Installation
This threat makes a copy of itself in a variable location, such as the following:
- %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
- %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
- %AppData%\microsoft\cryptneturlcache\metadata\
- %AppData%\microsoft\drm\
- %AppData%\microsoft\excel\xlstart\
- %AppData%\microsoft\internet explorer\
- %AppData%\microsoft\office\
- %AppData%\microsoft\word\
It can use a variable file name, such as:
- csrss.exe
- eventvwr.exe
- expand.exe
- ie4uinit.exe
- mem.exe
- mobsync.exe
- qappsrv.exe
- route.exe
- rundll32.exe
- winmine.exe
Note that legitimate files also named csrss.exe and rundll32.exe exist by default in <system folder>.
The malware creates about 20 mutexes named MTX_<random hex number> (for example, MTX_9F5977F52104E883ACC0E9DEACC0E9DE).
It changes the registry to ensure it runs at each Windows restart:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<full installation path>" (for example "%AppData%\Microsoft\Excel\xlstart\winmine.exe")
It deletes itself after it has completed its malicious routine by running a BAT file that it also drops, named 7.tmp.bat.
Backdoor:Win32/Caphaw.A injects itself into the following processes to prevent your security software from removing it:
- firefox.exe
- iexplore.exe
- explorer.exe
- reader_sl.exe
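The persistence indicators above (a CLSID-style Run value name, an %AppData% install path, and a file name that imitates a Windows binary) can be checked mechanically. The following added example is not part of the original analysis; it scans a constructed .reg export of the HKCU Run key and checks mutex names against the MTX_ pattern, and the 32-hex-digit mutex length is assumed from the example given above.

```python
import re

# File names the write-up lists as used for the dropped copy.
SPOOFED_NAMES = {
    "csrss.exe", "eventvwr.exe", "expand.exe", "ie4uinit.exe", "mem.exe",
    "mobsync.exe", "qappsrv.exe", "route.exe", "rundll32.exe", "winmine.exe",
}
# Run value name of the form {8-4-4-4-12} hex, as in the example above.
CLSID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
# MTX_ followed by hex; the 32-digit length is assumed from the sample mutex.
MUTEX_RE = re.compile(r"^MTX_[0-9A-F]{32}$")
# A value line in a .reg export looks like: "name"="data"
REG_LINE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
EXE_NAME_RE = re.compile(r'([^\\"]+\.exe)\b', re.I)


def suspicious_run_values(reg_export: str):
    """Return (value name, data) pairs that match all three indicators."""
    hits = []
    for line in reg_export.splitlines():
        m = REG_LINE_RE.match(line.strip())
        if not m:
            continue  # header, key name or blank line
        name = m.group("name")
        # Undo .reg escaping: \" -> " and \\ -> \
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        in_appdata = "\\appdata\\" in data.lower() or data.lower().startswith("%appdata%")
        exe = EXE_NAME_RE.search(data)
        filename = exe.group(1).lower() if exe else ""
        if CLSID_RE.match(name) and in_appdata and filename in SPOOFED_NAMES:
            hits.append((name, data))
    return hits


def is_caphaw_mutex(name: str) -> bool:
    """True if a mutex name fits the MTX_<hex> naming described above."""
    return bool(MUTEX_RE.match(name))


# Constructed sample export of HKCU\...\Run (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\xlstart\\winmine.exe"
"{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"="C:\\Program Files\\Vendor\\updater.exe"
'''

if __name__ == "__main__":
    for value_name, path in suspicious_run_values(SAMPLE_EXPORT):
        print(f"suspicious Run value {value_name} -> {path}")
```

Only the entry combining all three indicators is reported; a CLSID-named value pointing at Program Files, or an %AppData% entry with an ordinary value name, is left alone to keep false positives down.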
Payload
Gives a malicious hacker access to your PC
Backdoor:Win32/Caphaw.A tries to communicate with a malicious hacker using these servers, connecting to TCP port 443:
- web<removed>es.cc
- exte<removed>adv.cc
- no<removed>here.cc
- commonworld<removed>.cc
A malicious hacker can then do a number of actions on your PC, including:
- Control of the system desktop, which lets the attacker see the desktop and take control of the mouse and keyboard
- Access to files and folders via an internal FTP server
- Redirect Internet traffic via a proxy server
- Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
- Log and redirect web traffic from Mozilla Firefox and Internet Explorer
- Update itself
- Shut down or restart your PC
Additional information
This threat has been observed spreading as a post on users' Facebook walls:
Analysis by Mihai Calota