Backdoor:Win32/Poison.BR

Backdoor:Win32/Poison.BE is a backdoor trojan that allows unauthorized access and control of your computer. It may arrive in your computer by being dropped by malware that exploit the vulnerability described in CVE-2012-4969 and resolved with the release of Microsoft Security Advisory 2755399.

Installation

Backdoor:Win32/Poison.BE may be dropped in your computer by Exploit:Win32/CVE-2012-4969.A. It drops a DLL file as "%SystemRoot%\system32\mspmsnsv.dll" and then deletes itself.

This DLL file is also detected as Backdoor:Win32/Poison.BE.

Payload

Disables the System File Checker (SFC)

Backdoor:Win32/Poison.BE disables the System File Checker (SFC) by killing the SFC watcher thread in the "winlogon.exe" process.

Hijacks the Windows service "Portable Media Serial Number"

Backdoor:Win32/Poison.BE replaces the Windows system file "%SystemRoot%\system32\mspmsnsv.dll" with its dropped file. This file is used by the Windows service "Portable Media Serial Number".

It does this to ensure that it gets executed with elevated privileges in the context of the "svchost.exe" process.

Allows backdoor access and control

Backdoor:Win32/Poison.BE connects to "ie.aq1.co.uk" to receive commands from a remote attacker. These commands may include downloading and running arbitrary files.

Analysis by Horea Coroiu