Virus Profile: Generic BackDoor.u

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/5/2005
Date Added: 4/4/2005
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 7353
Removal Instructions

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases
  • Microsoft - PWS:Win32/Fareit
  • Symantec - Downloader.Ponik
  • Nod32 - Win32/PSW.Fareit.A trojan
  • Norman - W32/Troj_Generic.FZZFL (trojan)

 

-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://news.techworld.com/security/3214563/energizer-bunny-infects-pcs-with-backdoor-malware/

--

Generic BackDoor.u is a generic detection name for Trojans that open a backdoor and allow an attacker to issue commands to control the compromised machine. More information on Generic BackDoor detections is available here.

 

Indication of Infection

Presence of the files and registry keys listed in this profile.


Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

 

   

Virus Characteristics


---------------Updated on 29th May 2014----------------------------------

Aliases:

  • Avast - MSIL:Injector-BR [Trj]
  • ESET-NOD32 - a variant of MSIL/Injector.BCP
  • Microsoft - Backdoor:MSIL/Bladabindi.F


“Generic BackDoor.u” is a generic detection for a Trojan that may drop other files onto the system.

Upon execution, the following files are added to the system:

  • %userprofile%\Desktop\.tmp
  • %userprofile%\Start Menu\Programs\Startup\b01abcf8c9418a8e052bb701bdf75afa.exe
  • %userprofile%\Java.exe


Upon execution the Trojan connects to the following URL:

  • Mike[Removed].org


The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
  • HKEY_LOCAL_MACHINE\S-1-5-[Varies]\Software\b01abcf8c9418a8e052bb701bdf75afa


The following registry key values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize: 0x00100000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory: "%windir%\tracing"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid: "710adbf0-ce88-40b4-a50d-231ada6593f0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames: " NAP_TRACE_BASE NAP_TRACE_NETSH"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName: "stdout"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\Guid: "b0278a28-76f1-4e15-b1df-14b209a12613"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\BitNames: " Error Unusual Info Debug"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName: "stdout"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\ControlFlags: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Java.exe: "%userprofile%\Java.exe"


The firewall registry value above shows that the Trojan adds itself to the Windows Firewall authorized applications list, so that its network traffic is not blocked by the firewall.


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b01abcf8c9418a8e052bb701bdf75afa: ""%userprofile%\Java.exe" .."
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Windows Live: "%userprofile%\Java.exe"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\b01abcf8c9418a8e052bb701bdf75afa: ""%userprofile%\Java.exe" .."


The Run entries above ensure that the Trojan is executed every time the system starts.

---------------------------------------------------------Updated on 18th Feb 2014----------------------------------------------------------

Aliases

  • Microsoft        -    Trojan:Win32/Nymaim
  • Kaspersky        -    Trojan.Win32.Sharik.rpw
  • Eset_Nod32        -    Win32/Kryptik.BVET


“Generic BackDoor.u” is a detection for a Trojan that opens a backdoor to send and receive commands from a remote attacker. It may also post collected data to the remote attacker.

Upon execution the Trojan drops files into the following locations:

  • %Appdata%\aiy\wssk.hge
  • %Appdata%\hkgldt\hbrpks.uww
  • %Appdata%\wcxl\tkbbqq.exe
  • %Appdata%\xncpd\oijyptg.exe
  • %Appdata%\xqvqi\bowub.exe
  • %Appdata%\xybje\ctkv.ilg
  • %Appdata%\yjcga\hbrpks.uww
  • %Appdata%\yjcga\qtcm.cjg
  • %windir%\crfb.uwt
  • %windir%\kklhkj.ndn
  • %windir%\ngjemi.bjd
  • %windir%\uvog.meo
  • %windir%\vzudiv.exd


Upon execution the Trojan attempts to connect to the following IP addresses and domains:

  • gefesos[Removed]my.org
  • 129.[Removed].109.[Removed].net
  • 197.[Removed].190.[Removed].com.ar
  • 88-117-86-184.[Removed].telekom.at
  • b3ebfbdb.[Removed].br
  • catv-37-188-86-185.[Removed].hu
  • net-2-35-44-113.[Removed].it
  • 109.[Removed].129
  • 117.[Removed].90
  • 121.[Removed].196
  • 179.[Removed].219
  • 181.[Removed].253
  • 186.[Removed].206
  • 190.[Removed].197
  • 2.[Removed].113
  • 37.[Removed].185
  • 88.[Removed].184


The following registry key values have been added to the system:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell: "%AppData%\wcxl\tkbbqq.exe,explorer.exe"
  • HKEY_USERS\S-1-5-21-[Varies]-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell: "%AppData%\wcxl\tkbbqq.exe,explorer.exe"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell: "%AppData%\wcxl\tkbbqq.exe,explorer.exe"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\3ok3: "%AppData%\xqvqi\bowub.exe"
  • HKEY_USERS\S-1-5-21-[Varies]-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\3ok3: "%AppData%\xqvqi\bowub.exe"
  • HKEY_USERS\S-1-5-21-[Varies]-500\Software\Microsoft\Windows\CurrentVersion\RunOnce\2y3vw53: "%AppData%\xncpd\oijyptg.exe"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\3ok3: "%AppData%\xqvqi\bowub.exe"

The Winlogon Shell values above prepend the Trojan to the shell command line and the RunOnce values start it as well, so the Trojan is registered with the compromised system and executes on every boot.

------------------------------------------------------------------------Updated on 23-01-2014-----------------------------------------------------------------------------

Characteristics of the file with hash 3ccdb38ea0bfc56fa856c94c67060d78


The file with the hash 3ccdb38ea0bfc56fa856c94c67060d78 detected as Generic BackDoor.u drops and executes the following file:

mslives.exe (FC762EF29953968A243DB6B1788387AD) detected as RDN/Generic.dx!cwv


It also displays a flash animation intended to hide its malicious behaviour from the user.

[Screenshot of the flash animation: image not reproduced in this text.]

Characteristics of the dropped file with hash FC762EF29953968A243DB6B1788387AD:

mslives.exe (FC762EF29953968A243DB6B1788387AD) detected as RDN/Generic.dx!cwv

Upon execution it will create a copy of itself in the following location:

  • %programfiles%\Windows NT\Accessories\Microsoft\mslives.exe

It also creates the following registry entry to automatically execute at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msliveupdate: "C:\Program Files\Windows NT\Accessories\Microsoft\mslives.exe"

It attempts to access the following URL to download a file and execute afterwards:

  • hxxp://techshine-fast-japan.co.jp/css/common.php

(As of this writing, no file was downloaded from the URL.)

It writes the downloaded file to the temp directory using the following filename pattern:

  • ms{8 random char}.exe

It terminates after a successful download and execution; otherwise it sleeps for 5 minutes before retrying the download.

------------------------------------------------------------------------Updated on 10-01-2014-----------------------------------------------------------------------------

Aliases

  • Microsoft    -    backdoor:win32/poison.e

“Generic BackDoor.u” is a detection for a Trojan that receives commands from an attacker to access the infected machine and download other payloads.

Upon execution the Trojan tries to connect to the following URLs:

  • us.[Removed].com


The following strings in the binary (Winsock API names) indicate that the Trojan uses network connections:

  • NeverSayDie!
  • socket
  • shutdown
  • setsockopt
  • sendto
  • send
  • select
  • recvfrom
  • recv
  • ntohs
  • ntohl
  • listen
  • ioctlsocket
  • inet_ntoa
  • inet_addr
  • htons
  • htonl
  • getsockop

 

-----------------------------------------------------------------Updated on 07-01-2014-------------------------------------------------------------------------------------


Aliases

  • Kaspersky    -    HEUR:Trojan.Win32.Generic
  • Ikarus        -    Trojan-Dropper.RQU
  • Symantec    -    Suspicious.Cloud.5
  • Avira        -    TR/Drop.RQU.76

Characteristics –

“Generic BackDoor.u” is a detection for a Trojan that allows a remote attacker unauthorized access to and control of an infected computer. It opens a backdoor through which the attacker issues commands to control the compromised machine.

The following registry value has been added:

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\HRZR_EHACN


The following registry values have been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\userinit.exe," (original value)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\userinit.exe,%userprofile%\Desktop\1298449331.exe," (modified value, so that the Trojan is started at every logon)
  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\HRZR_HVFPH

It collects information about the compromised system and sends it to the attacker, including:

  • Computer name
  • And other information




---------------------------------------------------------------------Updated on 21st Dec 2013--------------------------------------------------------------------------------------

Aliases –

  • Avira - TR/Kazy.145452.26
  • Microsoft - Backdoor:MSIL/Bladabindi
  • Eset-Nod32 - MSIL/Bladabindi.P
  • DrWeb - BackDoor.Andromeda.22

Characteristics – 

“Generic BackDoor.u” is a detection for a Trojan that allows backdoor access to and control of the computer. It installs a proxy and opens a backdoor to send and receive commands from the remote attacker.

Upon execution the Trojan copies itself to the following locations:

  • %Temp%\Winrar.exe
  • %Userprofile%\Start Menu\Programs\Startup\125d3f6ae0a53efa91122391603b15de.exe
  • %windir%\system32\netsh.exe

Upon execution the Trojan attempts to connect to the following IP address over remote port 80:

  • 5.10[Removed]8.59

This backdoor allows a remote attacker to perform various functions, including:

  • Capturing system information
  • Spreading to other computers via removable drives
  • Restarting the computer
  • Uploading data to the attacker
  • Modifying system settings

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize: 0x00100000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory: "%windir%\tracing"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\125d3f6ae0a53efa91122391603b15de: ""%Temp%\Winrar.exe" .."
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Temp%\Winrar.exe: "C:\Documents and Settings\AVERT\Local Settings\Temp\Winrar.exe:*:Enabled:Winrar.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Temp%\Winrar.exe: "%temp%\Winrar.exe:*:Enabled:Winrar.exe"
  • HKEY_USERS\S-1-5-21-436374069-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\125d3f6ae0a53efa91122391603b15de: ""%Temp%\Winrar.exe" .."

The Run entries above ensure that the Trojan is registered with the compromised system and executes on every boot.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Temp%\Winrar.exe: "%temp%\Winrar.exe:*:Enabled:Winrar.exe"

The registry key value above confirms that the Trojan adds a firewall exception for itself so that it can reach the Internet without being blocked by the firewall.

---------------------------------------------------------------------Updated on 16th Dec 2013--------------------------------------------------------------------------------------

“Generic BackDoor.u” is a detection for a Trojan that receives commands from an attacker to access the infected machine and download other payloads.

Upon execution the Trojan connects to the following URL and IP address:

  • kar[Removed]ipt.com
  • 103.[Removed].24.167

The following files have been added to the system:

  • %Windir%\system32\net.exe
  • %Windir%\system32\net1.exe

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Enum

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Control\*NewlyCreated*: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Control\ActiveService: "Windows Debug System Management Interface"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Service: "Windows Debug System Management Interface"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Legacy: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\ConfigFlags: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\Class: "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000\DeviceDesc: "Windows Debug System Management Interface"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Enum\0: "Root\LEGACY_WINDOWS_DEBUG_SYSTEM_MANAGEMENT_INTERFACE\0000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Enum\Count: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Enum\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Security\Security: [Binary Data]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Type: 0x00000010
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Start: 0x00000002
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\ErrorControl: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\ImagePath: "%Userprofile%\Desktop\adcfe50aaaa0928adf2785fefe7307cc\1040880618.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\DisplayName: "Windows Debug System Management Interface"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\ObjectName: "LocalSystem"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Debug System Management Interface\Description: "Provides Interfaces for Windows Debug and Error Handle"

------------------------------Updated on 13th Dec 2013-------------------------------------

“Generic BackDoor.u” is a detection for a Trojan that receives commands from an attacker to access the infected machine and download other payloads.

Upon execution the Trojan connects to the following URLs:


  • Ant[Removed]yes.com
  • Inp[Removed]ers.com


The following files have been added to the system.

  • %appdata%\WinRAR\WIN1B.exe
  • %appdata%\WinRAR\WIN1B.tmp


The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GameServer507: [Binary data]

------------------------------Updated on 13th Dec 2013-------------------------------------

“Generic BackDoor.u” is a detection for a Trojan that receives commands from an attacker to access the infected machine and download other payloads.

Upon execution the Trojan connects to the following IP address:

  • 220.65.[Removed].46


The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

---------------------------------------- Updated on 18th October 2013------------------------------------

It connects to the following URL and IP address.

  • hxxp://wxw.k[removed].co.kr/mprsvc/info.php
  • 222.[Removed].158.125

The following files have been added to the system:

  • %WINDIR%\system32\mprsvc.exe
  • %WINDIR%\system32\mprtool.dll


mprtool.dll is injected into running processes, as indicated by the following strings found in the binary:

InstallHook
mprtool.dll
UWM_HOOKTOOL_DLL_LOADED - {68D9B79A-09E0-4e20-9273-767C8813CA1F}
UWM_HOOKTOOL_DLL_UNLOADED - {68D9B79A-09E0-4e20-9273-767C8813CA1F}
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
POST
WEBPOST AGENT
*/*
HTTP/1.1
CMainFrame
mprsvc
{05CA3573-B449-4e0b-83F5-7FD612E378E9}
software\{BD0472ED-5669-49c9-8182-912F5D3FEDA0}\
.ini
http://
no execute
.exe
Downloads
D8AA172F71F3057267B85F64BDB01A20DCD84C249AEEB1CDDF82582FFDDDB870
|update end|
|update start|
8564A92A74D3DF04087DBF34A7E46B2A
Data not multiple of Block Size
Incorrect block length
Incorrect key length
Empty key
{BFF86665-4798-465d-A0CB-E0734CB60C7C}
A507D40392E920C991F050522405FC33
8733374D5A0EF78CC2F439ED9882D04B
754EBF5F685A2B6703FE88BB196FACE7D6A30E18FEF0CCD31B2BE1E244CB937E
bootdate
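As an added example that is not McAfee's tooling or code from this profile, the following Python script performs the string triage that the two lists above imply: it scans a file for the Winsock API names from the 10-01-2014 update and for the hook and HTTP client strings from the 18th October 2013 update, and reports which were found. It takes a file path on the command line, or runs against a constructed sample when given none. The profile's truncated "getsockop" is read here as the Winsock export getsockopt, and the thresholds behind the two "likely" flags are my own choice.

```python
"""String triage for the network and injection indicators in this profile."""
import re
import sys

# Winsock API names listed in the 10-01-2014 update. The profile's truncated
# "getsockop" is read here as the Winsock export getsockopt (assumption).
WINSOCK_APIS = [
    b"socket", b"shutdown", b"setsockopt", b"sendto", b"send", b"select",
    b"recvfrom", b"recv", b"ntohs", b"ntohl", b"listen", b"ioctlsocket",
    b"inet_ntoa", b"inet_addr", b"htons", b"htonl", b"getsockopt",
]
# Hook-DLL and HTTP client strings from the 18th October 2013 update.
INJECTION_STRINGS = [b"InstallHook", b"UWM_HOOKTOOL_DLL_LOADED",
                     b"UWM_HOOKTOOL_DLL_UNLOADED"]
HTTP_STRINGS = [b"Content-Type: application/x-www-form-urlencoded",
                b"POST", b"WEBPOST AGENT"]


def _present(data: bytes, needle: bytes) -> bool:
    """True if needle occurs as a whole token.

    ANSI matches require a non-identifier byte on both sides, so "send" does
    not fire on "sendto" (PE import name tables are NUL-separated, which
    satisfies this). A plain UTF-16LE containment check is also tried,
    without the boundary test.
    """
    ansi = re.compile(rb"(?<![A-Za-z0-9_])" + re.escape(needle) + rb"(?![A-Za-z0-9_])")
    utf16 = needle.decode("ascii").encode("utf-16-le")
    return bool(ansi.search(data)) or utf16 in data


def triage(data: bytes) -> dict:
    """Report which indicator strings appear and derive two coarse flags."""
    apis = [n.decode() for n in WINSOCK_APIS if _present(data, n)]
    hooks = [n.decode() for n in INJECTION_STRINGS if _present(data, n)]
    http = [n.decode() for n in HTTP_STRINGS if _present(data, n)]
    return {
        "winsock_apis": apis,
        "injection_strings": hooks,
        "http_strings": http,
        # Thresholds are my choice: four or more Winsock imports, or any hook
        # string, is enough to route a sample for closer analysis.
        "likely_network_client": len(apis) >= 4,
        "likely_dll_injection": bool(hooks),
    }


def triage_file(path: str) -> dict:
    """Run triage() over the raw bytes of a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed sample: an import-name-table-like fragment (NUL separated) plus
# a few of the listed strings. Not a real binary.
SAMPLE = (b"\x00socket\x00send\x00recv\x00htons\x00inet_addr\x00"
          b"InstallHook\x00mprtool.dll\x00POST\x00")
# Constructed benign data: the API names only appear inside longer words.
BENIGN = b"MZ\x90\x00 sendtoMySubscribers \x00 recvd_bytes \x00 Socketry"

if __name__ == "__main__":
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A hit is a lead, not a verdict: any legitimate network client imports the same Winsock functions, so the output is only useful for prioritising which samples to look at next, for example alongside the dropped-file and registry indicators listed in this profile.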

The following registry keys have been added to the system

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mprhp
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mprsvr

The registry keys above show that the Trojan installs itself as services (mprhp and mprsvr).

--------------------------------------------------Updated on 01 October 2013 ------------------------------------------------------------------------------------------------

Upon execution, the Trojan drops a file into the following location:

  • %AllUsersProfile%\svchost.exe

The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Userprofile%\Desktop\MMS_09__13.exe: "%Userprofile%\Desktop\MMS_09__13.exe:*:Enabled:MMS_09__13"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Userprofile%\Desktop\MMS_09__13.exe: "%Userprofile%\Desktop\MMS_09__13.exe:*:Enabled:MMS_09__13"

The registry values above show that the Trojan adds a firewall exception for itself, which may allow the remote attacker to issue commands to control the compromised machine without the user's knowledge.


The following registry key values have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: "%AllUsersProfile%\svchost.exe"

The Run entry above ensures that the Trojan is registered with the compromised machine and executes on every system boot.
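The updates in this profile keep returning to the same persistence and firewall-evasion locations: Run and RunOnce values, the Winlogon Shell and Userinit strings, the XP-era Windows Firewall AuthorizedApplications list, a service whose ImagePath sits under a user's Desktop, and executables dropped into the Startup folder. As an added example that is not McAfee's tooling or code from this profile, the following PowerShell script reads those locations on a host and reports entries that point into user-writable paths. It assumes an elevated prompt (so the loaded HKEY_USERS hives are readable); the regular expression of "user-writable" roots and the Startup-folder extension list are my choices; the SharedAccess list exists only on Windows XP-era systems, so on Vista and later the script falls back to Get-NetFirewallRule.

```powershell
# Added example (not McAfee's tooling): read-only audit of the persistence and
# firewall-exception locations this profile describes. Run from an elevated
# PowerShell prompt on the host under investigation; nothing is modified.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Value = $Value })
}

# Paths in which a legitimate autostart, shell or service binary rarely lives
# (my choice of roots; tune for the environment).
$userWritable = '(?i)(\\Users\\|\\Documents and Settings\\|\\ProgramData\\|\\AppData\\|\\Temp\\|%(appdata|localappdata|temp|userprofile|allusersprofile)%)'

# HKLM plus every loaded user hive, since the profile shows entries under both.
$hives = @('HKLM:\SOFTWARE') + (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software" })

# 1. Winlogon Shell and Userinit (18th Feb 2014 and 07-01-2014 updates).
foreach ($h in $hives) {
    $wl = "$h\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $wl)) { continue }
    $p = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
    if ($p.Shell -and $p.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' $wl $p.Shell }
    if ($p.Userinit -and $p.Userinit -ne "$env:windir\system32\userinit.exe,") {
        Add-Finding 'Winlogon Userinit' $wl $p.Userinit
    }
}

# 2. Run / RunOnce values pointing into user-writable paths (most updates).
foreach ($h in $hives) {
    foreach ($sub in 'Run', 'RunOnce') {
        $k = "$h\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            # Keep %APPDATA%-style references unexpanded so the regex sees them.
            $v = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            if ($v -match $userWritable) { Add-Finding "$sub value" "$k\$name" $v }
        }
    }
}

# 3. Firewall exceptions. The profile's entries are the XP-era
#    AuthorizedApplications list; on Vista and later the rules are read
#    through the NetSecurity cmdlets instead.
$xpList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $xpList) {
    $key = Get-Item -Path $xpList
    foreach ($name in $key.GetValueNames()) {
        $v = [string]$key.GetValue($name)
        if ($v -match ':\*:Enabled:' -and $name -match $userWritable) {
            Add-Finding 'XP firewall exception' $name $v
        }
    }
}
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -and $prog -match $userWritable) { Add-Finding 'Firewall allow rule' $_.DisplayName $prog }
    }
}

# 4. Services whose binary sits in a user-writable path (16th Dec 2013 update:
#    "Windows Debug System Management Interface" pointed at %Userprofile%\Desktop).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = [string](Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match $userWritable) { Add-Finding 'Service ImagePath' $_.PSChildName $img }
}

# 5. Executables in the Startup folders (29th May 2014 and 21st Dec 2013 updates).
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($d in $startup) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(exe|scr|bat|cmd|vbs|js)$' } |
        ForEach-Object { Add-Finding 'Startup folder' $_.FullName $_.Name }
}

if ($findings.Count -eq 0) { 'No autostart, shell, service or firewall entries in user-writable locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Every row is a lead to verify against the file on disk (hash, signature, creation time), not a verdict: per-user installers such as browsers legitimately register Run values and firewall rules under %LocalAppData%, whereas a Winlogon Shell that is anything other than explorer.exe, or a service whose ImagePath is under a Desktop or Temp folder, is rarely benign.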



----------------------------------------------Updated on 08 August 2013 ------------------------------------------------------------------------------------------------

Aliases

  • Ahnlab        -    Trojan/Win32.Tepfer
  • Symantec    -    Suspicious.Cloud.5
  • Nod32        -    Win32/Kryptik.BHMA

“Generic BackDoor.u” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker. It also downloads other payloads, such as PWS variants.

“Generic BackDoor.u” is a detection for a Trojan that receives commands from an attacker to access the infected machine and download other malicious files.

“Generic BackDoor.u” steals stored passwords, cache and cookies from the following applications:

 

  • E-mail client
  • Browser
  • FTP client

“Generic BackDoor.u” may send spam e-mail to random e-mail addresses.

Once it has copied itself, the Trojan deletes itself from its original location by dropping a batch file containing the following commands:

  • del "%s"
  • if exist "%s" goto d
  • @echo off
  • del /F "%s"

Upon execution, the Trojan drops files into the following locations:

  • %APPDATA%\Microsoft\Address Book\Administrator.wab
  • %APPDATA%\Ixmuok\icriop.exe
  • %TEMP%\4834343.exe
  • %TEMP%\4809609.exe
  • %TEMP%\4825734.exe
  • %TEMP%\WNLDE7F
  • %Temp%\4839156.bat

The following folders are created by the Trojan:

  • %AppData%\Microsoft\Address Book
  • %APPDATA%\Ixmuok

Upon execution the Trojan attempts to inject itself into explorer.exe and connects to the following URLs over remote ports 4882/http/5086:

  • hxxp://50.[Removed].17/fzKU1Y.exe
  • hxxp://198.[Removed].93/MM75.exe
  • hxxp://174.[Removed].195/nhdx.exe
  • hxxp://50.[Removed].1/nLiZVHtr.exe
  • hxxp://74.[Removed].127/?gws_rd=cr
  • ww[Removed]rki.com
  • ft[Removed]iniaturesby

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
