Analysis by: Erika Bianca Mendoza
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

It bears the file icons of certain applications to avoid easy detection and consequent removal.

It opens a hidden Internet Explorer window.

  TECHNICAL DETAILS

File Size: 153,026 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 11 May 2011
Payload: Opens Internet Explorer window

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following files:

  • %Windows%\adobeupdate.exe
  • %Windows%\java\classes\ose.cer
  • %User Temp%\ie.exe
  • %User Temp%\loo.txt
  • %User Temp%\winword.doc
  • %Program Files%\Common Files\ODBC\Data Sources\Odbc.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It bears the file icons of the following applications:

  • Microsoft Word

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{8E12AADC-A55E-3FBE-4C6E-6B6EAC7CAFB5}
StubPath = %Windows%\adobeupdate.exe

Backdoor Routine

This backdoor opens a hidden Internet Explorer window.