Backdoor:MSIL/Pontoeb.J


Backdoor:MSIL/Pontoeb.J is a trojan that may allow backdoor access and control of an affected computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Backdoor:MSIL/Pontoeb.J is a trojan that may allow backdoor access and control of an affected computer.

Installation

Backdoor:MSIL/Pontoeb.J may be distributed as a file with an enticing name such as "Need.For.Speed.The.Run.Unlocked-TF.exe" or "Dota 2 Betakeys.txt.exe". Once run, it drops copies of itself to the following locations:

  • %AppData%\wscntfy.exe
  • %CommonProgramFiles%\lsmass.exe

It then modifies the registry so that the dropped files run at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows-Audio Driver"
With data: "%AppData%\wscntfy.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%CommonProgramFiles%\lsmass.exe"

Payload

Bypasses Windows firewall

This trojan modifies the Windows firewall policy by adding its dropped copy to the authorized-applications list of both firewall profiles, so that its network traffic is not blocked by Windows firewall.

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver"

Redirects log session tracing

Backdoor:MSIL/Pontoeb.J hinders network-tracing diagnostics on the affected computer by modifying registry data so that the event-tracing log sessions of several networking components are redirected to "stdout".

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: "LogSessionName"
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: "LogSessionName"
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: "LogSessionName"
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: "Guid"
With data: "8aefce96-4618-42ff-a057-3536aa78233e"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: "Guid"
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: "LogSessionName"
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: "Guid"
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
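The autorun entries, firewall authorized-applications entries and tracing redirections listed above can be checked for offline in a registry export taken from a suspect host. The following script is an added example written for this entry, not Microsoft's tooling: it parses a constructed REGEDIT5-style export (sample data, with an expanded example profile path) and flags the three kinds of indicators this write-up describes.

```python
import re

# Indicators taken from the write-up; registry paths are compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run",
}
FIREWALL_LIST_RE = re.compile(r"\\FirewallPolicy\\(Domain|Standard)Profile\\AuthorizedApplications\\List$", re.I)
TRACING_PREFIX = r"hkey_local_machine\software\microsoft\windows nt\currentversion\tracing\microsoft" + "\\"
DROPPED_FILES = ("wscntfy.exe", "lsmass.exe")

# Constructed sample export (not from a real host); the first Run value is a benign control.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows-Audio Driver"="C:\\Users\\victim\\AppData\\Roaming\\wscntfy.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\victim\\AppData\\Roaming\\wscntfy.exe"="C:\\Users\\victim\\AppData\\Roaming\\wscntfy.exe:*:enabled:windows-audio driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName"="stdout"
'''

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            # .reg exports double every backslash inside quoted strings
            yield key, name.replace("\\\\", "\\"), data.strip('"').replace("\\\\", "\\")

def find_indicators(text):
    """Return (category, key, value_name, data) tuples matching the write-up's indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in RUN_KEYS and data.lower().endswith(DROPPED_FILES):
            hits.append(("autorun", key, name, data))
        elif FIREWALL_LIST_RE.search(key):
            # AuthorizedApplications data has the form "<path>:*:enabled:<display name>"
            path, _, rest = data.partition(":*:")
            if path.lower().endswith(DROPPED_FILES) and rest.lower().startswith("enabled:"):
                hits.append(("firewall-exception", key, name, data))
        elif k.startswith(TRACING_PREFIX) and name.lower() == "logsessionname" and data.lower() == "stdout":
            hits.append(("tracing-redirect", key, name, data))
    return hits
```

Run `find_indicators` over a real export from `reg export HKLM <file>` to triage a host; a tracing-redirect hit alone is weak evidence and should be read together with the autorun and firewall hits.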

Allows backdoor access and control

Backdoor:MSIL/Pontoeb.J may connect to the IP address "77.<removed>.4.101" to allow a remote attacker to access and control the affected computer. Commands issued through this connection may include, but are not limited to, the following:

  • Connect to a specified website
  • Download files
  • Gather the following information about the affected computer:
    • Disk drive serial number
    • System drive details
    • Operating system
    • Processor architecture
  • Perform HTTP, SYN, and UDP flooding
  • Update itself

Analysis by Francis Allan Tan Seng


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • %AppData%\wscntfy.exe
    • %CommonProgramFiles%\lsmass.exe

Prevention


Alert level: Severe
First detected by definition: 1.117.1554.0
Latest detected by definition: 1.195.1102.0 and higher
First detected on: Dec 22, 2011
This entry was first published on: Dec 22, 2011
This entry was updated on: Dec 23, 2011

This threat is also detected as:
  • Trojan.MulDrop3.21941 (Dr.Web)
  • Backdoor.MSIL.Agent.fyc (Kaspersky)
  • Backdoor:MSIL/Bafrus.J (other)