BKDR_SRAOW.A

This backdoor modifies registry entries to disable various system services. This action prevents most of the system functions to be used.

It connects to a website to send and receive information.

Installation

This backdoor drops the following non-malicious files:

• %System%\v4vribc.log - encrypted configuration file
• %User Temp%\ka6yd1r.log - contains encrypted list of AV-related executable file names

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

• %User Temp%\hpbuj8t.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Policies\
Explorer\Run
sra0w = %User Temp%\hpbuj8t.exe

Other System Modifications

This backdoor modifies registry entries to disable the following system services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• http://bestkind.ru

Other Details

This backdoor does the following:

• Executes the following commands in command line in order to disable Windows Security Center and Windows Firewall:
  • net.exe stop "Security Center"
  • net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  • net1 stop "Security Center"
  • net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
  • sc config SharedAccess start= DISABLED
  • sc config wscsvc start= DISABLED
  Upon execution, it will connect to the following C&C server to download an encrypted config file:
  • hxxp://{BLOCKED}nd.ru/list.php?c={encrypted MAC address of the affected system}&v=2
  The downloaded config file, when decrypted, may contain any of the following fields:
  • [{ASCII equivalent of hex value}] - this is refered as Serial Number by the malware and contains another URL to other excutable files
  • [IFEO] - this contains a list of executable that will which it targets to prevent from running
  • [DNS] - this contains a list of entries that will be added in hosts file
  • [Block] - this contains a list of security related executables which it blocks TCP connection
  • [other] - this could contain other data from C&C server
  • Download and Execute File ({ASCII equivalent of hex value}) If this field is present, it will download and execute the URLs in the list. It saves the downloaded files as {random}.exe in %User Temp% directory. As per analysis, the downloaded configuration file contains the following list of download URLs:
    • hxxp://{BLOCKED}rdomainname.in/upload/int.exe
    • hxxp://{BLOCKED}9.{BLOCKED}6.143.133/1.exe
    • hxxp://{BLOCKED}er.com/tm/bt.exe
    • hxxp://{BLOCKED}er.com/tm/cry.exe
    It then reports to its C&C server by connecting to the following site:
    • hxxp://{BLOCKED}nd.ru/sn.php?c={encoded parameters}
    As of writing, the URLs above are inaccessible.
  • Image File Execution Options (IFEO) If this field is present, it will create the following registry for each of executable name listed:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{executable filename} debugger = %System%\svchost.exe
    *The downloaded configuration file does not contain this field during the time it was analyzed.
  • Hosts File Modification (DNS)If this field is present, it will add the entries listed in this field to the %system%\drivers\etc\hosts. *The downloaded configuration file does not contain this field during the time it was analyzed.
  • Blocking TCP Connection of AV Related Executables (Block) If this field is present, it will encode all the entries listed and write to file %temp%\ka6yd1r.log.It will then parse all the running process and when the name of the process matches one from the list, it will set the TCP state of the process to MIB_TCP_STATE_DELETE_TCB. This effectively closes the TCP connection of the process.As per analysis, the downloaded configuration file contains the following list of executable files:
    • avp.exe
    • egui.exe
    • ekrn.exe
    • ashupd.exe
    • avast.setup
    • a2service.exe
    • a2free.exe
    • avgcmgr.exe
    • avgiproxy.exe
    • avgupd.exe
    • livesrv.exe
    • drwebupw.exe
    • guardxup.exe
    • solocfg.exe
    • soloscan.exe
    • ufupdui.exe
    • tmproxy.exe
    • sfctlcom.exe
    • vsmon.exe
    • zlclient.exe
    • fpavserver.exe
    • fptrayproc.exe
    • mcupdmgr.exe
    • mcupdui.exe
    • mcupdutl.exe
    • hwupdchk.exe
    • mcujgui.exe
    • mcnasvc.exe
    • vbinsttmp.exe
    • ewido.exe
    • ccsvchst.exe
    • ccseupdt.exe
    • alupdate.exe
    • alsvc.exe
    • fortiproxy.exe
    • fortiscand.exe
    • fshdll32.exe
    • fshdll64.exe
    • fsorsp.exe
    • prevx.exe
    • avkproxy.exe
    • quickup.exe
    • mupdate2.exe
    • sbamsvc.exe
    • alive_.exe
    • niu.exe
    • avrpts.exe
    • updgui.exe
    • bullguard.exe
    • bullguardupdate.exe
    • wrconsumerservice.exe
    • ccupdate.exe
    • plasservice.exe
    • pareto_av.exe
    • pareto_update.exe
    • cdas2.exe
    • vcrupd.exe
    • avupdater.exe
    • ppinupdt.exe
    • update_tmp.exe
    • snsupd.exe
    • mks_services.exe
    • freshclam.exe
    • hupdate.exe
    • aamw_signatureupdate.exe
    • aamw_main.exe
    • tfun.exe
    • tfud.exe