Backdoor:Win32/Vawtrak.A


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker access to your PC. It can also steal your personal information, such as your user names and passwords for some banking websites. 

Find out ways that malware can get on your PC.  

See the Win32/Vawtrak family description for more information.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

When run, this threat drops a DLL component in %ALLUSERSPROFILE%\AppData using a random file name with a DAT extension. Some of the file names it has been known to use are:

  • degwbxm.dat
  • dqxcovwm.dat
  • ejrtzpaz.dat
  • fvvifvwz.dat
  • iopwark.dat
  • uvfuvwog.dat
  • wthejcy.dat
  • xausgo.dat
  • zlbgqk.dat

The DLL file is then injected into a running process, for example, any of the following:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe

This threat creates the following registry entry so that its DLL component automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<DLL file name>"
With data: "regsvr32.exe /s "%ALLUSERSPROFILE%\AppData\<DLL file name>.dat""

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "bqbclrtr"
With data: "regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\bqbclrtr.dat""

Payload

Changes Internet Explorer settings

This threat changes the following Internet Explorer settings:

  • Disables the home page warning message when Internet Explorer is opened for the first time:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "NoProtectedModeBanner"
    With data: "dword:00000001"

  • Sets tabs and frames to run within the same process in IE:

    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Sets value: "TabProcGrowth"
    With data: "dword:00000000"

  • Lowers Internet zone security settings:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    Sets value: "2500"
    With data: "dword:00000003"

Lets a malicious hacker access your PC

This backdoor threat contacts a malicious hacker by connecting to a certain server. Some of the servers it has been known to connect to are:


Once connected, the malicious hacker can do any of the following:

  • Log your keystrokes
  • Take screenshots of your desktop
  • Open a remote command shell
  • Download and run files
  • Find out what processes are running on your PC
  • Get a list of your visited websites
  • Delete your browser cache
  • Delete files
  • Steal digital certificates saved in your PC
  • Steal IE and Firefox cookies
  • Start or stop processes like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager
  • Change Firefox settings

Steal information

This backdoor threat can steal information such as your user names and passwords for certain websites. We have observed this threat stealing this information when you visit any of these websites:

  • caixaebanking.cgd.pt
  • chaseonline.chase.com

Note that the monitored websites can vary.

This threat also tries to steal cached passwords and keywords from Internet Explorer.

It also tries to steal stored user name and password information from these programs, which are mostly file transfer and email programs:

  • 32BitFtp
  • 3D-FTP
  • ALFTP
  • AceBIT
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • COREFTP
  • CUTEFTP
  • ClassicFTP
  • CoffeeCup Software
  • Cryer
  • Cyberduck
  • DeluxeFTP
  • Directory Opus
  • EasyFTP
  • ExpanDrive
  • FFFTP
  • FTP CONTROL
  • FTP Commander
  • FTP Explorer
  • FTP Navigator
  • FTP++.Link
  • FTPGetter
  • FTPInfo
  • FTPNow
  • FTPRush
  • FTPShell
  • FTPVoyager
  • Far FTP Plugin
  • FastStone Browser
  • FileZilla
  • FlashFXP
  • Fling
  • FreshFTP
  • Frigate3
  • Global Downloader
  • GoFTP
  • Leapftp
  • LeechFTP
  • LinasFTP
  • Martin Prikryl
  • Mozilla Thunderbird
  • My FTP
  • NetDrive
  • NetSarang
  • NexusFile
  • Notepad++
  • NovaFTP
  • Odin
  • Pocomail
  • PuTTY
  • Remote Desktop
  • RimArts
  • Robo-FTP
  • SecureFX
  • SmartFTP
  • SoftX.org
  • Staff-FTP
  • TurboFTP
  • UltraFXP
  • Visicom Media
  • WS_FTP
  • WebDrive
  • WinFTP
  • WinZip FTP
  • Windows Commander
  • Windows Mail

The stolen credentials are then sent to the malicious hacker.

Prevents your AV software from running

This backdoor threat makes changes to your software restriction policies, which prevents certain AV software from running on your PC. If you have any of these AV products installed, they might not run as expected:

  • a-squared Anti-Malware
  • a-squared HiJackFree
  • Agnitum
  • Alwil Software
  • AnVir Task Manager
  • ArcaBit
  • AVAST Software
  • AVG
  • Avira
  • BitDefender
  • BlockPost
  • DefenseWall HIPS
  • DrWeb
  • ESET
  • F-Secure
  • FRISK Software
  • G Data
  • K7 Computing
  • Kaspersky Lab
  • Lavasoft
  • McAfee
  • Norton AntiVirus
  • Online Solutions
  • P Tools
  • Panda Security
  • Positive Technologies
  • Sandboxie
  • Security Task Manager
  • Spyware Terminator
  • Sunbelt Software
  • Symantec
  • Trend Micro
  • UAenter
  • Xore
  • Zillya Antivirus
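The following PowerShell audit, added here as an example and not part of Microsoft's own tooling or this entry, checks a host for the registry indicators described above: the regsvr32 Run-key entry from the Installation section, the three Internet Explorer values from the Payload section, and Software Restriction Policy "Disallowed" path rules that would explain the blocked AV products. The SRP key location (Safer\CodeIdentifiers\0\Paths) comes from SRP documentation, not from this page; run the script as the affected user, since the persistence and IE entries live under HKCU.

```powershell
# Added defender-side audit for the Backdoor:Win32/Vawtrak.A registry
# indicators listed on this page. Not Microsoft's tooling.
$findings = @()

# 1. Run-key persistence: a value whose data runs regsvr32 /s on a .dat file.
#    The page shows the file under %ALLUSERSPROFILE%\AppData (expanded on XP
#    to ...\All Users\Application Data), so match on the .dat target only.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $data = [string]$p.Value
        if ($data -match '(?i)regsvr32(\.exe)?\s+/s\s+"?[^"]+\.dat"?') {
            $findings += "Run value '$($p.Name)' loads a .dat via regsvr32: $data"
        }
    }
}

# 2. Internet Explorer settings the page says the threat sets.
$ieChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'NoProtectedModeBanner'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'TabProcGrowth';          Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = '2500'; Bad = 3 }
)
foreach ($c in $ieChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).$($c.Name)
    if ($null -ne $v -and [int]$v -eq $c.Bad) {
        $findings += "$($c.Key)\$($c.Name) = $v (matches the Vawtrak.A setting)"
    }
}

# 3. SRP "Disallowed" path rules (level 0). Key location assumed from SRP
#    documentation, not from this page. Any rule naming a security product's
#    folder is consistent with the AV-blocking behaviour described above.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $srp = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
    Get-ChildItem -Path $srp -ErrorAction SilentlyContinue | ForEach-Object {
        $item = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ItemData
        if ($item) { $findings += "SRP Disallowed path rule: $item" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Vawtrak.A registry indicators found.' }
```

A hit on any of the three checks is a reason to run the full scan recommended above; the SRP rules in particular must be removed before a blocked AV product will start again.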

Analysis by Ric Robielos and Vincent Tiu


Symptoms

The following could indicate that you have this threat on your PC:

  • You might not be able to run programs like IE, Firefox, Outlook, Windows Explorer, Command prompt, and Task Manager

Prevention


Alert level: Severe
First detected by definition: 1.149.1067.0
Latest detected by definition: 1.189.1703.0 and higher
First detected on: May 02, 2013
This entry was first published on: May 02, 2013
This entry was updated on: Sep 22, 2014

This threat is also detected as:
No known aliases