arrow_back
search
close

BKDR_JADTRE.AI

October 16, 2012
 Analysis by: Nikko Tamana
 ALIASES:

W32/Agent.JH!tr (Fortinet), W32/QQhelper.C.gen!Eldorado (FProt), Exploit.Win32.ShellCode (Ikarus), TrojanDownloader:Win32/Jadtre.B (Microsoft), a variant of Win32/Wapomi.AO virus (NOD32), Infostealer.Gampass (Norton)

 PLATFORM:

Windows 2000, Windows XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

83,968 bytes

File Type:

EXE

Initial Samples Received Date:

13 Oct 2012

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

  • %System%\{random file name}.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System%\{random file name}.tmp
  • %System%\appmgmts.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This backdoor deletes the following files:

  • %System%\appmgmts.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrsx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avguard.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avmailc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avshadow.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avwebgrd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bdagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dwengine.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
egui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FilMsg.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kmailmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdwsc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfw32.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpopserver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmgui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kswebshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvexpert.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvxp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwatch.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwsupd.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxedefend.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxesapp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxescore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxeserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxetray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
livesrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcagent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcmscsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McNASvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcods.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McSACore.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcshield.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcsysmon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcvsshld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mfefire.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MOBKbackup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MpfSrv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPMon.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC1.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC2.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
msksrver.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MsSvHost.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCAddWidget.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr_tz_Setup.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCUPDATE.EXE
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qutmserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsmgrsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sched.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
seccenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SfCtlCom.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spideragent.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SpIDerMl.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spidernt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spiderui.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SuperKiller.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TMBMSRV.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TmProxy.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Twister.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UfSeAgnt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3PScan.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3SP.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vgchsvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
VPSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsserv.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ÐÞ¸´¹¤¾ß.exe
Debugger = "ntsd -d"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Start = "3"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Type = "1"

HKLM\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "%System%\{random file name}.sys"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360hotfix.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rp.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safe.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SAFE_INSTALLER.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugge = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360se.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SoftMgrSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360speedld.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
afwServ.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ast.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastSvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastUI.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avcenter.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avfwsvc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgcsrvx.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgemc.exe
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnsx.exe
Debugger = "ntsd -d"

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}0.{BLOCKED}9.92.248
  • {BLOCKED}0.{BLOCKED}9.92.245
  • {BLOCKED}0.{BLOCKED}9.92.244
  • {BLOCKED}0.{BLOCKED}9.92.242
  • {BLOCKED}0.{BLOCKED}9.92.239
  • {BLOCKED}0.{BLOCKED}9.92.248
  • {BLOCKED}0.{BLOCKED}9.92.236
  • {BLOCKED}0.{BLOCKED}9.92.250
  • {BLOCKED}0.{BLOCKED}9.92.251
  • {BLOCKED}0.{BLOCKED}9.92.254
  • {BLOCKED}0.{BLOCKED}9.92.249
  • {BLOCKED}0.{BLOCKED}9.92.240
  • {BLOCKED}0.{BLOCKED}9.92.243
  • {BLOCKED}0.{BLOCKED}9.92.253
  • {BLOCKED}0.39.92.241
  • {BLOCKED}0.{BLOCKED}9.92.246
  • {BLOCKED}0.{BLOCKED}9.92.245
  • {BLOCKED}0.{BLOCKED}9.92.237
  • {BLOCKED}3.{BLOCKED}4.193.128
  • {BLOCKED}3.{BLOCKED}4.193.125
  • {BLOCKED}2.{BLOCKED}6.167.95
  • {BLOCKED}d.{BLOCKED}v.com
  • www.{BLOCKED}u.com
  • www.{BLOCKED}4.info

NOTES:

It modifies the file attributes of %System%\drivers\etc\hosts to RHS (Read-only, hidden and system file).

It deletes the original %System%\appmgmts.dll and replaces it with a copy of itself with the same filename as with the deleted file. In this way, the malware registers itself as a service to ensure its execution every startup.