Backdoor:MSIL/Pontoeb.N is a trojan that connects to a remote server to listen for commands, sent by an attacker, that instruct the trojan to perform various payloads. The payloads could include instructions to download files, gather and send details about your computer, initiate flood attacks against other computers and update the trojan code.
Installation
This trojan may be distributed on file sharing networks as a 'keygen' or serial key generator. If this trojan is run, it will copy itself as files in certain folders, as in the following examples:
- C:\Users\Administrator\AppData\Roaming\wscntfy.exe
- C:\Users\Administrator\AppData\Roaming\wpnetwk.exe
- C:\Program Files\Common Files\lsmass.exe
The trojan bypasses the Windows Firewall by adding its files to the list of authorized applications that is stored in the system registry, and it will run whenever you start Windows.
Payload
Changes Windows settings
Backdoor:MSIL/Pontoeb.N changes Windows settings to perform the following:
- Disables alerts that display when an application tries to run and requires administrator (elevated) privileges
- Prevents Windows from displaying files marked as 'hidden'
Allows unauthorized remote access and control
Backdoor:MSIL/Pontoeb.N connects to one of these remote servers to listen for commands, sent by an attacker, that instruct the trojan to perform various payloads:
- 77.79.4.101
- 77.79.7.229
- agree.netau.net
- bot.spl0id.u2m.ru
- global-carding.ru
- hack2crew.org
- hcgcrew.info
- mynewclan.webuda.com
- seeq.u2m.ru
- tony45.host.sk
- sybli.host22.com
- xxtony.host.sk
- zonja.ru
The trojan will respond to commands sent by an attacker that could instruct Pontoeb to perform the following:
- Connect to a specified website
- Download files
- Gather the following information about the affected computer, such as:
- Disk drive serial number
- System drive details
- Operating system
- Processor architecture
- Perform flood attacks using HTTP, SYN, and UDP protocol
- Update itself
Additional information
This trojan makes many changes to the Windows registry, including the following:
Purpose: execute when Windows starts
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows-Audio Driver"
With data: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sets value: "Windows-Network Component"
With data: "%CommonProgramFiles%\lsmass.exe"
Sets value: "StubPath"
With data: "%AppData%\wscntfy.exe -r"
In one of the following subkeys:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{125728E1-D0D8-9709-F968-AC75FBF77101}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1403017C-5B8A-E789-7BA8-D843BC94727C}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{190C3C45-CEA9-FEE4-96E6-7E9286F72E6B}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{19F96D35-45BE-1E2B-1DDA-CAE53A6D4ED6}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{28FA909A-B618-30E4-F00E-D566C11F3D0D}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{3B667F27-AA8D-874B-068E-00D0D6BB8798}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{60F2CA65-D2E6-9C90-50A0-46CDB63D3F87}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{61B7C2C5-027D-90CA-DBB5-E157D18EBFA4}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{75EC2D18-B4B0-57F8-1941-B9EA808AA7F5}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7C54CA08-4C16-5ACF-945C-0227E77F4FF7}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7F6109A4-597C-6D5A-FB3D-8ABE725C9624}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{8C2B1E48-B3CB-F958-CE56-2403872CF622}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A0592843-6AB9-8676-F4F4-96591B5EC8E1}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B42AE212-5EAA-DB02-2D24-AA72115C74FB}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E014DC60-61D9-FF40-A7DD-BB1A45C47D4E}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{e27ac189-154d-11dd-8f2b-806d6172696f}
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{E39ACFFE-61E0-BF19-95B4-824D6CA0306E}
Purpose: Disable system alert messages when running an application that normally requires administrator rights to execute, such as malware or unknown programs
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
Purpose: Do not display files marked as hidden, even if the option to view hidden files is enabled under 'Folder Options' in Windows Explorer
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
Purpose: Add the malware to a list of authorized or approved programs that can run without being restricted by Windows Firewall
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%CommonProgramFiles%\lsmass.exe"
With data: "%CommonProgramFiles%\lsmass.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%CommonProgramFiles%\lsmass.exe"
With data: "%CommonProgramFiles%\lsmass.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver" or "%AppData%\wpnetwk.exe:*:enabled:windows-audio driver"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%AppData%\wscntfy.exe" or "%AppData%\wpnetwk.exe"
With data: "%AppData%\wscntfy.exe:*:enabled:windows-audio driver" or "%AppData%\wpnetwk.exe:*:enabled:windows-audio driver"
Purpose: Do not log Windows driver event tracing sessions to a file (Additional details about Windows driver event tracing)
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: "Guid"
With data: "8aefce96-4618-42ff-a057-3536aa78233e"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: "Guid"
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: "LogSessionName"
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: "Guid"
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
Analysis by Hyun Choi
