Threat behavior
Backdoor:Win32/Nuwar.C is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, folders and processes.
When executed, Backdoor:Win32/Nuwar.C peforms the following actions.
-
Copies itself to %windir%\spooldr.exe
-
Creates a configuration file %windir%\spooldr.ini which contains a list of peers to connect to initially (see "Backdoor Functionality" section below for further detail).
-
Drops a kernel driver <system folder>\spooldr.sys. The driver is then installed, using the file name, minus the extension, as the display name.
- Creates an event, "K8JT6Hnjm$#jui#WWhHHgG", which it uses as a marker to prevent re-installation attempts if the driver is already running.
- Attempts to modify tcpip.sys. This modification will load the driver <system folder>\spooldr.sys. The two targeted files are <system folder>\dllcache\tcpip.sys and <system folder>\drivers\tcpip.sys.
- Attempts to modify Windows Time configuration settings.
Note: <system folder> refers to the Windows system folder. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000), C:\Windows\System (Windows 95/98/ME).
Backdoor:Win32/Nuwar.C takes several measures in order to lower security settings and evade detection on the infected computer, including the following:
-
Registers itself as an exception to the Windows Internet Connection Firewall (ICF)
-
Attempts to terminate the following security related processes:
zlclient.exe
outpost.exe
fsbl.exe
-
Attempts to prevent any executable image with the following substrings from executing. (Note that many of these files are related to antivirus applications, and conversely, presumably as an anti-competitive measure, known spyware, adware and rogue security applications):
|
avp.exe
avpm.exe
avz.exe
bc_hassh_f.sys
bc_ip_f.sys
bc_ngn.sys
bc_pat_f.sys
bc_prt_f.sys
bc_tdi_f.sys
bcfilter.sys
bcftdi.sys
bdmcon.exe
bdss.exe
ccapp.exe
ccevtmgr.exe
cclaw.exe
ccpxysvc.exe
f-sched.exe
f-stopw.exe
filtnt.sys
FireWalker.exe
FloboSpywareClean.exe
ForbesAlerts.exe
fpavupdm.exe
freedom.exe
freeprodtb.exe
FroggieScanDemo.exe
fs30.exe
fsav32.exe
fsbl.exe
fsdfwd.exe
fservice.exe
fsm32.exe
ftviewer.exe
fvprotect.exe
fwnet64.exe
gcasdtserv.exe
gcasserv.exe
GeoWhere.2.61.lite.exe
gestionnaire antidote.exe
GetByMail.exe
GiveMeToo.exe
Gnucleus.exe
GoodbyeSpy.exe
GrabBurn.exe
guard.exe
gv.exe
hackmon.exe
HbtOEAddOn.exe
hidownload.exe
HitVirus.exe
hwpe2.exe
iao.exe
icmon.exe
iesplugin.dll
IEWatch20.exe
IncrediMail
inetupd.exe
install.exe
InternetSpy.exe
IntraKey.exe
irsetup.exe
isaddon.dll
isafe.exe
isamini.exe
isamonitor.exe
isass.exe
isclean.exe
ishost.exe
ismini.exe
isnotify.exe
issearch.exe
issvc.exe
itbill.exe
itunesmusic.exe
iwnvod.exe
ixt0.dll
Jimmy Surf.exe
JustRemoteITServer.exe
kav.exe
kavss.exe
kavsvc.exe
KeyLogger.exe
KeyLover21.exe
KillAndClean.exe
klpf.exe
klswd.exe
kpf4ss.exe
little_helper2.exe
livesrv.exe
LoggerConfigurator.exe
lsasrv.exe
lsass32.exe
magiclink.exe
MagPlayer.exe
MailSkinner.exe
Main.exe
MainWnd.exe
MalScr.exe
MalSwep.exe
MalwareDestroyer.exe
MalWhere.exe
mathchk.exe
mcagent.exe
mcshield.exe
mctskshd.exe
MemoryWatcher.exe
MNS.exe
Mob Masher.exe
moni.exe
monifree.exe
MP3Galaxy.exe
mpfirewall.sys
MPPoker.exe
mscornet.exe
msecag.exe
msgsys.exe
MSHUTDOWN.exe
msls32.exe
MsnSniffer.exe
mssearchnet.exe
msssrv.exe
multipl.exe
mupd32.dll
mwsoemon.exe
mytoolbar.dll
MyVideoDaily2.exe
navapp.exe
navstub.exe
navw32.exe
NetCtl.exe
NetPumperIEProxy.exe
Netzip.exe
nisum.exe
Njexplor.exe
NLSupervisorPro.exe
no32mon.exe
nod32krn.exe
nod32ra.exe
norton update.exe
nsmdtr.exe
nstask32.exe
nvctrl.exe
OemjiShare.exe
ofcdog.exe
optimize.exe
outpost.exe
Overseer.exe
OverSpy.exe
P2P Networking.exe
pavfnsvr.exe
pbcpl.exe
PBOptions.exe
PC Scanner.exe
pcacmes.exe
PCagent.exe
PCBusted.exe
pcOrion.exe
pcps.exe
PCSmokingGun2.exe
pctptt.exe
pcwatch.exe
Penguin Panic.exe
personalmoneytree.exe
PestTrap.exe
PestWiper.exe
picx.exe
PKViewer.exe
