJT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 10
Scan your computer with your Trend Micro product to delete files detected as BKDR_VAWTRAK.YUYJT. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.