BKDR_ANDROM.MJSY

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It deletes itself after execution.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %ProgramData%\explorer.exe (Windows Vista and 7 only)
• %All Users Profile%\explorer.exe
• %All Users Profile%\{random}.exe

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This is usually C:\ProgramData in Windows Vista and 7, or C:\Program Files on Windows 2000, XP (32-bit), and Server 2003, or C:\Program Files (x86) on Windows XP (64-bit).. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It stays resident in memory by creating the following process(es):

• msiexec.exe

It injects codes into the following process(es):

• msiexec.exe

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Start WingMan Profiler = "%All Users Profile%\explorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
540 = "%All Users Profile%\{random}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Start WingMan Profiler = "%ProgramData%\explorer.exe" (Windows Vista and 7 only and if Java update is disabled in startup)

Other System Modifications

This backdoor creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:Enabled:{malware file name}"

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download a file from C&C server and save it as %User Temp%\{random number}.exe
• Download a file from C&C server and save it as %System Root%\Documents and Settings\All Users\ms{random number}.dat and loads it
• Start a process
• Uninstall itself
• Remote command prompt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It connects to the following websites to send and receive information:

• http://{BLOCKED}ons.ru/new2/gate.php
• http://{BLOCKED}or.su/new2/gate.php
• http://{BLOCKED}ors.ru/new2/gate.php
• http://{BLOCKED}all.ru/new2/gate.php
• http://{BLOCKED}gin.su/new2/gate.php
• http://{BLOCKED}sdietz.ru/new2/gate.php
• http://{BLOCKED}s.su/new2/gate.php
• http://{BLOCKED}su.su/new2/gate.php
• http://{BLOCKED}k.su/new2/gate.php
• http://{BLOCKED}not.ru/new2/gate.php
• http://{BLOCKED}versen.ru/new2/gate.php
• http://{BLOCKED}g.ru/new2/gate.php
• http://{BLOCKED}ncodes.ru/new2/gate.php

Other Details

This backdoor deletes itself after execution.

NOTES:

This backdoor checks if it is being run in VMWare environment or Emulation software. If it is being run in a VMWare environment or Emulation software, it performs another routine where in it will open Port 3232 and listen for a backdoor command to perform remote shell execution.