PHP_WEBSHELL.VTJ

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

It does not have any file infection routine.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system.

It gathers certain information on the affected computer.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Infection Points

This backdoor does not have any file infection routine.

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Execute remote commands
• Upload file
• Create copy of itself in {PHP Server Document Root}\plugins\user\explorer.php

Information Theft

This backdoor gathers the following information on the affected computer:

• Current user name
• User ID of the current script
• Information about the operating system PHP is running on
• PHP Server address
• PHP Remote address

Drop Points

This backdoor sends the information it gathers to the following email addresses:

• {BLOCKED}plosion2013@gmail.com
• {BLOCKED}_p@yahoo.com
• {BLOCKED}ark@live.com

NOTES:

This malware runs on PHP web server. It sends out the following messages to specific email address:

Subject: Target ditemukan {HTTP_HOST}/{REQUEST_URI}
Body: Hasil Bajakan http://{HTTP_HOST}/{REQUEST_URI} SAFE_MODE = {on|off} IP Server = {HTTP_HOST} IP Injector= {REQUEST_URI}

The uploaded file is saved on {PHP Server Document Root}\{File Name}, where the file name is configured by a malicious remote user.