BKDR_BOTIME.A
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit), Windows 7 (32-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes then deletes itself afterward.
It does not have any propagation routine.
It executes commands from a remote malicious user, effectively compromising the affected system.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following component file(s):
- %system%\MSCTFIMEEXT.IME - detected as PTCH_REDUS.A
It executes then deletes itself afterward.
It injects codes into the following process(es):
- svchost.exe
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\
Boot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Keyboard Layouts\E6861806
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
ie = "{malware's location}\{malware name}"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
id2 = "{16 alphanumeric characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
it2 = it2 = "{binary data}"
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\
Boot
Runner1 = "{encrypted chunk of codes}"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Internet Explorer\Main
Start Page = "about:blank"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
PrivacyAdvanced = "0"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
EnableHttp1_1 = "1"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
CertificateRevocation = "1"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings
DisableCachingOfSSLPages = "1"
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Policies\Explorer
NoFavoritesMenu = "1"
It modifies the following registry entries:
HKEY_USERS\.DEFAULT\Keyboard Layout\
Preload
1 = "E6861806"
(Note: The default value data of the said registry entry is 00000409.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
CurrentLevel = "0"
(Note: The default value data of the said registry entry is 69632.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1001 = "3"
(Note: The default value data of the said registry entry is 1.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1201 = "0"
(Note: The default value data of the said registry entry is 3.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1601 = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Internet Settings\Zones\3
1C00 = "0"
(Note: The default value data of the said registry entry is 65536.)
Propagation
This backdoor does not have any propagation routine.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Download and execute arbitrary files.
- Shut down the computer.
- Steal system information.
- List security-related processes.
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- http://ip.{BLOCKED}n.net
- http://tp.{BLOCKED}n.net
NOTES:
This backdoor copies the file %system%\MSCTFIME.IME and save it as %system%\MSCTFIMEEXT.IME.
It modifies the copied file's export function "ImeInquire" and it will serve as it's autostart component.
It will then add the following registry entries to ensure its automatic execution whenever the keyboard is used:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806
IME File = "MSCTFIMEEXT.IME"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806
Layout File = "KBDUS.DLL"
It inject codes in svchost.exe's memory where it will decrypt and execute the chunk of codes in the following created registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Boot
Runner1 = "{encrypted chunk of codes}"
It does not have rootkit capabilities.
It does not exploit any vulnerability.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove malware/grayware files dropped/downloaded by BKDR_BOTIME.A
- PTCH_REDUS.A
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\Boot
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E6861806
Step 5
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
- ie = "{malware's location}\{malware name}"
- ie = "{malware's location}\{malware name}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
- id2 = "{16 alphanumeric characters}"
- id2 = "{16 alphanumeric characters}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\ODBC
- it2 = "{binary data}"
- it2 = "{binary data}"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
- Start Page = "about:blank"
- Start Page = "about:blank"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- PrivacyAdvanced = "0"
- PrivacyAdvanced = "0"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- EnableHttp1_1 = "1"
- EnableHttp1_1 = "1"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- CertificateRevocation = "1"
- CertificateRevocation = "1"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- DisableCachingOfSSLPages = "1"
- DisableCachingOfSSLPages = "1"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- NoFavoritesMenu = "1"
- NoFavoritesMenu = "1"
Step 6
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
- From: 1 = "E6861806"
To: 1 = "00000409"
- From: 1 = "E6861806"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- From: CurrentLevel = "0"
To: CurrentLevel = "69632"
- From: CurrentLevel = "0"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- From: 1001 = "3"
To: 1001 = "1"
- From: 1001 = "3"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- From: 1201 = "0"
To: 1201 = "3"
- From: 1201 = "0"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- From: 1601 = "0"
To: 1601 = "1"
- From: 1601 = "0"
- In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- From: 1C00 = "0"
To: 1C00 = "65536"
- From: 1C00 = "0"
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_BOTIME.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.