plook.exe
pmmon.exe
pmsngr.exe
pmuninst.exe
POPUPS~1.EXE
powerscan.exe
ppmemcheck.exe
ppsys.exe
ppv5.exe
PrecisionTime.exe
PrivacyCrusaderDemo.exe
PrivateMailReader.exe
ProcAlert.exe
Pronto.exe
prt.exe
PSFree.exe
pxckdla.exe
qconsole.exe
qpanel.exe
rasautou.exe
RazeSpyware.exe
RCPAdmin.exe
rdriv.sys
Recorder.exe
regbar.exe
RegClean32.exe
Registry Fix.exe
RegistryCare.exe
RegistrySweeper.exe
|
regresc.exe
RemedyAntispy.exe
removeit.exe
RepSvc.exe
RFManager.exe
rpcsetup.exe
rrtcany.dll
rtvscan.exe
RunBackGammon.exe
RunBingo.exe
Safewebsurfer.exe
sandbox.sys
sandboxieserver.exe
SAR.exe
SaveMyWork.exe
savscan.exe
sb32mon.exe
sbserv.exe
sbsse.exe
Scan&Repair2006.exe
Scanner.exe
scanregw.exe
Scrabble.exe
Sd2006.exe
SecCon.exe
Secret Spy.exe
Security iGuard.exe
SeeStat.exe
serv.exe
service.exe
service32.exe
SGFwSvc.exe
showbar.exe
ShowBehind.exe
sidefind.exe
SK60.exe
skin2000.exe
sks32proc.exe
SlimShield.exe
slman.exe
SmileySource.exe
smoke.exe
smpcpro.exe
smss32bk.exe
SnackMan.exe
sndsrvc.exe
Snoop.exe
SnowballWars.exe
Sp0.exe
sp_rsser.exe
spamihilator.exe
spampal.exe
spbbcsvc.exe
Spedia.exe
Spy Cleaner Gold.exe
Spy Cleaner Platinum.exe
SpyAOL.exe
SpyBro.exe
spycl4.exe
SpyFighter.exe
SpyGraphica.exe
SpyHeal.exe
SpyHunter.exe
SpyiBlock.exe
Spyinator.exe
SpyKiller.exe
SpyLax.exe
SpyMon.exe
SpyOnThis.exe
SpyPry.exe
SpyReaperProDemo.exe
spyrem.exe
spyshield.exe
SpySniper.exe
SpySpotter.exe
SpySub.exe
Spytector.exe
SpyTrooper.exe
SpyViperProDemo.exe
Spyware_Annihilator.exe
SpywareBot.exe
SpywareDetector.exe
SpywareDisinfector.exe
SpywareQuake.exe
spywareremovalwizard.exe
SpywareRemover.exe
SpywareSlayer.exe
SpywareStormer.exe
SSDemo.exe
sservice.exe
Ssk.exe
ssp.exe
sss.exe
StaffCop.exe
stardialer.exe
StartPoker.exe
stinger.exe
STMonitor.exe
story.exe
sunshinebingo.exe
Surfkeeper.exe
sv.exe
svcmon.exe
swatcher.exe
swdoctor.exe
swnxt.exe
symwsc.exe
syscfg32.exe
sysd.exe
sysformat.exe
syslog.exe
Syslogin.exe
sysmgr32.exe
sysmgr64.exe
system.exe
taskdir.exe
tasker.exe
titanshield.exe
tmoagent.exe
Toolbar_cobrand.EXE
ToolKeylogger.exe
TopSearch.exe
tpcl.exe
truedownloader.exe
TrustCleaner.exe
TTBSETUP.exe
TVS_B.exe
TWAB5.exe
u88.exe
UDC2006.exe
uert.exe
UltraKeyboard.exe
UnSpyPC.exe
update.bat
updsvc.exe
userinit32.exe
usrprmpt.exe
USYP.exe
UTviewer.exe
VCatch.exe
vcehaeb.dll
vetmsg.exe
vetmsg9x.exe
vettray.exe
view.exe
viewer.exe
VIRTUESCOPE.exe
VirusRescue.exe
vptray.exe
vsdatant.sys
was6.exe
watchdog.sys
wcantispy.exe
Weather.exe
webrebates.exe
websnitch.exe
wfdmgr.exe
whspeedrank.exe
WICleaner.exe
win16dll.exe
WinAV.exe
wincom32.sys
wincp.exe
windll.exe
winlogin.exe
winlogons.exe
winlogonsys.exe
WinPass.exe
WinSL.exe
winsrv32.exe
wmsmod32.exe
wnames.exe
wnetmgr.exe
words.exe
WorldAntiSpy.exe
wrclock.exe
ws.exe
wslogger.exe
WSMDI.exe
WTRTrial.exe
wupdt.exe
X-Con Spyware Destroyer.exe
xcommsvr.exe
xfr.exe
Xolox.exe
xp-antispy.exe
xSpyware.exe
zango.exe
ZangoAstrology.exe
ZangoTVTimes.exe
zapspot.exe
zclient.exe
zcodec.exe
ZComService.exe
zilla.exe
ZipItFast.exe
zlara.dll
|
Advanced Stealth Features
The driver, "spooldr.sys", hides files, folders and processes beginning with the string "spooldr" by hooking the following function:
Backdoor Functionality
The Trojan attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions including:
-
gathering e-mail addresses from files with the following extensions on all fixed drives on the affected machine:
.adb
.asp
.cfg
.cgi
.dat
.dbx
.dhtm
.eml
.htm
.jsp
.lst
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml
However, the Trojan avoids addresses that contain the following substrings:
@avp.
@foo
@iana
@messagelab
@microsoft
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
-
Perform Denial of Service (DoS) attacks.
-
Compose and send e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
-
Downloading and executing arbitrary files, including files with which to update itself.
Prevention
