BKDR_INVICM.A

This backdoor may be dropped by other malware.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It retrieves specific information from the affected system.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_MDROPPR.CE

Installation

This backdoor drops the following copies of itself into the affected system:

• %User Profile%\Application Data\360\Live360.exe
• %User Profile%\Application Data\temp\temp1.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following processes:

• winlogon.exe

It creates the following folders:

• %User Profile%\Application Data\360
• %User Profile%\Application Data\temp

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
UKey = %User Profile%\Application Data\360\Live360.exe

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\rar

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Log keystrokes
• Download and execute file(s)
• Manipulate files
• Manipulate directories
• Steals user credentials such as user name and passwords, which are related to the following applications:
  
  -Internet Explorer Password-Protected sites
  -Microsoft Outlook
  -HTTP
  -IMAP
  -Protected Storage
  -POP3
  -SMTP
  -HTTPMail
  -Windows Messaging

It connects to the following websites to send and receive information:

• minny1.{BLOCKED}p.net

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• 360Safe
• 360safe.exe
• 360sd.exe
• 360tray.exe
• AVGIDSMonitor.exe
• Avast
• FProt
• FProtTray.exe
• FrzState2K.exe
• KAVsvc.exe
• KSafeTray.exe
• KVwsc.exe
• LiveUpdate360
• MPMon.exe
• Mcafee
• Mcshield.exe
• NOD32
• RavMon.exe
• RavMonD.exe
• RsTray.exe
• SfCtlCom.exe
• UfNavi.exe
• UfSeAgnt.exe
• WinMe
• ZhuDongFangYu.exe
• ashServ.exe
• avgrsx.exe
• avp.exe
• ccSvcHst.exe
• ekrn.exe
• explorer.exe
• kav.exe
• kwstray.exe
• kxetray
• nod32krn.exe
• nscsrvce.exe
• ravtask.exe
• rising.exe
• rtvscan.exe
• ESET Filter Service
• ESET5

Information Theft

This backdoor retrieves the following information from the affected system:

• Local IP address
• Operating system
• Computer name
• User name
• Processor information

Stolen Information

This backdoor saves the stolen information in the following file:

• %User Profile%\user.bin

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

NOTES:

This backdoor injects its code to the created process WINLOGON.EXE.