BKDR_CARETO.A
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Dropped by other malware, Spammed via email, Downloaded from the Internet
One of the Windows malware related to the Careto attack known for encoding its configuration data and encrypting its network traffic thus making analysis difficult.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It steals system information.
It deletes itself after execution.
TECHNICAL DETAILS
Varies
EXE, DLL
Yes
07 Feb 2014
Collects system information, Compromises system security
Arrival Details
This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following file(s)/component(s):
- %System%\awcodc32.dll - detected as BKDR_CARETO.A
- %System%\awdcxc32.dll - detected as BKDR_CARETO.A
- %System%\drivers\scsimap.sys - detected as BKDR_CARETO.A
- %System%\jpeg1x32.dll - detected as BKDR_CARETO.A
- %System%\mfcn30.dll - detected as BKDR_CARETO.A
- %System%\vchw9x.dll - detected as BKDR_CARETO.A
- %User Temp%\___{random number}.tmp - detected as BKDR_CARETO.A
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following non-malicious file:
- %System%\bootfont.bin
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- 36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap
ImagePath = "%System%\DRIVERS\scsimap.sys"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\CurrentControlSet\Services\
scsimap
Backdoor Routine
This backdoor posts the following information to its command and control (C&C) server:
- http://www.{BLOCKED}nt.com/server/ssl.htm
- https://{BLOCKED}t.{BLOCKED}et.nu/cgi-bin/index.cgi
- https://{BLOCKED}.{BLOCKED}.233.15/cgi-bin/index.cgi
As of this writing, the said servers are currently inaccessible.
Information Theft
This backdoor steals system information.
Other Details
This backdoor deletes itself after execution.
NOTES:
This backdoor has the following malicious components:
- %System%\awcodc32.dll
- %System%\awdcxc32.dll
- %System%\drivers\scsimap.sys
- %System%\jpeg1x32.dll
- %System%\mfcn30.dll
- %System%\vchw9x.dll
- %User Temp%\___{random number}.tmp
The file awdcxc32.dll communicates with the modified scsimap.sys and loaded by vchw9x.dll.
The file scsimap.sys loads the malware components.
The file jpeg1x32.dll uninstalls the malware.
The file mfcn30.dll contains information where the malware can download an updated copy of itself.
The files awcodc32.dll and vchw9x.dll are used to communicate to the C&C server.
The file ___{random number}.tmp deletes the dropper that executes it.
It uses pipe \\.\pipe\{807BF02B-3F5F-4570-970A-8AADBAA55AC1}.
"36A900E5-0AE5-4ca6-84B4-45A05B42E705}_262144_124160" is decrypted from code section.It uses "Caguen1aMar" as encryption key for communications with the C&C server.
It uses the following URL query parameters:
- Data
- Exec
- Ack
- Cmd
- Raw
- Id
- Inst
SOLUTION
9.700
10.600.08
07 Feb 2014
10.601.00
08 Feb 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\CurrentControlSet\Services\scsimap
- ImagePath = "%System%\DRIVERS\scsimap.sys"
- ImagePath = "%System%\DRIVERS\scsimap.sys"
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.
- In HKEY_LOCAL_MACHINE\CurrentControlSet\Services
- scsimap = ""
- scsimap = ""
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_CARETO.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.