BKDR_SIREFEF.WE
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes, then deletes itself afterward.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\GoogleUpdate.exe
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\@
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\GoogleUpdate.exe
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\@
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It creates the following folders:
- %AppDataLocal%\Google\Desktop
- %AppDataLocal%\Google\Desktop\Install
- %AppDataLocal%\Google\Desktop\Install\{GUID}
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\U
- %AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\L
- %Program Files%\Google\Desktop
- %Program Files%\Google\Desktop\Install
- %Program Files%\Google\Desktop\Install\{GUID}
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\U
- %Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path}\{GUID}\L
(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It executes, then deletes itself afterward.
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug\Parameters
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update = "%AppDataLocal%\Google\Desktop\Install\{GUID}\{incomprehensible path 1}\{GUID}\GoogleUpdate.exe<"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
Description = "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
DisplayName = "Google Update Service (gupdate)"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
ImagePath = ""%Program Files%\Google\Desktop\Install\{GUID}\{incomprehensible path 1}\{GUID}\GoogleUpdate.exe" <"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug
Type = "16"
HKEY_LOCAL_MACHINE\SYSTEM\{CurrentControlSet}\Services\{box character}etadpug\Parameters
Parameters = "176"
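The persistence entries above impersonate the legitimate Google Update service, which installs under \Google\Update\ rather than \Google\Desktop\Install\. The following triage check is an added example, not part of this advisory: it scans registry values (here a constructed sample list shaped like the entries listed, with a placeholder for the unprintable box character) for the three tells described on this page.

```python
import re

# Hypothetical stand-in for the unprintable "box character" the advisory shows
# in front of "etadpug"; the real character varies, so only the suffix is keyed on.
BOX_CHAR = "\u2580"

# Constructed sample registry data (not from a real host), shaped like the
# entries this advisory lists: (key path, value name, value data).
SAMPLE_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Google Update",
     r"C:\Users\alice\AppData\Local\Google\Desktop\Install\{1A2B}\x\{3C4D}\GoogleUpdate.exe<"),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + BOX_CHAR + "etadpug",
     "ImagePath",
     r'"C:\Program Files\Google\Desktop\Install\{1A2B}\x\{3C4D}\GoogleUpdate.exe" <'),
    # Benign: the genuine Google Update service lives under \Google\Update\.
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate",
     "ImagePath",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'),
]

# The bogus install tree used by both the Run entry and the service ImagePath.
DESKTOP_INSTALL = re.compile(r"\\Google\\Desktop\\Install\\", re.IGNORECASE)


def find_sirefef_indicators(values):
    """Return (key, value name, reason) for entries matching the persistence
    artifacts described in this advisory."""
    hits = []
    for key, name, data in values:
        leaf = key.rsplit("\\", 1)[-1]
        reasons = []
        if DESKTOP_INSTALL.search(data):
            reasons.append("path under Google\\Desktop\\Install")
        # Service key named "gupdate" spelled backwards behind a prefix character.
        if "\\Services\\" in key and leaf.lower().endswith("etadpug"):
            reasons.append("service name is reversed 'gupdate'")
        # Stray trailing "<" in the command line, as shown in the advisory.
        if data.rstrip().endswith("<"):
            reasons.append("trailing '<' in value data")
        if reasons:
            hits.append((key, name, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_sirefef_indicators(SAMPLE_VALUES):
        print(f"{key} [{name}]: {reason}")
```

On a live host the same function can be fed the output of a registry export or a `winreg` walk of the Run and Services keys.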
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}187.87:16464