BKDR_JADTRE.AI
W32/Agent.JH!tr (Fortinet), W32/QQhelper.C.gen!Eldorado (FProt), Exploit.Win32.ShellCode (Ikarus), TrojanDownloader:Win32/Jadtre.B (Microsoft), a variant of Win32/Wapomi.AO virus (NOD32), Infostealer.Gampass (Norton)
Windows 2000, Windows XP, Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following file, a kernel-mode driver that it registers as a service (see the Services registry entries below):
- %System%\{random file name}.sys
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\{random file name}.tmp
- %System%\appmgmts.dll
Other System Modifications
This backdoor deletes the following file, the service DLL of the Windows Application Management (AppMgmt) service, and replaces it with the copy of itself listed under Installation (see Notes):
- %System%\appmgmts.dll
It adds the following registry entries as part of its installation routine. The Image File Execution Options (IFEO) entries are the backdoor's defence against security products: when Windows starts an image whose name has a Debugger value under IFEO, it launches that debugger with the image as its argument instead of running the image directly. ntsd is the console debugger shipped with Windows XP and Server 2003; its -d switch hands control to a kernel debugger, and with none attached the security product never starts. Because IFEO matches on the image name alone, any executable with one of the listed names is affected regardless of its path or whether the product is actually installed. The Services entries register the dropped .sys file as a kernel-mode driver (Type 1) that is started on demand (Start 3):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnt.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgrsx.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgtray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avguard.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgwdsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avmailc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avp.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avshadow.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avwebgrd.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bdagent.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
CCenter.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ccSvcHst.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dwengine.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
egui.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
FilMsg.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kavstart.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kissvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kmailmon.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsd.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdtray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
knsdwsc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfw32.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpfwsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kpopserver.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
krnl360svc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeSvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KSafeTray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmgui.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ksmsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kswebshield.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvexpert.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVMonXP.kxp
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvol.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
KVSrvXP.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kvxp.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwatch.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwstray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kwsupd.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxedefend.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxesapp.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxescore.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxeserv.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
kxetray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
livesrv.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcagent.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcmscsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McNASvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcods.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McProxy.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
McSACore.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Mcshield.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcsysmon.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mcvsshld.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
mfefire.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MOBKbackup.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MpfSrv.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPMon.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC1.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MPSVC2.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
msksrver.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MsSvHost.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCAddWidget.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCMgr_tz_Setup.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCRTP.EXE
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCTray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
QQPCUPDATE.EXE
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
qutmserv.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavTask.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsAgent.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Rsmgrsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rsnetsvr.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RsTray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safeboxTray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ScanFrm.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
sched.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
seccenter.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SfCtlCom.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spideragent.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SpIDerMl.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spidernt.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
spiderui.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SuperKiller.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TMBMSRV.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
TmProxy.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Twister.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
UfSeAgnt.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
upsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3PScan.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
V3SP.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vgchsvx.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
VPSvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vsserv.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
zhudongfangyu.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
修复工具.exe (Chinese for "repair tool")
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360hotfix.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rp.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safe.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360safebox.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SAFE_INSTALLER.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360sd.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360se.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360SoftMgrSvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360speedld.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
afwServ.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ast.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastSvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
AvastUI.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avcenter.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avfwsvc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgcsrvx.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgemc.exe
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
avgnsx.exe
Debugger = "ntsd -d"
HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Start = "3"
HKLM\SYSTEM\CurrentControlSet\
Services\{random}
Type = "1"
HKLM\SYSTEM\CurrentControlSet\
Services\{random}
ImagePath = "%System%\{random file name}.sys"
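The IFEO hijack above is easy to miss during cleanup because the registry keys survive removal of the dropped files. The following Python script is an added example, not code from the original page or from Trend Micro: it parses a `reg export` of the IFEO key, lists every image name that carries a Debugger value, flags the ntsd-based entries this backdoor writes, and emits the reg.exe commands that remove only those values. The `SAMPLE_REG` text is constructed to stand in for a real export (real exports are UTF-16LE; open them with `encoding="utf-16"`), and the notepad.exe/windbg entry in it is a hypothetical legitimate entry, included to show that not every Debugger value is malicious.

```python
"""Added triage helper (not from the original page): find Image File
Execution Options (IFEO) "Debugger" hijacks in a .reg export, the technique
BKDR_JADTRE.AI uses to keep security products from starting."""
import re
from typing import Dict, List

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample of what
#   reg export "HKLM\...\Image File Execution Options" ifeo.reg
# produces (real exports are UTF-16LE: read them with encoding="utf-16").
# The notepad.exe/windbg entry is a hypothetical legitimate developer setup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001
'''

_SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
# "Name"="string"  (REG_SZ only; dword/hex values never carry a Debugger string)
_STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: a doubled backslash becomes one, an escaped quote a quote.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_value}} for a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            # "[-HKEY...]" is a deletion directive, not a key that holds values
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _STRING_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_ifeo_debuggers(text: str) -> Dict[str, str]:
    """Map image name -> Debugger value for every direct IFEO subkey that sets one."""
    prefix = IFEO_KEY.lower() + "\\"
    hits: Dict[str, str] = {}
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:          # nested keys such as PerfOptions are not IFEO targets
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                hits[image] = value
    return hits


def classify(debugger: str) -> str:
    """'kill' for the ntsd-based stall this backdoor writes ("ntsd -d": ntsd hands
    control to a kernel debugger that is not there, so the image never runs);
    'review' for any other debugger, which is rare on end-user hosts but can be legitimate."""
    value = debugger.strip().lower().replace('"', "")
    return "kill" if re.search(r"(^|\\)ntsd(\.exe)?(\s|$)", value) else "review"


def cleanup_commands(hits: Dict[str, str]) -> List[str]:
    """reg.exe lines that delete only the Debugger value of each 'kill' entry,
    leaving any other IFEO settings on that image untouched."""
    base = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    return [f'reg delete "{base}\\{image}" /v Debugger /f'
            for image, dbg in sorted(hits.items()) if classify(dbg) == "kill"]


if __name__ == "__main__":
    found = find_ifeo_debuggers(SAMPLE_REG)
    for image, dbg in sorted(found.items()):
        print(f"{classify(dbg):7}{image:16}Debugger={dbg}")
    print("\n".join(cleanup_commands(found)))
```

On the infected host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the input. Compare the flagged names against the list on this page rather than against installed products: an entry for a product that is not installed is still an indicator, and the cleanup commands are deliberately limited to the Debugger value so that any other IFEO setting on the same image is preserved.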
Other Details
This backdoor connects to the following possibly malicious IP addresses and URLs:
- {BLOCKED}0.{BLOCKED}9.92.248
- {BLOCKED}0.{BLOCKED}9.92.245
- {BLOCKED}0.{BLOCKED}9.92.244
- {BLOCKED}0.{BLOCKED}9.92.242
- {BLOCKED}0.{BLOCKED}9.92.239
- {BLOCKED}0.{BLOCKED}9.92.236
- {BLOCKED}0.{BLOCKED}9.92.250
- {BLOCKED}0.{BLOCKED}9.92.251
- {BLOCKED}0.{BLOCKED}9.92.254
- {BLOCKED}0.{BLOCKED}9.92.249
- {BLOCKED}0.{BLOCKED}9.92.240
- {BLOCKED}0.{BLOCKED}9.92.243
- {BLOCKED}0.{BLOCKED}9.92.253
- {BLOCKED}0.{BLOCKED}9.92.241
- {BLOCKED}0.{BLOCKED}9.92.246
- {BLOCKED}0.{BLOCKED}9.92.237
- {BLOCKED}3.{BLOCKED}4.193.128
- {BLOCKED}3.{BLOCKED}4.193.125
- {BLOCKED}2.{BLOCKED}6.167.95
- {BLOCKED}d.{BLOCKED}v.com
- www.{BLOCKED}u.com
- www.{BLOCKED}4.info
The first sixteen addresses all fall between .236 and .254 of the same /24, so a single range rule on the perimeter covers them.
NOTES:
It sets the Read-only, Hidden and System (RHS) attributes on %System%\drivers\etc\hosts. On a live host, attrib %System%\drivers\etc\hosts shows these attributes; review the file content as well during cleanup, and clear the attributes with attrib -r -h -s before editing it.
It deletes the original %System%\appmgmts.dll, the service DLL of the Windows Application Management (AppMgmt) service hosted by svchost.exe, and replaces it with a copy of itself under the same file name. Because the existing service definition still points at that DLL, the malware runs inside svchost.exe under the legitimate service at every startup without needing a service entry of its own (the Services entries listed above belong to the dropped .sys driver). During cleanup, verify appmgmts.dll against the Microsoft-signed original (for example with sigcheck) and restore it from installation media or a clean host of the same build.