BKDR_BIZOME.VRX

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\IPZ
ImagePath = "{malware path and filename}" --service

Other System Modifications

This backdoor adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = {malware path and filename}:*:Enabled:ipz

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• 310

Dropping Routine

This backdoor drops the following files:

• %Current%\ipz-db.bin
• %Current%\log.txt

Other Details

This backdoor displays the following images:

It does the following:

• May be executed using command-line and may have the following parameters:
  /i - install itself as service
  /s - start service
  /r - remove service
  /l - log activities of the malware
• Sends ICMP PING requests to a series of IP addresses and scans for port 4899 to check if those IP addresses have RADMIN service running. Once successful, it may use the following hard-coded list of usernames and passwords to gain access to the system:
  0987654321
  111111
  11111111
  121212
  12121212
  123123
  12341234
  123456
  12345678
  123456789
  1234567890
  1q2w3e
  1q2w3e4r
  1q2w3e4r5t
  654321
  87654321
  Admin
  Administrator
  aaaaaa
  aaaaaaaa
  admin
  administrator
  aerial
  aerodynamics
  aeroplane
  alien
  altera
  altitude
  america
  american
  anchorite
  annihilation
  archer
  asdfghjk
  asdfghjkl
  atmel
  atmosphere
  atomic
  backward
  battle
  bender
  billgates
  boeing
  brentcorrigan
  brutal
  bullshit
  burning
  callofduty
  cannon
  cdrom
  children
  computer
  coolface
  copyleft
  copyright
  creative
  creator
  darthvader
  deathcore
  deathstar
  debian
  deltaplane
  destroy
  disable
  display
  domination
  doomsday
  elephant
  elimination
  emoboy
  emokid
  emperor
  enable
  enigma
  europe
  evangellion
  fallout
  fighter
  folder
  forward
  freedom
  fuckyou
  godzilla
  google
  gothic
  grinder
  guitar
  happiness
  happy
  hardcore
  harddisk
  helicopter
  hippie
  hitler
  horishima
  horizon
  ignore
  imageboard
  income
  incoming
  insane
  internet
  israel
  jesus
  jetpack
  kamikaze
  keyboard
  kremlin
  latitude
  lineage2
  login
  longtitude
  lucifer
  lurkmore
  machine
  memory
  metall
  microchip
  microsoft
  minigun
  missile
  monkey
  motorbike
  mouse
  mozilla
  music
  negative
  nekoboy
  nigger
  nuclear
  oracle
  overmind
  password
  people
  pilotage
  police
  positive
  predator
  pretty
  processor
  propeller
  prototype
  qazwsx
  qazwsxedc
  qqqqqq
  qqqqqqqq
  qweasd
  qweasdzxc
  qwerty
  qwertyui
  qwertyuiop
  radmin
  rastaman
  reactor
  receiver
  revolution
  rocketman
  router
  samael
  satan
  sattelite
  scientology
  secret
  secure
  shadow
  shcool
  skynet
  skywalker
  smoking
  solder
  speaker
  stalin
  starcraft
  stinger
  sunlight
  superman
  supply
  suxxxx
  terminator
  thieft
  thread
  thunderbird
  tolerance
  topsecret
  tranciever
  transmitter
  trollface
  ubuntu
  unknown
  username
  utorrent
  warcraft
  warhammer
  washington
  whitehouse
  windows
  wireless
  xlinx
  youandme
  youtube
  zeitgeist
• Installs itself on the machine. It uses port 310 to communicate between machines infected with this backdoor.
• Logs the following activities of the malware in the file log.txt:
  (peer_broadcast_link) broadcasting link to {IP}
  (peer_link_to_self) buddy {IP} kicked due to synchronization error
  (peer_link_to_self) synchronized link to {IP}
  (peer_new_buddy) {IP} - added new buddy
  (peer_new_buddy) {IP} - buddy already in list
  (peer_new_buddy) {IP} - connection closed
  (peer_new_buddy) {IP} - trying to connect
  (peer_process_link_message) linked to new buddy {IP}
  (peer_process_link_message) synchronized link with {IP}
  (peer_process_message) new message
  (peer_process_message) new message accepted
  (peer_process_poll_message) message delivered to {IP}
  (peer_process_poll_message) no messages to deliver to {IP}
  (peer_process_poll_message) {IP} polled his mailbox
  [{Date and Time}] {ID} (ACT) connected to {IP}
  [{Date and Time}] {ID} (ACT) disconnected from {IP}
  [{Date and Time}] {ID} (ACT) failed to connect to {IP}
  [{Date and Time}] {ID} (ACT) message delivered to {IP}
  [{Date and Time}] {ID} (ACT) message received from {IP}
  [{Date and Time}] {ID} (ACT) no messages on {IP}
  [{Date and Time}] {ID} (ACT) polling mailbox on {IP}
  [{Date and Time}] {ID} (ACT) sending messages to {IP}
  [{Date and Time}] {ID} (ACT) trying to connect to {IP}
  [{Date and Time}] {ID} (PASS) LINK from {IP}
  [{Date and Time}] {ID} (PASS) POLL from {IP}
  [{Date and Time}] {ID} (PASS) connection from {IP} closed
  [{Date and Time}] {ID} (PASS) message from {IP}
  [{Date and Time}] {ID} (PASS) received connection from {IP}
• This malware is infected with PE_VIRUX.Q.