Backdoor:Win32/Beastdoor.DL is a trojan that allows unauthorized remote access and control to the affected computer. It also modifies certain settings on the computer.
Installation
When run, Backdoor:Win32/Beastdoor.DL copies itself to the computer using random file names. It usually creates three copies: one as a DLL file and two as COM files, using the following format:
- %windir%\<random name 1>.dll
- %windir%\msagent\ms<random name 2>.com
- %windir%\system32\ms<random name 3>.com
where <random name 2> and <random name 3> are usually 3 to 4 random characters.
In the wild, some of the file names it is known to use are the following:
- dxdgns.dll
- mspgcs.com
- msdqwn.com
It modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}
Sets value: "StubPath"
With data: "%windir%\system32\msdqwn.com"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "COM Service"
With data: "%windir%\msagent\mspgcs.com"
Backdoor:Win32/Beastdoor.DL may create a mutex named "Bst_Run".
Payload
Modifies system security settings
Backdoor:Win32/Beastdoor.DL modifies the affected computer system's security settings by disabling Shared Access:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Sets value: "Start"
With data: "4"
It also disables the computer's dial-up connection by making the following changes to the registry:
In subkey: HKCU\Software\Microsoft\RAS Autodial\Control
Sets value: "LoginSessionDisable"
With data: "1"
Some variants lock the Internet Explorer toolbar by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "Locked"
With data: "1"
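The persistence entries under "Installation" and the setting changes under "Payload" can be checked together. The following triage function is an added example, not part of the original write-up; it takes registry entries as (subkey, value name, data) tuples (for instance parsed from a registry export) and flags the Active Setup StubPath and policies\Explorer\Run entries that point at the "ms<random>.com" copies, plus the three security-setting changes. The sample entries, including the benign ones and their GUID and paths, are constructed.

```python
import re

# COM copies are "ms" + 3-4 characters under %windir%\msagent or %windir%\system32
# (known names from the description: mspgcs.com, msdqwn.com).
COM_COPY = re.compile(r"^%windir%\\(msagent|system32)\\ms[a-z0-9]{3,4}\.com$", re.I)
ACTIVE_SETUP = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\\{[0-9A-F-]{36}\}$", re.I)
POLICIES_RUN = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"

# Security-setting changes listed under "Payload", keyed on lower-cased (subkey, value, data).
SETTING_CHANGES = {
    (r"hklm\system\currentcontrolset\services\sharedaccess", "start", "4"):
        "SharedAccess service start type set to 4 (disabled)",
    (r"hkcu\software\microsoft\ras autodial\control", "loginsessiondisable", "1"):
        "RAS Autodial disabled for the login session",
    (r"hkcu\software\microsoft\internet explorer\toolbar", "locked", "1"):
        "Internet Explorer toolbar locked",
}

def triage(entries):
    """Return (category, detail) findings for entries given as (subkey, value_name, data)."""
    findings = []
    for subkey, value, data in entries:
        key, val, dat = subkey.lower(), value.lower(), str(data).lower()
        if ACTIVE_SETUP.match(subkey) and val == "stubpath" and COM_COPY.match(data):
            findings.append(("persistence", f"Active Setup StubPath runs {data}"))
        elif key == POLICIES_RUN and COM_COPY.match(data):
            findings.append(("persistence", f"policies\\Explorer\\Run value '{value}' runs {data}"))
        elif (key, val, dat) in SETTING_CHANGES:
            findings.append(("settings", SETTING_CHANGES[(key, val, dat)]))
    return findings

# Constructed sample: the entries from the description plus two benign entries
# (the second Active Setup GUID and the OneDrive path are placeholders, not real indicators).
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}",
     "StubPath", r"%windir%\system32\msdqwn.com"),
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}",
     "StubPath", r"regsvr32.exe /s /n /i:U shell32.dll"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "COM Service",
     r"%windir%\msagent\mspgcs.com"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\OneDrive.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", "4"),
    (r"HKCU\Software\Microsoft\Internet Explorer\Toolbar", "Locked", "1"),
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_ENTRIES):
        print(f"[{category}] {detail}")
```

A "persistence" hit together with a "settings" hit on the same host is a stronger signal than either alone; the mutex "Bst_Run" and the DLL copy under %windir% are separate checks not covered here.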
Allows backdoor access and control
Backdoor:Win32/Beastdoor.DL sends an email to a remote attacker containing infection information such as the IP address and port number. It then injects code into the "explorer.exe" process, tries to open a port (usually 6666, but this may vary), and waits for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer, including:
- Take a screen capture
- Record webcam video
- Open, close, and remove CD-ROM
- Download and execute arbitrary files
- Swap mouse buttons
- Control the mouse
- Steal files from the affected computer
- Change the time on the affected computer
- Send emails
- Copy window text then send captures via email
- Log keystrokes or steal sensitive data
Additional information
Some samples of Backdoor:Win32/Beastdoor.DL may terminate processes related to antivirus programs. It may connect to "www.cnn.com" or "www.microsoft.com" to check for an Internet connection on the affected computer.
Analysis by Rex Plantado