BKDR_SIREFEF.BQD
Trojan:Win32/Sirefef.P (Microsoft); Backdoor.Win32.ZAccess.emih (Kaspersky);
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following copies of itself into the affected system and executes them:
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\GoogleUpdate.exe
- %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\GoogleUpdate.exe
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It drops the following component file(s):
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\@ - configuration file
- %Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\@ - configuration file
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Google Update = ""%AppDataLocal%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\GoogleUpdate.exe" >"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
Type = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
ImagePath = "%Program Files%\Google\Desktop\Install\{GUID}\{unprintable characters 1}\{unprintable characters 2}\{RLO Unicode}{unprintable characters 3}\{GUID}\GoogleUpdate.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
Description = "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{RLO Unicode}etadpug
DisplayName = Google Update Service (gupdate)
Other System Modifications
This backdoor deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Other Details
This backdoor deletes the initially executed copy of itself
NOTES:
This backdoor inserts the RLO Unicode character together with unprintable unicode characters on file names of the folders it creates. It also does this on autostart registries to prevent user access on some operating systems.