BKDR_CHIKDOS.A
Trojan:Win32/Farfli (Microsoft), Trojan.Win32.Swisyn.cskp (Kaspersky), Win32/TrojanDropper..Agent.QEP trojan (ESET)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following file(s)/component(s):
- %Program Files%\DbProtectSupport\fake.cfg
- %Program Files%\DbProtectSupport\svchost.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- %Program Files%\DbProtectSupport
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Other System Modifications
This backdoor adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT
NextInstance = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
Service = "DbProtectSupport"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
ConfigFlags = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
Class = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
DeviceDesc = "DbProtectSupport"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control
*NewlyCreated* = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control
ActiveService = "DbProtectSupport"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
Type = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ErrorControl = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ImagePath = "%Program Files%\DbProtectSupport\svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Security
Security = "{values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
0 = "Root\LEGACY\DBPROTECTSUPPORT\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
Count = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
NextInstance = "1"
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_DBPROTECTSUPPORT\
0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\DbProtectSupport\Enum
Other Details
This backdoor connects to the following possibly malicious URL:
- http://syn.{BLOCKED}x.com/