Backdoor.Win32.NANOCORE.CCO
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Backdoor drops the following copies of itself into the affected system:
- %Application Data%\windate\windate.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)
It creates the following folders:
- %Application Data%\windate
- %Application Data%\{GUID}\Logs
- %Application Data%\{GUID}
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)
Autostart Technique
This Backdoor drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:
- %User Startup%\windate.vbs
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows XP, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)
Dropping Routine
This Backdoor drops the following files:
- %Application Data%\windate\windate.exe.config
- %Application Data%\windate\aspr_keys.ini
- %Application Data%\{GUID}\run.dat
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.)
Other Details
This Backdoor connects to the following possibly malicious URL:
- http://{BLOCKED}mpa.tk
- http://tojah77.{BLOCKED}s.org