BKDR_SVNLOOC.A

This backdoor may be dropped by other malware.

It connects to a website to send and receive information.

It logs a user's keystrokes to steal information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_MDROP.SMCM

Installation

This backdoor drops and executes the following files:

• %System%\Msdirects.sys - detected as RTKT_SVNLOOC.A
• %System%\KernelExec.sys - detected as RTKT_SVNLOOC.A
• %System%\Msdirects.dll - also detected as BKDR_SVNLOOC.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious file:

• %System%\Config.ini - configuration file

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• port 389

It connects to the following websites to send and receive information:

• {BLOCKED}5.{BLOCKED}3.189.147

Information Theft

This backdoor logs a user's keystrokes to steal information.

Stolen Information

This backdoor saves the stolen information in the following file:

• %System%\Syslog.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

NOTES:

It injects its dropped DLL, %System%\Msdirects.sys, to running process in the memory in order to stay memory resident.

It uses the following rootkit components to achieve the above-mentioned routine and to hide its component files and registries:

• %System%\KernelExec.sys
• %System%\Msdirects.dll

It is capable of executing the following backdoor commands:

• Query and view open windows
• View, get, or query host
• Start, stop, or change its own service
• Enumerate or query services
• Query or view processes
• Uninstall itself
• Query, view, delete, or check the size of its log file where it saves the stolen information
• Start and stop keylogging
• Download a file
• Delete a file
• Execute a file
• Create a new folder
• Open command shell
• Upload a file
• Query or browse directories
• Query or check for existing drives
• Set or get user identity
• Monitor USB drives and check the existing folders in it
• Open an FTP connection
• Open an HTTP connection
• Shutdown the system
• Check operating system version
• Get processor information and number of processors