BKDR_BADEY.A

Trend Micro has flagged this backdoor as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, it is being downloaded by the specially crafted script, HTML_BADEY.A, which exploits a vulnerability in Internet Explorer.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This Backdoor may be downloaded from remote sites. It may also be downloaded by HTML_BADEY.A. It drops component files and injects itself into the processes running in the affected system's memory. It registers as a system service to ensure its automatic execution at every system startup by adding registry entries. It opens certain ports.

This Backdoor accesses websites to download files. It saves the files it downloads using certain file names. This backdoor downloads encrypted files, and then decrypts and reads these files, which contain backdoor commands that it executes on the system.

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

Arrival Details

This backdoor may be downloaded by the following malware/grayware/spyware from remote sites:

• HTML_BADEY.A

It may be downloaded from the following remote sites:

• http://www.{BLOCKED}lub.com/reg/linkbl.gif

Installation

This backdoor drops the following component file(s):

• %System%\msnetacsvc.dll - also detected as BKDR_BADEY.A
• %User Startup%\ctfmon.exe - also detected as BKDR_BADEY.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

It injects itself into the following processes running in the affected system's memory:

• svchost.exe

Autostart Technique

This backdoor registers as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
DisplayName = NetWare Workstations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
Type = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation
Description = "Provide NetWare network file and print resources visit."

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation\Parameters
ServiceDll = "%SystemRoot%\System32\msnetacsvc.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NWCWorkstation\Security
Security = {hex values}

Backdoor Routine

This backdoor opens the following ports:

• UDP port 80 (HTTP)

Download Routine

This backdoor accesses the following websites to download files:

• http://{BLOCKED}8.114.26/images/{random}.gif
• http://{BLOCKED}8.114.26/pic/{random}.gif
• http://{BLOCKED}8.114.26/image/{random}.gif
• http://{BLOCKED}8.114.26/binary/{random}.gif
• http://{BLOCKED}8.114.26/news/{random}.gif
• http://{BLOCKED}8.114.26/index/{random}.gif
• http://{BLOCKED}8.114.26/picture/{random}.gif
• http://{BLOCKED}8.114.26/bbs/{random}.gif

It saves the files it downloads using the following names:

• %User temp%\{random file name}.tmp

Other Details

This backdoor does the following:

• Downloads encrypted files, and then decrypts and reads these files, which contain backdoor commands that it executes on the system.