BKDR_VB.JMZ

This backdoor may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It creates folders where it drops its files.

Arrival Details

This backdoor may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\wiseni32.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following non-malicious files:

• %System Root%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
• %Application Data%\Microsoft\Crypto\RSA\S-1-5-21-507921405-362288127-725345543-1003\a49e2717d3c2d358c0a8b3b1724ab6c9_72607dae-9d01-4c33-9a85-bc9ed0c92cf6

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It is injected into the following processes running in memory:

• EXPLORER.EXE

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{28ABC5C0-4FCF-11CF-ADX5-81XC1C635612}
StubPath = "%System Root%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\wiseni32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{28ABC5C0-4FCF-11CF-ADX5-81XC1C635612}

Other Details

This backdoor does the following:

• Opens random TCP ports to connect to the server f22.{BLOCKED}o.com