BKDR_CYSXL.A

This backdoor may be dropped by other malware.

It connects to a website to send and receive information.

Arrival Details

This backdoor may be dropped by the following malware:

• TROJ_ARTIEF.ZIGS

Installation

This backdoor drops the following component file(s):

• %System%\cydll.dll - also detected as BKDR_CYSXL.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

• %System Root%\Document and Settings\All users\realupdate.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Its DLL component is injected to the following process(es):

• svchost.exe

Autostart Technique

This backdoor registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CyService\parameters
ServiceDll = "%System%\cydll.dll"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CLASSES_ROOT\Sxl

Backdoor Routine

This backdoor connects to the following websites to send and receive information:

• http://{BLOCKED}t.SerVeHttp.com/{numbers}

NOTES:

It is capable of executing the following backdoor commands:

• Create directories
• Create process(es)
• Create/delete file(s)
• Execute msg.exe
• Get process ID of processes
• List drives and files
• Lock the machine
• Modify environment settings
• Shutdown the system
• Start service(s)