BKDR_EMDIVI.GH

This backdoor arrives as attachment to mass-mailed email messages. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

Arrival Details

This backdoor arrives as attachment to mass-mailed email messages.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops and executes the following files:

• %User Temp%\vmpress.exe ← detected also as BKDR_EMDIVI.GH
• %User Temp%\grp_111.pdf ← decoy file

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• d3f4cee3d0f14c4fba73cdaa0879f52f

Autostart Technique

This backdoor drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %Common Startup%\vmpress.lnk
• %User Startup%\vmpress.lnk

(Note: %Common Startup% is the system's shared Startup folder, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.. %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Enumerate files and folders
• Delete files and folders
• Download files
• Upload files
• Execute files
• Get file attributes
• Enumerate processes
• Perform remote shell
• Loads a library using LoadLibrary API
• Import functions from a library using GetProcAddress API
• Choose HTTP Authentication
• Setup Proxy auto-configuration
• Gather Firefox settings from prefs.js
• Gather proxy settings from proxy.pac
• Gather proxy settings from windows registry
• Sleep

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://www.{BLOCKED}a.com/snow/index.php
• http://jp.{BLOCKED}b.biz/{5 random numbers}?p=#

Information Theft

This backdoor retrieves the following information from the affected system:

• Host name
• Process ID of the malware
• Memory Size (RAM)
• Internet Explorer Version
• Windows OS Version
• System Language
• Location
• Time Zone Information

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• http://www.msftncsi.com/ncsi.txt
• http://www.microsoft.com/en-us/default.aspx
• http://www.yahoo.co.jp

NOTES:

It will not execute properly if the host name is similar to any of the following strings:

• wilbert-SC1508
• xp-sp3-template
• mip-xp-cht
• CWS01_03
• wilbert-SC2202
• CWS05D102

It enumerates all visible windows and compares each window's title bar text with the following strings:

• OllyDbg
• W32Dasm
• Wireshark
• SoftICE
• Process Explorer
• Process Monitor
• Process Hacker

If a window's title bar text contains any of the said strings, it will pause the execution of its malicious routine by performing a Sleep command.

It uses a Adobe Acrobat Reader icon and drops a nonmalicious file, %User Temp%\grp_111.pdf. It then opens the file %User Temp%\grp_111.pdf to deceive users that it is a normal file.