Installation
When run, this threat drops a DLL component in %ALLUSERSPROFILE%\AppData using a random file name with a DAT extension. Some of the file names it has been known to use are:
- degwbxm.dat
- dqxcovwm.dat
- ejrtzpaz.dat
- fvvifvwz.dat
- iopwark.dat
- uvfuvwog.dat
- wthejcy.dat
- xausgo.dat
- zlbgqk.dat
The DLL file is then injected into a running process, for example, any of the following:
- chrome.exe
- explorer.exe
- firefox.exe
- iexplore.exe
This threat creates the following registry entry so that its DLL component automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<DLL file name>"
With data: "regsvr32.exe /s "%ALLUSERSPROFILE%\AppData\<DLL file name>.dat""
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "bqbclrtr"
With data: "regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\bqbclrtr.dat""
Payload
Changes Internet Explorer settings
This threat changes the following Internet Explorer settings:
- Disables the home page warning message when Internet Explorer is opened for the first time:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "dword:00000001"
- Sets tabs and frames to run within the same process in IE:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "TabProcGrowth"
With data: "dword:00000000"
- Lowers Internet zone security settings:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "dword:00000003"
Lets a malicious hacker access your PC
This backdoor threat contacts a malicious hacker by connecting to a certain server. Some of the servers it has been known to connect to are:
- 188.190.126.87
- 188.190.127.87
- 195.137.188.50
- 195.191.56.247
- 195.210.47.173
- afg.com.tw
- countdown.com.tw
- miison.com.tw
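The server list above is the most directly actionable part of this description for a defender. The following is an added example, not code from the original analysis, that matches the listed IP addresses and domains against proxy log lines. The log format (time, client, destination[:port], action) and the log lines themselves are constructed for the example; it validates IP addresses properly and matches domains by suffix so that near-misses such as a longer address or a host that merely starts with a listed name are not flagged.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Command-and-control indicators listed on the page.
C2_IPS = {"188.190.126.87", "188.190.127.87", "195.137.188.50",
          "195.191.56.247", "195.210.47.173"}
C2_DOMAINS = {"afg.com.tw", "countdown.com.tw", "miison.com.tw"}

# Constructed proxy log lines (not from the page): time, client, destination[:port], action.
# Lines 4 and 5 are deliberate near-misses that a plain substring search would wrongly flag.
SAMPLE_LOG = """\
2013-05-02T09:14:02Z 10.0.0.15 www.example.com:443 ALLOW
2013-05-02T09:14:07Z 10.0.0.15 188.190.126.87:80 ALLOW
2013-05-02T09:15:31Z 10.0.0.22 update.COUNTDOWN.com.tw:80 ALLOW
2013-05-02T09:16:00Z 10.0.0.22 188.190.126.875:80 ALLOW
2013-05-02T09:16:44Z 10.0.0.31 afg.com.tw.example.net:443 ALLOW
"""

# Assumed log layout; the destination is an IPv4 address or host name, optionally with :port.
_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+([^\s:]+)(?::(\d+))?\s+(\S+)$')


def is_c2_ip(host: str) -> bool:
    """True only for a syntactically valid IP address that is in the indicator set."""
    try:
        return str(ipaddress.ip_address(host)) in C2_IPS
    except ValueError:
        return False


def is_c2_domain(host: str) -> bool:
    """True for a listed domain or any subdomain of it, case-insensitively."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def find_c2_contacts(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return the log records whose destination matches a listed indicator."""
    hits: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m is None:
            continue
        ts, client, host, port, action = m.groups()
        if is_c2_ip(host) or is_c2_domain(host):
            hits.append({"time": ts, "client": client, "dest": host,
                         "port": port, "action": action})
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG):
        print(hit)
```

On the sample log only the second and third lines are reported: the exact IP and the subdomain of countdown.com.tw. The malformed address and the host that merely begins with afg.com.tw are ignored, which is the behaviour you want before raising an alert on a client.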
Once connected, the malicious hacker can do any of the following:
- Log your keystrokes
- Take screenshots of your desktop
- Open a remote command shell
- Download and run files
- Find out what processes are running on your PC
- Get a list of your visited websites
- Delete your browser cache
- Delete files
- Steal digital certificates saved on your PC
- Steal IE and Firefox cookies
- Start or stop processes like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager
- Change Firefox settings
Steal information
This backdoor threat can steal information such as your user names and passwords for certain websites. We have observed this threat stealing this information when you visit any of these websites:
- caixaebanking.cgd.pt
- chaseonline.chase.com
Note that the monitored websites can vary.
This threat also tries to steal cached passwords and keywords from Internet Explorer.
It also tries to steal stored user name and password information from these programs, which are mostly file transfer and email programs:
- 32BitFtp
- 3D-FTP
- ALFTP
- AceBIT
- BitKinex
- BlazeFtp
- Bullet Proof FTP
- COREFTP
- CUTEFTP
- ClassicFTP
- CoffeeCup Software
- Cryer
- Cyberduck
- DeluxeFTP
- Directory Opus
- EasyFTP
- ExpanDrive
- FFFTP
- FTP CONTROL
- FTP Commander
- FTP Explorer
- FTP Navigator
- FTP++.Link
- FTPGetter
- FTPInfo
- FTPNow
- FTPRush
- FTPShell
- FTPVoyager
- Far FTP Plugin
- FastStone Browser
- FileZilla
- FlashFXP
- Fling
- FreshFTP
- Frigate3
- Global Downloader
- GoFTP
- Leapftp
- LeechFTP
- LinasFTP
- Martin Prikryl
- Mozilla Thunderbird
- My FTP
- NetDrive
- NetSarang
- NexusFile
- Notepad++
- NovaFTP
- Odin
- Pocomail
- PuTTY
- Remote Desktop
- RimArts
- Robo-FTP
- SecureFX
- SmartFTP
- SoftX.org
- Staff-FTP
- TurboFTP
- UltraFXP
- Visicom Media
- WS_FTP
- WebDrive
- WinFTP
- WinZip FTP
- Windows Commander
- Windows Mail
The stolen credentials are then sent to the malicious hacker.
Prevents your AV software from running
This backdoor threat makes changes to your software restriction policies, which prevents certain AV software from running on your PC. If you have any of these AV products installed, they might not run as expected:
- a-squared Anti-Malware
- a-squared HiJackFree
- Agnitum
- Alwil Software
- AnVir Task Manager
- ArcaBit
- AVAST Software
- AVG
- Avira
- BitDefender
- BlockPost
- DefenseWall HIPS
- DrWeb
- ESET
- F-Secure
- FRISK Software
- G Data
- K7 Computing
- Kaspersky Lab
- Lavasoft
- McAfee
- Norton AntiVirus
- Online Solutions
- P Tools
- Panda Security
- Positive Technologies
- Sandboxie
- Security Task Manager
- Spyware Terminator
- Sunbelt Software
- Symantec
- Trend Micro
- UAenter
- Xore
- Zillya Antivirus
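The registry artifacts described in the Installation section, the "Changes Internet Explorer settings" section and this section can all be checked from a single registry export. The following is an added example, not code from the original analysis, that parses a .reg file and reports the three kinds of finding. The export text is constructed for the example (the OneDrive entry, user name, GUID and vendor path are made up; the regsvr32 command and IE values mirror the page). Since the page does not say how the software restriction policies are modified, the example assumes the usual mechanism of Disallowed path rules under Safer\CodeIdentifiers\0\Paths and matches them against a subset of the vendor names listed above.

```python
import re
from typing import Dict, List

# Constructed .reg export from a hypothetical infected host (not from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"bqbclrtr"="regsvr32.exe /s \"C:\\Documents and Settings\\All Users\\Application Data\\bqbclrtr.dat\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
"TabProcGrowth"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"2500"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files\\Kaspersky Lab"
"SaferFlags"=dword:00000000
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: data}}.
    REG_SZ becomes str, REG_DWORD becomes int; other types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm is None or current is None:
            continue
        name, data = _unescape(vm.group(1)), vm.group(2)
        if data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Persistence pattern from the Installation section: regsvr32 silently (/s) loading a
# .dat file with a short random name; the name-length class follows the page's examples.
_REGSVR_DAT_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+/s\s+"?[^"]*\\[A-Za-z0-9]{5,12}\.dat"?\s*$', re.IGNORECASE)

# (key, value name, data) triples from the "Changes Internet Explorer settings" section
IE_SETTINGS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "NoProtectedModeBanner", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "TabProcGrowth", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", 3),
]

# SRP path rules live under CodeIdentifiers\<level>\Paths\<GUID>; level 0 is Disallowed.
# Assumption: the threat blocks AV with Disallowed path rules (the page gives no detail).
SRP_DISALLOWED_PATHS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
AV_VENDOR_WORDS = ["kaspersky", "symantec", "mcafee", "avast", "avira", "bitdefender",
                   "trend micro", "f-secure", "panda security"]  # subset of the page's list

def find_run_persistence(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Names of Run values whose command matches the regsvr32 /s <name>.dat pattern."""
    return [name for name, data in reg.get(RUN_KEY, {}).items()
            if isinstance(data, str) and _REGSVR_DAT_RE.search(data)]

def find_ie_tampering(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Value names that hold exactly the data the threat is known to set."""
    return [name for key, name, bad in IE_SETTINGS if reg.get(key, {}).get(name) == bad]

def find_srp_av_blocks(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """ItemData paths of Disallowed SRP rules that name an AV vendor (substring heuristic)."""
    hits = []
    for key, values in reg.items():
        if not key.startswith(SRP_DISALLOWED_PATHS + "\\"):
            continue
        path = str(values.get("ItemData", ""))
        if any(word in path.lower() for word in AV_VENDOR_WORDS):
            hits.append(path)
    return hits

def triage(text: str) -> Dict[str, List[str]]:
    reg = parse_reg(text)
    return {"run_persistence": find_run_persistence(reg),
            "ie_tampering": find_ie_tampering(reg),
            "srp_av_blocks": find_srp_av_blocks(reg)}

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_REG).items():
        print(f"{section}: {findings}")
```

Run against an export taken with `reg export` of the relevant hives, the three lists give a quick answer to whether the autorun entry, the lowered IE settings and any AV-blocking policy rules are present; the IE check reports only values set to exactly the data the threat uses, so a value that an administrator changed to something else is not counted.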
Analysis by Ric Robielos and Vincent Tiu