BKDR_NIDRAN.A

May 31, 2016
 Analysis by: Francis Xavier Antazo
 ALIASES:

Trojan:Win32/Dynamer!ac (Microsoft); Win32/Agent.XWU (ESET); Trojan.Win32.Scar.lmvo (Kaspersky); Backdoor.Nidiran!g1 (Symantec);

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

62464 bytes

File Type:

DLL

Memory Resident:

Yes

Initial Samples Received Date:

17 Sep 2015

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

  • %System%\SPmsamger.dll

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This backdoor is a .DLL file that adds the following services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
Type = "32"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
Start = "2"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
ErrorControl = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
DisplayName = "Microsoft Security Accounts Manager"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
ImagePath = "%SystemRoot%\System32\svchost.exe -k msamger"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger
Description = "Support Security Accounts Manager For Micorosft Windows. If this service is stopped, any services that depended on it will fail to start"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Parameters
ServiceDll = "%System%\SPmsamger.dll"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Parameters
ServiceMain = "DllRegisterEntry"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Security
Security = "(hex values)"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Enum
0 = "Root\LEGACY_MSAMGER\0000"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Enum
Count = "1"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\msamger\Enum
NextInstance = "1"