BKDR_PLUGX.MMC

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %Windows%\WPDShexplayProxy.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following non-malicious files:

• %All Users Profile%\DRM\xs\{random characters}

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It adds the following processes:

• iexplore.exe

It creates the following folders:

• %All Users Profile%\DRM\xs

(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{random}

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WPDShexplayProxy = "%Windows%\WPDShexplayProxy.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
User Agent

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
User Agent\Post Platform

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\User Agent

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\User Agent\Post Platform

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Copy, move, rename, delete files
• Create directories
• Create files
• Enumerate files
• Execute files
• Get drive information
• Get file information
• Open and modify files
• Log keystrokes and active window
• Enumerate TCP and UDP connections
• Enumerate network resources
• Set TCP connection state
• Lock workstation
• Log off user
• Restart/Reboot/Shutdown system
• Display a message box
• Perfrom port mapping
• Enumerate processes
• Get process information
• Terminate processes
• Enumerate registry keys
• Create registry keys
• Delete registry keys
• Copy registry keys
• Enumerate registry entries
• Modify registry entries
• Delete registry values
• Screen capture
• Delete services
• Enumerate services
• Get service information
• Modify services
• Start services
• Perform remote shell
• Host Telnet server
• Connect to a database server and execute SQL statement

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}a.{BLOCKED}app.com/{random generated value}

However, as of this writing, the said sites are inaccessible.

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.