BKDR_ANDROM.WPAD

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It does not have any information-stealing capability.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• {All Users' Profile}\{random file name}.exe
• {All Users' Profile}\svchost.exe

It executes then deletes itself afterward.

It injects threads into the following normal process(es):

• svchost.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "{All Users' Profile}\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random number} = "{All Users' Profile}\{random file name}.exe"

Other System Modifications

This backdoor adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\svchost.exe = "%System%\svchost.exe:*:Generic Host Process"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\msiexec.exe = "%System%\msiexec.exe:*:Generic Host Process"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it as %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following websites to send and receive information:

• http://{BLOCKED}t.ru/new/gate.php
• http://{BLOCKED}mcam.ru/new/gate.php
• http://{BLOCKED}mus.com/new/gate.php

Information Theft

This backdoor does not have any information-stealing capability.

NOTES:

It checks if it is being run in a VMWare environment or emulation software. If it is being run in a VMWare environment or Emulation software, it performs another routine where in it will open Port 8000 and listen for a backdoor command for performing remote shell execution.

It also checks if there is a running network monitoring software in the affected machine. If found, it also performs its other routine.

It connects to the following websites to send and receive the commands. But it is not related to information theft:

• http://{BLOCKED}t.ru/new/gate.php
• http://{BLOCKED}mcam.ru/new/gate.php
• http://{BLOCKED}mus.com/new/gate.php

It does not have rootkit capabilities.

It does not exploit any vulnerability.