Backdoor:MSIL/Ofnipon.A is a backdoor trojan that terminates certain security processes. It also allows a remote attacker to gain access and control of the infected computer.
Installation
Backdoor:MSIL/Ofnipon.A drops itself in the computer as the following file:
- %AppData%\update\svchost.exe
It also creates the following registry entries to ensure that it automatically runs every time Windows starts:
Adds value: "svchost"
With data: "%AppData%\update\svchost.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "svchost"
With data: "%AppData%\update\svchost.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Userinit"
With data: "<system folder>\userinit.exe,%AppData%\update \svchost.exe,"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It creates the following mutex:
- qxq9rm2qdpc9lss98ccaci9elgxqxq
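As an added example (not Microsoft's tooling and not part of the original write-up), the following Python module checks a registry snapshot for the persistence described above: Run-key values named "svchost", an svchost.exe launched from anywhere other than the System folder, extra Userinit entries, and the mutex. The snapshot format ({subkey: {value name: data}}), the helper names and the sample data are assumptions made for the example; on a live host you would fill the dictionary from a registry export rather than the constructed samples shown here. The svchost.exe location test goes beyond this one sample: any binary borrowing a system process name from a user-writable directory is worth a look whatever the family.

```python
"""Registry-persistence triage for Backdoor:MSIL/Ofnipon.A (added example).

The registry is modelled as {subkey: {value_name: data}} so the checks can run
offline against constructed snapshots; the key paths, value name, dropped file
and mutex come from the write-up above.
"""
import re

DROPPED_FILE = r"%AppData%\update\svchost.exe"
RUN_VALUE_NAME = "svchost"
MUTEX_NAME = "qxq9rm2qdpc9lss98ccaci9elgxqxq"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _norm(path):
    """Lower-case a path, drop surrounding quotes and collapse spaces around
    backslashes (the write-up shows 'update \\svchost.exe' with a stray space)."""
    return re.sub(r"\s*\\\s*", r"\\", path.strip().strip('"')).lower()


def check_run_keys(registry):
    """Return Run entries that use the Ofnipon value name or that launch an
    svchost.exe from anywhere other than the System folder."""
    findings = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            p = _norm(data)
            masquerade = p.endswith("\\svchost.exe") and "\\system32\\" not in p
            if name.lower() == RUN_VALUE_NAME or masquerade:
                findings.append((key, name, data))
    return findings


def check_userinit(registry):
    """Userinit is a comma-separated list of programs Winlogon runs at logon.
    Return every entry other than userinit.exe itself; a clean value has none."""
    value = registry.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not _norm(e).endswith("\\userinit.exe")]


def triage(registry, mutexes=()):
    """Combine the registry checks with the mutex indicator."""
    return {
        "run_entries": check_run_keys(registry),
        "userinit_extras": check_userinit(registry),
        "mutex_present": MUTEX_NAME in set(mutexes),
    }


# Constructed snapshots (hypothetical, not captured from a real host).
CLEAN = {
    RUN_KEYS[0]: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    WINLOGON_KEY: {"Userinit": r"C:\Windows\system32\userinit.exe,"},
}
INFECTED = {
    RUN_KEYS[0]: {"svchost": DROPPED_FILE},
    RUN_KEYS[1]: {"svchost": DROPPED_FILE},
    WINLOGON_KEY: {"Userinit": r"C:\Windows\system32\userinit.exe,%AppData%\update \svchost.exe,"},
}

if __name__ == "__main__":
    for label, snap, mutexes in (("clean", CLEAN, []), ("infected", INFECTED, [MUTEX_NAME])):
        print(label, triage(snap, mutexes))
```

The Userinit check returns the offending entries rather than a boolean so that an analyst can see exactly which extra program Winlogon would launch; the Run-key check likewise returns the key, value name and data for each hit.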
Backdoor:MSIL/Ofnipon.A terminates itself if it is running under any of the following processes:
It also terminates if the currently running user name is one of the following:
- currentuser
- honey
- sandbox
- User
- UserName
It also terminates if the computer name is one of the following:
- COMPUTERNAME
- DELL-D3E62F7E26
- DWI-9625AC2E275
- MICHAEL-F156CF7
Payload
Terminates security processes
Backdoor:MSIL/Ofnipon.A terminates the following processes, which are related to security programs:
- a2servic.exe
- acs.exe
- antigen.exe
- ashwebsv.exe
- avgemc.exe
- bullguard.exe
- ccapp.exe
- clamauto.exe
- cpf.exe
- earthagent.exe
- ekrn.exe
- ewido.exe
- fpavserver.exe
- kavsvc.exe
- mcagentmcuimgr.exe
- msascui
- msmpeng
- nod32.exe
- nod32krn.exe
- pccntmon.exe
- spysweeper.exe
- tmlisten.exe
- vsmon.exe
Allows backdoor access and control
Backdoor:MSIL/Ofnipon.A attempts to connect to one of the following servers via port 3074:
- aidswow.no-ip.info
- dontdiebitch.no-ip.biz
- aidsplox123.no-ip.info
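The write-up gives three dynamic-DNS control servers and a fixed port. The following Python triage, added here and not part of the Microsoft analysis, correlates DNS answers with later connections so that a port 3074 flow is rated high only when its destination resolved from one of the listed hosts, and low otherwise (port 3074 is also used by Xbox Live, so the port on its own is a weak signal). The one-line log format, the Alert tuple, the helper names and the sample lines are all constructed for the example.

```python
"""Network triage for the Ofnipon.A C2 indicators (added example).

Log lines use a constructed one-line format:
  <ts> dns <src> <query> -> <answer-ip>
  <ts> conn <src> -> <dst-ip>:<dport> <proto>
"""
import re
from collections import namedtuple

# Indicators from the write-up above.
C2_HOSTS = {"aidswow.no-ip.info", "dontdiebitch.no-ip.biz", "aidsplox123.no-ip.info"}
C2_PORT = 3074
DYNDNS_SUFFIXES = (".no-ip.info", ".no-ip.biz")

Alert = namedtuple("Alert", "severity reason line")

DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) (?P<query>\S+) -> (?P<answer>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")


def triage(lines):
    """Walk the log once, learning name-to-IP answers from DNS lines and using
    them to rate later connections on the C2 port."""
    resolved = {}  # answer IP -> queried name, learned from earlier DNS lines
    alerts = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            query = m["query"].lower().rstrip(".")
            resolved[m["answer"]] = query
            if query in C2_HOSTS:
                alerts.append(Alert("high", f"lookup of known Ofnipon C2 host {query}", line))
            elif query.endswith(DYNDNS_SUFFIXES):
                alerts.append(Alert("medium", f"lookup of dynamic-DNS host {query}", line))
            continue
        m = CONN_RE.match(line)
        if m and int(m["dport"]) == C2_PORT:
            name = resolved.get(m["dst"])
            if name in C2_HOSTS:
                alerts.append(Alert("high", f"port {C2_PORT} connection to {m['dst']}, resolved from {name}", line))
            else:
                alerts.append(Alert("low", f"port {C2_PORT} connection with no C2 resolution (Xbox Live also uses 3074)", line))
    return alerts


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z dns 10.0.0.5 aidswow.no-ip.info -> 203.0.113.10",
    "2024-05-01T10:00:01Z conn 10.0.0.5 -> 203.0.113.10:3074 tcp",
    "2024-05-01T10:02:00Z dns 10.0.0.9 example.com -> 198.51.100.7",
    "2024-05-01T10:02:01Z conn 10.0.0.9 -> 198.51.100.7:3074 udp",
    "2024-05-01T10:05:00Z dns 10.0.0.7 ddns-test.no-ip.biz -> 198.51.100.20",
    "2024-05-01T10:06:00Z conn 10.0.0.5 -> 93.184.216.34:443 tcp",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason}: {alert.line}")
```

Because no-ip hostnames re-point freely, the resolved map is rebuilt from the log rather than from a static IP list; a connection is tied to a C2 host only through the answer observed shortly before it.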
Backdoor:MSIL/Ofnipon.A can receive any of the following commands from the server:
UNINSTALL - removes itself from the infected computer
KEY - sends product key information, operating system version and service pack version
FF - if Firefox is installed, sends saved login information
STOP
UDP - starts a UDP flood against a given IP address/host
HTTP - starts an HTTP flood against a given IP address/host
BEEP - sends "BEEP" back to the control center to signal that the host is alive
STOP_ALL - stops HTTP and UDP flooding
UDPATE - updates the malware on the infected computer from a given URL
URL:NORMAL - opens a URL for the user in a normal window
URL:HIDDEN - opens a URL in a hidden window
DESKTOP - sends a screenshot of the user's desktop
STOPDESKTOP - stops sending screenshots
GETPROCESSES - sends a list of currently running processes (with process IDs and file locations)
Analysis by Daniel Radu