BKDR_PANDEMIYA.A
TrojanSpy:Win32/Ursnif.gen!K, TrojanSpy:Win32/Ursnif.gen!K (Microsoft), a variant of Win32/PSW.Papras.DF trojan (Nod32), Found Win32/DH{gRKBE4EPAA81Fw} (AVG), W32/Papras.DF!tr.pws (Fortinet), Trojan.Win32.Generic!BT (Sunbelt),
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It reads its configuration file that contains commands and data to be sent to a remote server.
It modifies the Internet Explorer Zone Settings.
It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
It sends the information it gathers to remote users via HTTP Post.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %Application Data%\{ramdom file name 1}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following component file(s):
- %System%\{random file name 2}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- {GUID}
It stays memory-resident by creating remote threads:
- iexplorer.exe
- firefox.exe
- explorer.exe
- chrome.exe
It terminates the execution of the copy it initially executed and executes the copy it drops instead.
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name 1} = "%Application Data%\{random file name 1}.exe"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
{random file name 1} = "%System%\{random file name 2}.dll"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
ProxyBypass = 1
(Note: The default value data of the said registry entry is "0".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
IntranetName = 1
(Note: The default value data of the said registry entry is "0".)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
UNCAsIntranet = 1
(Note: The default value data of the said registry entry is "0".)
Backdoor Routine
This backdoor reads its configuration file that contains commands and data to be sent to a remote server.
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- {BLOCKED}.{BLOCKED}.175.134/fg/dump.php
As of this writing, the said servers are currently inaccessible.
Web Browser Home Page and Search Page Modification
This backdoor modifies the Internet Explorer Zone Settings.
Information Theft
This backdoor attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.
Drop Points
This backdoor sends the information it gathers to remote users via HTTP Post.
Other Details
Based on analysis of the codes, it has the following capabilities:
- Archive and upload file(s)
- Capture screenshot
- Clear cookies
- Download a configuration file
- Download file(s)
- Open a SOCKS proxy
- Reboot the affected system
- Steal certificates
- Steal cookies
- Update configuration file
- Upload a log file which contains stolen information
It deletes the initially executed copy of itself
NOTES:
It hooks the following WININET.DLL exported functions when the DLL component is loaded in IEXPLORE.EXE to monitor network traffic:
- InternetReadFile
- InternetReadFileExA
- InternetReadFileExW
- HttpSendRequestA
- HttpSendRequestW
- HttpQueryInfoA
- HttpQueryInfoW
- HttpAddRequestHeadersA
- HttpAddRequestHeadersW
- InternetConnectA
- InternetConnectW
- InternetQueryDataAvailable
It hooks the following NSS3.DLL exported functions when the DLL component is loaded in FIREFOX.EXE to monitor network traffic:
- PR_Read
- PR_Write
- PR_Close
It hooks the following WS2_32.DLL and KERNEL32.DLL exported functions when the DLL component is loaded in CHROME.EXE to monitor network traffic:
- WSARecv
- WSASend
- closesocket
- LoadLibraryExW
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product and note files detected as BKDR_PANDEMIYA.A
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {random file name 1} = "%Application Data%\{random file name 1}.exe"
- {random file name 1} = "%Application Data%\{random file name 1}.exe"
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
- AppCertDlls
- AppCertDlls
- In HKEY_CURRENT_USER\Software
- AppDataLow
- AppDataLow
Step 6
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- From: ProxyBypass = "1"
To: ProxyBypass = "0"
- From: ProxyBypass = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- From: IntranetName = "1"
To: IntranetName = "0"
- From: IntranetName = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- From: UNCAsIntranet = "1"
To: UNCAsIntranet = "0"
- From: UNCAsIntranet = "1"
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_PANDEMIYA.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.