BKDR_GENOME

GENOME malware are typically Trojan downloaders that are dropped by other malware. They may also arrive as files downloaded unknowingly by users when visiting malicious sites.

They connect to various sites to download. Though most are classified as Trojans, there have been GENOME malware which display propagation or backdoor routines. Variants that display backdoor capabilities may execute commands from a remote malicious user.

Installation

This backdoor drops the following files:

• %System Root%\confl.log

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This backdoor adds the following registry entries to install itself as a Browser Helper Object (BHO):

HKEY_CLASSES_ROOT\CLSID\{2EB1DE5D-91E6-4AD7-9C69-91243E190EB1}
@ = "Abn"

HKEY_CLASSES_ROOT\CLSID\{2EB1DE5D-91E6-4AD7-9C69-91243E190EB1}\
InProcServer32
@ = "%System Root%\Abn.dll" = ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{2EB1DE5D-91E6-4AD7-9C69-91243E190EB1}

Propagation

This backdoor drops the following copy(ies) of itself in all removable drives:

• %System Root%\Arquivos de programas\Internet Explorer\PLUGINS\iewd.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Download Routine

This backdoor saves the files it downloads using the following names:

• %Windows%\a0x1.exe
• %System%\Eguis.exe
• %System%\isssas.cpl

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other Details

This backdoor connects to the following possibly malicious URL:

• http://{BLOCKED}0.{BLOCKED}4.72.61/RealMedia/ads/Creatives/OasDefault/ASACSA_TC-08.06.09/des.jpg
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=1&wm_id=0&u=a8fbbde7-2725-43dd-974b-4d36acf41a1d&log_id=1
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=1&wm_id=0&u=a8fbbde7-2725-43dd-974b-4d36acf41a1d&log_id=3
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=8654&wm_id=03010&u=411f3a52-26ed-4872-9a07-8c966acba234&log_id=1
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=8654&wm_id=03010&u=411f3a52-26ed-4872-9a07-8c966acba234&log_id=3
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=8654&wm_id=03010&u=a8fbbde7-2725-43dd-974b-4d36acf41a1d&log_id=1
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=8654&wm_id=03010&u=a8fbbde7-2725-43dd-974b-4d36acf41a1d&log_id=3
• http://{BLOCKED}8.{BLOCKED}4.15.228/sw/1/0/0/a8fbbde7-2725-43dd-974b-4d36acf41a1d/0/x.dat
• http://{BLOCKED}8.{BLOCKED}4.15.228/sw/8654/03010/0/411f3a52-26ed-4872-9a07-8c966acba234/0/x.dat
• http://{BLOCKED}8.{BLOCKED}4.15.228/sw/8654/03010/0/a8fbbde7-2725-43dd-974b-4d36acf41a1d/0/x.dat
• http://{BLOCKED}s.{BLOCKED}a.com.br/RealMedia/ads/creatives/OasDefault/090101_Seven_Sky_ROS/Eguis.jpg
• http://{BLOCKED}s.{BLOCKED}a.com.br/RealMedia/ads/creatives/OasDefault/090101_Seven_Sky_ROS/p.cpl
• http://{BLOCKED}n.{BLOCKED}e.com/down/uupdate.exe
• http://{BLOCKED}m.{BLOCKED}lmarkets.com/member.php?u=7586
• http://{BLOCKED}m.{BLOCKED}ice.com/member.php?u=7586
• http://www.{BLOCKED}rum.com/member.php?u=29387
• http://www.{BLOCKED}hardware.net/comunidade/member.php?u=764481
• http://www.{BLOCKED}eriedemouna.com/images/imag2.gif
• http://www.{BLOCKED}ho.cc/imagens/0001.gif
• http://www.{BLOCKED}ho.cc/imagens/0002.gif
• http://www.{BLOCKED}g.or.kr/sarangbi_bgm/img/update.txt
• http://www.{BLOCKED}a.net/member.php?u=21040
• http://{BLOCKED}8.{BLOCKED}4.15.228/l.php?aff_id=1&wm_id=0&u=a8fbbde7-2725-43dd-974b-4d36acf41a1d&log_id=3