BKDR_CYCBOT.BGK
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
286,720 bytes
EXE
Yes
04 Nov 2011
Arrival Details
This backdoor may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %Program Files%\LP\7CCA\C29.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
It creates the following folders:
- %Program Files%\LP\7CCA
- %Program Files%\LP
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
C29.exe = %Program Files%\LP\7CCA\C29.exe
Other System Modifications
This backdoor modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = 1
(Note: The default value data of the said registry entry is 0.)
Other Details
This backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}dlegion.com/16354.png?pr={values}
- http://{BLOCKED}transferhere.com/logo.png?tq={values}
- http://{BLOCKED}pidstore.com/logo.png?tq={values}
- http://{BLOCKED}onicstheory.com/pics/sun.png?pr={values}
NOTES:
It may download other files and save them in the following location:
- %Application Data%\{random}\
It then executes the downloaded files, thus the routines of the file are also exhibited on the system.