BKDR_FAKETM.AE

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This backdoor drops the following copies of itself into the affected system:

• %System%:MCPUPlayer.exe (With Admin Rights Privilege)
• %User Profile%\Application Data\MCPUPlayer.exe (Without Admin Rights Privilege)

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AdobeCro CPUPlayer = "%System%:MCPUPlayer.exe" (With Admin Rights Privilege)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AdobeCro CPUPlayer = “%User Profile%\Application Data\MCPUPlayer.exe" (Without Admin Rights Privilege)

Other Details

This backdoor connects to the following possibly malicious URL:

• sendmsg.{BLOCKED}crab.com

It deletes the initially executed copy of itself