Backdoor:Win32/Allaple.E is a backdoor that utilizes tools or additional components downloaded by other Allaple variants in order to perform activities such as key logging and sending system and password information to a remote server.
Installation
When executed, Backdoor:Win32/Allaple.E runs from its current location. It is typically downloaded and launched by other components of the Win32/Allaple family (such as Backdoor:Win32/Allaple.D), which may write the backdoor's components to %windir%\inf\svchost\csrss.exe and %windir%\inf\svchost\svchost.exe, along with a number of utilities that the backdoor may use to obtain user and system information.
Payload
Backdoor Functionality
Once installed, the trojan obtains the name of a server to contact from the text file %windir%\inf\ram64xp.dll. (This file is written by the Backdoor:Win32/Allaple component used to install the malware.)
It periodically contacts this server, which responds with commands to perform and the times at which it should perform them. It also periodically contacts a server at 20083.maladate.com, which may reply with a new location for the backdoor’s controller; this new server name is then written to %windir%\inf\ram64xp.dll.
Examples of servers observed to have been used at the time of publication have included dino.kling.nu and cuentos.varro.es.
The backdoor’s controller may request that it perform any of the following activities:
Log Keystrokes and Window Information
The backdoor may be requested to log keystrokes typed by the user. Whenever the active window is changed, it also records the title of this window. This information is recorded in files at %windir%\inf\wtv32ax.inf and %windir%\inf\wtv32bx.inf and periodically posted to the backdoor server.
Send System Passwords and Certificate Information to Remote Server
Backdoor:Win32/Allaple.E uses utilities downloaded by the file that installed it to attempt to collect stored passwords from the system and send them to the backdoor’s server. These passwords are temporarily stored in files in the %windir%\inf directory, which are deleted after their contents are sent. The following filenames are used:
- iepv.txt
- netpass.txt
- rdpv.txt
- outlook.txt
The types of passwords it attempts to acquire may include:
- Passwords stored by Internet Explorer’s autocomplete function
- HTTP Basic Authentication and FTP passwords entered using Internet Explorer
- Outlook passwords
- MSN Messenger passwords
- Passwords used to access other systems on the local network
- Remote desktop connection passwords
It also may attempt to acquire and post information from the system’s certificate store.
Other Activities
The backdoor appears to contain the following capabilities, although none of these have been observed in laboratory testing:
- Download and execute arbitrary files
- Start and stop services
- Replace the hosts file
- Update itself
- Start and stop a web server, if this is present on the system
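The file paths and server names given in the Installation and Payload sections above can be used for host and log triage. The following is an added example, not code from the original write-up; it assumes %windir% is C:\Windows, that the caller supplies a file inventory (for example from a directory listing) and DNS log lines, and that the log format is the constructed one shown in the sample.

```python
# Added triage example for the Allaple.E artifacts above; not the write-up's code.
import ntpath
import re

# File artifacts named in the write-up, relative to %windir%\inf.
ALLAPLE_E_FILES = {
    r"svchost\csrss.exe": "dropped backdoor component",
    r"svchost\svchost.exe": "dropped backdoor component",
    "ram64xp.dll": "text file naming the controller server",
    "wtv32ax.inf": "keystroke and window-title log",
    "wtv32bx.inf": "keystroke and window-title log",
    "iepv.txt": "harvested passwords (deleted after upload)",
    "netpass.txt": "harvested passwords (deleted after upload)",
    "rdpv.txt": "harvested passwords (deleted after upload)",
    "outlook.txt": "harvested passwords (deleted after upload)",
}
# Controller and update servers named in the write-up.
ALLAPLE_E_DOMAINS = {"20083.maladate.com", "dino.kling.nu", "cuentos.varro.es"}
# Host names in a log line; bare IPs never match because the TLD must be alphabetic.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def match_files(inventory, windir=r"C:\Windows"):
    """(path, description) for inventory entries equal to an indicator path.
    The full path is compared, so %windir%\\system32\\svchost.exe is not flagged."""
    wanted = {ntpath.normpath(ntpath.join(windir, "inf", rel)).lower(): desc
              for rel, desc in ALLAPLE_E_FILES.items()}
    hits = []
    for path in inventory:
        key = ntpath.normpath(path).lower()
        if key in wanted:
            hits.append((path, wanted[key]))
    return hits

def match_domains(log_lines):
    """(line, name) for lines that resolve an indicator domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        for name in HOSTNAME_RE.findall(line):
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in ALLAPLE_E_DOMAINS):
                hits.append((line.strip(), name))
    return hits

if __name__ == "__main__":
    # Constructed sample inventory and DNS log lines, not real data.
    inventory = [r"C:\Windows\System32\svchost.exe", r"C:\Windows\inf\svchost\svchost.exe"]
    dns_log = ["10:00:01 HOST01 query A www.example.com",
               "10:00:05 HOST01 query A 20083.maladate.com"]
    print(match_files(inventory))   # flags only the %windir%\inf\svchost copy
    print(match_domains(dns_log))   # flags the maladate.com query
```

Because the password files are deleted after upload, a file inventory taken after infection may show only the dropped components, ram64xp.dll and the keystroke logs; the DNS check covers the window in which the transient files are already gone.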
Analysis by David Wood