BKDR_MOUDOOR.F

 Analysis by: Jasen Sumalapao

 ALIASES:

Backdoor:Win32/Moudoor.B (Microsoft), Backdoor.Win32.Inject.ycb (Kaspersky), Trojan.Gen.2 (Symantec), Gen:Variant.Zusy.5006 (FSecure), Trojan.Win32.Generic!BT (Sunbelt), PUA.Win32.Packer.InstallerVise (Clamav), W32/Farfli.NH (Fortinet), Win32.SuspectCrc (Ikarus), a variant of Win32/Farfli.NH trojan (NOD32), Trojan W32/Troj_Generic.CVLFB (Norman)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

116,736 bytes

File Type:

EXE, DLL

Initial Samples Received Date:

30 Jul 2012

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This backdoor drops the following component file(s):

  • %User Temp%\up.bak
  • %System%\KB{Random Numbers}.dat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It injects itself into the following processes running in the affected system's memory:

  • csrss.exe
  • lsass.exe

Autostart Technique

This backdoor adds the following lines or registry entries as part of its routine:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo

Backdoor Routine

This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:

  • {BLOCKED}.{BLOCKED}.155.57