BKDR_POISON.BVH
VirTool:Win32/Obfuscator.XZ(Microsoft)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This backdoor modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,,{malware path and file name}"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
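A defender-side check for the Userinit modification described above, added here as an example (not Trend Micro's code): it parses the comma-separated Userinit value, drops the empty entry left by the backdoor's double comma, and reports any program other than the stock userinit.exe. The set of accepted userinit.exe paths and the sample modified value are constructed assumptions; on a Windows host the script reads the live value through winreg instead.

```python
import ntpath
import sys

# Default Userinit data quoted in the advisory; the trailing comma is normal.
DEFAULT_USERINIT = r"%System%\userinit.exe,"

# Constructed sample of the backdoor's modification: note the empty entry
# between the two commas and the appended program (placeholder path).
SAMPLE_MODIFIED = r"%System%\userinit.exe,,C:\constructed\placeholder.exe"

# Spellings of the stock loader accepted as benign (assumption for this check).
EXPECTED = {
    r"%system%\userinit.exe",
    r"c:\windows\system32\userinit.exe",
    "userinit.exe",
}


def parse_userinit(value: str) -> list[str]:
    """Split the Userinit value into program entries, dropping blanks and quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_entries(value: str) -> list[str]:
    """Return every entry that is not the stock userinit.exe (case-insensitive)."""
    return [e for e in parse_userinit(value)
            if ntpath.normpath(e).lower() not in EXPECTED]


def read_live_userinit() -> str:
    """Read HKLM\\...\\Winlogon\\Userinit on a Windows host (winreg is Windows-only)."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    value = read_live_userinit() if sys.platform == "win32" else SAMPLE_MODIFIED
    print("Userinit =", value)
    print("unexpected entries:", unexpected_entries(value) or "none")
```

Any entry the check reports should be compared against the host's known-good image before removal, since the value is also legitimately customised by some deployment tools.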
Other Details
This backdoor connects to the following possibly malicious URLs:
- {BLOCKED}.{BLOCKED}.11.42:80/en-us/default.aspx
- {BLOCKED}.{BLOCKED}.231.189:80
- {BLOCKED}.{BLOCKED}.115.105:80/main/map/news/index.php
- {BLOCKED}.{BLOCKED}.115.105:80/main/map/news/xmlrpc.php