Backdoor:Win32/Backage.C is a backdoor trojan that allows unauthorized access and control of an affected computer.
Installation
When executed, Backdoor:Win32/Backage.C copies itself to %windir%\Mskernel16.exe and executes this copy. It then deletes the original executable.
It creates the following registry entries so that it executes every time Windows starts:
In subkey: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Runonce
Sets value: "Internet Kernel"
With data: "C:/windows/Mskernel16.exe"
In subkey: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Sets value: "Internet Kernel"
With data: "C:/windows/Mskernel16.exe"
In subkey: HKCU\SOFTWARE\Win\RUN
Sets value: "Internet Kernel"
With data: "C:/windows/Mskernel16.exe"
In subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Sets value: "Internet Kernel"
With data: "C:/windows/Mskernel16.exe"
In subkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
Sets value: "Internet Kernel"
With data: "C:/windows/Mskernel16.exe"
As part of its autostart technique, this backdoor attempts to modify or add the following line to the file %windir%\win.ini in the [Windows] section:
run=Mskernel16.exe
It also attempts to modify or add the following line to the hardcoded file C:/windows/System.ini in the [boot] section:
shell=Explorer.exe Mskernel16.exe
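The following Python script is added here as an example and is not part of the original analysis. It checks a host for the installation indicators listed above: the five Run-type registry values, the win.ini and System.ini autostart lines, the dropped %windir%\Mskernel16.exe file and a TCP listener on port 334. The INI contents embedded in it are constructed samples, not captures from an infected machine; the INI parsing runs anywhere, while the registry, file and port checks run only on Windows and are skipped elsewhere.

```python
"""Check a host for the Backdoor:Win32/Backage.C installation indicators.

Added example code, not part of the original analysis. INI checks are pure
Python; registry, file and port checks run only on Windows.
"""
import os
import socket
import sys

IMPLANT_NAME = "mskernel16.exe"      # dropped as %windir%\Mskernel16.exe
RUN_VALUE_NAME = "internet kernel"   # value name written to each Run key
LISTEN_PORT = 334                    # TCP port the backdoor listens on

# Run-type keys named in the analysis: (hive, subkey)
RUN_KEYS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Win\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
]

# Constructed sample file contents (not captured from a real host)
CLEAN_WIN_INI = "; for 16-bit app support\n[fonts]\n[Windows]\nrun=\nload=\n"
INFECTED_WIN_INI = "[fonts]\n[Windows]\nrun=Mskernel16.exe\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[drivers]\nwave=mmdrv.dll\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=Explorer.exe Mskernel16.exe\n"


def parse_ini(text):
    """Tolerant INI parser -> {section: {key: value}}, names lower-cased.
    configparser is avoided: win.ini/system.ini may hold duplicate keys and
    bare lines without '=', which make it raise."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def win_ini_findings(text):
    """[Windows] run= naming the implant (the line this family adds)."""
    run = parse_ini(text).get("windows", {}).get("run", "")
    return ["win.ini [Windows] run=" + run] if IMPLANT_NAME in run.lower() else []


def system_ini_findings(text):
    """[boot] shell= should be Explorer.exe alone; any extra token is a hijack
    (this family writes 'shell=Explorer.exe Mskernel16.exe')."""
    shell = parse_ini(text).get("boot", {}).get("shell")
    if shell is None or shell.lower().split() == ["explorer.exe"]:
        return []
    return ["system.ini [boot] shell=" + shell]


def registry_findings():
    """Values in the listed Run keys named 'Internet Kernel' or whose data
    points at the implant. Windows only: winreg is unavailable elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    findings = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    if name.lower() == RUN_VALUE_NAME or IMPLANT_NAME in str(data).lower():
                        findings.append("%s\\%s  %s = %s" % (hive, subkey, name, data))
        except OSError:
            continue  # key absent or access denied
    return findings


def port_listening(port=LISTEN_PORT, host="127.0.0.1"):
    """True if something accepts TCP connections on the port (local probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        return s.connect_ex((host, port)) == 0


def scan_host(windir=None):
    """Run every check against the live host; returns the list of findings."""
    findings = registry_findings()
    if sys.platform == "win32":
        windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
        implant = os.path.join(windir, "Mskernel16.exe")
        if os.path.exists(implant):
            findings.append("file present: " + implant)
        for name, check in (("win.ini", win_ini_findings), ("system.ini", system_ini_findings)):
            path = os.path.join(windir, name)
            if os.path.exists(path):
                with open(path, "r", errors="replace") as f:
                    findings.extend(check(f.read()))
        if port_listening():
            findings.append("TCP port %d accepting connections" % LISTEN_PORT)
    return findings


if __name__ == "__main__":
    for finding in scan_host():
        print(finding)
```

The port probe only shows that something accepts connections on 334 from the local host; pair it with netstat -ano to identify the owning process. The System.ini check flags any shell= value other than Explorer.exe alone, so it also catches other families that append themselves to that line.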
Payload
Allows backdoor access and control: Port 334
Backdoor:Win32/Backage.C opens TCP port 334, listens for connections from its controller and waits for commands. This gives an attacker unauthorized access to and control of the affected computer, including the ability to perform the following actions:
- Get the following information from the affected computer:
  - Product name
  - Product ID
  - Product type
  - User organization
  - User name
  - System root
  - Computer name
  - Network logon
- Chat with the server
- Control the user's keyboard and mouse
- Capture screenshots
- Change the affected computer's desktop wallpaper
- Change display settings
- Visit a webpage
- Get/send/execute a file from the affected computer
- Hide/show the taskbar
- Open/close CD-ROM device
- Restart the computer
- Lock the screen
- View a list of open windows
Analysis by Jonathan San Jose