BKDR_RESDRO.AG
Trojan:Win32/Dynamer!dtc (Microsoft])
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following component file(s):
- %System%\wsynolib.exe - also detected as BKDR_RESDRO.AG
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\WsynoSvc
ImagePath = "%System%\wsynolib.exe"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecFilter{1e6963ff-bfe3-4498-a94d-c0e5982071d7}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecFilter{4de0233b-3368-4763-aba8-6b9002734dc9}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecFilter{e788aac0-0854-464d-b3fe-e99614eaa5c8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecISAKMPPolicy{d12ee85a-e3c4-468e-aadf-fbb0ad46d83b}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNegotiationPolicy{667693ee-9ca9-4bf2-9d10-1b9b7c45057f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNegotiationPolicy{b40c384e-0a44-4b46-b14b-c194fa0e5e8f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNegotiationPolicy{e63e091a-cef1-4508-9e43-613f41485229}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNFA{27339a81-2984-4141-82aa-bc8c14fc0844}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNFA{4fb58661-b6d2-47d3-bc0b-42b4b9cddbde}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNFA{724bfd81-4eda-44b5-99fb-ee1b7c6dcf7a}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecNFA{74f6ef6c-5bcd-426b-8e42-ca194feeac0f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local\ipsecPolicy{6344fe9c-c79b-444d-a90f-b589162416d5}
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\IPSec\
Policy\Local
ActivePolicy = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{6344fe9c-c79b-444d-a90f-b589162416d5}"
Backdoor Routine
This backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:
- {BLOCKED}o.{BLOCKED}a.com
- {BLOCKED}t.{BLOCKED}ca.com
- {BLOCKED}w.{BLOCKED}network.com
- {BLOCKED}cetohell.org