Installation
This threat makes a copy of itself in a variable location, such as the following:
- %APPDATA%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
- %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
- %AppData%\microsoft\cryptneturlcache\metadata\
- %AppData%\microsoft\drm\
- %AppData%\microsoft\excel\xlstart\
- %AppData%\microsoft\internet explorer\
- %AppData%\microsoft\office\
- %AppData%\microsoft\word\
It can use a variable file name, such as:
- csrss.exe
- eventvwr.exe
- expand.exe
- ie4uinit.exe
- mem.exe
- mobsync.exe
- qappsrv.exe
- route.exe
- rundll32.exe
- winmine.exe
Note that legitimate files also named csrss.exe and rundll32.exe exist by default in <system folder>; a copy of either name under %AppData% is not legitimate and should be treated as suspicious.
The malware creates about 20 mutexes named MTX_<random hex number> (for example, MTX_9F5977F52104E883ACC0E9DEACC0E9DE).
It changes the registry to ensure it runs at each Windows restart:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<full installation path>" (for example "%AppData%\Microsoft\Excel\xlstart\winmine.exe")
It deletes itself after completing its malicious routine by running a BAT file, named 7.tmp.bat, that it also drops.
Backdoor:Win32/Caphaw.A injects itself into the following processes to prevent your security software from removing it:
- firefox.exe
- iexplore.exe
- explorer.exe
- reader_sl.exe
Payload
Gives a malicious hacker access to your PC
Backdoor:Win32/Caphaw.A tries to communicate with a malicious hacker using these servers, connecting to TCP port 443:
- web<removed>es.cc
- exte<removed>adv.cc
- no<removed>here.cc
- commonworld<removed>.cc
A malicious hacker can then do a number of actions on your PC, including:
- Control of the system desktop, which lets the attacker see the desktop and take control of the mouse and keyboard
- Access to files and folders via an internal FTP server
- Redirect Internet traffic via a proxy server
- Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
- Log and redirect web traffic from Mozilla Firefox and Internet Explorer
- Update itself
- Shut down or restart your PC
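The indicators described above (the drop folders and file names, the CLSID-named Run value, the processes the backdoor injects into, and the TCP 443 connections) can be checked on a Windows host with the following PowerShell triage script. It is an added example, not code from Microsoft's write-up or from any Microsoft tool; the function names are my own, it inspects only the current user's Run key, and it cannot enumerate the MTX_<hex> mutexes (Sysinternals handle.exe can list those). The C2 host names are redacted on the page, so the network check keys on port 443 and the owning process rather than on a domain.

```powershell
# Added triage script (not part of the original write-up). Checks a host for the
# persistence, drop-file and connection indicators listed for Backdoor:Win32/Caphaw.A.
# Function and variable names are assumptions of this example.

# Drop folders from the write-up, relative to %AppData%.
$DropFolders = @(
    'adobe\linguistics\dictionaries\adobe custom dictionary\all',
    'adobe\linguistics\dictionaries\adobe custom dictionary\eng',
    'microsoft\cryptneturlcache\metadata',
    'microsoft\drm',
    'microsoft\excel\xlstart',
    'microsoft\internet explorer',
    'microsoft\office',
    'microsoft\word'
)

# File names from the write-up. csrss.exe and rundll32.exe are legitimate in the
# system folder; only copies under %AppData% are of interest here.
$DropNames = @('csrss.exe', 'eventvwr.exe', 'expand.exe', 'ie4uinit.exe', 'mem.exe',
               'mobsync.exe', 'qappsrv.exe', 'route.exe', 'rundll32.exe', 'winmine.exe')

# Processes the backdoor injects into, from the write-up.
$InjectTargets = @('firefox.exe', 'iexplore.exe', 'explorer.exe', 'reader_sl.exe')

# A Run value name that is exactly a braced GUID, like {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}.
$ClsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Find-CaphawRunValues {
    # CLSID-named values under HKCU Run whose data points into one of the drop folders.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    $appData = [Environment]::ExpandEnvironmentVariables('%AppData%')
    foreach ($name in $item.GetValueNames()) {
        if ($name -notmatch $ClsidPattern) { continue }
        $data = [string]$item.GetValue($name)
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
        foreach ($folder in $DropFolders) {
            $prefix = Join-Path $appData $folder
            if ($expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                [PSCustomObject]@{ Indicator = 'RunValue'; Name = $name; Data = $data }
            }
        }
    }
}

function Find-CaphawDropFiles {
    # Any of the listed file names sitting in any of the listed folders under %AppData%.
    $appData = [Environment]::ExpandEnvironmentVariables('%AppData%')
    foreach ($folder in $DropFolders) {
        $dir = Join-Path $appData $folder
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $DropNames -contains $_.Name.ToLower() } |
            ForEach-Object {
                [PSCustomObject]@{ Indicator = 'DropFile'; Path = $_.FullName; Size = $_.Length }
            }
    }
}

function Find-CaphawConnections {
    # Established TCP connections to remote port 443 owned by one of the injection targets.
    # Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older hosts use
    # "netstat -ano" and map the PID column by hand. Browser hits must be reviewed against
    # the sites the user visited; explorer.exe and reader_sl.exe hits are the unusual ones.
    if (-not (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) { return @() }
    Get-NetTCPConnection -State Established -RemotePort 443 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            if ($proc -and ($InjectTargets -contains ($proc.Name + '.exe'))) {
                [PSCustomObject]@{
                    Indicator = 'Connection'
                    Process   = $proc.Name
                    Pid       = $proc.Id
                    Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
                }
            }
        }
}

$findings = @(Find-CaphawRunValues) + @(Find-CaphawDropFiles) + @(Find-CaphawConnections)
if ($findings.Count -eq 0) {
    'No Caphaw indicators found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in each interactive user's session (or adapt the Run-key check to walk HKEY_USERS) because the persistence value lives under HKCU, and treat a DropFile or RunValue hit as a reason to image the host rather than to delete the file, since the backdoor also drops the 7.tmp.bat cleanup script and re-injects into explorer.exe.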
Additional information
This threat has been observed spreading as a post on users' Facebook walls.
Analysis by Mihai Calota