BKDR_WKYSOL.ED

This backdoor may be dropped by other malware.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_MDROPPR.DCD

Installation

This backdoor drops the following component file(s):

• %AppDataLocal%\pla.dll (Windows Vista and 7 only) - also detected as BKDR_WKYSOL.ED
• %AppDataLocal%\setm.ini (Windows Vista and 7 only)
• %User Profile%\Local Settings\pla.dll (versions other than Windows Vista and 7) - also detected as BKDR_WKYSOL.ED
• %User Profile%\Local Settings\setm.ini (versions other than Windows Vista and 7)
• %User Temp%\pfilede.dat

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It is injected into the following processes running in memory:

• IEXPLORE.EXE

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
start = "{malware location}\{malware filename}.exe -startup"

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download and upload arbitrary files
• Perform command shell commands
• Create/terminate process
• Create, open, and delete files
• Reboot the computer

It connects to the following websites to send and receive information:

• http://{BLOCKED}7s.{BLOCKED}.net

NOTES:

This backdoor gets its settings from the configuration file setm.ini. This configuration file contains the following:

• Sleep time of the malware
• URL it connects to
• File names of the component files
• Bot ID

It connects to the following remote site to download a possible configuration or component file that contains its intended routines and send back information such as host name and IP address:

• http://{BLOCKED}7s.{BLOCKED}p.net/kys_allow_get.asp?name=getkys.jpg&hostname={hostname}-{IP Address}{Bot ID}
• http://{BLOCKED}s.{BLOCKED}p.net/kys_allow_put.asp?type=put.jpg&hostname={hostname}-{IP Address}{Bot ID}

This backdoor is also capable of deleting the registry entries it adds when the parameter -removekys is passed on to it by its component file.

It does not have rootkit capabilities.

It does not exploit any vulnerability.