BKDR_PEPI.WDA

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This backdoor does not have any propagation routine.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

• Download files
• Access files
• Create Pipe (to communicate with its components' processes)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}x.{BLOCKED}b.net

It posts the following information to its command and control (C&C) server:

• Physical Drive(s) information
• SCSI information
• CPU information (speed, vendor ID and feature flags)

However, as of this writing, the said sites are inaccessible.

NOTES:

After creating an anonymous pipe, it will perform the following routine:

1. It searches for %System%\wmiprop.exe.
2. Once found, it will execute the said file. In turn, the newly created process will now handle the data received from the created pipe.
3. If not, it will instead execute %System%\cmd.exe (Windows Command Prompt) to handle the data from the pipe. Hence, a remote shell is initialized.

It does not have rootkit capabilities.

It does not exploit any vulnerability.