BKDR_CHOSZ.C

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It logs a user's keystrokes to steal information.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %System Root%\Documents and Settings\All Users\Application Data\Connection.DLL

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
Description = "network connect"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
DisplayName = "Connection"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
ImagePath = "%SystemRoot%\system32\svchost.exe -k LocalService"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection\Parameters
ServiceDll = "%System Root%\Documents and Settings\All Users\Application Data\Connection.DLL"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection\Parameters
ServiceMain = "VlCo"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection\Enum

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Connection\Security

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SS\PROXY

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
LocalService = "{Default values} Connection"

(Note: The default value data of the said registry entry is {Default values}.)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Connect to a database server and execute a SQL statement
• Display a message box
• Download files
• Enumerate TCP connections
• Enumerate network shared folders and devices
• Enumerate/create/delete/modify files and folders
• Enumerate/create/delete/modify registry keys and entries
• Enumerate/create/delete/modify/start services
• Enumerate/create/terminate processes
• Get drive information
• Get file information
• Get process information
• Get service information
• Get system information
• Lock windows
• Log keystrokes and active window
• Log off user
• Manage application windows
• Perform remote desktop
• Perform remote shell
• Restart/shutdown system
• Take screenshots of the system

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}m.{BLOCKED}e.com

Information Theft

This backdoor logs a user's keystrokes to steal information.

Stolen Information

The stolen information is saved in the following file:

• %System Root%\Documents and Settings\All Users\Application Data\SSK.LOG

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Other Details

This backdoor deletes the initially executed copy of itself