BKDR_ANDROM.VBV

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %All Users Profile%\svchost.exe (Virtual Machine - Below Vista)
• %ProgramData%\svchost.exe (Virtual Machine - Windows Vista and above)
• %All Users Profile%\{random}.exe (Admin Account)
• %User Profile%\{random}.exe (Non-Admin Account)

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following processes:

• msiexec.exe
• svchost.exe

It injects codes into the following process(es):

• msiexec.exe
• svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random digit} = "%All Users Profile%\{random}.exe" (Admin Account)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%All Users Profile%\svchost.exe" (Virtual Machine - Below Vista)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%ProgramData%\svchost.exe" (Virtual Machine - Windows Vista and above)

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%User Profile%\{random}.exe" (Guest Account)

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it as %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}lse.com/login.php
• http://{BLOCKED}o.su/alter.php
• http://{BLOCKED}c.su/billing.php
• http://{BLOCKED}es.net/filling.php

Other Details

This backdoor deletes itself after execution.

NOTES:

It checks if it is being run in a VMWare environment. If it is being run in a VMWare environment, it performs another routine wherein it will open Port 8000 and listen for a backdoor command for performing remote shell execution.