BKDR_VAWTRAK.YUYAMY
Backdoor:Win32/Vawtrak.A (Microsoft), Backdoor.Win32.Papras.zhm (Kaspersky)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.
TECHNICAL DETAILS
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This Backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = "regsvr32.exe "%Program Data%\{random}\{random}.{3 random character}"
Other System Modifications
This Backdoor adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
TabProcGrowth = 0
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = 1
HKEY_CURRENT_USER\Software\{CLSID}
{random value} = "{hex values}"
Backdoor Routine
This Backdoor executes the following command(s) from a remote malicious user:
- Log keystrokes
- Capture Screenshots
- Open a process
- Install Updates
- List Process
- Inject code to process
- Download and execute files
- Download configuration
- Perform remote shell
- Start VNC
NOTES:
This backdoor has the capability to setup a virtual network computing (VNC) server to take control of the compromised computer.
It injects code to the all running processes except the following:
- csrss.exe
- Dbgview.exe
- lsass.exe
- lsm.exe
- services.exe
- smss.exe
- svchost.exe
- taskhost.exe
- wininit.exe
- winlogon.exe
This backdoor only performs its intended routine once it is injected in the following processes:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe