BKDR_PANDEMIYA.A

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It reads its configuration file that contains commands and data to be sent to a remote server.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It sends the information it gathers to remote users via HTTP Post.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Application Data%\{ramdom file name 1}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following component file(s):

• %System%\{random file name 2}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {GUID}

It stays memory-resident by creating remote threads:

• iexplorer.exe
• firefox.exe
• explorer.exe
• chrome.exe

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name 1} = "%Application Data%\{random file name 1}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
{random file name 1} = "%System%\{random file name 2}.dll"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
ProxyBypass = 1

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
IntranetName = 1

(Note: The default value data of the said registry entry is "0".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
UNCAsIntranet = 1

(Note: The default value data of the said registry entry is "0".)

Backdoor Routine

This backdoor reads its configuration file that contains commands and data to be sent to a remote server.

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}.{BLOCKED}.175.134/fg/dump.php

As of this writing, the said servers are currently inaccessible.

Web Browser Home Page and Search Page Modification

This backdoor modifies the Internet Explorer Zone Settings.

Information Theft

This backdoor attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Drop Points

This backdoor sends the information it gathers to remote users via HTTP Post.

Other Details

Based on analysis of the codes, it has the following capabilities:

• Archive and upload file(s)
• Capture screenshot
• Clear cookies
• Download a configuration file
• Download file(s)
• Open a SOCKS proxy
• Reboot the affected system
• Steal certificates
• Steal cookies
• Update configuration file
• Upload a log file which contains stolen information

It deletes the initially executed copy of itself

NOTES:

It hooks the following WININET.DLL exported functions when the DLL component is loaded in IEXPLORE.EXE to monitor network traffic:

• InternetReadFile
• InternetReadFileExA
• InternetReadFileExW
• HttpSendRequestA
• HttpSendRequestW
• HttpQueryInfoA
• HttpQueryInfoW
• HttpAddRequestHeadersA
• HttpAddRequestHeadersW
• InternetConnectA
• InternetConnectW
• InternetQueryDataAvailable

It hooks the following NSS3.DLL exported functions when the DLL component is loaded in FIREFOX.EXE to monitor network traffic:

• PR_Read
• PR_Write
• PR_Close

It hooks the following WS2_32.DLL and KERNEL32.DLL exported functions when the DLL component is loaded in CHROME.EXE to monitor network traffic:

• WSARecv
• WSASend
• closesocket
• LoadLibraryExW