
Backdoor:Win32/Caphaw.A


Microsoft security software detects and removes this threat.

It lets a hacker gain access to your PC.

You might receive a Facebook post containing a link that leads to this threat. The link might look like this:



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Change your passwords

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat makes a copy of itself in a variable location, like the following:

  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
  • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
  • %AppData%\microsoft\cryptneturlcache\metadata\
  • %AppData%\microsoft\drm\
  • %AppData%\microsoft\excel\xlstart\
  • %AppData%\microsoft\internet explorer\
  • %AppData%\microsoft\office\
  • %AppData%\microsoft\word\

with a variable file name like any of the following:

  • csrss.exe
  • eventvwr.exe
  • expand.exe
  • ie4uinit.exe
  • mem.exe
  • mobsync.exe
  • qappsrv.exe
  • route.exe
  • rundll32.exe
  • winmine.exe

Note that legitimate files also named csrss.exe and rundll32.exe exist by default in <system folder>. Only copies found in the %AppData% folders listed above are associated with this threat.

The malware creates approximately 20 mutexes named MTX_<random hex number> (for example, MTX_9F5977F52104E883ACC0E9DEACC0E9DE).

It changes the registry to ensure it runs at each Windows restart:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<full installation path>" (for example "%AppData%\Microsoft\Excel\xlstart\winmine.exe")

It deletes itself after completing its malicious routine by running a BAT file that it also drops, named 7.tmp.bat.

Backdoor:Win32/Caphaw.A injects itself into the following processes to prevent security software from removing it:

  • firefox.exe
  • iexplore.exe
  • explorer.exe
  • reader_sl.exe

Payload

Lets a hacker access your PC

Backdoor:Win32/Caphaw.A tries to communicate with a remote attacker through the following servers, connecting over TCP port 443:

  • web<removed>es.cc
  • exte<removed>adv.cc
  • no<removed>here.cc
  • commonworld<removed>.cc

A hacker can do a number of actions on your PC, including:

  • Control of the system desktop, which lets the attacker see the desktop and take control of the mouse and keyboard
  • Access to files and folders via an internal FTP server
  • Redirect Internet traffic via a proxy server
  • Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
  • Log and redirect web traffic from Mozilla Firefox and Internet Explorer
  • Update itself
  • Shut down or restart your PC

Additional information

This threat has been observed spreading as a post on users' Facebook walls:

Analysis by Mihai Calota


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    • csrss.exe
    • eventvwr.exe
    • expand.exe
    • ie4uinit.exe
    • mem.exe
    • mobsync.exe
    • qappsrv.exe
    • route.exe
    • rundll32.exe
    • winmine.exe
    in any of the following folders:
    • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\all\
    • %AppData%\adobe\linguistics\dictionaries\adobe custom dictionary\eng\
    • %AppData%\microsoft\cryptneturlcache\metadata\
    • %AppData%\microsoft\drm\
    • %AppData%\microsoft\excel\xlstart\
    • %AppData%\microsoft\internet explorer\
    • %AppData%\microsoft\office\
    • %AppData%\microsoft\word\
  • A Facebook friend's post on your wall might contain a link to this threat. The link might look like:
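As an added example, not part of the Microsoft write-up, the following Python helper turns the host indicators given in the Installation and Symptoms sections into a check that can be run offline over artifacts exported from a PC (file paths, HKCU Run values and open mutex names): it flags the listed file names only when they sit in one of the listed %AppData% folders (so the legitimate csrss.exe and rundll32.exe in the system folder do not match), a Run value whose name is a bare CLSID and whose data points at such a path, and the MTX_<hex> mutex family. The sample host record, the minimum hex length accepted for the mutex name and the verdict thresholds are assumptions for illustration, not details from the write-up.

```python
"""Offline triage check for the Backdoor:Win32/Caphaw.A host indicators."""
import re

# Install folders from the write-up, relative to the roaming AppData folder.
CAPHAW_DIRS = {
    r"\adobe\linguistics\dictionaries\adobe custom dictionary\all",
    r"\adobe\linguistics\dictionaries\adobe custom dictionary\eng",
    r"\microsoft\cryptneturlcache\metadata",
    r"\microsoft\drm",
    r"\microsoft\excel\xlstart",
    r"\microsoft\internet explorer",
    r"\microsoft\office",
    r"\microsoft\word",
}
# Dropped file names from the write-up.
CAPHAW_NAMES = {
    "csrss.exe", "eventvwr.exe", "expand.exe", "ie4uinit.exe", "mem.exe",
    "mobsync.exe", "qappsrv.exe", "route.exe", "rundll32.exe", "winmine.exe",
}
# Mutex family MTX_<hex>; the 16+ digit minimum is an assumption (the
# published example has 32 hex digits).
MUTEX_RE = re.compile(r"^MTX_[0-9A-F]{16,}$", re.I)
# Run value names that are a bare CLSID, e.g. {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Accept both the %AppData% form and an expanded roaming profile path.
APPDATA_RE = re.compile(r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)", re.I)


def split_appdata_path(path):
    """Return (subdir, filename), lower-cased, if path is under roaming AppData; else None."""
    p = path.strip().strip('"')
    m = APPDATA_RE.match(p)
    if not m:
        return None
    rest = p[m.end():].rstrip("\\")
    subdir, _, name = rest.rpartition("\\")
    return subdir.lower(), name.lower()


def is_caphaw_install_path(path):
    """True only when BOTH the folder and the file name match the write-up."""
    parsed = split_appdata_path(path)
    if parsed is None:
        return False
    subdir, name = parsed
    return subdir in CAPHAW_DIRS and name in CAPHAW_NAMES


def is_caphaw_run_value(value_name, value_data):
    """HKCU\\...\\Run entry named with a CLSID whose data is a Caphaw install path."""
    return bool(CLSID_RE.match(value_name.strip())) and is_caphaw_install_path(value_data)


def is_caphaw_mutex(name):
    return bool(MUTEX_RE.match(name.strip()))


def triage(artifacts):
    """artifacts = {"files": [...], "run_values": [(name, data), ...], "mutexes": [...]}.

    Verdict rule (assumption): a file or Run-key hit is strong on its own; the
    MTX_ mutex name is generic, so it only counts when many are present, as
    the write-up describes (~20 per infection).
    """
    files = [p for p in artifacts.get("files", []) if is_caphaw_install_path(p)]
    run = [(n, d) for n, d in artifacts.get("run_values", []) if is_caphaw_run_value(n, d)]
    mtx = [m for m in artifacts.get("mutexes", []) if is_caphaw_mutex(m)]
    if files or run:
        verdict = "likely_caphaw"
    elif len(mtx) >= 10:
        verdict = "suspicious_mutexes"
    else:
        verdict = "clean"
    return {"files": files, "run_values": run, "mutexes": mtx, "verdict": verdict}


# Constructed sample host record (not from a real system).
SAMPLE_HOST = {
    "files": [
        r"C:\Windows\System32\csrss.exe",  # legitimate copy, must not match
        r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\winmine.exe",
        r"C:\Users\alice\AppData\Roaming\Microsoft\Word\notes.docx",
    ],
    "run_values": [
        ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
        ("{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}",
         r'"%AppData%\Microsoft\Excel\xlstart\winmine.exe"'),
    ],
    "mutexes": ["MTX_9F5977F52104E883ACC0E9DEACC0E9DE", "MSCTF.Shared.MUTEX.ABC",
                "Local\\ZonesCounterMutex"],
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOST).items():
        print(f"{key}: {value}")
```

On a live Windows host the three artifact lists would come from a directory listing of %AppData%, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key and a handle enumeration; the check deliberately requires folder and file name to match together, because every listed file name is also a legitimate Windows or Office binary elsewhere on the system.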

Prevention


Alert level: Severe
First detected by definition: 1.111.1491.0
Latest detected by definition: 1.177.301.0 and higher
First detected on: Sep 05, 2011
This entry was first published on: Sep 06, 2011
This entry was updated on: Apr 29, 2014

This threat is also detected as:
  • Backdoor.Win32.Caphaw (Ikarus)